diff --git a/.test/meta-commands/out.sh b/.test/meta-commands/out.sh
index bdc4008..6313ad0 100644
--- a/.test/meta-commands/out.sh
+++ b/.test/meta-commands/out.sh
@@ -3,26 +3,17 @@ # # -SOURCE_DATE_EPOCH=1700741054 \ - docker buildx build --progress=plain \ +docker buildx build --progress=plain \ --provenance=mode=max,builder-id='https://github.com/docker-library' \ --output '"type=oci","dest=temp.tar"' \ - --annotation 'org.opencontainers.image.source=https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/cli' \ - --annotation 'org.opencontainers.image.revision=6d541d27b5dd12639e5a33a675ebca04d3837d74' \ - --annotation 'org.opencontainers.image.created=2023-11-23T12:04:14Z' \ - --annotation 'org.opencontainers.image.version=24.0.7-cli' \ - --annotation 'org.opencontainers.image.url=https://hub.docker.com/_/docker' \ - --annotation 'com.docker.official-images.bashbrew.arch=amd64' \ - --annotation 'org.opencontainers.image.base.name=alpine:3.18' \ - --annotation 'org.opencontainers.image.base.digest=sha256:d695c3de6fcd8cfe3a6222b0358425d40adfd129a8a47c3416faff1a8aece389' \ - --annotation 'manifest-descriptor:org.opencontainers.image.source=https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/cli' \ - --annotation 'manifest-descriptor:org.opencontainers.image.revision=6d541d27b5dd12639e5a33a675ebca04d3837d74' \ - --annotation 'manifest-descriptor:org.opencontainers.image.created=1970-01-01T00:00:00Z' \ - --annotation 'manifest-descriptor:org.opencontainers.image.version=24.0.7-cli' \ - --annotation 'manifest-descriptor:org.opencontainers.image.url=https://hub.docker.com/_/docker' \ - --annotation 'manifest-descriptor:com.docker.official-images.bashbrew.arch=amd64' \ - --annotation 'manifest-descriptor:org.opencontainers.image.base.name=alpine:3.18' \ - --annotation 'manifest-descriptor:org.opencontainers.image.base.digest=sha256:d695c3de6fcd8cfe3a6222b0358425d40adfd129a8a47c3416faff1a8aece389' \ + --annotation 
'manifest,manifest-descriptor:org.opencontainers.image.source=https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/cli' \ + --annotation 'manifest,manifest-descriptor:org.opencontainers.image.revision=6d541d27b5dd12639e5a33a675ebca04d3837d74' \ + --annotation 'manifest,manifest-descriptor:org.opencontainers.image.created=1970-01-01T00:00:00Z' \ + --annotation 'manifest,manifest-descriptor:org.opencontainers.image.version=24.0.7-cli' \ + --annotation 'manifest,manifest-descriptor:org.opencontainers.image.url=https://hub.docker.com/_/docker' \ + --annotation 'manifest,manifest-descriptor:com.docker.official-images.bashbrew.arch=amd64' \ + --annotation 'manifest,manifest-descriptor:org.opencontainers.image.base.name=alpine:3.18' \ + --annotation 'manifest,manifest-descriptor:org.opencontainers.image.base.digest=sha256:d695c3de6fcd8cfe3a6222b0358425d40adfd129a8a47c3416faff1a8aece389' \ --tag 'docker:24.0.7-cli' \ --tag 'docker:24.0-cli' \ --tag 'docker:24-cli' \ @@ -64,8 +55,7 @@ docker pull 'mcr.microsoft.com/windows/servercore@sha256:d4ab2dd7d3d0fce6edc5df4 docker tag 'mcr.microsoft.com/windows/servercore@sha256:d4ab2dd7d3d0fce6edc5df459565a4c96bbb1d0148065b215ab5ddcab1e42eb4' 'mcr.microsoft.com/windows/servercore:ltsc2022' # # -SOURCE_DATE_EPOCH=1700741054 \ - DOCKER_BUILDKIT=0 \ +DOCKER_BUILDKIT=0 \ docker build \ --tag 'docker:24.0.7-windowsservercore-ltsc2022' \ --tag 'docker:24.0-windowsservercore-ltsc2022' \ diff --git a/meta.jq b/meta.jq index bb1c2d9..fb93445 100644 --- a/meta.jq +++ b/meta.jq 
@@ -79,7 +79,15 @@ def build_annotations($buildUrl): # https://github.com/opencontainers/image-spec/blob/v1.1.0/annotations.md#pre-defined-annotation-keys "org.opencontainers.image.source": $buildUrl, "org.opencontainers.image.revision": .source.entries[0].GitCommit, - "org.opencontainers.image.created": (.source.entries[0].SOURCE_DATE_EPOCH | strftime("%FT%TZ")), # see notes below about image index vs image manifest + "org.opencontainers.image.created": ( + if .source.entries[0].Builder == "oci-import" then + .source.entries[0].SOURCE_DATE_EPOCH + else + env.SOURCE_DATE_EPOCH // now + | tonumber + end + | strftime("%FT%TZ") + ), # TODO come up with less assuming values here? (Docker Hub assumption, tag ordering assumption) "org.opencontainers.image.version": ( # value of the first image tag @@ -138,7 +146,6 @@ def build_command: | [ ( [ - @sh "SOURCE_DATE_EPOCH=\(.source.entries[0].SOURCE_DATE_EPOCH)", # TODO EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=<(jq ...) "docker buildx build --progress=plain", @sh "--provenance=mode=max,builder-id=\(buildkit_provenance_builder_id)", 
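Review bot: The new `else` branch of `org.opencontainers.image.created` takes its timestamp from the generator's environment or the wall clock, and nothing in the hunk explains why `oci-import` is the one case that keeps the source's `SOURCE_DATE_EPOCH`; the deleted trailing comment was the only pointer to that reasoning. Because a later hunk in this file applies the same value to the image manifest as well as the descriptor, the manifest digest appears to depend on when and where the command was generated, which matters to anyone rebuilding an image to verify it. A comment above the `if` such as `# non-import builds: created = SOURCE_DATE_EPOCH from the caller's environment, else "now"; pin it when rebuilding for verification` would record that. Separately, an exported but empty `SOURCE_DATE_EPOCH` is a string, so `//` does not fall back to `now` and `tonumber` receives `""`; `(env.SOURCE_DATE_EPOCH | select(length > 0)) // now | tonumber` covers that case. build_annotations starts and ends outside the hunk.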
@@ -156,24 +163,8 @@ def build_command: ), ( build_annotations($buildUrl) - | to_entries - # separate loops so that "image manifest" annotations are grouped separate from the index/descriptor annotations (easier to read) - | ( - .[] - | @sh "--annotation \(.key + "=" + .value)" - ), - ( - .[] - | @sh "--annotation \( - "manifest-descriptor:" + .key + "=" - + if .key == "org.opencontainers.image.created" then - # the "current" time breaks reproducibility (for the purposes of build verification), so we put "now" in the image index but "SOURCE_DATE_EPOCH" in the image manifest (which is the thing we'd ideally like to have reproducible, eventually) - (env.SOURCE_DATE_EPOCH // now) | tonumber | strftime("%FT%TZ") - # (this assumes the actual build is going to happen shortly after generating the command) - else .value end - )", - empty - ) + | to_entries[] + | @sh "--annotation \("manifest,manifest-descriptor:\(.key + "=" + .value)")" ), ( ( @@ -229,7 +220,6 @@ def build_command: | [ ( [ - @sh "SOURCE_DATE_EPOCH=\(.source.entries[0].SOURCE_DATE_EPOCH)", "DOCKER_BUILDKIT=0", "docker build", (
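Review bot: The nested interpolation in `@sh "--annotation \("manifest,manifest-descriptor:\(.key + "=" + .value)")"` is hard to read on the one line responsible for shell-quoting annotation values. Plain concatenation, `| @sh "--annotation \("manifest,manifest-descriptor:" + .key + "=" + .value)"`, yields the same single quoted argument and makes it obvious that the whole string passes through `@sh`. The comma-separated `manifest,manifest-descriptor:` prefix also assumes a buildx that accepts a list of annotation levels, so a short comment stating that requirement would save a confusing failure on an older builder. build_command begins and ends outside the hunk.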