Add support for Docker buildx provenance and sbom generation, closes #…

…135.
ember-nexus · May 12, 2024 · 9deb677 · 9deb677
1 parent 547affe
commit 9deb677
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/.github/workflows/ci-release-package.yml b/.github/workflows/ci-release-package.yml
@@ -112,10 +112,12 @@ jobs:
 
       - name: Build Docker image - AMD
         run: |
-          docker build \
+          docker buildx build \
             --target production \
             --build-arg="VERSION=${{ env.NEW_VERSION }}" \
             --no-cache \
+            --sbom=true \
+            --provenance=true \
             -t api:latest-amd \
             -f ./docker/Dockerfile \
             .
@@ -174,10 +176,12 @@ jobs:
 
       - name: Build Docker image - ARM
         run: |
-          docker build \
+          docker buildx build \
             --target production \
             --build-arg="VERSION=${{ env.NEW_VERSION }}" \
             --no-cache \
+            --sbom=true \
+            --provenance=true \
             -t api:latest-arm \
             -f ./docker/Dockerfile \
             .

diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml
@@ -39,18 +39,22 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Build Docker image - AMD dev
         run: |
-          docker build \
+          docker buildx build \
             --target development \
             --no-cache \
+            --sbom=true \
+            --provenance=true \
             -t api:dev-amd \
             -f ./docker/Dockerfile \
             .
           docker save api:dev-amd | gzip > api-dev-amd.tar.gz
       - name: Build Docker image - AMD prod
         run: |
-          docker build \
+          docker buildx build \
             --target production \
             --build-arg="VERSION=$( cat composer.json | jq -r .version )" \
+            --sbom=true \
+            --provenance=true \
             -t api:prod-amd \
             -f ./docker/Dockerfile \
             .

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix wrong license identifier in Dockerfile, closes #302.
 ### Added
 - Add `requestId` property to all logs to enable finding all logs made during a single request, closes #306.
+- Add support for Docker buildx provenance and sbom generation, closes #135.
 ### Changed
 - Change naming of internal variables to replace `Uuid` with `Id`, because the variables are already type hinted and
   `Id` emerged as a better convention in the ecosystem. Closes #292.