hack: use bake to build the dockerfile frontend

Signed-off-by: CrazyMax <[email protected]>

Author: crazy-max

.github/workflows/frontend.yml

@@ -28,7 +28,6 @@ env:
   SETUP_BUILDKIT_TAG: "moby/buildkit:latest"
   SCOUT_VERSION: "1.13.0"
   IMAGE_NAME: "docker/dockerfile-upstream"
-  PLATFORMS: "linux/386,linux/amd64,linux/arm/v7,linux/arm64,linux/mips,linux/mipsle,linux/mips64,linux/mips64le,linux/s390x,linux/ppc64le,linux/riscv64"
 
 jobs:
   test:
@@ -44,39 +43,19 @@ jobs:
 
   prepare:
     runs-on: ubuntu-24.04
-    if: github.event_name != 'schedule'
     outputs:
-      typ: ${{ steps.prep.outputs.typ }}
-      push: ${{ steps.prep.outputs.push }}
-      tag: ${{ steps.prep.outputs.tag }}
-      tags: ${{ steps.prep.outputs.tags }}
+      channels: ${{ steps.channels.outputs.matrix }}
     steps:
       -
-        name: Prepare
-        id: prep
+        name: Channels matrix
+        id: channels
         run: |
-          TYP=master
-          TAG=mainline
-          PUSH=false
           if [[ $GITHUB_REF == refs/tags/dockerfile/* ]]; then
-            TYP=tag
-            TAG=${GITHUB_REF#refs/tags/}
-            PUSH=push
-          elif [[ $GITHUB_REF == refs/heads/* ]]; then
-            if [ $GITHUB_REF = "refs/heads/${{ github.event.repository.default_branch }}" ]; then
-              PUSH=push
-            fi
-          fi
-          if [ "$GITHUB_REPOSITORY" != "moby/buildkit" ]; then
-            PUSH=false
-          fi
-          echo "typ=${TYP}" >>${GITHUB_OUTPUT}
-          echo "push=${PUSH}" >>${GITHUB_OUTPUT}
-          echo "tag=${TAG}" >>${GITHUB_OUTPUT}
-          if [ "${TYP}" = "master" ]; then
-            echo "tags=$(jq -cn --arg tag "$TAG" '[$tag, "labs"]')" >>${GITHUB_OUTPUT}
+            version=${GITHUB_REF#refs/tags/dockerfile/}
+            channel=$(echo "$version" | awk -F- '{print $NF}')
+            echo "matrix=$(jq -cn --arg channel "$channel" '[$channel]')" >>${GITHUB_OUTPUT}
           else
-            echo "tags=$(jq -cn --arg tag "$TAG" '[$tag]')" >>${GITHUB_OUTPUT}
+            echo "matrix=$(jq -cn '["mainline", "labs"]')" >>${GITHUB_OUTPUT}
           fi
 
   image:
@@ -87,22 +66,29 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        tag: ${{ fromJson(needs.prepare.outputs.tags) }}
+        channel: ${{ fromJson(needs.prepare.outputs.channels) }}
     steps:
       -
         name: Prepare
         run: |
-          if [[ "${{ matrix.tag }}" = "labs" ]] || [[ "${{ matrix.tag }}" == *-labs ]]; then
-            echo "CACHE_SCOPE=frontend-labs" >>${GITHUB_ENV}
-          else
-            echo "CACHE_SCOPE=frontend-mainline" >>${GITHUB_ENV}
+          if [ "${{ matrix.channel }}" != "mainline" ]; then
+            echo "TAG_SUFFIX=-${{ matrix.channel }}" >> $GITHUB_ENV
+          fi
+          if [[ $GITHUB_REF == refs/tags/dockerfile/* ]]; then
+            version=${GITHUB_REF#refs/tags/dockerfile/}
+            channel=$(echo "$version" | awk -F- '{print $NF}')
+            if [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+              echo "TAG_LATEST=latest" >> $GITHUB_ENV
+            elif [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+-$channel$ ]]; then
+              echo "TAG_LATEST=$channel" >> $GITHUB_ENV
+            fi
+            echo "TAG_VERSION=${version%%-*}" >> $GITHUB_ENV
           fi
       -
         name: Checkout
         uses: actions/checkout@v4
-      -
-        name: Expose GitHub Runtime
-        uses: crazy-max/ghaction-github-runtime@v3
+        with:
+          fetch-depth: 0
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -113,22 +99,70 @@ jobs:
           version: ${{ env.SETUP_BUILDX_VERSION }}
           driver-opts: image=${{ env.SETUP_BUILDKIT_TAG }}
           buildkitd-flags: --debug
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.IMAGE_NAME }}
+          # versioning strategy
+          ## push tag dockerfile/1.17.0
+          ### docker/dockerfile-upstream:1.17.0
+          ### docker/dockerfile-upstream:1.17
+          ### docker/dockerfile-upstream:1
+          ### docker/dockerfile-upstream:latest
+          ## push tag dockerfile/1.17.0-labs
+          ### docker/dockerfile-upstream:1.17.0-labs
+          ### docker/dockerfile-upstream:1.17-labs
+          ### docker/dockerfile-upstream:1-labs
+          ### docker/dockerfile-upstream:labs
+          ## push prerelease tag dockerfile/1.17.0-rc1
+          ### docker/dockerfile-upstream:1.17.0-rc1
+          ## push prerelease tag dockerfile/1.17.0-rc1-labs
+          ### docker/dockerfile-upstream:1.17.0-rc1-labs
+          ## push on master
+          ### docker/dockerfile-upstream:master
+          ### docker/dockerfile-upstream:master-labs
+          tags: |
+            type=ref,event=branch,suffix=${{ env.TAG_SUFFIX }}
+            type=ref,event=pr,suffix=${{ env.TAG_SUFFIX }}
+            type=semver,pattern={{version}},value=${{ env.TAG_VERSION }},suffix=${{ env.TAG_SUFFIX }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ env.TAG_VERSION }},suffix=${{ env.TAG_SUFFIX }}
+            type=semver,pattern={{major}},value=${{ env.TAG_VERSION }},suffix=${{ env.TAG_SUFFIX }}
+            type=raw,value=${{ env.TAG_LATEST }}
+          flavor: |
+            latest=false
+          annotations: |
+            org.opencontainers.image.title=Dockerfile Frontend
+            org.opencontainers.image.vendor=Moby
+          bake-target: frontend-meta-helper
       -
         name: Login to DockerHub
         uses: docker/login-action@v3
-        if: needs.prepare.outputs.push == 'push'
+        if: ${{ github.repository == 'moby/buildkit' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/dockerfile/')) }}
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build
-        run: |
-          ./frontend/dockerfile/cmd/dockerfile-frontend/hack/release "${{ needs.prepare.outputs.typ }}" "${{ matrix.tag }}" "$IMAGE_NAME" "${{ needs.prepare.outputs.push }}"
+        uses: docker/bake-action@v6
+        with:
+          source: .
+          files: |
+            ./docker-bake.hcl
+            ${{ steps.meta.outputs.bake-file-tags }}
+            ${{ steps.meta.outputs.bake-file-annotations }}
+          targets: frontend-image-cross
+          push: ${{ github.repository == 'moby/buildkit' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/dockerfile/')) }}
+          provenance: mode=max
+          sbom: true
+          set: |
+            *.cache-from=type=gha,scope=frontend-${{ matrix.channel }}
+            *.cache-to=type=gha,scope=frontend-${{ matrix.channel }}
+            *.no-cache-filter=${{ (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/dockerfile/')) && 'base' || '' }}
         env:
-          RELEASE: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/v') }}
-          CACHE_FROM: type=gha,scope=${{ env.CACHE_SCOPE }}
-          CACHE_TO: type=gha,scope=${{ env.CACHE_SCOPE }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          FRONTEND_CHANNEL: ${{ matrix.channel }}
 
   scout:
     runs-on: ubuntu-24.04
@@ -181,7 +215,6 @@ jobs:
       # required to create GitHub release
       contents: write
     needs:
-      - prepare
       - test
       - image
     steps:

Makefile

@@ -25,6 +25,12 @@ images:
 	$(BUILDX_CMD) bake image
 	IMAGE_TARGET=rootless $(BUILDX_CMD) bake image
 
+.PHONY: frontends
+frontends:
+# docker/dockerfile:local and docker/dockerfile:local-labs are created on Docker
+	$(BUILDX_CMD) bake frontend-image
+	FRONTEND_CHANNEL=labs $(BUILDX_CMD) bake frontend-image
+
 .PHONY: install
 install:
 	mkdir -p $(DESTDIR)$(bindir)

docker-bake.hcl

@@ -50,6 +50,14 @@ variable "IMAGE_TARGET" {
   default = null
 }
 
+variable "FRONTEND_CHANNEL" {
+  default = "mainline"
+}
+
+variable "FRONTEND_BUILDTAGS" {
+  default = null
+}
+
 # Defines the output folder
 variable "DESTDIR" {
   default = ""
@@ -86,6 +94,9 @@ function "bindir" {
 target "meta-helper" {
   tags = [IMAGE_TARGET != null && IMAGE_TARGET != "" ? "moby/buildkit:local-${IMAGE_TARGET}" : "moby/buildkit:local"]
 }
+target "frontend-meta-helper" {
+  tags = [FRONTEND_CHANNEL != null && FRONTEND_CHANNEL != "" && FRONTEND_CHANNEL != "mainline" ? "docker/dockerfile:local-${FRONTEND_CHANNEL}" : "docker/dockerfile:local"]
+}
 
 target "_common" {
   args = {
@@ -161,6 +172,34 @@ target "image-cross" {
   ]
 }
 
+target "frontend-image" {
+  inherits = ["_common", "frontend-meta-helper"]
+  dockerfile = "./frontend/dockerfile/cmd/dockerfile-frontend/Dockerfile"
+  args = {
+    CHANNEL = FRONTEND_CHANNEL
+    BUILDTAGS = FRONTEND_BUILDTAGS
+  }
+  output = ["type=docker"]
+}
+
+target "frontend-image-cross" {
+  inherits = ["frontend-image"]
+  output = ["type=image"]
+  platforms = [
+    "linux/386",
+    "linux/amd64",
+    "linux/arm/v7",
+    "linux/arm64",
+    "linux/mips",
+    "linux/mipsle",
+    "linux/mips64",
+    "linux/mips64le",
+    "linux/s390x",
+    "linux/ppc64le",
+    "linux/riscv64"
+  ]
+}
+
 target "integration-tests-base" {
   inherits = ["_common"]
   target = "integration-tests-base"

frontend/dockerfile/cmd/dockerfile-frontend/Dockerfile

@@ -14,21 +14,34 @@ WORKDIR /src
 ENV GOFLAGS=-mod=vendor
 
 FROM base AS version
-ARG CHANNEL
-# TODO: PKG should be inferred from go modules
-RUN --mount=target=. \ 
-  PKG=github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend VERSION=$(./frontend/dockerfile/cmd/dockerfile-frontend/hack/detect "$CHANNEL") REVISION=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi) \
-  && echo "-X main.Version=${VERSION} -X main.Revision=${REVISION} -X main.Package=${PKG}" | tee /tmp/.ldflags \
-  && echo -n "${VERSION}" | tee /tmp/.version
+ARG CHANNEL=mainline
+ARG BUILDTAGS
+RUN --mount=target=. <<EOT
+  set -e
+  tagsFile="./frontend/dockerfile/release/$CHANNEL/tags"
+  if [ ! -f "$tagsFile" ]; then
+    echo "No build tags found for $CHANNEL."
+    exit 1
+  fi
+  if [ "$CHANNEL" = "mainline" ]; then
+    VERSION=$(git describe --always --tags --match "dockerfile/[0-9]*")
+  else
+    VERSION=$(git describe --always --tags --match "dockerfile/[0-9]*-$CHANNEL")
+  fi
+  PKG=github.com/moby/buildkit/frontend/dockerfile/cmd/dockerfile-frontend
+  REVISION=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
+  echo "-X main.Version=${VERSION} -X main.Revision=${REVISION} -X main.Package=${PKG}" | tee /tmp/.ldflags
+  echo -n "$BUILDTAGS $(cat $tagsFile)" | tee /tmp/.buildtags
+EOT
 
 FROM base AS build
 RUN apk add --no-cache file
-ARG BUILDTAGS=""
 ARG TARGETPLATFORM
 RUN --mount=target=. --mount=type=cache,target=/root/.cache \
   --mount=target=/go/pkg/mod,type=cache \
   --mount=source=/tmp/.ldflags,target=/tmp/.ldflags,from=version \
-  CGO_ENABLED=0 xx-go build -o /dockerfile-frontend -ldflags "-d $(cat /tmp/.ldflags)" -tags "$BUILDTAGS netgo static_build osusergo" ./frontend/dockerfile/cmd/dockerfile-frontend && \
+  --mount=source=/tmp/.buildtags,target=/tmp/.buildtags,from=version \
+  CGO_ENABLED=0 xx-go build -o /dockerfile-frontend -ldflags "-d $(cat /tmp/.ldflags)" -tags "$(cat /tmp/.buildtags) netgo static_build osusergo" ./frontend/dockerfile/cmd/dockerfile-frontend && \
   xx-verify --static /dockerfile-frontend
 
 FROM scratch AS release