ci(dockerhub): secure sha256 references and multi-layer caching

- Use sha256 references that can be automatically updated by dependabot
- Use buildkit's cacheFrom and cacheTo to increase difficulty of supply chain attacks

Co-authored-by: Tim Beyer <[email protected]>

.circleci/config.yml

@@ -413,7 +413,7 @@ jobs:
       - deploy:
           name: Build and test docker images
           command: |
-            bash support/docker-bake-test.sh
+            bash support/docker-bake-test.sh $CIRCLE_BRANCH
   dockerhub-release:
     <<: *node-config
     steps:
@@ -428,7 +428,7 @@ jobs:
           command: |
             # bonsai edge
             if [ "$CIRCLE_BRANCH" == "0.13" ]; then
-              MAJOR_VERSION=0 MINOR_VERSION=13 PRERELEASE=edge CODENAME=bonsai \
+              MAJOR_VERSION=0 MINOR_VERSION=13 PRERELEASE=edge CODENAME=bonsai BRANCH_NAME=$CIRCLE_BRANCH \
                 docker buildx bake --push --progress=plain -f support/docker-bake.hcl all
             fi
 

support/alpine-builder.Dockerfile

@@ -1,6 +1,5 @@
 # Note: This is used by build-pkg.ts, and is not usable as a Garden container
-ARG NODE_VERSION=18-alpine3.17
-FROM node:${NODE_VERSION} as builder
+FROM node:18-alpine@sha256:44aaf1ccc80eaed6572a0f2ef7d6b5a2982d54481e4255480041ac92221e2f11 as builder
 
 RUN apk add --no-cache \
   ca-certificates \

support/alpine.Dockerfile

@@ -1,7 +1,7 @@
 #
 # garden-base
 #
-FROM node:18-alpine3.17 as garden-alpine-base
+FROM node:18-alpine@sha256:44aaf1ccc80eaed6572a0f2ef7d6b5a2982d54481e4255480041ac92221e2f11 as garden-alpine-base
 
 RUN apk add --no-cache \
   bash \
@@ -35,7 +35,7 @@ RUN chmod +x /garden/garden \
 
 ENTRYPOINT ["/garden/garden"]
 
-FROM python:3.8-alpine AS aws-builder
+FROM python:3.8-alpine@sha256:4912e629ee15ae93787756afb2e02b040448a86eadcb00bb542a7e81cbb2d8f8 AS aws-builder
 
 ENV AWSCLI_VERSION=2.11.18
 
@@ -68,7 +68,7 @@ RUN curl -o aws-iam-authenticator https://amazon-eks.s3.us-west-2.amazonaws.com/
 #
 # gcloud base
 #
-FROM google/cloud-sdk:430.0.0-alpine as gcloud-base
+FROM google/cloud-sdk:430.0.0-alpine@sha256:10bbf2db2828f7ce67ce49e4704b6225634319b9efef02d9a90185e107aef662 as gcloud-base
 
 RUN gcloud components install kubectl gke-gcloud-auth-plugin --quiet
 

support/buster.Dockerfile

@@ -1,4 +1,4 @@
-FROM node:18.16.0-buster as buster-base
+FROM node:18-buster@sha256:9b982ad25de81f86da9c47fd057e15f980036343ad45e602ead9926eea0d64ff as buster-base
 
 # system dependencies
 RUN set -ex; \

support/docker-bake-test.sh

@@ -2,6 +2,8 @@
 
 set -x -e -o pipefail
 
+export BRANCH_NAME=$1
+
 # Bash test framework. Sorry :D
 fail() {
   echo "FAIL: $@"

support/docker-bake.hcl

@@ -1,10 +1,17 @@
+##
+## Parameters
+##
+
 // required
 variable "CODENAME" {
 }
 variable "MINOR_VERSION" {
 }
 variable "MAJOR_VERSION" {
 }
+variable "BRANCH_NAME" {
+  default = ""
+}
 
 // optional
 variable "PATCH_VERSION" {
@@ -14,6 +21,10 @@ variable "PRERELEASE" {
   default = ""
 }
 
+##
+## Helpers
+##
+
 function "isProductionRelease" {
   params = []
   result = PRERELEASE == ""
@@ -59,16 +70,22 @@ function "repository" {
   result = [for t in tags : "${repository}:${t}"]
 }
 
-group "all" {
-  targets = ["alpine", "buster"]
+function "cacheFrom" {
+  params = [repository, flavor]
+  result = "type=registry,ref=${repository}:_buildcache_${flavor}"
 }
 
-target "buster" {
-  dockerfile = "../../support/buster.Dockerfile"
-  target     = "buster-base"
-  platforms  = ["linux/amd64"]
-  context    = "dist/linux-amd64"
-  tags       = repository("gardendev/garden", tags("buster"))
+function "cacheTo" {
+  params = [repository, flavor]
+  result = "${BRANCH_NAME == "0.13" || BRANCH_NAME == "main" ? "${cacheFrom(repository, flavor)},mode=max" : ""}"
+}
+
+##
+## Groups
+##
+
+group "all" {
+  targets = ["alpine", "buster"]
 }
 
 group "alpine" {
@@ -82,40 +99,66 @@ group "alpine" {
   ]
 }
 
+##
+## Images
+##
+
+target "buster" {
+  dockerfile = "../../support/buster.Dockerfile"
+  target     = "buster-base"
+  platforms  = ["linux/amd64"]
+  context    = "dist/linux-amd64"
+  tags       = repository("gardendev/garden", tags("buster"))
+  cache-from = cacheFrom("gardendev/garden", "buster")
+  cache-to   = cacheTo("gardendev/garden", "buster")
+}
+
 target "alpine-base" {
   dockerfile = "../../support/alpine.Dockerfile"
   target     = "garden-alpine-base"
   platforms  = ["linux/amd64"]
   context    = "dist/alpine-amd64"
   tags       = repository("gardendev/garden", withLatest(tags("alpine")))
+  cache-from = cacheFrom("gardendev/garden", "alpine")
+  cache-to   = cacheTo("gardendev/garden", "alpine")
 }
 
 target "alpine-aws" {
-  inherits = ["alpine-base"]
-  target   = "garden-aws"
-  tags     = repository("gardendev/garden-aws", withLatest(tags("alpine")))
+  inherits   = ["alpine-base"]
+  target     = "garden-aws"
+  tags       = repository("gardendev/garden-aws", withLatest(tags("alpine")))
+  cache-from = cacheFrom("gardendev/garden-aws", "alpine")
+  cache-to   = cacheTo("gardendev/garden-aws", "alpine")
 }
 
 target "alpine-azure" {
-  inherits = ["alpine-base"]
-  target   = "garden-azure"
-  tags     = repository("gardendev/garden-azure", withLatest(tags("alpine")))
+  inherits   = ["alpine-base"]
+  target     = "garden-azure"
+  tags       = repository("gardendev/garden-azure", withLatest(tags("alpine")))
+  cache-from = cacheFrom("gardendev/garden-azure", "alpine")
+  cache-to   = cacheTo("gardendev/garden-azure", "alpine")
 }
 
 target "alpine-gcloud" {
-  inherits = ["alpine-base"]
-  target   = "garden-gcloud"
-  tags     = repository("gardendev/garden-gcloud", withLatest(tags("alpine")))
+  inherits   = ["alpine-base"]
+  target     = "garden-gcloud"
+  tags       = repository("gardendev/garden-gcloud", withLatest(tags("alpine")))
+  cache-from = cacheFrom("gardendev/garden-gcloud", "alpine")
+  cache-to   = cacheTo("gardendev/garden-gcloud", "alpine")
 }
 
 target "alpine-aws-gcloud" {
-  inherits = ["alpine-base"]
-  target   = "garden-aws-gcloud"
-  tags     = repository("gardendev/garden-aws-gcloud", withLatest(tags("alpine")))
+  inherits   = ["alpine-base"]
+  target     = "garden-aws-gcloud"
+  tags       = repository("gardendev/garden-aws-gcloud", withLatest(tags("alpine")))
+  cache-from = cacheFrom("gardendev/garden-aws-gcloud", "alpine")
+  cache-to   = cacheTo("gardendev/garden-aws-gcloud", "alpine")
 }
 
 target "alpine-aws-gcloud-azure" {
-  inherits = ["alpine-base"]
-  target   = "garden-aws-gcloud-azure"
-  tags     = repository("gardendev/garden-aws-gcloud-azure", withLatest(tags("alpine")))
+  inherits   = ["alpine-base"]
+  target     = "garden-aws-gcloud-azure"
+  tags       = repository("gardendev/garden-aws-gcloud-azure", withLatest(tags("alpine")))
+  cache-from = cacheFrom("gardendev/garden-aws-gcloud-azure", "alpine")
+  cache-to   = cacheTo("gardendev/garden-aws-gcloud-azure", "alpine")
 }