add source policy with deps validation

.github/workflows/build.yml

@@ -150,6 +150,8 @@ jobs:
       target: xx-all
       output: image
       push: ${{ github.event_name != 'pull_request' }}
+      set: |
+        *.args.release=1
       set-meta-labels: true
       meta-images: |
         tonistiigi/xx

.github/workflows/llvm.yml

@@ -50,4 +50,4 @@ jobs:
         name: Build
         uses: docker/bake-action@v6
         with:
-          targets: compiler-rt
+          targets: libcxx

docker-bake.hcl

@@ -98,7 +98,7 @@ target "test-cargo" {
 }
 
 group "validate" {
-    targets = ["shfmt-validate", "shellcheck"]
+    targets = ["shfmt-validate", "shellcheck", "opafmt-validate"]
 }
 
 target "shfmt-validate" {
@@ -118,6 +118,18 @@ target "shellcheck" {
     output = ["type=cacheonly"]
 }
 
+target "opafmt-validate" {
+    dockerfile = "./hack/dockerfiles/opafmt.Dockerfile"
+    target = "validate"
+    output = ["type=cacheonly"]
+}
+
+target "opafmt" {
+    dockerfile = "./hack/dockerfiles/opafmt.Dockerfile"
+    target = "update"
+    output = ["."]
+}
+
 group "default" {
     targets = ["xx-all"]
 }

hack/dockerfiles/opafmt.Dockerfile

@@ -0,0 +1,29 @@
+# syntax=docker/dockerfile:1.23
+# check=error=true
+
+FROM openpolicyagent/opa:1.15.2-static AS opa-bin
+
+FROM alpine AS opafmt
+COPY --from=opa-bin /opa /usr/bin/opa
+WORKDIR /src
+
+FROM opafmt AS generate
+WORKDIR /out
+RUN --mount=target=/src <<EOF
+  set -ex
+  find /src -name '*.rego' -type f | while read -r f; do
+    rel="${f#/src/}"
+    mkdir -p "$(dirname "$rel")"
+    cp -a "$f" "$rel"
+  done
+  opa fmt -w .
+EOF
+
+FROM scratch AS update
+COPY --from=generate /out /
+
+FROM opafmt AS validate
+RUN --mount=type=bind <<EOF
+  set -ex
+  opa fmt --fail -d .
+EOF

hack/dockerfiles/shellcheck.Dockerfile

@@ -1,6 +1,6 @@
-# syntax=docker/dockerfile:1.8
+# syntax=docker/dockerfile:1.23
 # check=error=true
 
-FROM koalaman/shellcheck-alpine:v0.10.0
+FROM koalaman/shellcheck-alpine:v0.11.0
 WORKDIR /src
 RUN --mount=type=bind,src=src shellcheck xx-*

hack/dockerfiles/shfmt.Dockerfile

@@ -1,7 +1,7 @@
-# syntax=docker/dockerfile:1.8
+# syntax=docker/dockerfile:1.23
 # check=error=true
 
-FROM mvdan/shfmt:v3.8.0-alpine AS shfmt
+FROM mvdan/shfmt:v3.13.1-alpine AS shfmt
 WORKDIR /src
 ARG SHFMT_FLAGS="-i 2 -ci"
 

src/Dockerfile

@@ -1,10 +1,10 @@
-# syntax=docker/dockerfile:1.8
+# syntax=docker/dockerfile:1.23
 # check=error=true
 
 ARG TEST_BASE_TYPE=alpine
 ARG TEST_BASE_IMAGE=${TEST_BASE_TYPE}
 ARG TEST_WITH_DARWIN=false
-ARG BATS_VERSION=v1.8.2
+ARG BATS_VERSION=v1.13.0
 
 # build prepares the sources
 FROM --platform=$BUILDPLATFORM alpine AS build

src/Dockerfile.rego

@@ -0,0 +1,72 @@
+package docker
+
+default allow := false
+
+decision := {"allow": allow}
+
+test_matrix := [
+	"centos",
+	"debian",
+	"fedora",
+	"oraclelinux",
+	"redhat/ubi8",
+	"rockylinux/rockylinux",
+	"ubuntu",
+]
+
+allow if {
+	input.local
+	not input.env.args.release == "1"
+}
+
+allow if {
+	input.git.remote == "https://github.com/tonistiigi/xx.git"
+	valid_xx_ref(input.git)
+}
+
+valid_xx_ref(git) if {
+	not git.tagName
+}
+
+valid_xx_ref(git) if {
+	git.isAnnotatedTag
+	git.tag.pgpSignature != null
+}
+
+allow if {
+	input.image.repo == "docker/dockerfile"
+	docker_github_builder(input.image, "moby/buildkit")
+	every sig in input.image.signatures {
+		startswith(sig.signer.sourceRepositoryRef, "refs/tags/dockerfile/")
+		some ts in sig.timestamps
+		ts.type == "Tlog"
+	}
+}
+
+allow if input.image.repo == "alpine"
+
+allow if {
+	input.image.repo in test_matrix
+	startswith(input.env.target, "test-")
+}
+
+allow if {
+	input.image.repo in test_matrix
+	input.env.target == "dev"
+}
+
+# dev helpers
+allow if {
+	input.image.repo == "tonistiigi/bats-assert"
+}
+
+allow if {
+	input.http.url == "https://raw.githubusercontent.com/fsaintjacques/semver-tool/3.4.0/src/semver"
+	input.http.checksum == "sha256:1ff4a97e4d1e389f6f034f7464ac4365f1be2d900e2dc2121e24a6dc239e8991"
+}
+
+allow if {
+	input.git.remote == "https://github.com/bats-core/bats-core.git"
+	input.git.tagName == "v1.13.0"
+	input.git.checksum == "d6a46f2cc2d3025ee3ffb59991c6d93ef903e339"
+}

src/ld/Dockerfile

@@ -1,4 +1,4 @@
-#syntax=docker/dockerfile:1
+#syntax=docker/dockerfile:1.23
 #check=error=true
 
 ARG ALPINE_VERSION=3.22

src/llvm/Dockerfile

@@ -1,4 +1,4 @@
-#syntax=docker/dockerfile:1.8
+#syntax=docker/dockerfile:1.23
 #check=error=true
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx AS xx
@@ -13,7 +13,7 @@ WORKDIR llvm-project/compiler-rt
 ARG TARGETPLATFORM
 RUN xx-apk add gcc g++
 RUN mkdir build && cd build && \
-    cmake $(xx-clang --print-cmake-defines) -DCOMPILER_RT_BUILD_SANITIZERS=OFF -DCOMPILER_RT_BUILD_XRAY=OFF -DCOMPILER_RT_BUILD_LIBFUZZER=OFF -DCOMPILER_RT_BUILD_PROFILE=OFF -DCOMPILER_RT_DEFAULT_TARGET_ONLY=ON -DCMAKE_SYSTEM_NAME=$(xx-info os | awk '{print toupper(substr($0,0,1))tolower(substr($0,2))}') -DCMAKE_LIPO=/usr/bin/llvm-lipo -G Ninja .. && \
+    cmake $(xx-clang --print-cmake-defines) -DCMAKE_POLICY_VERSION_MINIMUM=3.5 -DCOMPILER_RT_BUILD_SANITIZERS=OFF -DCOMPILER_RT_BUILD_XRAY=OFF -DCOMPILER_RT_BUILD_LIBFUZZER=OFF -DCOMPILER_RT_BUILD_PROFILE=OFF -DCOMPILER_RT_DEFAULT_TARGET_ONLY=ON -DCMAKE_SYSTEM_NAME=$(xx-info os | awk '{print toupper(substr($0,0,1))tolower(substr($0,2))}') -DCMAKE_LIPO=/usr/bin/llvm-lipo -G Ninja .. && \
     ninja && mkdir /out && cp -a lib/linux /out/ && \
     cd .. && rm -rf build
 
@@ -31,7 +31,7 @@ ARG LIBCXX_TARGET
 ENV TARGETPLATFORM=${LIBCXX_TARGET}
 RUN xx-apk -v add gcc g++ linux-headers
 RUN mkdir build && cd build && \
-    cmake $(xx-clang --print-cmake-defines) -DLIBCXX_HAS_MUSL_LIBC=ON -G Ninja .. && \
+    cmake $(xx-clang --print-cmake-defines) -DCMAKE_POLICY_VERSION_MINIMUM=3.5 -DLIBCXX_HAS_MUSL_LIBC=ON -G Ninja .. && \
     ninja && mkdir /out && cp -a lib/libc++* /out/ && \
     xx-verify /out/libc++.so && \
     cd .. && rm -rf build

util/bats-assert/Dockerfile

@@ -1,7 +1,7 @@
-#syntax=docker/dockerfile:1.8
+#syntax=docker/dockerfile:1.23
 #check=error=true
 
-ARG ALPINE_VERSION=3.20
+ARG ALPINE_VERSION=3.23
 
 FROM --platform=$BUILDPLATFORM alpine:${ALPINE_VERSION} AS build
 RUN apk add --no-cache git

util/bats-assert/test.bats.golden

@@ -27,5 +27,5 @@ not ok 5 run-fail
 
 The following warnings were encountered during tests:
 BW01: `run`'s command `./foobar` exited with code 127, indicating 'Command not found'. Use run's return code checks, e.g. `run -127`, to fix this message.
-      (from function `run' in file /usr/lib/bats-core/test_functions.bash, line 426,
+      (from function `run' in file /usr/lib/bats-core/test_functions.bash, line 420,
        in test file test.bats, line 15)