diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 62a5730c4..f0bf61ca6 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -97,8 +97,6 @@ jobs: permissions: packages: write steps: - - uses: docker-practice/actions-setup-docker@1.0.8 - - uses: actions/setup-go@v2 with: go-version: ${{ env.GO_VERSION }} @@ -130,11 +128,6 @@ jobs: - name: Build & publish release artifacts run: make release env: - GHCR_USERNAME: ${{ github.actor }} - GHCR_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - DOCKER_USERNAME: ${{ secrets.TOOLBOX_DOCKER_USER }} - DOCKER_PASSWORD: ${{ secrets.TOOLBOX_DOCKER_PASS }} - # we use a different token than GITHUB_SECRETS to additionally allow updating the homebrew repos GITHUB_TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }} AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }} @@ -164,3 +157,28 @@ jobs: with: name: artifacts path: dist/**/* + + release-docker-assets: + needs: [release] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-go@v2 + with: + go-version: ${{ env.GO_VERSION }} + + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.TOOLBOX_DOCKER_USER }} + password: ${{ secrets.TOOLBOX_DOCKER_PASS }} + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build & Publish docker images + run: make release-docker-assets diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 56e6b3651..9361429c9 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -2,10 +2,6 @@ release: prerelease: auto draft: false -env: - # required to support multi architecture docker builds - - DOCKER_CLI_EXPERIMENTAL=enabled - before: hooks: - ./.github/scripts/apple-signing/setup.sh {{ .IsSnapshot }} 
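Review bot: The new `release-docker-assets` job logs in to ghcr.io with `secrets.GITHUB_TOKEN` and pushes images, but it declares no `permissions:` block, whereas the job shown in the first hunk's context (presumably `release`) carries `permissions: packages: write`. Without it the push depends on the repository's default token scope: it fails where that default is read-only and runs with more scope than needed where it is read/write. Adding `permissions:` with `contents: read` and `packages: write` to this job makes the grant explicit. The `packages: write` grant on the original job looks unnecessary now that its GHCR credentials are removed in the second hunk, though the rest of that job is outside the hunk. Since this job handles both sets of registry credentials, pinning `docker/login-action@v2` and the other actions to full commit SHAs rather than mutable tags is also worth considering.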
@@ -97,160 +93,3 @@ brews: homepage: *website description: *description license: "Apache License 2.0" - -dockers: - - image_templates: - - anchore/syft:debug - - anchore/syft:{{.Tag}}-debug - - ghcr.io/anchore/syft:debug - - ghcr.io/anchore/syft:{{.Tag}}-debug - goarch: amd64 - dockerfile: Dockerfile.debug - use: buildx - build_flag_templates: - - "--platform=linux/amd64" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:debug-arm64v8 - - anchore/syft:{{.Tag}}-debug-arm64v8 - - ghcr.io/anchore/syft:debug-arm64v8 - - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 - goarch: arm64 - dockerfile: Dockerfile.debug - use: buildx - build_flag_templates: - - "--platform=linux/arm64/v8" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:debug-ppc64le - - anchore/syft:{{.Tag}}-debug-ppc64le - - ghcr.io/anchore/syft:debug-ppc64le - - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le - goarch: ppc64le - dockerfile: Dockerfile.debug - use: buildx - build_flag_templates: - - "--platform=linux/ppc64le" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:debug-s390x - - anchore/syft:{{.Tag}}-debug-s390x - - ghcr.io/anchore/syft:debug-s390x - - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x - goarch: s390x - dockerfile: Dockerfile.debug - use: buildx - build_flag_templates: - - "--platform=linux/s390x" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:latest - - anchore/syft:{{.Tag}} - - 
ghcr.io/anchore/syft:latest - - ghcr.io/anchore/syft:{{.Tag}} - goarch: amd64 - dockerfile: Dockerfile - use: buildx - build_flag_templates: - - "--platform=linux/amd64" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:{{.Tag}}-arm64v8 - - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 - goarch: arm64 - dockerfile: Dockerfile - use: buildx - build_flag_templates: - - "--platform=linux/arm64/v8" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:{{.Tag}}-ppc64le - - ghcr.io/anchore/syft:{{.Tag}}-ppc64le - goarch: ppc64le - dockerfile: Dockerfile - use: buildx - build_flag_templates: - - "--platform=linux/ppc64le" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - - - image_templates: - - anchore/syft:{{.Tag}}-s390x - - ghcr.io/anchore/syft:{{.Tag}}-s390x - goarch: s390x - dockerfile: Dockerfile - use: buildx - build_flag_templates: - - "--platform=linux/s390x" - - "--build-arg=BUILD_DATE={{.Date}}" - - "--build-arg=BUILD_VERSION={{.Version}}" - - "--build-arg=VCS_REF={{.FullCommit}}" - - "--build-arg=VCS_URL={{.GitURL}}" - -docker_manifests: - - name_template: anchore/syft:latest - image_templates: - - anchore/syft:{{.Tag}} - - anchore/syft:{{.Tag}}-arm64v8 - - anchore/syft:{{.Tag}}-ppc64le - - anchore/syft:{{.Tag}}-s390x - - - name_template: anchore/syft:debug - - anchore/syft:{{.Tag}}-debug - - anchore/syft:{{.Tag}}-debug-arm64v8 - - anchore/syft:{{.Tag}}-debug-ppc64le - - anchore/syft:{{.Tag}}-debug-s390x - - - name_template: anchore/syft:{{.Tag}} - image_templates: - - anchore/syft:{{.Tag}} - - anchore/syft:{{.Tag}}-arm64v8 - - 
anchore/syft:{{.Tag}}-ppc64le - - anchore/syft:{{.Tag}}-s390x - - - name_template: ghcr.io/anchore/syft:latest - image_templates: - - ghcr.io/anchore/syft:{{.Tag}} - - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 - - ghcr.io/anchore/syft:{{.Tag}}-ppc64le - - ghcr.io/anchore/syft:{{.Tag}}-s390x - - - name_template: ghcr.io/anchore/syft:debug - image_templates: - - ghcr.io/anchore/syft:{{.Tag}}-debug - - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 - - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le - - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x - - - name_template: ghcr.io/anchore/syft:{{.Tag}} - image_templates: - - ghcr.io/anchore/syft:{{.Tag}} - - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 - - ghcr.io/anchore/syft:{{.Tag}}-ppc64le - - ghcr.io/anchore/syft:{{.Tag}}-s390x diff --git a/.goreleaser_docker.yaml b/.goreleaser_docker.yaml new file mode 100644 index 000000000..204cf6e91 --- /dev/null +++ b/.goreleaser_docker.yaml 
@@ -0,0 +1,190 @@ +# Separate docker configuration to isolate docker dependency away from +# mac-os runner on github actions. +# See: +# https://github.com/anchore/syft/issues/577 +# https://github.com/anchore/syft/issues/519 +# https://github.com/anchore/syft/issues/576 +env: + # required to support multi architecture docker builds + - DOCKER_CLI_EXPERIMENTAL=enabled + +builds: + - id: linux-build + dir: ./cmd/syft + binary: syft + goos: + - linux + goarch: + - amd64 + - arm64 + - ppc64le + - s390x + # set the modified timestamp on the output binary to the git timestamp to ensure a reproducible build + mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}' + env: &build-env + - CGO_ENABLED=0 + ldflags: &build-ldflags | + -w + -s + -extldflags '-static' + -X github.com/anchore/syft/internal/version.version={{.Version}} + -X github.com/anchore/syft/internal/version.gitCommit={{.Commit}} + -X github.com/anchore/syft/internal/version.buildDate={{.Date}} + -X github.com/anchore/syft/internal/version.gitDescription={{.Summary}} + +dockers: + - image_templates: + - anchore/syft:debug + - anchore/syft:{{.Tag}}-debug + - ghcr.io/anchore/syft:debug + - ghcr.io/anchore/syft:{{.Tag}}-debug + goarch: amd64 + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/amd64" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:debug-arm64v8 + - anchore/syft:{{.Tag}}-debug-arm64v8 + - ghcr.io/anchore/syft:debug-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 + goarch: arm64 + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/arm64/v8" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:debug-ppc64le + - 
anchore/syft:{{.Tag}}-debug-ppc64le + - ghcr.io/anchore/syft:debug-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le + goarch: ppc64le + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/ppc64le" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:debug-s390x + - anchore/syft:{{.Tag}}-debug-s390x + - ghcr.io/anchore/syft:debug-s390x + - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x + goarch: s390x + dockerfile: Dockerfile.debug + use: buildx + build_flag_templates: + - "--platform=linux/s390x" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:latest + - anchore/syft:{{.Tag}} + - ghcr.io/anchore/syft:latest + - ghcr.io/anchore/syft:{{.Tag}} + goarch: amd64 + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/amd64" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 + goarch: arm64 + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/arm64/v8" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-ppc64le + goarch: ppc64le + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/ppc64le" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - 
"--build-arg=VCS_URL={{.GitURL}}" + + - image_templates: + - anchore/syft:{{.Tag}}-s390x + - ghcr.io/anchore/syft:{{.Tag}}-s390x + goarch: s390x + dockerfile: Dockerfile + use: buildx + build_flag_templates: + - "--platform=linux/s390x" + - "--build-arg=BUILD_DATE={{.Date}}" + - "--build-arg=BUILD_VERSION={{.Version}}" + - "--build-arg=VCS_REF={{.FullCommit}}" + - "--build-arg=VCS_URL={{.GitURL}}" + +docker_manifests: + - name_template: anchore/syft:latest + image_templates: + - anchore/syft:{{.Tag}} + - anchore/syft:{{.Tag}}-arm64v8 + - anchore/syft:{{.Tag}}-ppc64le + - anchore/syft:{{.Tag}}-s390x + + - name_template: anchore/syft:debug + - anchore/syft:{{.Tag}}-debug + - anchore/syft:{{.Tag}}-debug-arm64v8 + - anchore/syft:{{.Tag}}-debug-ppc64le + - anchore/syft:{{.Tag}}-debug-s390x + + - name_template: anchore/syft:{{.Tag}} + image_templates: + - anchore/syft:{{.Tag}} + - anchore/syft:{{.Tag}}-arm64v8 + - anchore/syft:{{.Tag}}-ppc64le + - anchore/syft:{{.Tag}}-s390x + + - name_template: ghcr.io/anchore/syft:latest + image_templates: + - ghcr.io/anchore/syft:{{.Tag}} + - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-s390x + + - name_template: ghcr.io/anchore/syft:debug + image_templates: + - ghcr.io/anchore/syft:{{.Tag}}-debug + - ghcr.io/anchore/syft:{{.Tag}}-debug-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-debug-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-debug-s390x + + - name_template: ghcr.io/anchore/syft:{{.Tag}} + image_templates: + - ghcr.io/anchore/syft:{{.Tag}} + - ghcr.io/anchore/syft:{{.Tag}}-arm64v8 + - ghcr.io/anchore/syft:{{.Tag}}-ppc64le + - ghcr.io/anchore/syft:{{.Tag}}-s390x diff --git a/Makefile b/Makefile index 41e460035..b67f97406 100644 --- a/Makefile +++ b/Makefile 
@@ -263,6 +263,18 @@ snapshot-with-signing: ## Build snapshot release binaries and packages (with dum # remove the keychain with the trusted self-signed cert automatically .github/scripts/apple-signing/cleanup.sh +snapshot-docker-assets: # Build snapshot images of docker images that will be published on release + $(call title,Building snapshot docker release assets) + + # create a config with the dist dir overridden + echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml + cat .goreleaser_docker.yaml >> $(TEMPDIR)/goreleaser.yaml + + bash -c "\ + $(SNAPSHOT_CMD) \ + --config $(TEMPDIR)/goreleaser.yaml \ + --parallelism 1" + # note: we cannot clean the snapshot directory since the pipeline builds the snapshot separately .PHONY: compare-mac compare-mac: $(RESULTSDIR) $(SNAPSHOTDIR) ## Run compare tests on build snapshot binaries and packages (Mac) @@ -342,6 +354,18 @@ release: clean-dist CHANGELOG.md ## Build and publish final binaries and packag # upload the version file that supports the application version update check (excluding pre-releases) .github/scripts/update-version-file.sh "$(DISTDIR)" "$(VERSION)" +.PHONY: release-docker-assets +release-docker-assets: + $(call title,Publishing docker release assets) + + # create a config with the dist dir overridden + echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml + cat .goreleaser_docker.yaml >> $(TEMPDIR)/goreleaser.yaml + + bash -c "\ + $(RELEASE_CMD) \ + --config $(TEMPDIR)/goreleaser.yaml \ + --parallelism 1" .PHONY: clean clean: clean-dist clean-snapshot clean-test-image-cache ## Remove previous builds, result reports, and test cache
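Review bot: `snapshot-docker-assets` is not declared `.PHONY` and introduces its description with a single `#`, while the neighbouring targets visible in the context (`snapshot-with-signing`, `release`, `clean`) use `##` for help text. `release-docker-assets` in the second hunk has `.PHONY` but no description at all, so I would add `.PHONY: snapshot-docker-assets` and a `## ...` description to both. The snapshot recipe also writes `dist: $(DISTDIR)` into the generated config; if the other snapshot targets use `$(SNAPSHOTDIR)` (not visible in this hunk), this one should match so a snapshot build does not land in the release output directory. Both recipes write `$(TEMPDIR)/goreleaser.yaml` without listing `$(TEMPDIR)` as a prerequisite, and `release-docker-assets` omits the `clean-dist` prerequisite that `release` has. That is harmless on a fresh CI runner but can fail or reuse stale output in a local run.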