Add OCI annotations (#917)

cloudposse · Feb 12, 2024 · b0ef0de · b0ef0de
1 parent 3502375
commit b0ef0de
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 5 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -1,5 +1,7 @@
 name: "docker"
 on:
+  workflow_dispatch:
+
   pull_request:
     types: [opened, synchronize, reopened]
   release:
@@ -14,6 +16,7 @@ jobs:
       id-token: write
       contents: read
     env:
+      LATEST_TAG_OS: 'debian'
       IAM_ROLE_SESSION_NAME: geodesic-ci
       AWS_REGION: us-east-1
       ECR_REGISTRY: public.ecr.aws/ # Images will be published to `public.ecr.aws/cloudposse/$repositoryName`
@@ -44,7 +47,6 @@ jobs:
       # We therefore designate whichever base OS version we recommend as the best supported
       # as the one to get the "latest" tag. Initially that will be Alpine.
       env:
-        LATEST_TAG_OS: 'debian'
         BASE_OS: ${{matrix.os}}
 
       run: |
@@ -63,6 +65,8 @@ jobs:
         fi
         printf "Version resolved to %s\n" "${VERSION}"
         echo version=${VERSION} >> $GITHUB_OUTPUT
+        printf "Commit SHA resolved to %s\n" "${COMMIT_SHA}"
+        echo commit_sha=${COMMIT_SHA} >> $GITHUB_OUTPUT
         TAGS="${{ github.repository }}:sha-${COMMIT_SHA:0:7}-${BASE_OS}"
         TAGS="$TAGS,${{ env.ECR_REGISTRY }}${{ github.repository }}:sha-${COMMIT_SHA:0:7}-${BASE_OS}"
         if [[ -n $VERSION ]]; then
@@ -85,6 +89,45 @@ jobs:
           printf "%s\n" "${TAGS}"
           echo tags=${TAGS} >> $GITHUB_OUTPUT
         fi
+    - name: Prepare Metadata for Docker Images
+      id: Metadata
+      uses: docker/metadata-action@v5
+      env:
+        DOCKER_METADATA_PR_HEAD_SHA: true
+        DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+      with:
+        images: |
+          cloudposse/geodesic
+          ${{ env.ECR_REGISTRY }}cloudposse/geodesic
+        flavor: |
+          suffix=-${{ matrix.os }}
+          latest=false
+        # Geodesic's original code is licensed under the Apache 2.0 License (Apache-2.0)
+        # but it contains many other components with different licenses.
+        labels: |
+          org.opencontainers.image.title=Geodesic
+          org.opencontainers.image.description=Geodesic is a DevOps Linux Toolbox in Docker
+          org.opencontainers.image.vendor=Cloud Posse, LLC
+          org.opencontainers.image.licenses=NOASSERTION
+        annotations: |
+          org.opencontainers.image.title=Geodesic
+          org.opencontainers.image.description=Geodesic is a DevOps Linux Toolbox in Docker
+          org.opencontainers.image.vendor=Cloud Posse, LLC
+          org.opencontainers.image.licenses=NOASSERTION
+        tags: |
+          type=semver,pattern={{version}}
+          type=ref,event=pr,prefix=pr-,suffix=-${{matrix.os}}
+          type=sha,prefix=sha-,suffix=-${{matrix.os}}
+          type=raw,value=latest,enable=${{ github.event_name == 'release' && github.event.action == 'published' }}
+          type=raw,value=latest,suffix=,enable=${{ github.event_name == 'release' && github.event.action == 'published' && matrix.os == env.LATEST_TAG_OS }}
+
+    - name: Show metadata
+      run: |
+        printf "Old tags for cloudposse/geodesic\n\n"
+        printf "  %s\n" $(tr , " " <<<'${{ steps.prepare.outputs.tags }}') | sort
+        printf "\n\nNew tags for cloudposse/geodesic\n\n%s\n\n" '${{ steps.Metadata.outputs.tags }}'
+
+
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v3
     - name: Set up Docker Buildx
@@ -99,9 +142,13 @@ jobs:
       id: docker_build
       uses: docker/build-push-action@v5
       with:
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
         push: ${{ steps.prepare.outputs.publish == 'true' }}
         platforms: ${{ steps.prepare.outputs.platforms }}
-        tags: ${{ steps.prepare.outputs.tags }}
+        tags: ${{ steps.Metadata.outputs.tags }}
+        labels: ${{ steps.Metadata.outputs.labels }}
+        annotations: ${{ steps.Metadata.outputs.annotations }}
         file: ./os/${{matrix.os}}/Dockerfile.${{matrix.os}}
         build-args: |
           VERSION=${{ steps.prepare.outputs.version }}
diff --git a/Makefile b/Makefile
@@ -6,7 +6,12 @@ export DOCKER_TAG ?= $(DOCKER_BASE_TAG)-$(DOCKER_BASE_OS)
 export DOCKER_IMAGE_NAME_BASE ?= $(DOCKER_IMAGE):$(DOCKER_BASE_TAG)
 export DOCKER_IMAGE_NAME ?= $(DOCKER_IMAGE):$(DOCKER_TAG)
 export DOCKER_FILE ?= os/$(DOCKER_BASE_OS)/Dockerfile.$(DOCKER_BASE_OS)
-export DOCKER_BUILD_FLAGS = --build-arg DEV_VERSION=$(shell printf "%s/%s" $$(git describe --tags 2>/dev/null || echo "unk") $$(git branch --no-color --show-current || echo "unk"))
+export DOCKER_DEV_BUILD_FLAGS = --build-arg DEV_VERSION=$(shell printf "%s/%s" $$(git describe --tags 2>/dev/null || echo "unk") $$(git branch --no-color --show-current || echo "unk"))
+# Force Alpine build to be amd64, allow Debian build to be alternate platform by setting BUILD_ARCH
+export BUILD_ARCH ?= $(if $(subst alpine,,$(DOCKER_BASE_OS)),,amd64)
+export DOCKER_ARCH_BUILD_FLAGS = $(if $(BUILD_ARCH), --platform=linux/$(BUILD_ARCH),)
+# Set DOCKER_EXTRA_BUILD_FLAGS to add to the default build flags, set DOCKER_BUILD_FLAGS to override
+export DOCKER_BUILD_FLAGS ?= $(DOCKER_EXTRA_BUILD_FLAGS) $(DOCKER_ARCH_BUILD_FLAGS) $(DOCKER_DEV_BUILD_FLAGS)
 export INSTALL_PATH ?= /usr/local/bin
 export APP_NAME ?= geodesic
 

diff --git a/os/alpine/Dockerfile.alpine b/os/alpine/Dockerfile.alpine
@@ -88,6 +88,12 @@ ARG VERSION
 ENV GEODESIC_VERSION=$VERSION
 ENV GEODESIC_OS=alpine
 
+ARG TARGETARCH
+ARG TARGETOS
+RUN [ -n "$TARGETARCH" ] && [ -n "$TARGETOS" ] || (echo "Geodesic must be built with buildkit."; echo "See: https://docs.docker.com/build/buildkit/"; false)
+RUN [ "$TARGETARCH" = "amd64" ] || (echo "Unsupported TARGETARCH: \"$TARGETARCH\"" >&2 && false)
+RUN [ "$TARGETOS" = "linux" ] || (echo "Unsupported TARGETOS: \"$TARGETOS\"" >&2 && false)
+
 # Set XDG environment variables per https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
 # This is not a "multi-user" system, so we'll use special directories under
 # - /etc as the global configuration dir instead of default $HOME/.config

diff --git a/os/debian/Dockerfile.debian b/os/debian/Dockerfile.debian
@@ -66,6 +66,14 @@ ARG VERSION
 ENV GEODESIC_VERSION=$VERSION
 ENV GEODESIC_OS=debian
 
+# TARGETARCH and TARGETOS are defined by buildkit, but not available with other builders
+ARG TARGETARCH
+ARG TARGETOS
+RUN [ -n "$TARGETARCH" ] && [ -n "$TARGETOS" ] || (echo "Geodesic must be built with buildkit."; echo "See: https://docs.docker.com/build/buildkit/"; false)
+RUN [ "$TARGETARCH" = "amd64" ] || [ "$TARGETARCH" = "arm64" ] || (echo "Unsupported TARGETARCH: \"$TARGETARCH\"" && false)
+RUN [ "$TARGETOS" = "linux" ] || (echo "Unsupported TARGETOS: \"$TARGETOS\"" && false)
+
+
 # Set a default terminal to "dumb" (headless) to make `tput` happy when running scripts.
 # When we launch Geodesic for interactive use, we forward the host value of `TERM`
 ENV TERM=dumb
@@ -266,8 +274,6 @@ COPY rootfs/ /
 COPY os/debian/rootfs/ /
 
 
-ARG TARGETARCH
-
 # For certain pagkage we like to have but are not available on arm64,
 # install them on amd64, and link to a stub script on arm64.
 RUN if [ "$TARGETARCH" = "amd64" ]; then \