Feature: Use `google/ko` instead of `Dockerfile`

[azeemshaikh38]

Simplify our workflows and instead of Dockerfiles use google/ko.

[naveensrinivasan]

@dlorenc Does ko support tags? The cork job uses couple of tags to “latest” and “stable” to differentiate which between test runs?

[developer-guy]

@dlorenc Does ko support tags? The cork job uses couple of tags to “latest” and “stable” to differentiate which between test runs?

hello @naveensrinivasan, yes google/ko work with tags, let me give you an example:

$ KO_DOCKER_REPO=docker.io/devopps ko publish -B --tags latest,0.3.3,v0 github.com/GoTurkiye/hello-world-cli

Output

[naveensrinivasan]

Thank you @developer-guy!

[developer-guy]

btw @naveensrinivasan, we can do this if you want us to do, we are looking for an opportunity to contribute 🤩 👀

[naveensrinivasan]

@developer-guy Thank you! I am assigning it to you. Let me know if you have any questions.

Just an FYI there are multiple Dockerfiles in different directories. It would be great if the new ones can support Multi-Platform Images as an option.

KO_DATA_DATE_EPOCH would be useful for reproducibility https://github.com/ossf/scorecard/blob/6c1c789dc5b05cde492334f57b53807c786b038a/scripts/version-ldflags#L24

[azeemshaikh38]

Thanks for your interest in Scorecard @developer-guy and thank you for taking up this issue. Feel free to add this issue to #1121 where we are discussing our next milestone.

[developer-guy]

hello @naveensrinivasan @azeemsgoogle, I did a bunch of things in the PR but I'm not sure about what I did, so, I just want to discuss a bit about the changes that I did in here:

• I edited the dockerbuild target within the Makefile to use google/ko for building container images with cross-platform support enabled of the scorecard project. There are some limitations in google/ko, especially related to ldflags.
• I edited the GitHub Action ( .github/workflows/integration.yml) to enable google/ko support.
• I removed SOURCE_DATE_EPOCH variable from the scorecard/scripts/version-ldflags to use it within the Makefile for environment variable KO_DATA_DATE_EPOCH.

[azeemshaikh38]

Here's a suggestion - how about we start with a simple PR first which does the following:

1. Introduces a .ko.yaml file with the right ldflags and other build settings.
2. Adds a new step to dockerbuild in Makefile, which generates a local scorecard-ko image using ko.
3. Adds a step in the Makefile which diffs the images scorecard-ko and scorecard (image from Dockerfile). Consider using a tool like container-diff.

At this point, we'll have a basic setup to generate and test the scorecard-ko image. If there are important diffs in this image, we can iterate until these diffs are fixed. Once, that is accomplished we can attack the problem of replacing CloudBuild with ko. Repeat for all other Dockerfiles. Wdyt? @naveensrinivasan @developer-guy

[naveensrinivasan]

Here's a suggestion - how about we start with a simple PR first which does the following:

1. Introduces a .ko.yaml file with the right ldflags and other build settings.
2. Adds a new step to dockerbuild in Makefile, which generates a local scorecard-ko image using ko.
3. Adds a step in the Makefile which diffs the images scorecard-ko and scorecard (image from Dockerfile). Consider using a tool like container-diff.

At this point, we'll have a basic setup to generate and test the scorecard-ko image. If there are important diffs in this image, we can iterate until these diffs are fixed. Once, that is accomplished we can attack the problem of replacing CloudBuild with ko. Repeat for all other Dockerfiles. Wdyt? @naveensrinivasan @developer-guy

I agree with the plan @azeemshaikh38! Thanks

[developer-guy]

Hello @naveensrinivasan @azeemshaikh38, thank you so much for helping me.

[x] - Introduces a .ko.yaml file with the right ldflags and other build settings. [x] - Adds a new step to dockerbuild in Makefile, which generates a local scorecard-ko image using ko. [ ] - Adds a step in the Makefile which diffs the images scorecard-ko and scorecard (image from Dockerfile). Consider using a tool like container-diff.

IMHO, this commit resolves the ones that I put [x] in front of it. I'll make the third one ASAP because there are some problems with the image name that ko was built via the --local flag.

Here is why 👇 👀 https://github.com/GoogleContainerTools/container-diff/issues/366

[azeemshaikh38]

A great find by @naveensrinivasan. Adding here since its somewhat relevant to this issue - https://github.com/ImJasonH/ImJasonH/tree/main/articles/moving-and-building-images

[naveensrinivasan]

Thanks @ImjasonH

[naveensrinivasan]

Adds a step in the Makefile which diffs the images scorecard-ko and scorecard (image from Dockerfile). Consider using a tool like container-diff.

Thanks, @developer-guy! Can we skip this for this PR? @azeemshaikh38 Thoughts?

[azeemshaikh38]

Sure we can skip it for this PR.

[azeemshaikh38]

Re-opening this since I assume there is more to be done here. Is that correct @naveensrinivasan ?

[github-actions[bot]]

Stale issue message

[developer-guy]

Kindly ping @naveensrinivasan; what needs to be done? 🙏

[github-actions[bot]]

This issue is stale because it has been open for 60 days with no activity.