209 changes: 91 additions & 118 deletions .github/workflows/build.yml
@@ -346,129 +346,117 @@ jobs:
with:
sarif_file: ${{ env.DESTDIR }}/govulncheck.out

prepare-binaries:
binaries:
uses: docker/github-builder-experimental/.github/workflows/bake.yml@813ea76fdb0a744196f46fd25149937a6dbd42a2
permissions:
contents: read
id-token: write # for signing attestation manifests and registry authentication if needed with GitHub OIDC Token
packages: write # for pushing manifests to GHCR if needed (caller must provide the same permissions used in the reusable workflow)
with:
runner: amd64
target: release
output: local
push: ${{ github.event_name != 'pull_request' }}
artifact-name: buildx
cache: true
cache-scope: binaries
bake-sbom: true

binaries-finalize:
runs-on: ubuntu-24.04
outputs:
matrix: ${{ steps.platforms.outputs.matrix }}
needs:
- binaries
steps:
-
name: Checkout
uses: actions/checkout@v6
name: Download artifacts
uses: actions/download-artifact@v6
with:
path: /tmp/buildx-output
pattern: ${{ needs.binaries.outputs.artifact-name }}*
merge-multiple: true
-
name: Create matrix
id: platforms
name: Rename provenance and sbom
run: |
echo "matrix=$(docker buildx bake binaries-cross --print | jq -cr '.target."binaries-cross".platforms')" >>${GITHUB_OUTPUT}
for pdir in /tmp/buildx-output/*/; do
(
cd "$pdir"
binname=$(find . -name 'buildx-*')
filename=$(basename "${binname%.exe}")
mv "provenance.json" "${filename}.provenance.json"
mv "sbom-binaries.spdx.json" "${filename}.sbom.json"
find . -name 'sbom*.json' -exec rm {} \;
if [ -f "provenance.sigstore.json" ]; then
mv "provenance.sigstore.json" "${filename}.provenance.sigstore.json"
fi
)
done
mkdir -p "${{ env.DESTDIR }}"
mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/"
-
name: Show matrix
name: Create checksums
working-directory: ${{ env.DESTDIR }}
run: |
echo ${{ steps.platforms.outputs.matrix }}

binaries:
runs-on: ubuntu-24.04
needs:
- prepare-binaries
strategy:
fail-fast: false
matrix:
platform: ${{ fromJson(needs.prepare-binaries.outputs.matrix) }}
steps:
sha256sum -b buildx-* > ./checksums.txt
sed -i '/darwin/d' ./checksums.txt
sha256sum -c --strict checksums.txt
-
name: Prepare
name: List artifacts
working-directory: ${{ env.DESTDIR }}
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
name: Checkout
uses: actions/checkout@v6
tree -nh .
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: ${{ env.SETUP_BUILDX_VERSION }}
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
buildkitd-flags: --debug
-
name: Build
name: Check artifacts
working-directory: ${{ env.DESTDIR }}
run: |
make release
env:
PLATFORMS: ${{ matrix.platform }}
CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
find . -type f -exec file -e ascii -- {} +
-
name: Upload artifacts
name: Upload release binaries
uses: actions/upload-artifact@v5
with:
name: buildx-${{ env.PLATFORM_PAIR }}
name: release
path: ${{ env.DESTDIR }}/*
if-no-files-found: error

bin-image:
bin-image-prepare:
runs-on: ubuntu-24.04
outputs:
repo-slug: ${{ env.REPO_SLUG }}
steps:
# FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671
- run: echo "Exposing env vars for reusable workflow"

bin-image:
if: ${{ github.repository == 'docker/buildx' }}
uses: docker/github-builder-experimental/.github/workflows/bake.yml@813ea76fdb0a744196f46fd25149937a6dbd42a2
needs:
- bin-image-prepare
- test-integration
- test-unit
if: ${{ github.event_name != 'pull_request' && github.repository == 'docker/buildx' }}
steps:
-
name: Free disk space
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
with:
android: true
dotnet: true
haskell: true
large-packages: true
swap-storage: true
-
name: Checkout
uses: actions/checkout@v6
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: ${{ env.SETUP_BUILDX_VERSION }}
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
buildkitd-flags: --debug
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.REPO_SLUG }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
bake-target: meta-helper
-
name: Login to DockerHub
if: github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
permissions:
contents: read
id-token: write # for signing attestation manifests and registry authentication if needed with GitHub OIDC Token
packages: write # for pushing manifests to GHCR if needed (caller must provide the same permissions used in the reusable workflow)
with:
runner: amd64
target: image-cross
output: image
push: ${{ github.event_name != 'pull_request' }}
cache: true
cache-scope: bin-image
set-meta-labels: true
meta-images: |
${{ needs.bin-image-prepare.outputs.repo-slug }}
meta-tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
meta-bake-target: meta-helper
bake-sbom: true
secrets:
registry-auths: |
- registry: docker.io
username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
-
name: Build and push image
uses: docker/bake-action@v6
with:
source: .
files: |
./docker-bake.hcl
${{ steps.meta.outputs.bake-file }}
targets: image-cross
push: ${{ github.event_name != 'pull_request' }}
sbom: true
set: |
*.cache-from=type=gha,scope=bin-image
*.cache-to=type=gha,scope=bin-image,mode=max

scout:
runs-on: ubuntu-24.04
@@ -509,29 +497,14 @@ jobs:
needs:
- test-integration
- test-unit
- binaries
- binaries-finalize
steps:
-
name: Checkout
uses: actions/checkout@v6
-
name: Download binaries
name: Download release binaries
uses: actions/download-artifact@v6
with:
path: ${{ env.DESTDIR }}
pattern: buildx-*
merge-multiple: true
-
name: Create checksums
run: ./hack/hash-files
-
name: List artifacts
run: |
tree -nh ${{ env.DESTDIR }}
-
name: Check artifacts
run: |
find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
name: release
-
name: GitHub Release
if: startsWith(github.ref, 'refs/tags/v')
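Review bot: In the `Rename provenance and sbom` step of `binaries-finalize`, `provenance.sigstore.json` is renamed only when it exists, so a run in which signing did not happen still goes on to upload the `release` artifact; the later `sha256sum -c --strict checksums.txt` cannot catch that, because it verifies a file generated two lines earlier from the same downloaded files. If the bundle is expected on tag builds (the `id-token: write` comment suggests signing is intended, but the reusable workflow is not visible here), make its absence fatal there, e.g. `if [ ! -f provenance.sigstore.json ] && [[ "$GITHUB_REF" == refs/tags/v* ]]; then echo "::error::missing sigstore bundle in $pdir"; exit 1; fi`. The same step assumes `find . -name 'buildx-*'` returns exactly one path per platform directory; a short comment stating that, or a guard on the match count, would keep a second match from producing a mangled `filename`.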
4 changes: 0 additions & 4 deletions Makefile
@@ -30,10 +30,6 @@ install: binaries
mkdir -p ~/.docker/cli-plugins
install bin/build/buildx ~/.docker/cli-plugins/docker-buildx

.PHONY: release
release:
./hack/release

.PHONY: validate-all
validate-all: lint test validate-vendor validate-docs

17 changes: 0 additions & 17 deletions hack/hash-files

This file was deleted.

57 changes: 0 additions & 57 deletions hack/release

This file was deleted.