From 6810fa5809dc42a31b5cacf3f7f80ed4aba24257 Mon Sep 17 00:00:00 2001
From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Date: Wed, 3 Aug 2022 09:10:40 -0400
Subject: [PATCH] move docker release into separate release workflow (#862)

---
 .github/workflows/release.yaml | 50 +++++++++++---
 .goreleaser.yaml | 95 --------------------------
 .goreleaser_docker.yaml | 120 +++++++++++++++++++++++++++++++++
 Makefile | 25 +++++++
 4 files changed, 187 insertions(+), 103 deletions(-)
 create mode 100644 .goreleaser_docker.yaml

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 7d865425..89805d2b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -94,10 +94,8 @@ jobs: release: needs: [quality-gate] # due to our code signing process, it's vital that we run our release steps on macOS - runs-on: macos-latest + runs-on: ubuntu-latest steps: - - uses: docker-practice/actions-setup-docker@v1 - - uses: actions/setup-go@v2 with: go-version: ${{ env.GO_VERSION }}
@@ -130,11 +128,6 @@ jobs: - name: Build & publish release artifacts run: make release env: - GHCR_USERNAME: ${{ github.actor }} - GHCR_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - DOCKER_USERNAME: ${{ secrets.TOOLBOX_DOCKER_USER }} - DOCKER_PASSWORD: ${{ secrets.TOOLBOX_DOCKER_PASS }} - # we use a different token than GITHUB_SECRETS to additionally allow updating the homebrew repos GITHUB_TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }} AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
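Review bot: In the `@@ -94,10 +94,8 @@` hunk the context comment `# due to our code signing process, it's vital that we run our release steps on macOS` is left directly above the changed line `runs-on: ubuntu-latest`, so the comment now contradicts the line it describes. The new `release-docker-assets` job added later in this file also states that code signing requires mac-os runners, and the `.goreleaser.yaml` hunk below still runs `./.github/scripts/apple-signing/setup.sh` as a before hook, so if that hook genuinely depends on macOS the runner change looks wrong rather than the comment; if signing no longer needs macOS, drop or rewrite the comment so the next reader is not misled, e.g. `# release runs on linux; docker image publishing lives in release-docker-assets below`. The `release` job's remaining steps continue outside this hunk, so I cannot tell from here which of the two is intended.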
@@ -164,3 +157,44 @@ jobs: with: name: artifacts path: dist/**/* + + release-docker-assets: + needs: [release] + # code signing requires we run on mac-os runners. docker does not come installed on the mac-os runner + # a previous release process installed and configured docker on the mac-os runner which lead to blocked releases + # the anchore tools team opted to break this step out to a separate process to remove this work constraint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-go@v2 + with: + go-version: ${{ env.GO_VERSION }} + + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.TOOLBOX_DOCKER_USER }} + password: ${{ secrets.TOOLBOX_DOCKER_PASS }} + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Restore go cache + id: go-cache + uses: actions/cache@v2.1.3 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go-${{ env.GO_VERSION }}- + + - name: (cache-miss) Bootstrap all project dependencies + if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true' + run: make bootstrap + + - name: Build & Publish docker images + run: make release-docker-assets
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 044e4b2d..8c4d5239 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -2,10 +2,6 @@ release: prerelease: auto draft: false -env: - # required to support multi architecture docker builds - - DOCKER_CLI_EXPERIMENTAL=enabled - before: hooks: - ./.github/scripts/apple-signing/setup.sh {{ .IsSnapshot }}
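Review bot: The bootstrap step's condition `if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'` references a step id `tool-cache` that does not exist in the new `release-docker-assets` job (the only cache step here is `id: go-cache`), so that side of the `||` resolves to an empty value that is never `'true'` and `make bootstrap` runs on every release regardless of the cache; it reads like a copy from the `release` job and should be `if: steps.go-cache.outputs.cache-hit != 'true'`. The job also logs in to `ghcr.io` with `secrets.GITHUB_TOKEN` to push images but declares no `permissions:`; unless a workflow-level block outside this hunk grants it, the push needs `packages: write`, and a job-level `permissions:` with `contents: read` and `packages: write` both makes that requirement explicit and keeps the token scoped to what this job needs. As a style point, `actions/cache@v2.1.3` is pinned to a patch tag while the sibling actions in the same job use major tags (`@v2`); either pin all of them the same way or, for a publishing job, pin to commit SHAs so a moved tag cannot change what runs with the registry credentials.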
@@ -91,94 +87,3 @@ brews: homepage: *website description: *description license: "Apache License 2.0" - -dockers: - - image_templates: - - anchore/grype:debug - - anchore/grype:{{.Tag}}-debug - - ghcr.io/anchore/grype:debug - - ghcr.io/anchore/grype:{{.Tag}}-debug - goarch: amd64 - dockerfile: Dockerfile.debug - use: buildx - build_flag_templates: - - "--platform=linux/amd64" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/grype:debug-arm64v8 - - anchore/grype:{{.Tag}}-debug-arm64v8 - - ghcr.io/anchore/grype:debug-arm64v8 - - ghcr.io/anchore/grype:{{.Tag}}-debug-arm64v8 - goarch: arm64 - dockerfile: Dockerfile.debug - use: buildx - build_flag_templates: - - "--platform=linux/arm64/v8" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/grype:latest - - anchore/grype:{{.Tag}} - - ghcr.io/anchore/grype:latest - - ghcr.io/anchore/grype:{{.Tag}} - goarch: amd64 - dockerfile: Dockerfile - use: buildx - build_flag_templates: - - "--platform=linux/amd64" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/grype:{{.Tag}}-arm64v8 - - ghcr.io/anchore/grype:{{.Tag}}-arm64v8 - goarch: arm64 - dockerfile: Dockerfile.debug - use: buildx - build_flag_templates: - - "--platform=linux/arm64/v8" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - -docker_manifests: - - name_template: anchore/grype:latest - image_templates: - - anchore/grype:{{.Tag}} - - anchore/grype:{{.Tag}}-arm64v8 - - - name_template: anchore/grype:debug - 
image_templates: - - anchore/grype:{{.Tag}}-debug - - anchore/grype:{{.Tag}}-debug-arm64v8 - - - name_template: anchore/grype:{{.Tag}} - image_templates: - - anchore/grype:{{.Tag}} - - anchore/grype:{{.Tag}}-arm64v8 - - - name_template: ghcr.io/anchore/grype:latest - image_templates: - - ghcr.io/anchore/grype:{{.Tag}} - - ghcr.io/anchore/grype:{{.Tag}}-arm64v8 - - - name_template: ghcr.io/anchore/grype:debug - image_templates: - - ghcr.io/anchore/grype:{{.Tag}}-debug - - ghcr.io/anchore/grype:{{.Tag}}-debug-arm64v8 - - - name_template: ghcr.io/anchore/grype:{{.Tag}} - image_templates: - - ghcr.io/anchore/grype:{{.Tag}} - - ghcr.io/anchore/grype:{{.Tag}}-arm64v8 -
diff --git a/.goreleaser_docker.yaml b/.goreleaser_docker.yaml
new file mode 100644
index 00000000..9032272c
--- /dev/null
+++ b/.goreleaser_docker.yaml
@@ -0,0 +1,120 @@ +# Separate docker configuration to isolate docker dependency away from +# mac-os runner on github actions. +release: + disable: true + +env: + # required to support multi architecture docker builds + - DOCKER_CLI_EXPERIMENTAL=enabled + +builds: + - id: linux-build + binary: grype + goos: + - linux + goarch: + - amd64 + - arm64 + # set the modified timestamp on the output binary to the git timestamp to ensure a reproducible build + mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}' + env: &build-env + - CGO_ENABLED=0 + ldflags: &build-ldflags | + -w + -s + -extldflags '-static' + -X github.com/anchore/grype/internal/version.version={{.Version}} + -X github.com/anchore/grype/internal/version.syftVersion={{.Env.SYFT_VERSION}} + -X github.com/anchore/grype/internal/version.gitCommit={{.Commit}} + -X github.com/anchore/grype/internal/version.buildDate={{.Date}} + -X github.com/anchore/grype/internal/version.gitDescription={{.Summary}} + +dockers: + - image_templates: + - anchore/grype:debug + - anchore/grype:{{.Tag}}-debug + - ghcr.io/anchore/grype:debug + - ghcr.io/anchore/grype:{{.Tag}}-debug + goarch: amd64 + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/amd64" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/grype:debug-arm64v8 + - anchore/grype:{{.Tag}}-debug-arm64v8 + - ghcr.io/anchore/grype:debug-arm64v8 + - ghcr.io/anchore/grype:{{.Tag}}-debug-arm64v8 + goarch: arm64 + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/arm64/v8" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/grype:latest + - anchore/grype:{{.Tag}} + - ghcr.io/anchore/grype:latest + - 
ghcr.io/anchore/grype:{{.Tag}} + goarch: amd64 + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/amd64" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/grype:{{.Tag}}-arm64v8 + - ghcr.io/anchore/grype:{{.Tag}}-arm64v8 + goarch: arm64 + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/arm64/v8" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + +docker_manifests: + - name_template: anchore/grype:latest + image_templates: + - anchore/grype:{{.Tag}} + - anchore/grype:{{.Tag}}-arm64v8 + + - name_template: anchore/grype:debug + - anchore/grype:{{.Tag}}-debug + - anchore/grype:{{.Tag}}-debug-arm64v8 + + - name_template: anchore/grype:{{.Tag}} + image_templates: + - anchore/grype:{{.Tag}} + - anchore/grype:{{.Tag}}-arm64v8 + + - name_template: ghcr.io/anchore/grype:latest + image_templates: + - ghcr.io/anchore/grype:{{.Tag}} + - ghcr.io/anchore/grype:{{.Tag}}-arm64v8 + + - name_template: ghcr.io/anchore/grype:debug + image_templates: + - ghcr.io/anchore/grype:{{.Tag}}-debug + - ghcr.io/anchore/grype:{{.Tag}}-debug-arm64v8 + + - name_template: ghcr.io/anchore/grype:{{.Tag}} + image_templates: + - ghcr.io/anchore/grype:{{.Tag}} + - ghcr.io/anchore/grype:{{.Tag}}-arm64v8 +
diff --git a/Makefile b/Makefile
index d50fb1cc..2b46a55f 100644
--- a/Makefile
+++ b/Makefile
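Review bot: The second `docker_manifests` entry in the new `.goreleaser_docker.yaml` is missing its `image_templates:` key — `- name_template: anchore/grype:debug` is followed directly by `- anchore/grype:{{.Tag}}-debug` and `- anchore/grype:{{.Tag}}-debug-arm64v8`, whereas the block removed from `.goreleaser.yaml` above and every other manifest entry in this file has `image_templates:` between the two. Indentation is collapsed on this page, but as the lines read a bare sequence cannot follow a mapping entry at that position, so the config the Makefile concatenates for `release-docker-assets` would fail to parse (or, at best, publish an `anchore/grype:debug` manifest that references no images); the fix is to insert `image_templates:` after `- name_template: anchore/grype:debug`. Separately, the `&build-timestamp`, `&build-env` and `&build-ldflags` anchors on the `linux-build` entry are never aliased anywhere in this file — they look carried over from the main goreleaser config and can be dropped, or a short comment such as `# anchors kept in sync with .goreleaser.yaml` should say why they stay.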
@@ -287,6 +287,31 @@ release: clean-dist CHANGELOG.md ## Build and publish final binaries and packag # upload the version file that supports the application version update check (excluding pre-releases) .github/scripts/update-version-file.sh "$(DISTDIR)" "$(VERSION)" +.PHONY: release-docker-assets +release-docker-assets: + $(call title,Publishing docker release assets) + + # create a config with the dist dir overridden + echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml + cat .goreleaser_docker.yaml >> $(TEMPDIR)/goreleaser.yaml + + bash -c "\ + $(RELEASE_CMD) \ + --config $(TEMPDIR)/goreleaser.yaml \ + --parallelism 1" + +snapshot-docker-assets: # Build snapshot images of docker images that will be published on release + $(call title,Building snapshot docker release assets) + + # create a config with the dist dir overridden + echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml + cat .goreleaser_docker.yaml >> $(TEMPDIR)/goreleaser.yaml + + bash -c "\ + $(SNAPSHOT_CMD) \ + --config $(TEMPDIR)/goreleaser.yaml \ + --parallelism 1" + .PHONY: clean clean: clean-dist clean-snapshot ## Remove previous builds and result reports $(call safe_rm_rf_children,$(RESULTSDIR))
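Review bot: `snapshot-docker-assets` has no `.PHONY` declaration while the sibling `release-docker-assets` added in the same hunk does, so a file named `snapshot-docker-assets` in the checkout would silently satisfy the target; add `.PHONY: snapshot-docker-assets` above it. Its trailing comment also uses a single `#` whereas the existing `release:` target in the hunk header uses `## `, so if the help target extracts `## ` descriptions (I cannot see it from here) this target is omitted from `make help`, and `release-docker-assets` carries no description at all; `release-docker-assets: ## Build and publish docker images` and `snapshot-docker-assets: ## Build snapshot images of docker images that will be published on release` would fix both. The two recipes duplicate the `echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml` / `cat .goreleaser_docker.yaml >> ...` config generation verbatim; a small shared prerequisite target (say one that writes `$(TEMPDIR)/goreleaser.yaml`) would keep them from drifting. The enclosing `release:` recipe begins outside this hunk.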