feat: self-contained container image build

[COLDTURNIP]

Which issue(s) this PR fixes:

Supports security build.

What this PR does / why we need it:

• Merge binary building process into container build as a separate building stage.
• Prepare for potential secure release

Special notes for your reviewer:

The secrets provided by EIO MUST NOT present in any visible output.

Additional documentation or context

Guidance on achieving SLSA Level 3

Summary by CodeRabbit

• New Features

  • Enhanced the automated build process to capture version details and perform conditional image publishing based on deployment context.
  • Introduced automated image tagging to ensure releases are versioned accurately.

• Chores

  • Updated the build pipeline with refined targets and a new packaging script to streamline Docker image creation.
  • Improved overall build automation for enhanced efficiency and consistency in deployment workflows.
  • Added new variables and targets to support multi-platform builds.

[coderabbitai]

Warning

Rate limit exceeded

@COLDTURNIP has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 3 minutes and 16 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between dab0097 and 39f7a59.

📒 Files selected for processing (4)

• .github/workflows/build.yml (1 hunks)
• Dockerfile (1 hunks)
• Makefile (2 hunks)
• scripts/package (1 hunks)

Walkthrough

The pull request introduces enhancements to the CI/CD pipeline by adding a new job for collecting versioning information and modifying existing jobs for Docker image building. The Makefile is updated with new variables and targets to manage Docker buildx machines and to invoke a packaging script. Additionally, a new Bash script automates the Docker image build process by constructing and executing build commands based on various parameters and versioning logic.

Changes

File(s)	Change Summary
.github/.../build.yml	• Added a build_info job to extract and output versioning information. • Modified build_push_image (renamed to "Build and push image for community") to depend on build_info.
Makefile	• Introduced MACHINE and DEFAULT_PLATFORMS variables. • Added targets: buildx-machine, workflow-image-build-push, and workflow-image-build-push-secure using the new packaging process. • Refactored the build target to pull the base image and call the packaging script.
scripts/package	• New Bash script that automates the Docker image build. • Implements dynamic tag generation, assembles the build command with appropriate flags, and outputs the built image name to a file.
Dockerfile	• Added build argument ARG IS_SECURE and environment variable ENV IS_SECURE ${IS_SECURE} for secure builds.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as "Developer"
    participant GH as "GitHub Actions"
    participant BInfo as "build_info job"
    participant CommImg as "Community Image Job"
    
    Dev->>GH: Push commit or tag
    GH->>BInfo: Trigger version collection
    BInfo-->>GH: Return version variables
    GH->>CommImg: Trigger build & push community image

Loading

sequenceDiagram
    participant User as "Developer"
    participant Make as "Makefile Targets"
    participant Script as "Packaging Script"
    participant Docker as "Docker Buildx"
    
    User->>Make: Invoke buildx-machine target
    Make-->>User: Buildx machine prepared
    User->>Make: Run workflow-image-build-push target
    Make->>Script: Execute packaging script
    Script->>Docker: Build Docker image
    Docker-->>Script: Return build result
    Script-->>User: Output latest image info

Loading

Poem

I'm a bunny with ears so keen,
Hopping through workflows, smooth and clean.
Version tags and builds in a row,
Secure images now ready to go!
With scripts and targets, my heart does sing, 🐰
A joyful leap for every new thing!

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (1)

scripts/package (1)

40-42: Enhance security attestation handling

The secure build mode correctly adds SBOM and provenance attestation, but consider adding additional security measures.

 IFS=' ' read -r -a buildx_args <<<"$OUTPUT_ARGS"
-[[ $IS_SECURE == 'true' ]] && buildx_args+=('--sbom=true' '--attest' 'type=provenance,mode=max')
+[[ $IS_SECURE == 'true' ]] && buildx_args+=(
+  '--sbom=true'
+  '--attest' 'type=provenance,mode=max'
+  '--attest' 'type=vuln,scan-severity=CRITICAL'
+)
 [[ $TARGET_PLATFORMS ]] && buildx_args+=('--platform' "$TARGET_PLATFORMS")

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5374c53 and 7bb0ef3.

📒 Files selected for processing (3)

• .github/workflows/build.yml (1 hunks)
• Makefile (2 hunks)
• scripts/package (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/build.yml

64-64: property "build" is not defined in object type {build_info: {outputs: {image_tag: string; version_build: string; version_major: string; version_minor: string}; result: string}}

(expression)

---

76-76: property "build" is not defined in object type {build_info: {outputs: {image_tag: string; version_build: string; version_major: string; version_minor: string}; result: string}}

(expression)

---

93-93: property "build" is not defined in object type {build_info: {outputs: {image_tag: string; version_build: string; version_major: string; version_minor: string}; result: string}}

(expression)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Summary

🔇 Additional comments (3)

scripts/package (1)

1-2: LGTM: Good error handling setup

The script properly sets -e to exit on any error, which is crucial for build reliability.

Makefile (1)

34-37: LGTM: Well-structured secure build targets

The workflow targets properly separate secure and non-secure builds, with appropriate parameter passing.

.github/workflows/build.yml (1)

81-88: LGTM: Secure vault secret handling

The workflow properly uses vault secrets for registry credentials, keeping sensitive information secure.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/build.yml (1)

55-55: Review Redundant Condition in Build Job
The condition on line 55 (if: ${{ startsWith(github.ref, 'refs/heads/') || startsWith(github.ref, 'refs/tags/') }}) appears to allow both tag and branch builds. Confirm that this is intentional and that no unintended build triggers occur. If the condition is meant only as a safeguard, a brief comment in the YAML might help future maintainers understand its purpose.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7bb0ef3 and b948b14.

📒 Files selected for processing (3)

• .github/workflows/build.yml (1 hunks)
• Makefile (2 hunks)
• scripts/package (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• Makefile
• scripts/package

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Summary

🔇 Additional comments (5)

.github/workflows/build.yml (5)

36-36: Verify Environment Variable for Branch Handling
In the branch condition, image_tag is set using ${{ env.branch }}-head. Ensure that the branch environment variable is defined in the workflow context (or via another mechanism) so that the constructed tag is valid.

---

54-64: Correct Usage of Build Info Outputs in Image Publishing
The updated reference using needs.build_info.outputs.image_tag (line 64) correctly replaces the previous needs.build.outputs.image_tag, aligning with the output from the new build_info job.
Great job updating the dependency!

---

76-76: Ensure Accurate Trigger for Secure Image Build
The condition if: ${{ startsWith(github.ref, 'refs/tags/') && needs.build_info.outputs.version_build != '0' }} enforces that the secure image build runs only for tagged builds with a non-zero build version. Please verify that this logic fully captures the intended release criteria and that version_build is always set correctly by the version extraction step.

---

81-88: Secure Handling of Vault Secrets
The step that reads secrets using rancher-eio/read-vault-secrets@main appears well integrated. Just ensure that the secrets are never echoed or printed to the logs later in the process, maintaining their confidentiality as required by the PR's security objectives.

---

28-34: 🛠️ Refactor suggestion

⚠️ Potential issue

Secure and Robust Version Extraction
The current version extraction using a simple sed substitution may fail when processing the full ref (e.g. "refs/tags/v1.2.3"). Moreover, there is no explicit validation of the expected tag format, which could lead to unintended behavior if an unexpected ref is encountered.
Consider validating the ref format and then extracting the version using parameter expansion. For example:

-          ref=${{ github.ref }}
-          if [[ "$ref" =~ 'refs/tags/' ]]; then
-            version=$(sed -E 's/^v([0-9.]*)$/\1' <<<$ref )
-            version_major=$(cut -d. -f1 <<<$version)
-            version_minor=$(cut -d. -f2 <<<$version)
-            version_build=$(cut -d. -f3 <<<$version)
-            image_tag="$version"
+          ref=${{ github.ref }}
+          if [[ "$ref" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            version=${ref#refs/tags/v}
+            version_major=$(cut -d. -f1 <<<"$version")
+            version_minor=$(cut -d. -f2 <<<"$version")
+            version_build=$(cut -d. -f3 <<<"$version")
+            image_tag="$version"
+          elif [[ "$ref" =~ ^refs/heads/ ]]; then
+            image_tag=${{ env.branch }}-head
+          else
+            echo "Unrecognized ref format: $ref" >&2
+            exit 1
          fi

This change both validates the input and simplifies the extraction.

Likely invalid or redundant comment.

[houhoucoop]

Cam we allow engineers to use make IS_SECURE=true run to test the production build locally?

[COLDTURNIP]

We still provide build target for local development, and the flag can be passed through envvar, e.g.:

export IS_SECURE=true
make build

[houhoucoop]

Tested that we can retrieve IS_SECURE from the environment and use it in the codebase.