// Set automatically when running in GitHub Actions. "meta-target" reads it
// to decide whether to export the result to the local Docker image store.
variable "CI" {
  default = "false"
}

// Forwarded unchanged as the ENCLAVE_EIF build arg of "meta-target".
// NOTE(review): presumably identifies the enclave image file (EIF) consumed
// by docker/Dockerfile; confirm there.
variable "ENCLAVE_EIF" {
  default = ""
}

// Reproducible enclave build variables.
// Forwarded as a build arg to "enclave-meta-target"; the default "0" is the
// Unix epoch.
variable "SOURCE_DATE_EPOCH" {
  default = "0"
}

// Enclave PCR measurements set from nitro-cli describe-eif output.
// NOTE(review): all three default to the empty string and nothing in this
// file rejects an empty value. Whether docker/Dockerfile fails the build or
// produces an image with no expected measurements is not visible here;
// confirm, since an unpinned measurement would defeat attestation checks.
variable "ENCLAVE_PCR0" {
  default = ""
}

variable "ENCLAVE_PCR1" {
  default = ""
}

variable "ENCLAVE_PCR2" {
  default = ""
}
// Empty placeholder so the "inherits" references to this target resolve
// when nothing else defines it.
// NOTE(review): presumably overridden in CI by the bake definition that
// docker/metadata-action generates (tags, labels); confirm in the workflow.
target "docker-metadata-action" {}
// Image names expanded by the matrix targets in this file. Each entry is
// used both as the Dockerfile stage to build and as the bake target name.
variable "IMAGES" {
  default = ["signer", "signer-with-enclave"]
}
// Expands to one "<image>-meta-target" per IMAGES entry, each building the
// stage of docker/Dockerfile that has the same name as the entry.
target "meta-target" {
  matrix = { item = IMAGES }
  name   = "${item}-meta-target"

  context    = "."
  dockerfile = "docker/Dockerfile"
  target     = item

  // Named build context: makes ./docker/certs available to the Dockerfile
  // under the name "certs".
  contexts = {
    certs = "./docker/certs"
  }

  // The EIF reference and the expected PCR values are forwarded to every
  // matrix entry, including plain "signer".
  // NOTE(review): with the variable defaults these are all empty strings;
  // check how docker/Dockerfile treats an empty PCR before shipping an image.
  args = {
    ENCLAVE_EIF  = ENCLAVE_EIF
    ENCLAVE_PCR0 = ENCLAVE_PCR0
    ENCLAVE_PCR1 = ENCLAVE_PCR1
    ENCLAVE_PCR2 = ENCLAVE_PCR2
  }

  // ":latest" is a mutable tag. Anything that must correspond to a measured
  // enclave should be identified by digest or by its PCR values, not this tag.
  tags = ["nitro-enclave-signer/${item}:latest"]

  // Outside CI the image is loaded into the local Docker image store; when
  // CI is true this target sets no output of its own.
  output = CI ? [] : ["type=docker"]
}
// User-facing targets, one per IMAGES entry and named after it. Each
// combines its "<image>-meta-target" with "docker-metadata-action".
// NOTE(review): verify that attributes supplied through
// "docker-metadata-action" in CI (for example tags) combine with the ones
// set in "meta-target" the way the release workflow expects.
target "target" {
  name    = item
  matrix  = { item = IMAGES }
  inherits = [
    "${item}-meta-target",
    "docker-metadata-action",
  ]
}
// A bare "docker buildx bake" builds only "signer". The
// "signer-with-enclave" and "enclave" targets must be requested by name.
group "default" {
  targets = [
    "signer",
  ]
}
// Enclave uses a separate Dockerfile for reproducible builds.
// A reproducible image lets the measurements reported for the enclave be
// re-derived independently from source.
// NOTE(review): reproducibility also depends on what
// docker/Dockerfile.enclave pins (base images, packages); not visible here.
target "enclave-meta-target" {
  context    = "."
  dockerfile = "docker/Dockerfile.enclave"
  target     = "enclave"

  // Named build context: makes ./docker/certs available to the Dockerfile
  // under the name "certs".
  contexts = {
    certs = "./docker/certs"
  }

  // Fixed timestamp source for the build; the variable defaults to "0".
  args = {
    SOURCE_DATE_EPOCH = SOURCE_DATE_EPOCH
  }

  // ":latest" is a mutable tag; identify a specific enclave build by its
  // measurements or digest rather than by this tag.
  tags = ["nitro-enclave-signer/enclave:latest"]

  // rewrite-timestamp requires BuildKit >= 0.13.0
  // Unlike "meta-target", this output is not gated on CI: the image is
  // always exported to the local Docker image store.
  output = ["type=docker,rewrite-timestamp=true"]
}
// User-facing enclave target: the reproducible build settings from
// "enclave-meta-target" combined with "docker-metadata-action".
target "enclave" {
  inherits = [
    "enclave-meta-target",
    "docker-metadata-action",
  ]
}