slsa3 build

rancher · Sep 18, 2024 · 288f216 · 288f216
1 parent b0086d6
commit 288f216
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 37 deletions.
diff --git a/.github/workflows/image-push.yml b/.github/workflows/image-push.yml
@@ -22,9 +22,6 @@ jobs:
         echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
         echo "$(make -s log | grep ARCH)" >> "$GITHUB_ENV"
 
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
-
     - name: Docker meta
       id: meta-amd64
       uses: docker/metadata-action@v5
@@ -38,27 +35,24 @@ jobs:
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
 
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-
     - name: Login to Container Registry
       uses: docker/login-action@v3
       with:
         username: ${{ env.DOCKER_USERNAME }}
         password: ${{ env.DOCKER_PASSWORD }}
 
-    - name: Build container image
+    - name: Build and push container image
       id: build-amd64
-      uses: docker/build-push-action@v6
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
+      env: 
+        META_LABELS: ${{ steps.meta-amd64.outputs.labels }}
       with:
-        context: .
-        file: Dockerfile
-        platforms: linux/amd64
-        labels: ${{ steps.meta-amd64.outputs.labels }}
-        outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
-        build-args: |
-          TAG=${{ env.TAG }}
-          ARCH=${{ env.ARCH }}
+        image: hardened-calico
+        tag: ${{ github.event.release.tag_name }}
+        public-repo: rancher
+        public-username: ${{ env.DOCKER_USERNAME }}
+        public-password: ${{ env.DOCKER_PASSWORD }}
+        push-to-prime: false
 
     - name: Export digest
       run: |
@@ -89,9 +83,6 @@ jobs:
         echo "$(make -s log | grep TAG)" >> "$GITHUB_ENV"
         echo "$(make -s log | grep ARCH)" >> "$GITHUB_ENV"
 
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
-
     - name: Docker meta
       id: meta-arm64
       uses: docker/metadata-action@v5
@@ -105,27 +96,24 @@ jobs:
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
           secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD
 
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-
     - name: Login to Container Registry
       uses: docker/login-action@v3
       with:
         username: ${{ env.DOCKER_USERNAME }}
         password: ${{ env.DOCKER_PASSWORD }}
 
-    - name: Build container image
+    - name: Build and push container image
       id: build-arm64
-      uses: docker/build-push-action@v6
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
+      env: 
+        META_LABELS: ${{ steps.meta-arm64.outputs.labels }}
       with:
-        context: .
-        file: Dockerfile
-        platforms: linux/arm64
-        labels: ${{ steps.meta-arm64.outputs.labels }}
-        outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
-        build-args: |
-          TAG=${{ env.TAG }}
-          ARCH=${{ env.ARCH }}
+        image: hardened-calico
+        tag: ${{ github.event.release.tag_name }}
+        public-repo: rancher
+        public-username: ${{ env.DOCKER_USERNAME }}
+        public-password: ${{ env.DOCKER_PASSWORD }}
+        push-to-prime: false
 
     - name: Export digest
       run: |
@@ -156,9 +144,6 @@ jobs:
           pattern: digests-*
           merge-multiple: true
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5

diff --git a/Makefile b/Makefile
@@ -10,16 +10,30 @@ else
 	ARCH=$(UNAME_M)
 endif
 
+ifndef TARGET_PLATFORMS
+	ifeq ($(UNAME_M), x86_64)
+		TARGET_PLATFORMS:=linux/amd64
+	else ifeq ($(UNAME_M), aarch64)
+		TARGET_PLATFORMS:=linux/arm64
+	else 
+		TARGET_PLATFORMS:=linux/$(UNAME_M)
+	endif
+endif
+
 BUILD_META=-build$(shell date +%Y%m%d)
 ORG ?= rancher
 TAG ?= ${GITHUB_ACTION_TAG}
+REGISTRY_IMAGE ?= $(ORG)/hardened-calico
+META_LABELS ?= ${META_LABELS}
 
 K3S_ROOT_VERSION ?= v0.14.0
 
 ifeq ($(TAG),)
 TAG := v3.28.1$(BUILD_META)
 endif
 
+IMAGE ?= $(REGISTRY_IMAGE):$(TAG)
+
 ifeq (,$(filter %$(BUILD_META),$(TAG)))
 $(error TAG $(TAG) needs to end with build metadata: $(BUILD_META))
 endif
@@ -31,11 +45,26 @@ image-build:
 		--pull \
 		--build-arg TAG=$(TAG:$(BUILD_META)=) \
 		--build-arg K3S_ROOT_VERSION=$(K3S_ROOT_VERSION) \
-		--tag $(ORG)/hardened-calico:$(TAG) \
-		--tag $(ORG)/hardened-calico:$(TAG)-$(ARCH) \
+		--tag $(IMAGE) \
+		--tag $(IMAGE)-$(ARCH) \
 		--load \
 		.
 
+.PHONY: push-image
+push-image:
+	docker buildx build \
+		--sbom=true \
+		--attest type=provenance,mode=max \
+		--platform=$(TARGET_PLATFORMS) \
+		--build-arg TAG=$(TAG:$(BUILD_META)=) \
+		--build-arg K3S_ROOT_VERSION=$(K3S_ROOT_VERSION) \
+		--outputs type=image,name=$(REGISTRY_IMAGE),push-by-digest=true,name-canonical=true,push=true \
+		--tag $(IMAGE) \
+		--tag $(IMAGE)-$(ARCH) \
+		--label $(META_LABELS) \
+		--push \
+		.
+
 .PHONY: image-push
 image-push:
 	docker push $(ORG)/hardened-calico:$(TAG)-$(ARCH)