chore: enable SBOM and fix Docker multiarch manifests with attestations

matifali · ThomasK33 · commit e8d3cafb81a8 · 2025-03-12T14:16:18.000+01:00
- Enable SBOM and provenance attestations in Docker builds - Update build_docker_multiarch.sh to handle images with attestations - Fix issue with Docker manifest creation for images with multiple attestation manifests - Make Docker daemon config use containerd by default 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Thomas Kosiewski <tk@coder.com>
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -361,6 +361,7 @@ jobs:
           file: scripts/Dockerfile.base
           platforms: linux/amd64,linux/arm64,linux/arm/v7
           provenance: true
+          sbom: true
           pull: true
           no-cache: true
           push: true
diff --git a/dogfood/coder/files/etc/docker/daemon.json b/dogfood/coder/files/etc/docker/daemon.json
@@ -1,3 +1,6 @@
 {
-	"registry-mirrors": ["https://mirror.gcr.io"]
+	"registry-mirrors": ["https://mirror.gcr.io"],
+	"features": {
+		"containerd-snapshotter": true
+	}
 }
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
@@ -136,10 +136,12 @@ fi
 
 log "--- Building Docker image for $arch ($image_tag)"
 
-docker build \
+docker buildx build \
 	--platform "$arch" \
 	--build-arg "BASE_IMAGE=$base_image" \
 	--build-arg "CODER_VERSION=$version" \
+	--provenance true \
+	--sbom true \
 	--no-cache \
 	--tag "$image_tag" \
 	-f Dockerfile \
diff --git a/scripts/build_docker_multiarch.sh b/scripts/build_docker_multiarch.sh
@@ -77,13 +77,24 @@ done
 
 # Sadly, manifests don't seem to support labels.
 log "--- Creating multi-arch Docker image ($target)"
-docker manifest create \
-	"$target" \
-	"${create_args[@]}"
+
+# Create a buildx builder instance if it doesn't exist
+if ! docker buildx inspect multiarch-builder &>/dev/null; then
+    docker buildx create --name multiarch-builder --use
+fi
+
+# Create manifest with buildx imagetools
+log "--- Creating multi-arch manifest with attestations"
+
+# For images with attestations, we preserve the entire structure by using image tags directly,
+# letting Docker handle retrieving both the architecture manifests and attestation manifests
+docker buildx imagetools create --tag "$target" "$@"
 
 if [[ "$push" == 1 ]]; then
-	log "--- Pushing multi-arch Docker image ($target)"
-	docker manifest push "$target"
+    log "--- Verifying multi-arch Docker image ($target)"
+    # The manifest is already created and pushed when using buildx imagetools create
+    # We just need to verify it exists
+    docker buildx imagetools inspect "$target"
 fi
 
 echo "$target"

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,6 @@`
`1`	`1`	`{`
`2`		`- "registry-mirrors": ["https://mirror.gcr.io"]`
	`2`	`+ "registry-mirrors": ["https://mirror.gcr.io"],`
	`3`	`+ "features": {`
	`4`	`+ "containerd-snapshotter": true`
	`5`	`+ }`
`3`	`6`	`}`