synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-09 11:45:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
10,352 Commits 363 Branches 234 Tags
a099a8a25c78444448c2aee3b40109c5fd73f8c8
Commit Graph

21 Commits

Author SHA1 Message Date
Thomas Kosiewski
f48a24c18e feat: add SBOM generation and attestation to GitHub workflow (#17277) 
Move SBOM generation and attestation to GitHub workflow

This PR moves the SBOM generation and attestation process from the `build_docker.sh` script to the GitHub workflow. The change:

1. Removes SBOM generation and attestation from the `build_docker.sh` script
2. Adds a new "SBOM Generation and Attestation" step in the GitHub workflow
3. Generates and attests SBOMs for both multi-arch images and latest tags when applicable

This approach ensures SBOM generation happens once for the final multi-architecture image rather than for each architecture separately.

Change-Id: I2e15d7322ddec933bbc9bd7880abba9b0842719f
Signed-off-by: Thomas Kosiewski <tk@coder.com>
 2025-04-07 17:54:05 +02:00
Thomas Kosiewski
7171d52279 fix: replace both colons and slashes in SBOM filename for Docker image (#16915) 
This PR fixes the SBOM filename generation in the Docker build script to
properly handle image tags that contain slashes. The current
implementation only replaces colons with underscores, but fails when
image tags include slashes (common in registry paths).

The fix updates the string replacement to handle both colons and slashes
in the image tag when generating the SBOM filename.

Change-Id: Ifd7bad6d165393e11202e5bf070a4cb26eaa6a6a
Signed-off-by: Thomas Kosiewski <tk@coder.com>

Signed-off-by: Thomas Kosiewski <tk@coder.com>
 2025-03-13 23:01:03 +05:00
Thomas Kosiewski
389af22dac chore: replace colons in SBOM filename for Docker image attestation (#16914) 
This PR fixes an issue in the Docker build script where the SBOM file path used the image tag directly, which could contain colons. Since colons are not valid characters in filenames on many filesystems, this replaces colons with underscores in the output filename.

Change-Id: I887f4fc255d9bfa19b6c5d23ad0a5db7352aa2af
Signed-off-by: Thomas Kosiewski <tk@coder.com>
 2025-03-13 18:20:43 +01:00
M Atif Ali
4987de654e chore: enable SBOM attestations for docker images (#16894) 
- Enable SBOM and provenance attestations in Docker builds
- Installs `cosign` and `syft` in dogfood image
- Adds [github
attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds)

Signed-off-by: Thomas Kosiewski <tk@coder.com>

---------

Signed-off-by: Thomas Kosiewski <tk@coder.com>
Co-authored-by: Thomas Kosiewski <tk@coder.com>
 2025-03-13 21:45:11 +05:00
M Atif Ali
e817713dc0 revert: "chore: enable SBOM attestation for image builds" (#16868) 
Reverts coder/coder#16852

The CI failed to create the multi-arch manifest.

https://github.com/coder/coder/actions/runs/13773079355/job/38516182819#step:18:341

I personally think we should move to a [multi-arch
Dockerfile](https://docs.docker.com/build/building/multi-platform/#cross-compilation)
instead of creating the manifest manually.
 2025-03-10 19:55:03 +00:00
M Atif Ali
05ebece03a chore: enable SBOM attestation for image builds (#16852) 
- Added SBOM (Software Bill of Materials) generation during Docker build
to enhance traceability. Refer to Docker documentation on SBOM:
https://docs.docker.com/build/metadata/attestations/sbom/
- Updated Docker build scripts to use BuildKit for provenance and SBOM
support: https://docs.docker.com/build/metadata/attestations/
- Configured Docker daemon in dogfood image to support the Containerd
snapshotter feature to improve performance:
https://docs.docker.com/engine/storage/containerd/

> [!Important]
> We also need to enable `containerd` on depot runners.
> <img width="587" alt="image"
src="https://github.com/user-attachments/assets/1d7f87c7-fdcc-462a-babe-87ac6486ad09"
/>



## Testing

- Tested locally with ` docker buildx build --sbom=true --output
type=local,dest=out -f Dockerfile .` to verify that an SBOM file is
generated.
- Tested in
[CI](https://github.com/coder/coder/actions/runs/13731162662/job/38408790980?pr=16852#step:17:1)
to ensure the image builds without any errors.


Also closes coder/internal#88
 2025-03-11 00:24:14 +05:00
Cian Johnston
a3a16a1586 fix(scripts): modify logic for determining terraform arch (#9595) 
Commit fb3616c used a build-arg to set the desired terrafomr
architeture to fetch. This is set in build_docker.sh but not
when building using depot.dev. Baking the logic into the
Dockerfile instead.
 2023-09-08 10:47:51 +00:00
Cian Johnston
fb3616c37e fix(scripts): wget terraform directly from releases.hashicorp.com (#9594) 2023-09-08 10:02:18 +00:00
Colin Adler
97945ae272 fix(scripts): properly shift for --build-base option (#8167) 2023-06-22 15:24:03 -05:00
Dean Sheather
d6947aeaca chore: fix depot build (#6057) 2023-02-06 16:49:33 +00:00
Dean Sheather
b45c445255 feat: add git to Docker image (#6034) 2023-02-07 02:30:35 +10:00
Dean Sheather
819622182b chore: parallel makefile attempt 3 (#3926) 
* Revert "chore: Revert parallel Makefile builds (#3918)"

This reverts commit b077f71015.

* fix: fix release workflow with parallel makefile

* fix: mark generated files as fresh during releases
 2022-09-08 02:40:17 +10:00
Kyle Carberry
b077f71015 chore: Revert parallel Makefile builds (#3918) 
This was breaking the release process. Namely it was running
the `gen` targets due to the dependency tree, which was failing
on macOS and Linux runners. This revert can be reverted once
we fix that up.
 2022-09-07 01:56:51 +00:00
Dean Sheather
419d701927 chore: parallel builds with Makefile (#3854) 
* Revert "revert: Makefile buff-ification (#3700) (#3848)"

This reverts commit e490bdd531.

* fix: fix slim targets in makefile

* fix: don't clobber slim binaries, make sure they're in the correct location
 2022-09-06 17:27:06 +00:00
Kyle Carberry
e490bdd531 revert: Makefile buff-ification (#3700) (#3848) 
This caused the following issues:
- Slim binaries weren't being updated.
- The coder.tar.ztd was misplaced.
- There is no coder.sha1 file with proper filenames.

This should be reintroduced in a future change with those fixes.
 2022-09-02 14:46:58 -05:00
Dean Sheather
e1a4f3a16b Makefile buff-ification (#3700) 
Remove old go_build_matrix and go_build_slim scripts in favor of full makefile-ification.
 2022-09-02 12:58:23 +00:00
Joe Previte
05f932b37e refactor(scripts): remove -P from ln calls (#3740) 2022-08-29 15:05:08 -07:00
Dean Sheather
369a9fb535 fix: add writeable home dir to docker image (#3603) 2022-08-22 19:43:13 +10:00
Dean Sheather
66a5b0f7bc fix: don't use adduser and addgroup for docker images (#3344) 
* fix: don't use adduser and addgroup for docker images

* Revert "fix: Remove alternative image architectures until we virtualize (#3336)"

This reverts commit 00c5116a2e.
 2022-08-01 19:28:38 +00:00
Dean Sheather
8d6faa3c1a fix: login before pushing docker images in release pipeline (#2496) 2022-06-19 13:12:09 +10:00
Dean Sheather
075e891f28 Remove goreleaser in favor of build scripts (#2143) 2022-06-19 05:47:10 +10:00