327 changes: 165 additions & 162 deletions .github/workflows/buildkit.yml
Expand Up @@ -50,60 +50,66 @@ jobs:
fields: platforms

binaries:
uses: docker/github-builder-experimental/.github/workflows/bake.yml@c56377b5e16c21afb2f3ea02f9021a1ed4b51f45
permissions:
contents: read
id-token: write # for signing attestation manifests and registry authentication if needed with GitHub OIDC Token
packages: write # for pushing manifests to GHCR if needed (caller must provide the same permissions used in the reusable workflow)
with:
runner: amd64
target: release
output: local
push: ${{ github.event_name != 'pull_request' }}
artifact-name: buildkit
cache: true
cache-scope: binaries
setup-qemu: true
bake-sbom: true
bake-set: |
*.no-cache-filter=${{ startsWith(github.ref, 'refs/tags/v') && 'gobuild-base' || '' }}

binaries-finalize:
runs-on: ubuntu-24.04
needs:
- prepare
strategy:
fail-fast: false
matrix:
include: ${{ fromJson(needs.prepare.outputs.binaries-platforms) }}
- binaries
steps:
-
name: Prepare
run: |
platform=${{ matrix.platforms }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: ${{ env.SETUP_BUILDX_VERSION }}
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
buildkitd-flags: --debug
-
name: Build
uses: docker/bake-action@v6
name: Download artifacts
uses: actions/download-artifact@v6
with:
# FIXME: remove context once git context with query string implemented in actions-toolkit
source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}
targets: release
provenance: mode=max
sbom: true
set: |
*.platform=${{ matrix.platforms }}
*.cache-from=type=gha,scope=binaries
*.cache-to=type=gha,scope=binaries
*.no-cache-filter=${{ startsWith(github.ref, 'refs/tags/v') && 'gobuild-base' || '' }}
path: /tmp/buildx-output
pattern: ${{ needs.binaries.outputs.artifact-name }}*
merge-multiple: true
-
name: Rename provenance and sbom
run: |
for pdir in /tmp/buildx-output/*/; do
(
cd "$pdir"
binname=$(find . -name 'buildkit-*')
filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
mv "provenance.json" "$(unknown).provenance.json"
mv "sbom-binaries.spdx.json" "$(unknown).sbom.json"
find . -name 'sbom*.json' -exec rm {} \;
if [ -f "provenance.sigstore.json" ]; then
mv "provenance.sigstore.json" "$(unknown).provenance.sigstore.json"
fi
)
done
mkdir -p "${{ env.DESTDIR }}"
mv /tmp/buildx-output/**/* "${{ env.DESTDIR }}/"
-
name: List artifacts
working-directory: ${{ env.DESTDIR }}
run: |
binname=$(find . -name 'buildkit-*')
filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//')
mv "provenance.json" "$(unknown).provenance.json"
mv "sbom-binaries.spdx.json" "$(unknown).sbom.json"
find . -name 'sbom*.json' -exec rm {} \;
tree -nh .
-
name: Upload artifacts
name: Upload release binaries
uses: actions/upload-artifact@v5
with:
name: buildkit-${{ env.PLATFORM_PAIR }}
name: release
path: ${{ env.DESTDIR }}/*
if-no-files-found: error
retention-days: 1

test:
uses: ./.github/workflows/.test.yml
Expand Down Expand Up @@ -164,128 +170,130 @@ jobs:
with:
sarif_file: ${{ env.DESTDIR }}/govulncheck.out

image:
image-prepare:
runs-on: ubuntu-24.04
env:
DEFAULT_BASE: alpine
outputs:
includes: ${{ steps.set.outputs.includes }}
steps:
-
name: Set outputs
id: set
uses: actions/github-script@v8
env:
INPUT_DEFAULT-BASE: alpine
INPUT_REF: ${{ github.ref }}
INPUT_IMAGE-NAME: ${{ env.IMAGE_NAME }}
with:
script: |
const defaultBase = core.getInput('default-base');
const ref = core.getInput('ref');
const imageName = core.getInput('image-name');

function getTagSuffixAndLatest(base, target) {
let tagSuffix = '';
if (target) {
tagSuffix += `-${target}`;
}
if (base && base !== defaultBase) {
tagSuffix += `-${base}`;
}
let tagLatest = '';
if (ref && ref.startsWith('refs/tags/v')) {
const version = ref.replace('refs/tags/', '');
if (/^v[0-9]+\.[0-9]+\.[0-9]+$/.test(version)) {
tagLatest = target ? target : 'latest';
if (base && base !== defaultBase) {
tagLatest += `-${base}`;
}
}
}
return { tagSuffix, tagLatest };
}

const matrix = [
{ base: 'alpine' },
{ base: 'alpine', target: 'rootless'},
{ base: 'ubuntu', buildTags: 'nvidia venus' }
]

for (const entry of matrix) {
const { tagSuffix, tagLatest } = getTagSuffixAndLatest(entry.base, entry.target);
entry.imageName = imageName;
entry.tagSuffix = tagSuffix;
entry.tagLatest = tagLatest;
}

core.info(JSON.stringify(matrix, null, 2));
core.setOutput('includes', JSON.stringify(matrix));

image:
uses: docker/github-builder-experimental/.github/workflows/bake.yml@c56377b5e16c21afb2f3ea02f9021a1ed4b51f45
needs:
- image-prepare
- test
strategy:
fail-fast: false
matrix:
include:
-
base: 'alpine'
-
base: 'alpine'
target: 'rootless'
-
base: 'ubuntu'
build-tags: 'nvidia venus'
steps:
-
name: Prepare
run: |
tagSuffix=""
if [ -n "${{ matrix.target }}" ]; then
tagSuffix="${tagSuffix}-${{ matrix.target }}"
fi
if [ "${{ matrix.base }}" != "$DEFAULT_BASE" ]; then
tagSuffix="${tagSuffix}-${{ matrix.base }}"
fi
echo "TAG_SUFFIX=${tagSuffix}" >> $GITHUB_ENV
if [[ $GITHUB_REF == refs/tags/v* ]]; then
if [[ "${GITHUB_REF#refs/tags/}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
tagLatest=""
if [ -n "${{ matrix.target }}" ]; then
tagLatest=${{ matrix.target }}
else
tagLatest=latest
fi
if [ "${{ matrix.base }}" != "$DEFAULT_BASE" ]; then
tagLatest="${tagLatest}-${{ matrix.base }}"
fi
echo "TAG_LATEST=${tagLatest}" >> $GITHUB_ENV
fi
fi
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: ${{ env.SETUP_BUILDX_VERSION }}
driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
buildkitd-flags: --debug
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.IMAGE_NAME }}
# versioning strategy
## push semver tag v0.24.0
### moby/buildkit:v0.24.0
### moby/buildkit:latest
### moby/buildkit:v0.24.0-rootless
### moby/buildkit:rootless
### moby/buildkit:v0.24.0-ubuntu
### moby/buildkit:latest-ubuntu
## push semver prerelease tag v0.24.0-rc1
### moby/buildkit:v0.24.0-rc1
### moby/buildkit:v0.24.0-rc1-rootless
### moby/buildkit:v0.24.0-rc1-ubuntu
## push on master
### moby/buildkit:master
### moby/buildkit:master-rootless
### moby/buildkit:master-ubuntu
## scheduled event on master
### moby/buildkit:nightly
### moby/buildkit:nightly-rootless
### moby/buildkit:nightly-ubuntu
tags: |
type=schedule,pattern=nightly,suffix=${{ env.TAG_SUFFIX }}
type=ref,event=branch,suffix=${{ env.TAG_SUFFIX }}
type=ref,event=pr,suffix=${{ env.TAG_SUFFIX }}
type=semver,pattern={{raw}},suffix=${{ env.TAG_SUFFIX }}
type=raw,value=${{ env.TAG_LATEST }}
flavor: |
latest=false
annotations: |
org.opencontainers.image.title=BuildKit
org.opencontainers.image.vendor=Moby
bake-target: meta-helper
-
name: Login to DockerHub
if: ${{ github.repository == 'moby/buildkit' && (github.event_name == 'schedule' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }}
uses: docker/login-action@v3
with:
include: ${{ fromJson(needs.image-prepare.outputs.includes) }}
permissions:
contents: read
id-token: write # for signing attestation manifests and registry authentication if needed with GitHub OIDC Token
packages: write # for pushing manifests to GHCR if needed (caller must provide the same permissions used in the reusable workflow)
with:
runner: amd64
target: image-cross
output: image
push: ${{ github.repository == 'moby/buildkit' && (github.event_name == 'schedule' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }}
envs: |
IMAGE_TARGET=${{ matrix.target }}
EXPORT_BASE=${{ matrix.base }}
BUILDKITD_TAGS=${{ matrix.buildTags }}
cache: true
cache-scope: image${{ matrix.target }}-${{ matrix.base }}
set-meta-annotations: true
meta-images: |
${{ matrix.imageName }}
# versioning strategy
## push semver tag v0.24.0
### moby/buildkit:v0.24.0
### moby/buildkit:latest
### moby/buildkit:v0.24.0-rootless
### moby/buildkit:rootless
### moby/buildkit:v0.24.0-ubuntu
### moby/buildkit:latest-ubuntu
## push semver prerelease tag v0.24.0-rc1
### moby/buildkit:v0.24.0-rc1
### moby/buildkit:v0.24.0-rc1-rootless
### moby/buildkit:v0.24.0-rc1-ubuntu
## push on master
### moby/buildkit:master
### moby/buildkit:master-rootless
### moby/buildkit:master-ubuntu
## scheduled event on master
### moby/buildkit:nightly
### moby/buildkit:nightly-rootless
### moby/buildkit:nightly-ubuntu
meta-tags: |
type=schedule,pattern=nightly,suffix=${{ matrix.tagSuffix }}
type=ref,event=branch,suffix=${{ matrix.tagSuffix }}
type=ref,event=pr,suffix=${{ matrix.tagSuffix }}
type=semver,pattern={{raw}},suffix=${{ matrix.tagSuffix }}
type=raw,value=${{ matrix.tagLatest }}
meta-flavor: |
latest=false
meta-annotations: |
org.opencontainers.image.title=BuildKit
org.opencontainers.image.vendor=Moby
meta-bake-target: meta-helper
setup-qemu: true
bake-sbom: true
bake-set: |
*.no-cache-filter=${{ (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) && 'buildkit-export-alpine,buildkit-export-ubuntu,gobuild-base,rootless' || '' }}
secrets:
registry-auths: |
- registry: docker.io
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Build
uses: docker/bake-action@v6
with:
# FIXME: remove context once git context with query string implemented in actions-toolkit
source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}
files: |
./docker-bake.hcl
cwd://${{ steps.meta.outputs.bake-file-tags }}
cwd://${{ steps.meta.outputs.bake-file-annotations }}
targets: image-cross
push: ${{ github.repository == 'moby/buildkit' && (github.event_name == 'schedule' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }}
provenance: mode=max,version=v1
sbom: true
set: |
*.cache-from=type=gha,scope=image${{ matrix.target }}-${{ matrix.base }}
*.cache-to=type=gha,scope=image${{ matrix.target }}-${{ matrix.base }}
*.no-cache-filter=${{ (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) && 'buildkit-export-alpine,buildkit-export-ubuntu,gobuild-base,rootless' || '' }}
env:
IMAGE_TARGET: ${{ matrix.target }}
EXPORT_BASE: ${{ matrix.base }}
BUILDKITD_TAGS: ${{ matrix.build-tags }}

scout:
runs-on: ubuntu-24.04
Expand Down Expand Up @@ -338,20 +346,15 @@ jobs:
contents: write
needs:
- test
- binaries
- binaries-finalize
- image
steps:
-
name: Download artifacts
name: Download release binaries
uses: actions/download-artifact@v6
with:
path: ${{ env.DESTDIR }}
pattern: buildkit-*
merge-multiple: true
-
name: List artifacts
run: |
tree -nh ${{ env.DESTDIR }}
name: release
-
name: GitHub Release
if: startsWith(github.ref, 'refs/tags/v')
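Review bot: The Docker Hub credentials in the `secrets:` block of the `image` job (`registry-auths` carrying `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN`) are now handed to the reusable workflow on every run, whereas the removed `Login to DockerHub` step only executed under the `github.repository == 'moby/buildkit' && (schedule || master || tag)` guard; in the new code that guard survives only on the `push:` input. Unless `bake.yml` itself declines to log in when `push` is false (not visible here), a same-repo `pull_request` run now gives a workflow hosted in `docker/github-builder-experimental` a live Docker Hub token it has no reason to hold, and the SHA pin on the `uses:` line limits but does not remove that exposure. Gate the secret values the same way the push input is gated, e.g. `username: ${{ (github.repository == 'moby/buildkit' && (github.event_name == 'schedule' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v'))) && secrets.DOCKERHUB_USERNAME || '' }}` and the same expression for `password`, so that events which cannot push receive an empty credential. If expressions are not accepted at that position, factor the condition into a `prepare`-style job output and pass the token only when it is true.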