Merge pull request #17 from crazy-max/vendor

vendor dockerfile to validate go mod

Author: tonistiigi

.github/workflows/build.yml

@@ -1,4 +1,11 @@
-name: Build
+name: build
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 on:
   push:

.github/workflows/validate.yml

@@ -1,4 +1,11 @@
-name: Validate
+name: validate
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 on:
   push:
@@ -7,11 +14,35 @@ on:
   pull_request:
 
 jobs:
+  prepare:
+    runs-on: ubuntu-24.04
+    outputs:
+      includes: ${{ steps.generate.outputs.matrix }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v6
+      -
+        name: Generate matrix
+        id: generate
+        uses: docker/bake-action/subaction/matrix@v6
+        with:
+          target: validate-all
+
   validate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    needs:
+      - prepare
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.prepare.outputs.includes) }}
     steps:
-    - uses: actions/checkout@v5
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-    - name: Run validate-all
-      run: docker buildx bake validate-all
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      -
+        name: Validate
+        uses: docker/bake-action@v6
+        with:
+          targets: ${{ matrix.target }}

docker-bake.hcl

@@ -12,6 +12,12 @@ variable "DOCKER_HARDENED_IMAGES_KEYRING_VERSION" {
     description = "The git branch or commit hash of docker/hardened-images-keyring to use for DHI verification."
 }
 
+target "_common" {
+  args = {
+    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
+  }
+}
+
 target "tuf-root" {
     target = "tuf-root"
     output = [{
@@ -34,7 +40,7 @@ target "validate-tuf-root" {
 }
 
 group "validate-all" {
-  targets = ["lint", "lint-gopls", "validate-dockerfile", "validate-generated-files"]
+  targets = ["lint", "lint-gopls", "validate-vendor", "validate-dockerfile", "validate-generated-files"]
 }
 
 group "validate-generated-files" {
@@ -49,11 +55,19 @@ target "lint" {
   }
 }
 
+target "validate-vendor" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
 target "validate-dockerfile" {
   matrix = {
     dockerfile = [
       "Dockerfile",
       "./hack/dockerfiles/lint.Dockerfile",
+      "./hack/dockerfiles/vendor.Dockerfile"
     ]
   }
   name = "validate-dockerfile-${md5(dockerfile)}"
@@ -66,6 +80,21 @@ target "lint-gopls" {
     target = "gopls-analyze"
 }
 
+target "vendor" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "update"
+  output = ["."]
+}
+
+target "mod-outdated" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
+  target = "outdated"
+  no-cache-filter = ["outdated"]
+  output = ["type=cacheonly"]
+}
+
 target "binary" {
     target = "binary"
     platforms = [ "local" ]

hack/dockerfiles/vendor.Dockerfile

@@ -0,0 +1,46 @@
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION=1.25
+ARG ALPINE_VERSION=3.23
+ARG MODOUTDATED_VERSION=v0.9.0
+
+FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base
+RUN apk add --no-cache git rsync
+WORKDIR /src
+
+FROM base AS vendored
+RUN --mount=target=/context \
+    --mount=target=.,type=tmpfs  \
+    --mount=target=/go/pkg/mod,type=cache <<EOT
+  set -e
+  rsync -a /context/. .
+  go mod tidy
+  mkdir /out
+  cp -r go.mod go.sum /out
+EOT
+
+FROM scratch AS update
+COPY --from=vendored /out /
+
+FROM vendored AS validate
+RUN --mount=target=/context \
+    --mount=target=.,type=tmpfs <<EOT
+  set -e
+  rsync -a /context/. .
+  git add -A
+  cp -rf /out/* .
+  if [ -n "$(git status --porcelain -- go.mod go.sum)" ]; then
+    echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor"'
+    git status --porcelain -- go.mod go.sum
+    exit 1
+  fi
+EOT
+
+FROM --platform=linux/amd64 psampaz/go-mod-outdated:${MODOUTDATED_VERSION} AS go-mod-outdated-amd64
+
+FROM go-mod-outdated-amd64 AS go-mod-outdated
+FROM base AS outdated
+RUN --mount=target=.,rw \
+  --mount=target=/go/pkg/mod,type=cache \
+  --mount=from=go-mod-outdated,source=/usr/bin/go-mod-outdated,target=/usr/bin/go-mod-outdated \
+  go list -mod=mod -u -m -json all | go-mod-outdated -update -direct