From 9deb677e660a362316eb20884f2b9c78d8165ff0 Mon Sep 17 00:00:00 2001
From: Syndesi
Date: Sun, 12 May 2024 19:02:52 +0200
Subject: [PATCH] Add support for Docker buildx provenance and sbom generation, closes #135.
---
 .github/workflows/ci-release-package.yml | 8 ++++++--
 .github/workflows/ci-test.yml | 8 ++++++--
 CHANGELOG.md | 1 +
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci-release-package.yml b/.github/workflows/ci-release-package.yml
index ac4217b4..aa5affd3 100644
--- a/.github/workflows/ci-release-package.yml
+++ b/.github/workflows/ci-release-package.yml
@@ -112,10 +112,12 @@ jobs:
 - name: Build Docker image - AMD
 run: |
- docker build \
+ docker buildx build \
 --target production \
 --build-arg="VERSION=${{ env.NEW_VERSION }}" \
 --no-cache \
+ --sbom=true \
+ --provenance=true \
 -t api:latest-amd \
 -f ./docker/Dockerfile \
 .
@@ -174,10 +176,12 @@ jobs:
 - name: Build Docker image - ARM
 run: |
- docker build \
+ docker buildx build \
 --target production \
 --build-arg="VERSION=${{ env.NEW_VERSION }}" \
 --no-cache \
+ --sbom=true \
+ --provenance=true \
 -t api:latest-arm \
 -f ./docker/Dockerfile \
 .
diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml
index 42c8faf9..9b53a429 100644
--- a/.github/workflows/ci-test.yml
+++ b/.github/workflows/ci-test.yml
@@ -39,18 +39,22 @@ jobs:
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build Docker image - AMD dev
 run: |
- docker build \
+ docker buildx build \
 --target development \
 --no-cache \
+ --sbom=true \
+ --provenance=true \
 -t api:dev-amd \
 -f ./docker/Dockerfile \
 .
 docker save api:dev-amd | gzip > api-dev-amd.tar.gz
 - name: Build Docker image - AMD prod
 run: |
- docker build \
+ docker buildx build \
 --target production \
 --build-arg="VERSION=$( cat composer.json | jq -r .version )" \
+ --sbom=true \
+ --provenance=true \
 -t api:prod-amd \
 -f ./docker/Dockerfile \
 .
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 41e88daa..d5f8deae 100755 
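Review bot: The new `--sbom=true` / `--provenance=true` flags in the AMD release step are attestations, and BuildKit does not support attestations on the default `docker` driver unless the containerd image store is enabled; unless a step earlier in this job (not visible in the hunk) runs `docker buildx create --use` or `docker/setup-buildx-action` to get a `docker-container` builder, this step will now fail instead of producing an image. `--provenance=true` also means `mode=min`, which leaves the Dockerfile, source materials and build args out of the SLSA statement; for a release artifact `--provenance=mode=max` is what downstream verifiers usually want, and the only build arg here is `VERSION`, which carries nothing sensitive. The image is only tagged locally as `api:latest-amd`, and the attestation manifests only survive if the image is pushed or exported from the builder (`--push`, or `--output type=oci,dest=…`), so confirm that whatever step later pushes this tag does not go through a plain `docker push` from the classic image store, where they are dropped.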
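Review bot: `--sbom=true` in the ARM release step runs the default BuildKit scanner image (`docker/buildkit-syft-scanner` on a floating tag) pulled at build time, which puts a mutable, unpinned supply-chain input inside the very step that is meant to prove provenance; pin it by digest with `--sbom=generator=docker/buildkit-syft-scanner@sha256:<digest>` and bump it deliberately. The AMD and ARM steps now carry identical attestation flags that will have to be kept in sync by hand; an env var such as `BUILDX_ATTEST: --sbom=generator=… --provenance=mode=max` expanded in both `run:` scripts, or a single `--platform linux/amd64,linux/arm64` build, would keep them from drifting. Same caveat as the AMD step: this only works on a `docker-container` builder or with the containerd image store, which the hunk does not show being set up.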
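Review bot: In the dev step the attestations are generated and then almost certainly discarded two lines later: `docker save api:dev-amd | gzip > api-dev-amd.tar.gz` exports from the local image store, and when `buildx` loads into the classic store the provenance/SBOM manifests are dropped at load time (with the containerd store they reach the tarball only if `docker save` keeps the whole index, which is worth confirming), so the artifact downstream jobs consume carries no attestation while every CI run pays for an extra syft scan and an unpinned scanner pull. Either keep `--sbom`/`--provenance` for the release workflow only, or export straight from the builder with `--output type=oci,dest=api-dev-amd.tar` so the index, attestations included, is what gets archived. The same applies to the prod step below it, whose image is tagged `api:prod-amd` and, within this hunk, never exported at all.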
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix wrong license identifier in Dockerfile, closes #302.
 ### Added
 - Add `requestId` property to all logs to enable finding all logs made during a single request, closes #306.
+- Add support for Docker buildx provenance and sbom generation, closes #135.
 ### Changed
 - Change naming of internal variables to replace `Uuid` with `Id`, because the variables are already type hinted and `Id` emerged as a better convention in the ecosystem. Closes #292.