From 643557d534e3ceae9ea9bc3f05128d1ecd668f52 Mon Sep 17 00:00:00 2001 From: Guillaume Lours <705411+glours@users.noreply.github.com> Date: Tue, 14 Mar 2023 11:08:04 +0100 Subject: [PATCH] build and push binaries images when a PR is merged or a tag pushed Signed-off-by: Guillaume Lours <705411+glours@users.noreply.github.com> --- .github/workflows/merge.yml | 48 ++++++++++++++++++++++++++++++++++++- Dockerfile | 2 ++ docker-bake.hcl | 8 +++++++ 3 files changed, 57 insertions(+), 1 deletion(-) diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 690cda7a8..0528bdfc6 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -10,11 +10,13 @@ on: - 'v2' tags: - 'v*' - workflow_dispatch: permissions: contents: read # to fetch code (actions/checkout) +env: + REPO_SLUG: "docker/compose-bin" + jobs: e2e: name: Build and test 
@@ -72,3 +74,47 @@ jobs: run: | make e2e-compose-standalone + bin-image: + runs-on: ubuntu-22.04 + steps: + - + name: Checkout + uses: actions/checkout@v3 + - + name: Set up QEMU + uses: docker/setup-qemu-action@v2 + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - + name: Docker meta + id: meta + uses: docker/metadata-action@v4 + with: + images: | + ${{ env.REPO_SLUG }} + tags: | + type=ref,event=tag + type=edge + bake-target: meta-helper + - + name: Login to DockerHub + if: github.event_name != 'pull_request' + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }} + password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }} + - + name: Build and push image + uses: docker/bake-action@v2 + with: + files: | + ./docker-bake.hcl + ${{ steps.meta.outputs.bake-file }} + targets: image-cross + push: ${{ github.event_name != 'pull_request' }} + set: | + *.cache-from=type=gha,scope=bin-image + *.cache-to=type=gha,scope=bin-image,mode=max + *.attest=type=sbom + *.attest=type=provenance,mode=max,builder-id=https://github.com/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }} diff --git a/Dockerfile b/Dockerfile index 75be9c10a..e2e44922d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -168,6 +168,8 @@ FROM binary-unix AS binary-linux FROM scratch AS binary-windows COPY --link --from=build /usr/bin/docker-compose /docker-compose.exe FROM binary-$TARGETOS AS binary +# enable scanning for this stage +ARG BUILDKIT_SBOM_SCAN_STAGE=true FROM --platform=$BUILDPLATFORM alpine AS releaser WORKDIR /work diff --git a/docker-bake.hcl b/docker-bake.hcl index ef75a7a1f..f9997b8af 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -33,6 +33,9 @@ function "bindir" { result = DESTDIR != "" ? DESTDIR : "./bin/${defaultdir}" } +# Special target: https://github.com/docker/metadata-action#bake-definition +target "meta-helper" {} + target "_common" { args = { GO_VERSION = GO_VERSION 
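Review bot: The provenance `builder-id` in the last `set:` entry of the "Build and push image" step is built from `${{ env.GITHUB_REPOSITORY }}` and `${{ env.GITHUB_RUN_ID }}`, but the `env` context only carries variables declared in a workflow, job or step `env:` map, not the runner's default environment. The only variable this patch declares is `REPO_SLUG`, so both expressions most likely expand to empty strings and the attestation records `https://github.com//actions/runs/` as its builder. Use the `github` context instead: `builder-id=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}`. Separately, this job is handed `DOCKERPUBLICBOT_WRITE_PAT`, yet every action in it is referenced by a mutable tag (`actions/checkout@v3`, `docker/login-action@v2`, `docker/bake-action@v2`, and the rest). Pinning each to a full commit SHA, e.g. `uses: docker/login-action@<full-commit-sha> # v2`, keeps a moved tag from running with the push credential.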
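Review bot: The comment `# enable scanning for this stage` does not say when the ARG has any effect. By default BuildKit's SBOM scan covers only the final stage of the build, and `BUILDKIT_SBOM_SCAN_STAGE=true` opts in an additional stage that the target depends on. If `binary` is itself the stage that `image-cross` exports (that is set in `binary-cross`, outside this hunk), the line changes nothing, and the stage the SBOM would otherwise miss is more likely `build`. Suggest rewording the comment to `# include this stage in the SBOM scan even when a later stage is the build target` and confirming which stage actually needs the opt-in.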
@@ -134,3 +137,8 @@ target "docs-update" { target = "docs-update" output = ["./docs"] } + +target "image-cross" { + inherits = ["meta-helper", "binary-cross"] + output = ["type=image"] +}