From f111de2bd3e6fc8c69094b3304d4e3ddf5ccea5f Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Fri, 7 Mar 2025 22:48:48 +0000
Subject: [PATCH 1/3] chore: enable SBOM and containerd support in Docker builds
Added SBOM (Software Bill of Materials) generation during Docker build to enhance traceability. Refer to Docker documentation on SBOM: docs.docker.com/build/metadata/attestations/sbom Updated Docker build scripts to use BuildKit for provenance and SBOM support: docs.docker.com/build/metadata/attestations Configured Docker daemon to support the Containerd snapshotter feature to improve performance: docs.docker.com/engine/storage/containerd
---
 .github/workflows/release.yaml | 1 +
 dogfood/contents/files/etc/docker/daemon.json | 5 ++++-
 scripts/build_docker.sh | 4 +++-
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a963a7da6b19a..b381e2c4447e2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -361,6 +361,7 @@ jobs:
 file: scripts/Dockerfile.base
 platforms: linux/amd64,linux/arm64,linux/arm/v7
 provenance: true
+ sbom: true
 pull: true
 no-cache: true
 push: true
diff --git a/dogfood/contents/files/etc/docker/daemon.json b/dogfood/contents/files/etc/docker/daemon.json
index c2cbc52c3cc45..775b800114ce7 100644
--- a/dogfood/contents/files/etc/docker/daemon.json
+++ b/dogfood/contents/files/etc/docker/daemon.json
@@ -1,3 +1,6 @@
 {
- "registry-mirrors": ["https://mirror.gcr.io"]
+ "registry-mirrors": ["https://mirror.gcr.io"],
+ "features": {
+ "containerd-snapshotter': true
+ }
 }
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index 1bee954e9713c..ad8fb5b8f141e 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
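Review bot: The added `sbom: true` line leaves the SBOM generator image at whatever BuildKit resolves by default at run time, so the tool that produces the release's bill of materials is itself unpinned; pin it with `sbom: generator=docker/buildkit-syft-scanner:<tag>@sha256:<digest>` (placeholder values) so the attestation is reproducible and the scanner is part of the reviewed supply chain. The `provenance: true` line just above it selects the minimal provenance mode; for a release image consider `provenance: mode=max`, after checking that no build argument carries a secret, since max mode records more of the build inputs. With `push: true` already on the step, the attestations are attached to the pushed manifest, which is where downstream verifiers look for them.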
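Review bot: The added `"containerd-snapshotter': true` line closes the key with a single quote, so the file is no longer valid JSON and the daemon will refuse to start with it; PATCH 2/3 corrects the quote, so the two commits should be squashed before merge. Beyond the typo, `features.containerd-snapshotter` switches dockerd to the containerd image store, and images already present in the classic store are not visible after the switch, so this is best applied before the dogfood image's first pull or build rather than to a daemon with existing images. This setting is also what lets local builds retain the SBOM and provenance attestations that the other hunks of this commit request, which is worth stating in the commit message.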
@@ -136,10 +136,12 @@ fi
 log "--- Building Docker image for $arch ($image_tag)"
-docker build \
+docker buildx build \
 --platform "$arch" \
 --build-arg "BASE_IMAGE=$base_image" \
 --build-arg "CODER_VERSION=$version" \
+ --provenence true \
+ --sbom true \
 --no-cache \
 --tag "$image_tag" \
 -f Dockerfile \
From 378fdf83f647210a042a750ae49a0d43ecd809ed Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Fri, 7 Mar 2025 22:49:18 +0000
Subject: [PATCH 2/3] chore: enable SBOM and containerd support in Docker builds
Added SBOM (Software Bill of Materials) generation during Docker build to enhance traceability. Refer to Docker documentation on SBOM: docs.docker.com/build/metadata/attestations/sbom Updated Docker build scripts to use BuildKit for provenance and SBOM support: docs.docker.com/build/metadata/attestations Configured Docker daemon to support the Containerd snapshotter feature to improve performance: docs.docker.com/engine/storage/containerd
---
 .github/workflows/ci.yaml | 2 +-
 dogfood/contents/files/etc/docker/daemon.json | 2 +-
 scripts/build_docker.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e663cc2303986..4f010b5be75cc 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -999,7 +999,7 @@ jobs:
 AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
 - name: Upload build artifacts
- if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
+ if: ${{ github.repository_owner == 'coder' }}
 uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
 with:
 name: dylibs
diff --git a/dogfood/contents/files/etc/docker/daemon.json b/dogfood/contents/files/etc/docker/daemon.json
index 775b800114ce7..33b0126288fda 100644
--- a/dogfood/contents/files/etc/docker/daemon.json
+++ b/dogfood/contents/files/etc/docker/daemon.json
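Review bot: The new `--provenence true` (spelled correctly as `--provenance` in PATCH 2/3) and `--sbom true` lines only yield attestations that survive when the build output can carry them: a registry push, an OCI layout, or the containerd image store; when the result is loaded into the classic Docker image store BuildKit drops the attestations without an error, so the script would appear to succeed while producing no SBOM. The output flags for this command sit below the hunk, so please confirm that the path used here pushes or emits OCI output, and add a comment above the new flags such as `# attestations are kept only with --push, an OCI output or the containerd image store; the classic image store drops them`. Switching from `docker build` to `docker buildx build` also presumes a buildx-capable builder on every machine that runs this script, which is worth a one-line check or note near the top of the script.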
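Review bot: The changed `if:` line drops the `github.ref == 'refs/heads/main'` condition, so the signed dylib artifacts get uploaded on every ref of the coder repository rather than only from main, and nothing in this commit's subject (SBOM and containerd) explains widening an upload gate on a signing step. PATCH 3/3 restores the original condition verbatim, so the series should be squashed so that the widen-then-revert pair never lands in history. If the goal was to exercise the upload from a branch, a temporary, explicitly scoped condition such as `github.ref == 'refs/heads/<branch>'` (placeholder) would be safer than removing the branch guard outright.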
@@ -1,6 +1,6 @@
 {
 "registry-mirrors": ["https://mirror.gcr.io"],
 "features": {
- "containerd-snapshotter': true
+ "containerd-snapshotter": true
 }
 }
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index ad8fb5b8f141e..bf3e3bb8116bb 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -140,7 +140,7 @@ docker buildx build \
 --platform "$arch" \
 --build-arg "BASE_IMAGE=$base_image" \
 --build-arg "CODER_VERSION=$version" \
- --provenence true \
+ --provenance true \
 --sbom true \
 --no-cache \
 --tag "$image_tag" \
From 1dcf0dab2881e2c2775d31959c902f68484c90c4 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Fri, 7 Mar 2025 23:26:17 +0000
Subject: [PATCH 3/3] chore: enable SBOM and containerd support in Docker builds
Added SBOM (Software Bill of Materials) generation during Docker build to enhance traceability. Refer to Docker documentation on SBOM: docs.docker.com/build/metadata/attestations/sbom Updated Docker build scripts to use BuildKit for provenance and SBOM support: docs.docker.com/build/metadata/attestations Configured Docker daemon to support the Containerd snapshotter feature to improve performance: docs.docker.com/engine/storage/containerd
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4f010b5be75cc..e663cc2303986 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -999,7 +999,7 @@ jobs:
 AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
 - name: Upload build artifacts
- if: ${{ github.repository_owner == 'coder' }}
+ if: ${{ github.repository_owner == 'coder' && github.ref == 'refs/heads/main' }}
 uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
 with:
 name: dylibs