feat: use toolhive v0.2.4 with Dockerfile generation and add SBOM, provenance, and multi-arch support

- Updated toolhive to v0.2.4 to use new --dry-run functionality
- Modified main.go to always generate Dockerfiles instead of building
- Updated GitHub workflow to use Docker Buildx for building
- Added SBOM generation for supply chain transparency
- Added provenance attestation for build verification
- Added multi-architecture support (linux/amd64, linux/arm64)
- Improved build caching with GitHub Actions cache

Author: JAORMX

.github/workflows/build-containers.yml

@@ -105,6 +105,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write  # Needed for provenance attestation
 
     steps:
       - name: Checkout repository
@@ -115,6 +116,9 @@ jobs:
         with:
           go-version: '1.24'
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
 
@@ -139,37 +143,77 @@ jobs:
           # Extract server name from filename (without .yaml extension)
           server_name=$(basename "$config_file" .yaml)
           echo "server_name=$server_name" >> $GITHUB_OUTPUT
+          
+          # Generate image name
+          image_name="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/${protocol}/${server_name}"
+          echo "image_name=$image_name" >> $GITHUB_OUTPUT
 
-      - name: Build and capture container info
-        id: build
+      - name: Generate Dockerfile
+        id: dockerfile
         run: |
-          echo "Building container for ${{ steps.meta.outputs.config_file }}"
+          echo "Generating Dockerfile for ${{ steps.meta.outputs.config_file }}"
           
-          # Capture the output which includes the built image name
-          output=$(go run main.go -config "${{ steps.meta.outputs.config_file }}" 2>&1)
-          echo "$output"
+          # Create a temporary directory for the Dockerfile
+          dockerfile_dir=$(mktemp -d)
+          dockerfile_path="${dockerfile_dir}/Dockerfile"
           
-          # Extract the image name from the last line of output
-          image_name=$(echo "$output" | grep "Successfully built container image:" | sed 's/Successfully built container image: //')
-          echo "image_name=$image_name" >> $GITHUB_OUTPUT
-          echo "Captured built image: $image_name"
+          # Generate the Dockerfile using our tool
+          go run main.go -config "${{ steps.meta.outputs.config_file }}" -output "${dockerfile_path}"
+          
+          echo "dockerfile_dir=$dockerfile_dir" >> $GITHUB_OUTPUT
+          echo "dockerfile_path=$dockerfile_path" >> $GITHUB_OUTPUT
+          
+          # Display the generated Dockerfile for debugging
+          echo "Generated Dockerfile:"
+          cat "${dockerfile_path}"
 
-      - name: Push container image
-        if: github.event_name != 'pull_request' && steps.build.outputs.image_name != ''
-        run: |
-          image_name="${{ steps.build.outputs.image_name }}"
-          echo "Pushing image: $image_name"
-          docker push "$image_name"
+      - name: Extract metadata for Docker
+        id: docker-meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
+        with:
+          images: ${{ steps.meta.outputs.image_name }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,prefix={{branch}}-
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6
+        with:
+          context: ${{ steps.dockerfile.outputs.dockerfile_dir }}
+          file: ${{ steps.dockerfile.outputs.dockerfile_path }}
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.docker-meta.outputs.tags }}
+          labels: ${{ steps.docker-meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          sbom: true
+          provenance: true
+          annotations: |
+            org.opencontainers.image.title=${{ steps.meta.outputs.server_name }}
+            org.opencontainers.image.description=MCP server for ${{ steps.meta.outputs.server_name }}
+            org.opencontainers.image.vendor=Stacklok
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
 
       - name: Generate image summary
         run: |
           echo "## Container Build Summary" >> $GITHUB_STEP_SUMMARY
           echo "- **Config**: ${{ steps.meta.outputs.config_file }}" >> $GITHUB_STEP_SUMMARY
           echo "- **Protocol**: ${{ steps.meta.outputs.protocol }}" >> $GITHUB_STEP_SUMMARY
           echo "- **Server**: ${{ steps.meta.outputs.server_name }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Image**: ${{ steps.build.outputs.image_name }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Image**: ${{ steps.meta.outputs.image_name }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Platforms**: linux/amd64, linux/arm64" >> $GITHUB_STEP_SUMMARY
+          echo "- **SBOM**: ✅ Included" >> $GITHUB_STEP_SUMMARY
+          echo "- **Provenance**: ✅ Attested" >> $GITHUB_STEP_SUMMARY
           if [ "${{ github.event_name }}" != "pull_request" ]; then
             echo "- **Status**: ✅ Built and pushed" >> $GITHUB_STEP_SUMMARY
+            echo "- **Tags**:" >> $GITHUB_STEP_SUMMARY
+            echo "${{ steps.docker-meta.outputs.tags }}" | sed 's/^/  - /' >> $GITHUB_STEP_SUMMARY
           else
             echo "- **Status**: ✅ Built (not pushed - PR)" >> $GITHUB_STEP_SUMMARY
           fi
@@ -189,6 +233,11 @@ jobs:
           
           if [ "${{ needs.build-containers.result }}" == "success" ]; then
             echo "- **Build Status**: ✅ All changed containers built successfully" >> $GITHUB_STEP_SUMMARY
+            echo "- **Features**:" >> $GITHUB_STEP_SUMMARY
+            echo "  - 🏗️ Multi-architecture support (amd64, arm64)" >> $GITHUB_STEP_SUMMARY
+            echo "  - 📦 SBOM (Software Bill of Materials) included" >> $GITHUB_STEP_SUMMARY
+            echo "  - 🔐 Provenance attestation for supply chain security" >> $GITHUB_STEP_SUMMARY
+            echo "  - 🚀 GitHub Actions cache for faster builds" >> $GITHUB_STEP_SUMMARY
           elif [ "${{ needs.build-containers.result }}" == "failure" ]; then
             echo "- **Build Status**: ❌ Some containers failed to build" >> $GITHUB_STEP_SUMMARY
           elif [ "${{ needs.build-containers.result }}" == "skipped" ]; then

go.mod

@@ -5,7 +5,7 @@ go 1.24.1
 toolchain go1.24.6
 
 require (
-	github.com/stacklok/toolhive v0.2.3
+	github.com/stacklok/toolhive v0.2.4
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -18,7 +18,7 @@ require (
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
-	github.com/cedar-policy/cedar-go v1.2.5 // indirect
+	github.com/cedar-policy/cedar-go v1.2.6 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect

go.sum

@@ -16,8 +16,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
 github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
-github.com/cedar-policy/cedar-go v1.2.5 h1:JDyW1DrXR2f27bRIaS1mPWYULnZsCzi/Jjh397vxvoU=
-github.com/cedar-policy/cedar-go v1.2.5/go.mod h1:h5+3CVW1oI5LXVskJG+my9TFCYI5yjh/+Ul3EJie6MI=
+github.com/cedar-policy/cedar-go v1.2.6 h1:q6f1sRxhoBG7lnK/fH6oBG33ruf2yIpcfcPXNExANa0=
+github.com/cedar-policy/cedar-go v1.2.6/go.mod h1:h5+3CVW1oI5LXVskJG+my9TFCYI5yjh/+Ul3EJie6MI=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -217,8 +217,8 @@ github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
 github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
-github.com/stacklok/toolhive v0.2.3 h1:Nt0i1130kw02RXN2wlgz86eDNZXjDkKVctFmM+V9CbY=
-github.com/stacklok/toolhive v0.2.3/go.mod h1:WXyTC0mvg39DAbTdvT5FSsflq7MydcEZwpphxJD7e/A=
+github.com/stacklok/toolhive v0.2.4 h1:09q5WpXBkUo5HqBwul2GbI9A34bw0GC0MwxtOktGtC0=
+github.com/stacklok/toolhive v0.2.4/go.mod h1:eKmvhxewyIJ/BLR3ZbNnTsosqAVmSAY7l+PVcrJlnbM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=

main.go

@@ -59,6 +59,7 @@ func main() {
 	var (
 		configFile = flag.String("config", "", "Path to the YAML configuration file")
 		outputTag  = flag.String("tag", "", "Custom container image tag (optional)")
+		output     = flag.String("output", "", "Output file for Dockerfile (optional, defaults to stdout)")
 	)
 	flag.Parse()
 
@@ -72,14 +73,24 @@ func main() {
 		log.Fatalf("Failed to load configuration: %v", err)
 	}
 
-	// Build the container image
+	// Generate Dockerfile
 	ctx := context.Background()
-	imageName, err := buildMCPServerContainer(ctx, spec, *outputTag)
+	dockerfile, err := generateDockerfile(ctx, spec, *outputTag)
 	if err != nil {
-		log.Fatalf("Failed to build container: %v", err)
+		log.Fatalf("Failed to generate Dockerfile: %v", err)
 	}
 
-	fmt.Printf("Successfully built container image: %s\n", imageName)
+	// Output Dockerfile
+	if *output != "" {
+		// Write to file
+		if err := os.WriteFile(*output, []byte(dockerfile), 0644); err != nil {
+			log.Fatalf("Failed to write Dockerfile to %s: %v", *output, err)
+		}
+		fmt.Printf("Dockerfile written to: %s\n", *output)
+	} else {
+		// Output to stdout
+		fmt.Print(dockerfile)
+	}
 }
 
 // validateConfigPath ensures the config path is safe and within expected directories
@@ -148,8 +159,8 @@ func loadMCPServerSpec(configPath string) (*MCPServerSpec, error) {
 	return &spec, nil
 }
 
-// buildMCPServerContainer builds a container image using toolhive's library
-func buildMCPServerContainer(ctx context.Context, spec *MCPServerSpec, customTag string) (string, error) {
+// generateDockerfile generates a Dockerfile using toolhive's library
+func generateDockerfile(ctx context.Context, spec *MCPServerSpec, customTag string) (string, error) {
 	// Create the protocol scheme string
 	packageRef := spec.Spec.Package
 	if spec.Spec.Version != "" {
@@ -166,19 +177,20 @@ func buildMCPServerContainer(ctx context.Context, spec *MCPServerSpec, customTag
 	// Create image manager
 	imageManager := images.NewImageManager(ctx)
 
-	// Build the image using toolhive's BuildFromProtocolSchemeWithName function
-	imageName, err := runner.BuildFromProtocolSchemeWithName(
+	// Generate Dockerfile using toolhive's BuildFromProtocolSchemeWithName function with dryRun=true
+	dockerfile, err := runner.BuildFromProtocolSchemeWithName(
 		ctx,
 		imageManager,
 		protocolScheme,
 		"", // caCertPath - empty for now
 		imageTag,
+		true, // always dryRun to generate Dockerfile
 	)
 	if err != nil {
-		return "", fmt.Errorf("failed to build from protocol scheme %s: %w", protocolScheme, err)
+		return "", fmt.Errorf("failed to generate Dockerfile for protocol scheme %s: %w", protocolScheme, err)
 	}
 
-	return imageName, nil
+	return dockerfile, nil
 }
 
 // generateImageTag creates a container image tag based on the repository structure