hack: use bake to build buildkit images

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2026-06-30 19:57:39 +00:00 · 2025-08-14 16:13:32 +02:00
parent 399c615e50
commit 1fa57ee945
5 changed files with 129 additions and 169 deletions
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -30,45 +30,24 @@ env:
  SETUP_BUILDKIT_IMAGE: "moby/buildkit:latest"
  SCOUT_VERSION: "1.13.0"
  IMAGE_NAME: "moby/buildkit"
-  PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm64,linux/s390x,linux/ppc64le,linux/riscv64"
  DESTDIR: "./bin"

 jobs:
  prepare:
    runs-on: ubuntu-24.04
    outputs:
-      tag: ${{ steps.prep.outputs.tag }}
-      push: ${{ steps.prep.outputs.push }}
-      platforms: ${{ steps.prep.outputs.platforms }}
+      platforms-includes: ${{ steps.platforms.outputs.matrix }}
    steps:
      -
        name: Checkout
        uses: actions/checkout@v5
      -
-        name: Prepare
-        id: prep
-        run: |
-          TAG=pr
-          PUSH=false
-          if [ "${{ github.event_name }}" = "schedule" ]; then
-            TAG=nightly
-            PUSH=push
-          elif [[ $GITHUB_REF == refs/tags/v* ]]; then
-            TAG=${GITHUB_REF#refs/tags/}
-            PUSH=push
-          elif [[ $GITHUB_REF == refs/heads/* ]]; then
-            TAG=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')
-            if [ $GITHUB_REF = "refs/heads/${{ github.event.repository.default_branch }}" ]; then
-              PUSH=push
-            fi
-          fi
-          if [ "$GITHUB_REPOSITORY" != "moby/buildkit" ]; then
-            PUSH=false
-          fi
-          echo "tag=${TAG}" >>${GITHUB_OUTPUT}
-          echo "push=${PUSH}" >>${GITHUB_OUTPUT}
-          platforms=$(docker buildx bake release --print | jq -cr '.target."release".platforms')
-          echo "platforms=$platforms" >>${GITHUB_OUTPUT}
+        name: Platforms matrix
+        id: platforms
+        uses: docker/bake-action/subaction/matrix@v6
+        with:
+          target: release
+          fields: platforms

  binaries:
    runs-on: ubuntu-24.04
@@ -77,12 +56,12 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        platform: ${{ fromJson(needs.prepare.outputs.platforms) }}
+        include: ${{ fromJson(needs.prepare.outputs.platforms-includes) }}
    steps:
      -
        name: Prepare
        run: |
-          platform=${{ matrix.platform }}
+          platform=${{ matrix.platforms }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      -
        name: Checkout
@@ -108,7 +87,7 @@ jobs:
          make release
        env:
          RELEASE: ${{ startsWith(github.ref, 'refs/tags/v') }}
-          PLATFORMS: ${{ matrix.platform }}
+          PLATFORMS: ${{ matrix.platforms }}
          CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
          CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -183,21 +162,29 @@ jobs:
  image:
    runs-on: ubuntu-24.04
    needs:
-      - prepare
      - test
    strategy:
      fail-fast: false
      matrix:
-        target-stage:
+        target:
          - ''
          - rootless
    steps:
      -
-        name: Checkout
-        uses: actions/checkout@v5
-      -
-        name: Expose GitHub Runtime
-        uses: crazy-max/ghaction-github-runtime@v3
+        name: Prepare
+        run: |
+          if [ -n "${{ matrix.target }}" ]; then
+            echo "TAG_SUFFIX=-${{ matrix.target }}" >> $GITHUB_ENV
+          fi
+          if [[ $GITHUB_REF == refs/tags/v* ]]; then
+            if [[ "${GITHUB_REF#refs/tags/}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+              if [ -n "${{ matrix.target }}" ]; then
+                echo "TAG_LATEST=${{ matrix.target }}" >> $GITHUB_ENV
+              else
+                echo "TAG_LATEST=latest" >> $GITHUB_ENV
+              fi
+            fi
+          fi
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
@@ -208,23 +195,67 @@ jobs:
          version: ${{ env.SETUP_BUILDX_VERSION }}
          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
          buildkitd-flags: --debug
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.IMAGE_NAME }}
+          # versioning strategy
+          ## push semver tag v0.24.0
+          ### moby/buildkit:v0.24.0
+          ### moby/buildkit:latest
+          ### moby/buildkit:v0.24.0-rootless
+          ### moby/buildkit:rootless
+          ## push semver prerelease tag v0.24.0-rc1
+          ### moby/buildkit:v0.24.0-rc1
+          ### moby/buildkit:v0.24.0-rc1-rootless
+          ## push on master
+          ### moby/buildkit:master
+          ### moby/buildkit:master-rootless
+          ## scheduled event on master
+          ### moby/buildkit:nightly
+          ### moby/buildkit:nightly-rootless
+          tags: |
+            type=schedule,pattern=nightly,suffix=${{ env.TAG_SUFFIX }}
+            type=ref,event=branch,suffix=${{ env.TAG_SUFFIX }}
+            type=ref,event=pr,suffix=${{ env.TAG_SUFFIX }}
+            type=semver,pattern={{raw}},suffix=${{ env.TAG_SUFFIX }}
+            type=raw,value=${{ env.TAG_LATEST }}
+          flavor: |
+            latest=false
+          annotations: |
+            org.opencontainers.image.title=BuildKit
+            org.opencontainers.image.vendor=Moby
+          bake-target: meta-helper
      -
        name: Login to DockerHub
-        if: needs.prepare.outputs.push == 'push'
+        if: ${{ github.repository == 'moby/buildkit' && (github.event_name == 'schedule' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
-        name: Build ${{ needs.prepare.outputs.tag }}
-        run: |
-          ./hack/images "${{ needs.prepare.outputs.tag }}" "$IMAGE_NAME" "${{ needs.prepare.outputs.push }}"
+        name: Build
+        uses: docker/bake-action@v6
+        with:
+          # FIXME: remove context once git context with query string implemented in actions-toolkit
+          source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.ref }}
+          files: |
+            ./docker-bake.hcl
+            cwd://${{ steps.meta.outputs.bake-file-tags }}
+            cwd://${{ steps.meta.outputs.bake-file-annotations }}
+          targets: image-cross
+          push: ${{ github.repository == 'moby/buildkit' && (github.event_name == 'schedule' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) }}
+          provenance: mode=max,version=v1
+          sbom: true
+          set: |
+            *.cache-from=type=gha,scope=image${{ matrix.target }}
+            *.cache-to=type=gha,scope=image${{ matrix.target }}
+            *.no-cache-filter=${{ (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v')) && 'buildkit-export-alpine,buildkit-export-ubuntu,gobuild-base,rootless' || '' }}
        env:
-          RELEASE: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v') }}
-          TARGET: ${{ matrix.target-stage }}
-          CACHE_FROM: type=gha,scope=image${{ matrix.target-stage }}
-          CACHE_TO: type=gha,scope=image${{ matrix.target-stage }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          IMAGE_TARGET: ${{ matrix.target }}

  scout:
    runs-on: ubuntu-24.04
@@ -276,7 +307,6 @@ jobs:
      # required to create GitHub release
      contents: write
    needs:
-      - prepare
      - test
      - binaries
      - image
@@ -301,4 +331,3 @@ jobs:
        with:
          draft: true
          files: ${{ env.DESTDIR }}/*
-          name: ${{ needs.prepare.outputs.tag }}
--- a/8
+++ b/8
@@ -18,11 +18,13 @@ ARG AZURITE_VERSION=3.33.0
 ARG GOTESTSUM_VERSION=v1.9.0
 ARG DELVE_VERSION=v1.23.1

-ARG GO_VERSION=1.25
+ARG EXPORT_BASE=alpine
 ARG ALPINE_VERSION=3.22
+ARG UBUNTU_VERSION=24.04
+
+ARG GO_VERSION=1.25
 ARG XX_VERSION=1.7.0
 ARG BUILDKIT_DEBUG
-ARG EXPORT_BASE=alpine

 # minio for s3 integration tests
 FROM quay.io/minio/minio:${MINIO_VERSION} AS minio
@@ -208,7 +210,7 @@ RUN apk add --no-cache fuse3 git openssh openssl pigz xz iptables ip6tables \
 COPY --link examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/
 VOLUME /var/lib/buildkit

-FROM ubuntu:24.04 AS buildkit-export-ubuntu
+FROM ubuntu:${UBUNTU_VERSION} AS buildkit-export-ubuntu
 RUN apt-get update \
  && apt-get install -y --no-install-recommends \
    fuse3 \
--- a/4
+++ b/4
@@ -22,8 +22,8 @@ cross:
 .PHONY: images
 images:
 # moby/buildkit:local and moby/buildkit:local-rootless are created on Docker
-	hack/images local moby/buildkit
-	TARGET=rootless hack/images local moby/buildkit
+	$(BUILDX_CMD) bake image
+	IMAGE_TARGET=rootless $(BUILDX_CMD) bake image

 .PHONY: install
 install:
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,7 +1,15 @@
+variable "EXPORT_BASE" {
+  default = null
+}
+
 variable "ALPINE_VERSION" {
  default = null
 }

+variable "UBUNTU_VERSION" {
+  default = null
+}
+
 variable "GO_VERSION" {
  default = null
 }
@@ -14,6 +22,10 @@ variable "BUILDKITD_TAGS" {
  default = null
 }

+variable "BUILDKIT_DEBUG" {
+  default = null
+}
+
 variable "HTTP_PROXY" {
  default = null
 }
@@ -46,6 +58,10 @@ variable "ARCHUTIL_MULTIPLATFORM" {
  default = null
 }

+variable "IMAGE_TARGET" {
+  default = null
+}
+
 # Defines the output folder
 variable "DESTDIR" {
  default = ""
@@ -78,12 +94,20 @@ function "bindir" {
  result = DESTDIR != "" ? DESTDIR : "./bin/${defaultdir}"
 }

+# Special target: https://github.com/docker/metadata-action#bake-definition
+target "meta-helper" {
+  tags = [IMAGE_TARGET != null && IMAGE_TARGET != "" ? "moby/buildkit:local-${IMAGE_TARGET}" : "moby/buildkit:local"]
+}
+
 target "_common" {
  args = {
+    EXPORT_BASE = EXPORT_BASE
    ALPINE_VERSION = ALPINE_VERSION
+    UBUNTU_VERSION = UBUNTU_VERSION
    GO_VERSION = GO_VERSION
    NODE_VERSION = NODE_VERSION
    BUILDKITD_TAGS = BUILDKITD_TAGS
+    BUILDKIT_DEBUG = BUILDKIT_DEBUG
    HTTP_PROXY = HTTP_PROXY
    HTTPS_PROXY = HTTPS_PROXY
    NO_PROXY = NO_PROXY
@@ -133,6 +157,26 @@ target "release" {
  output = [bindir("release")]
 }

+target "image" {
+  inherits = ["_common", "meta-helper"]
+  target = IMAGE_TARGET
+  cache-to = ["type=inline"]
+  output = ["type=docker"]
+}
+
+target "image-cross" {
+  inherits = ["image"]
+  output = ["type=image"]
+  platforms = [
+    "linux/amd64",
+    "linux/arm/v7",
+    "linux/arm64",
+    "linux/s390x",
+    "linux/ppc64le",
+    "linux/riscv64"
+  ]
+}
+
 target "integration-tests-base" {
  inherits = ["_common"]
  target = "integration-tests-base"
--- a/hack/images
+++ b/hack/images
@@ -1,115 +0,0 @@
-#!/usr/bin/env bash
-
-TAG=$1
-REPO=$2
-PUSH=$3
-
-. $(dirname $0)/util
-set -eu -o pipefail
-
-: "${RELEASE=false}"
-: "${PLATFORMS=}"
-: "${TARGET=}"
-
-versionTag=$(git describe --always --tags --match "v[0-9]*")
-
-if [[ ! "$versionTag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-  versionTag=""
-fi
-
-usage() {
-  echo "usage: $0 <tag> <repo> [push]"
-  exit 1
-}
-
-if [ -z "$TAG" ] || [ -z "$REPO" ]; then
-  usage
-fi
-
-platformFlag=""
-if [ -n "$PLATFORMS" ]; then
-  platformFlag="--platform=$PLATFORMS"
-fi
-
-localmode=""
-if [[ "$TAG" == "local" ]]; then
-  localmode="1"
-  if [ "$PUSH" = "push" ]; then
-    echo >&2 "local images cannot be pushed"
-    exit 1
-  fi
-fi
-
-attestFlags="$(buildAttestFlags)"
-
-outputFlag="--output=type=image,push=false"
-if [ "$PUSH" = "push" ]; then
-  outputFlag="--output=type=image,push=true"
-fi
-if [ -n "$localmode" ]; then
-  outputFlag="--output=type=docker"
-  attestFlags=""
-fi
-
-if [ -z "$localmode" ] && [ "$GITHUB_ACTIONS" = "true" ]; then
-  outputFlag="${outputFlag},annotation.org.opencontainers.image.title=BuildKit"
-  if [ -n "$GITHUB_SHA" ]; then
-    outputFlag="${outputFlag},annotation.org.opencontainers.image.revision=$GITHUB_SHA"
-  fi
-  if [ -n "$GITHUB_REPOSITORY" ] && [ -n "$GITHUB_SERVER_URL" ]; then
-    outputFlag="${outputFlag},annotation.org.opencontainers.image.source=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
-    outputFlag="${outputFlag},annotation.org.opencontainers.image.url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
-  fi
-  if [ -n "$versionTag" ]; then
-    outputFlag="${outputFlag},annotation.org.opencontainers.image.version=$versionTag"
-  fi
-fi
-
-targetFlag=""
-if [ -n "$TARGET" ]; then
-  targetFlag="--target=$TARGET"
-fi
-
-tagNames="$REPO:$TAG"
-if [ -n "$TARGET" ]; then
-  tagNames="$tagNames-$TARGET"
-fi
-
-if [[ "$versionTag" == "$TAG" ]]; then
-  if [ -n "$TARGET" ]; then
-    tagNames="$tagNames $REPO:$TARGET"
-  else
-    tagNames="$tagNames $REPO:latest"
-  fi
-fi
-
-importCacheFlags=""
-for tagName in $tagNames; do
-  importCacheFlags="$importCacheFlags--cache-from=type=registry,ref=$tagName "
-done
-if [ -n "$cacheFromFlags" ]; then
-  importCacheFlags="$importCacheFlags$cacheFromFlags"
-fi
-if [ -n "$localmode" ]; then
-  importCacheFlags=""
-fi
-
-exportCacheFlags=""
-if [ -n "$cacheToFlags" ]; then
-  exportCacheFlags="$cacheToFlags"
-elif [ "$PUSH" = "push" ]; then
-  exportCacheFlags="--cache-to=type=inline"
-fi
-
-tagFlags=""
-for tagName in $tagNames; do
-  tagFlags="$tagFlags--tag=$tagName "
-done
-
-nocacheFilterFlag=""
-if [[ "$RELEASE" = "true" ]] && [[ "$GITHUB_ACTIONS" = "true" ]]; then
-  nocacheFilterFlag="--no-cache-filter=buildkit-export-alpine,buildkit-export-ubuntu,gobuild-base,rootless"
-fi
-
-buildxCmd build --build-arg "BUILDKIT_CONTEXT_KEEP_GIT_DIR=1" --build-arg BUILDKITD_TAGS --build-arg BUILDKIT_DEBUG --build-arg EXPORT_BASE $platformFlag $targetFlag $importCacheFlags $exportCacheFlags $tagFlags $outputFlag $nocacheFilterFlag $attestFlags \
-  $currentcontext