ci: try docker bake

PurpleBooth · Oct 31, 2024 · 294f484 · 294f484
1 parent 6c604a8
commit 294f484
Show file tree

Hide file tree

Showing 5 changed files with 151 additions and 60 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -2,3 +2,4 @@
 !src
 !Cargo.lock
 !Cargo.toml
+!nfpm.yaml
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -1,13 +1,10 @@
 name: Test
 on:
   push:
-    branches:
-    - '*'
   pull_request:
   workflow_dispatch:
+  merge_group:
 jobs:
-  docker-build:
-    uses: PurpleBooth/common-pipelines/.github/workflows/docker-build.yml@main
   lint-markdown:
     uses: PurpleBooth/common-pipelines/.github/workflows/markdown-check.yml@main
   commit-checks:
@@ -16,71 +13,77 @@ jobs:
     uses: PurpleBooth/common-pipelines/.github/workflows/rust-check.yml@main
   specdown:
     uses: PurpleBooth/common-pipelines/.github/workflows/specdown-check.yml@main
+  docker-build:
+    uses: PurpleBooth/common-pipelines/.github/workflows/bake-build.yaml@main
+
   release:
     if: github.ref == 'refs/heads/main'
     needs:
-    - specdown
-    - lint-markdown
-    - rust-checks
-    - commit-checks
-    - docker-build
+      - docker-build
+      - specdown
+      - lint-markdown
+      - rust-checks
+      - commit-checks
     outputs:
       current_version: ${{ steps.current_version.outputs.current_version }}
       previous_version: ${{ steps.previous_version.outputs.previous_version }}
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@main
-      with:
-        fetch-depth: 0
-    - uses: cargo-bins/cargo-binstall@main
-      name: Install cargo binstall
-    - name: Get tags
-      run: git fetch --tags origin
-    - shell: bash
-      run: cargo binstall --no-confirm cargo-edit
-    - shell: bash
-      run: cargo binstall --no-confirm --locked cocogitto
-    - id: previous_version
-      run: |
-        cog get-version | tee .version
-        echo "previous_version=$( cat .version )"  >> "$GITHUB_OUTPUT"
-        rm .version
-      shell: bash
-    - name: Semver release
-      id: release
-      run: |
-        git config --global user.name "cog-bot"
-        git config --global user.email "[email protected]"
-        cog bump --auto
-    - id: current_version
-      run: |
-        cog get-version | tee .version
-        echo "current_version=$( cat .version )"  >> "$GITHUB_OUTPUT"
-        rm .version
-      shell: bash
+      - uses: actions/checkout@main
+        with:
+          fetch-depth: 0
+      - uses: cargo-bins/cargo-binstall@main
+        name: Install cargo binstall
+      - name: Get tags
+        run: git fetch --tags origin
+      - shell: bash
+        run: cargo binstall --no-confirm cargo-edit
+      - shell: bash
+        run: cargo binstall --no-confirm --locked cocogitto
+      - id: previous_version
+        run: |
+          cog get-version | tee .version
+          echo "previous_version=$( cat .version )"  >> "$GITHUB_OUTPUT"
+          rm .version
+        shell: bash
+      - name: Semver release
+        id: release
+        run: |
+          git config --global user.name "cog-bot"
+          git config --global user.email "[email protected]"
+          cog bump --auto
+      - id: current_version
+        run: |
+          cog get-version | tee .version
+          echo "current_version=$( cat .version )"  >> "$GITHUB_OUTPUT"
+          rm .version
+        shell: bash
+
+  docker-push:
+    if: needs.release.outputs.current_version != needs.release.outputs.previous_version
+    needs:
+      - release
+    uses: PurpleBooth/common-pipelines/.github/workflows/bake-push.yaml@main
+    with:
+      current_version: ${{ needs.release.outputs.current_version }}
+
+  docker-push-edge:
+    if: needs.release.outputs.current_version == needs.release.outputs.previous_version
+    needs:
+      - release
+    uses: PurpleBooth/common-pipelines/.github/workflows/bake-push.yaml@main
+
 
   release-binary:
     if: needs.release.outputs.current_version != needs.release.outputs.previous_version
     needs:
-    - release
+      - release
     uses: PurpleBooth/common-pipelines/.github/workflows/release-rust-binary.yml@main
     with:
       current_version: ${{ needs.release.outputs.current_version }}
       previous_version: ${{ needs.release.outputs.previous_version }}
     secrets:
+      cargo_token: ${{ secrets.CARGO_TOKEN }}
       committer_token: ${{ secrets.COMMITTER_TOKEN }}
       gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
       gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}
-
-  docker-push:
-    permissions:
-      attestations: write
-      packages: write
-      id-token: write
-      contents: read
-    if: needs.release.outputs.current_version != needs.release.outputs.previous_version
-    needs:
-    - release
-    uses: PurpleBooth/common-pipelines/.github/workflows/docker-push.yml@main
-    with:
-      current_version: ${{ needs.release.outputs.current_version }}
diff --git a/Dockerfile.bins b/Dockerfile.bins
@@ -0,0 +1,36 @@
+FROM goreleaser/nfpm@sha256:bf713f8fb367975d647bdd7c04137d107fa943d350950c75a6339a97af9353a9 AS nfpm
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:0c6a569797744e45955f39d4f7538ac344bfb7ebf0a54006a0a4297b153ccf0f AS xx
+ARG TARGETPLATFORM
+
+FROM --platform=$BUILDPLATFORM rust:alpine@sha256:466dc9924d265455aa73e72fd9cdac9db69ce6a988e6f0e6baf852db3485d97d AS builder
+RUN apk add clang lld openssl-dev curl bash
+# copy xx scripts to your build stage
+COPY --from=xx / /
+ARG TARGETPLATFORM
+ARG VER
+ENV VER=$VER
+
+COPY --from=nfpm "/usr/bin/nfpm" "/usr/bin/nfpm"
+RUN xx-apk add --no-cache musl-dev zlib-dev zlib-static openssl-dev openssl-libs-static pkgconfig alpine-sdk
+
+WORKDIR /app
+RUN cargo new --lib whatismyip
+WORKDIR /app/whatismyip
+COPY Cargo.* ./
+RUN xx-cargo build --release --target-dir ./build
+COPY . ./
+RUN xx-cargo build --release --target-dir ./build && \
+    xx-verify --static "./build/$(xx-cargo --print-target-triple)/release/whatismyip" && \
+    cp -v  "./build/$(xx-cargo --print-target-triple)/release/whatismyip" "./whatismyip"
+
+COPY nfpm.yaml nfpm.yaml
+RUN mkdir /PACKS && \
+    GOARCH="$(xx-info arch)" nfpm pkg --packager archlinux --config="nfpm.yaml" --target="/PACKS" && \
+    GOARCH="$(xx-info arch)" nfpm pkg --packager rpm --config="nfpm.yaml" --target="/PACKS" && \
+    GOARCH="$(xx-info arch)" nfpm pkg --packager apk --config="nfpm.yaml" --target="/PACKS" && \
+    GOARCH="$(xx-info arch)" nfpm pkg --packager deb --config="nfpm.yaml" --target="/PACKS"
+FROM scratch
+USER nonroot
+COPY --from=builder /PACKS .
+COPY --from=builder /app/whatismyip/whatismyip .
diff --git a/Dockerfile → Dockerfile.container b/Dockerfile → Dockerfile.container
@@ -1,8 +1,9 @@
+
 FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:0c6a569797744e45955f39d4f7538ac344bfb7ebf0a54006a0a4297b153ccf0f AS xx
 ARG TARGETPLATFORM
 
 FROM --platform=$BUILDPLATFORM rust:alpine@sha256:466dc9924d265455aa73e72fd9cdac9db69ce6a988e6f0e6baf852db3485d97d AS builder
-RUN apk add clang lld openssl-dev
+RUN apk add clang lld openssl-dev curl bash
 # copy xx scripts to your build stage
 COPY --from=xx / /
 ARG TARGETPLATFORM
@@ -13,21 +14,16 @@ WORKDIR /app
 RUN cargo new --lib whatismyip
 WORKDIR /app/whatismyip
 COPY Cargo.* ./
-
 RUN xx-cargo build --release --target-dir ./build
 COPY . ./
 RUN xx-cargo build --release --target-dir ./build && \
     xx-verify --static "./build/$(xx-cargo --print-target-triple)/release/whatismyip" && \
     cp -v  "./build/$(xx-cargo --print-target-triple)/release/whatismyip" "./build/whatismyip"
 RUN addgroup -g 568 nonroot
 RUN adduser -u 568 -G nonroot -D nonroot
-USER nonroot
-
 FROM scratch
-COPY --from=builder /etc/passwd /etc/passwd
+COPY --from=builder "/app/whatismyip/build/whatismyip" /
 COPY --from=builder /etc/group /etc/group
-
-USER nonroot
-COPY --from=builder /app/whatismyip/build/whatismyip .
+COPY --from=builder /etc/passwd /etc/passwd
 RUN ["/whatismyip", "--version"]
 ENTRYPOINT ["/whatismyip"]
diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -0,0 +1,55 @@
+target "bins" {
+  name = "bins-${join("-", split("/", item.TARGETPLAFORM))}"
+  dockerfile = "Dockerfile.bins"
+
+  args = {
+    TARGETPLAFORM = "${item.TARGETPLAFORM}"
+  }
+  output = ["type=local,dest=arfacs/bins/${item.TARGETPLAFORM}"]
+
+  matrix = {
+    item = [
+      {
+        TARGETPLAFORM = "linux/amd64"
+      },
+      {
+        TARGETPLAFORM = "linux/arm64"
+      },
+      {
+        TARGETPLAFORM = "alpine/amd64"
+      },
+      {
+        TARGETPLAFORM = "alpine/arm64"
+      },
+      {
+        TARGETPLAFORM = "darwin/amd64"
+      },
+      {
+        TARGETPLAFORM = "darwin/arm64"
+      },
+      {
+        TARGETPLAFORM = "windows/amd64"
+      },
+      {
+        TARGETPLAFORM = "windows/arm64"
+      }
+    ]
+  }
+}
+
+
+target "docker" {
+
+  attest = [
+    "type=provenance,mode=max",
+    "type=sbom"
+  ]
+
+  platform = ["alpine/amd64", "alpine/arm64"]
+
+  dockerfile = "Dockerfile.container"
+}
+
+group "default" {
+  targets = ["bins", "docker"]
+}