From 019df0f616d970ae7791691dc40ca2c3c0bcaf17 Mon Sep 17 00:00:00 2001
From: Jonny Stoten
Date: Mon, 1 Jul 2024 10:50:18 +0100
Subject: [PATCH 1/5] Add production stage to Dockerfile and tidy up
---
 Dockerfile | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 72c40a7..28f656c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,38 +1,37 @@
 ARG BUILDERIMAGE="golang:1.22"
 ARG BASEIMAGE="gcr.io/distroless/static:nonroot"
-FROM ${BUILDERIMAGE} as builder
+FROM ${BUILDERIMAGE} AS builder
-ARG LDFLAGS
-
-ENV GO111MODULE=on \
- CGO_ENABLED=0
+ENV CGO_ENABLED=0
 WORKDIR /app
-COPY . .
-
-# --- This block can be replaced by `RUN go mod download` when github.com/docker/attest is public
+# --- This block can be removed when github.com/docker/attest is public
 ENV GOPRIVATE="github.com/docker/attest"
-RUN --mount=type=cache,target=$GOPATH/pkg/mod --mount=type=secret,id=GITHUB_TOKEN <
Date: Mon, 1 Jul 2024 10:51:04 +0100
Subject: [PATCH 2/5] Add release workflow
---
 .github/workflows/release-drafter.yml | 23 +++++++++++
 .github/workflows/release.yml | 56 +++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 .github/workflows/release-drafter.yml
 create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
new file mode 100644
index 0000000..fc3d476
--- /dev/null
+++ b/.github/workflows/release-drafter.yml
@@ -0,0 +1,23 @@
+name: Release Drafter
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ types: [opened, reopened, synchronize]
+permissions:
+ contents: read
+
+jobs:
+ update_release_draft:
+ permissions:
+ contents: write
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: release-drafter/release-drafter@v6
+ with:
+ config-name: release-drafter-config.yml
+ publish: false
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
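Review bot: The `config-name: release-drafter-config.yml` on the last step points at `.github/release-drafter-config.yml`, which this commit does not add (it only arrives in patch 3/5), so the workflow fails on this commit by itself; squashing the two or ordering the config first keeps every commit in the series green. The job also asks for `contents: write` and `pull-requests: write` on `pull_request` events; if pull requests from forks are expected, those runs get a read-only token regardless of this block and the autolabeler step will fail there, which is worth a comment on the job's `permissions:` block so it is a known limitation rather than a CI surprise.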
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..b58c0c0
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,56 @@
+name: release
+on:
+ release:
+ types: [published]
+env:
+ IMAGE_NAME: docker/attest-provider
+jobs:
+ dockerhub:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: dockerpublicbot
+ password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@ad38cffc07bac6e3857755914c4c88bfd2db4da4 # v1.10.2
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
+ repositories: "attest"
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ${{ env.IMAGE_NAME }}
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
+ type=sha
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ version: lab:latest
+ driver: cloud
+ endpoint: docker/default
+ install: true
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ push: true
+ target: production
+ build-args: |
+ VERSION=v${{ steps.meta.outputs.version }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ platforms: linux/amd64,linux/arm64 # todo figure out additional platforms for release
+ attests: type=sbom,generator=docker/scout-sbom-indexer:1
+ provenance: mode=max
+ secrets: |
+ GITHUB_TOKEN=${{ steps.app-token.outputs.token }}
From e2d4b0b5f6db4215d10bf406324e34bc145553f0 Mon Sep 17 00:00:00 2001
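Review bot: The workflow declares no top-level `permissions:`, so the `dockerhub` job runs with whatever default `GITHUB_TOKEN` permissions the repository grants although it only needs to read the checkout; the sibling release-drafter workflow in this same patch sets `permissions: contents: read`, and this file should match with `permissions:` / `  contents: read` placed above `env:`. Separately, `actions/create-github-app-token` is pinned to a commit SHA while `actions/checkout@v4`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/setup-buildx-action@v3` and `docker/build-push-action@v6` float on major tags; because this job holds a Docker Hub write PAT and the App private key, pinning every action by SHA with a `# vX.Y.Z` comment, as the app-token step already does, is the consistent and safer form. `version: lab:latest` on the buildx step is likewise an unpinned moving target.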
From: Jonny Stoten
Date: Mon, 1 Jul 2024 13:36:42 +0100
Subject: [PATCH 3/5] Add release-drafter config
---
 .github/release-drafter-config.yml | 62 ++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 .github/release-drafter-config.yml
diff --git a/.github/release-drafter-config.yml b/.github/release-drafter-config.yml
new file mode 100644
index 0000000..3c90424
--- /dev/null
+++ b/.github/release-drafter-config.yml
@@ -0,0 +1,62 @@
+name-template: "v$RESOLVED_VERSION"
+tag-template: "v$RESOLVED_VERSION"
+categories:
+ - title: "🚀 Features"
+ labels:
+ - "feat"
+ - "feature"
+ - "enhancement"
+ - title: "🐛 Bug Fixes"
+ labels:
+ - "fix"
+ - "bugfix"
+ - "bug"
+ - title: "🧰 Maintenance"
+ labels:
+ - "chore"
+
+change-template: "- $TITLE @$AUTHOR (#$NUMBER)"
+change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
+version-resolver:
+ major:
+ labels:
+ - "major"
+ minor:
+ labels:
+ - "minor"
+ patch:
+ labels:
+ - "patch"
+ default: patch
+template: |
+ ## Changes
+
+ $CHANGES
+
+autolabeler:
+ - label: "chore"
+ files:
+ - "*.md"
+ branch:
+ - '/docs{0,1}\/.+/'
+ - '/tests{0,1}\/.+/'
+ - '/chore{0,1}\/.+/'
+ title:
+ - "/docs/i"
+ - "/test/i"
+ - "/chore/i"
+ - label: "bug"
+ branch:
+ - '/fix\/.+/'
+ - '/revert\/.+/'
+ title:
+ - "/fix/i"
+ - "/revert/i"
+ - label: "feature"
+ branch:
+ - '/feature\/.+/'
+ - '/feat\/.+/'
+ - '/add\/.+/'
+ title:
+ - "/feat/i"
+ - "/add/i"
From df8818d57c8b707a938569670c91a1d194322b27 Mon Sep 17 00:00:00 2001
From: Jonny Stoten
Date: Mon, 1 Jul 2024 15:01:44 +0100
Subject: [PATCH 4/5] chown cert files
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 28f656c..4bf948a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,4 +34,4 @@ ENTRYPOINT ["/attest"]
 FROM production AS dev
-COPY certs/tls.crt certs/tls.key /certs/
+COPY --chown=65532:65532 certs/tls.crt certs/tls.key /certs/
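Review bot: The `title:` matchers under `autolabeler` are unanchored regexes, so `"/add/i"` also matches titles such as "Padding fix" or "Update address parsing", `"/test/i"` matches "latest" and `"/fix/i"` matches "prefix", which files PRs under the wrong release category; word-boundary forms in the single-quoted style the `branch:` entries already use, e.g. `'/\bfeat\b/i'`, `'/\badd\b/i'` and `'/\bfix\b/i'`, avoid that. The `branch:` patterns require a `/` after the keyword and do not have this problem.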
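Review bot: `COPY --chown=65532:65532 certs/tls.crt certs/tls.key /certs/` still writes a private key into an image layer; the chown changes ownership but the file keeps whatever mode it has in the build context, so on a typical checkout the key remains readable by every uid inside the image, and adding `--chmod=0400` (or at least `0600`) on the same instruction closes that gap without an extra layer. Since the `dev` stage is built on top of `production`, a one-line comment such as `# dev-only: local TLS material, never publish this target` would record that only `production` is meant to be pushed (the release workflow in this series targets `production`), and `certs/` should be excluded via `.dockerignore` for every other target. 65532 is presumably the `nonroot` uid of the distroless base named in `BASEIMAGE`; a comment saying so keeps the magic number from being mistaken for an arbitrary choice.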
From 9f1db587b3236fa5bb44c42f19594722b9307357 Mon Sep 17 00:00:00 2001
From: Jonny Stoten
Date: Tue, 2 Jul 2024 09:15:51 +0100
Subject: [PATCH 5/5] Add this repo to github token scope
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b58c0c0..dc2db77 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,7 +21,7 @@ jobs:
 with:
 app-id: ${{ vars.APP_ID }}
 private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
- repositories: "attest"
+ repositories: "attest,attest-provider"
 - name: Docker meta
 id: meta
 uses: docker/metadata-action@v5
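Review bot: Widening `repositories:` to `"attest,attest-provider"` is explained neither in the hunk nor in the commit message, and the default `GITHUB_TOKEN` already covers the checkout of this repository, so a later reader is likely to narrow it back; a comment on that line recording why the build secret must also reach this repository, e.g. `# attest-provider: <reason placeholder>`, preserves the decision. If the wider scope is only needed while this repository is private, saying so in the same comment lets it be removed when that changes.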