From 05fdd002b687f08f2322ebbe6ecc7b1dbe1329ff Mon Sep 17 00:00:00 2001 From: CrazyMax <1951866+crazy-max@users.noreply.github.com> Date: Tue, 14 Oct 2025 16:18:59 +0200 Subject: [PATCH] hack: use bake to build buildkit binaries Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> --- .github/workflows/buildkit.yml | 39 +++++++++-------- Makefile | 4 +- hack/release | 78 ---------------------------------- 3 files changed, 25 insertions(+), 96 deletions(-) delete mode 100755 hack/release diff --git a/.github/workflows/buildkit.yml b/.github/workflows/buildkit.yml index 7943d9a91..f07190b2a 100644 --- a/.github/workflows/buildkit.yml +++ b/.github/workflows/buildkit.yml @@ -36,7 +36,7 @@ jobs: prepare: runs-on: ubuntu-24.04 outputs: - platforms-includes: ${{ steps.platforms.outputs.matrix }} + binaries-platforms: ${{ steps.platforms.outputs.matrix }} steps: - name: Checkout @@ -56,21 +56,13 @@ jobs: strategy: fail-fast: false matrix: - include: ${{ fromJson(needs.prepare.outputs.platforms-includes) }} + include: ${{ fromJson(needs.prepare.outputs.binaries-platforms) }} steps: - name: Prepare run: | platform=${{ matrix.platforms }} echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - - name: Checkout - uses: actions/checkout@v5 - with: - fetch-depth: 0 - - - name: Expose GitHub Runtime - uses: crazy-max/ghaction-github-runtime@v3 - name: Set up QEMU uses: docker/setup-qemu-action@v3 
@@ -83,14 +75,27 @@ jobs: buildkitd-flags: --debug - name: Build + uses: docker/bake-action@v6 + with: + # FIXME: remove context once git context with query string implemented in actions-toolkit + source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }} + targets: release + provenance: mode=max + sbom: true + set: | + *.platform=${{ matrix.platforms }} + *.cache-from=type=gha,scope=binaries + *.cache-to=type=gha,scope=binaries + *.no-cache-filter=${{ startsWith(github.ref, 'refs/tags/v') && 'gobuild-base' || '' }} + - + name: Rename provenance and sbom + working-directory: ${{ env.DESTDIR }} run: | - make release - env: - RELEASE: ${{ startsWith(github.ref, 'refs/tags/v') }} - PLATFORMS: ${{ matrix.platforms }} - CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }} - CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + binname=$(find . -name 'buildkit-*') + filename=$(basename "$binname" | sed -E 's/\.(tar\.gz|zip)$//') + mv "provenance.json" "${filename}.provenance.json" + mv "sbom-binaries.spdx.json" "${filename}.sbom.json" + find . -name 'sbom*.json' -exec rm {} \; - name: Upload artifacts uses: actions/upload-artifact@v4 diff --git a/Makefile b/Makefile index 694ae8630..acbbccbf8 100644 --- a/Makefile +++ b/Makefile @@ -32,7 +32,9 @@ install: .PHONY: release release: - ./hack/release + $(BUILDX_CMD) bake release + mv -f $(CURDIR)/bin/release/**/* $(CURDIR)/bin/release/ + find $(CURDIR)/bin/release -type d -empty -delete .PHONY: clean clean: diff --git a/hack/release b/hack/release deleted file mode 100755 index 83a1d054e..000000000 --- a/hack/release +++ /dev/null 
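Review bot: The `source:` input of the new Build step fetches the repository at `${{ github.ref }}`, a branch or tag name that can move between the workflow trigger and the build. The commit that ends up in the release archive and in the `provenance: mode=max` attestation is therefore not guaranteed to be the one that started the run. Pinning the context to the triggering commit, `source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.sha }}`, would close that window, though it should be confirmed that a bare SHA resolves for pull-request merge refs before switching. Separately, the cache scope changed from `binaries-${{ env.PLATFORM_PAIR }}` to a single `binaries` shared by every matrix job, and parallel jobs exporting to one gha scope will probably replace each other's cache. Using `*.cache-to=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}` and the matching `cache-from` keeps them apart.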
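Review bot: The new `release` recipe flattens every platform directory with `mv -f` without first giving the attestation files unique names, which the deleted `hack/release` did per directory before its own move. If the bake target writes `provenance.json` and `sbom-binaries.spdx.json` into each platform directory, as the workflow's rename step implies, a multi-platform `make release` silently keeps only the last copy of each. Consider renaming them per directory before the move, as the workflow step does, or at least refusing to overwrite with `mv -n $(CURDIR)/bin/release/*/* $(CURDIR)/bin/release/`. That leaves colliding files in their subdirectory, where the following `find ... -empty -delete` will not remove them. Note also that make runs recipes with `/bin/sh` unless `SHELL` is set elsewhere in the Makefile, and there `**` matches like `*`, so only one directory level is moved.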
@@ -1,78 +0,0 @@ -#!/usr/bin/env bash - -set -eu -o pipefail - -: "${GITHUB_ACTIONS=}" -: "${GITHUB_REPOSITORY=}" -: "${GITHUB_RUN_ID=}" -: "${GITHUB_TOKEN=}" - -: "${BUILDX_CMD=docker buildx}" -: "${DESTDIR=./bin/release}" -: "${CACHE_FROM=}" -: "${CACHE_TO=}" -: "${RELEASE=false}" -: "${PLATFORMS=}" - -if [ -n "$CACHE_FROM" ]; then - for cfrom in $CACHE_FROM; do - if [[ $cfrom == *"type=gha"* ]]; then - if [[ -n "$GITHUB_REPOSITORY" ]] && [[ $cfrom != *"repository="* ]]; then - cfrom="${cfrom},repository=${GITHUB_REPOSITORY}" - fi - if [[ -n "$GITHUB_TOKEN" ]] && [[ $cfrom != *"ghtoken="* ]]; then - cfrom="${cfrom},ghtoken=${GITHUB_TOKEN}" - fi - fi - setFlags+=(--set "*.cache-from=$cfrom") - done -fi -if [ -n "$CACHE_TO" ]; then - for cto in $CACHE_TO; do - if [[ $cto == *"type=gha"* ]]; then - if [[ -n "$GITHUB_REPOSITORY" ]] && [[ $cto != *"repository="* ]]; then - cto="${cto},repository=${GITHUB_REPOSITORY}" - fi - if [[ -n "$GITHUB_TOKEN" ]] && [[ $cto != *"ghtoken="* ]]; then - cto="${cto},ghtoken=${GITHUB_TOKEN}" - fi - fi - setFlags+=(--set "*.cache-to=$cto") - done -fi -if [ -n "$PLATFORMS" ]; then - setFlags+=(--set "*.platform=$PLATFORMS") -fi -if ${BUILDX_CMD} build --help 2>&1 | grep -- '--attest' >/dev/null; then - prvattrs="mode=max" - if [ "$GITHUB_ACTIONS" = "true" ]; then - prvattrs="$prvattrs,builder-id=https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" - fi - setFlags+=(--set "*.attest=type=sbom") - setFlags+=(--set "*.attest=type=provenance,$prvattrs") -fi -if [[ "$RELEASE" = "true" ]] && [[ "$GITHUB_ACTIONS" = "true" ]]; then - setFlags+=(--set "*.no-cache-filter=gobuild-base") -fi - -output=$(mktemp -d -t buildkit-output.XXXXXXXXXX) - -( - set -x - ${BUILDX_CMD} bake "${setFlags[@]}" --set "*.args.BUILDKIT_MULTI_PLATFORM=true" --set "*.output=$output" release -) - -for pdir in "${output}"/*/; do - ( - cd "$pdir" - releasetar=$(find . 
-name '*.tar.gz') - filename=$(basename "${releasetar%.tar.gz}") - mv "provenance.json" "${filename}.provenance.json" - mv "sbom-binaries.spdx.json" "${filename}.sbom.json" - find . -name 'sbom*.json' -exec rm {} \; - ) -done - -mkdir -p "$DESTDIR" -mv "$output"/**/* "$DESTDIR/" -rm -rf "$output"