{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "pkg:golang/github.com/google/ko@(devel)?type=module",
      "type": "application",
      "name": "github.com/google/ko",
      "version": "(devel)",
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "pkg:golang/github.com/google/ko@(devel)?type=module",
      "type": "application",
      "name": "github.com/google/ko",
      "version": "(devel)",
$ curl -s https://api.github.com/repos/tektoncd/pipeline/releases\?count\=1000 | jq -r '.[].assets[] | "\(.browser_download_url)\t\(.download_count)"' | grep release.yaml | sort
https://github.com/tektoncd/pipeline/releases/download/v0.17.3/release.yaml 79
https://github.com/tektoncd/pipeline/releases/download/v0.18.0/release.yaml 319
https://github.com/tektoncd/pipeline/releases/download/v0.18.1/release.yaml 620
https://github.com/tektoncd/pipeline/releases/download/v0.19.0/release.yaml 4831
https://github.com/tektoncd/pipeline/releases/download/v0.20.0/release.yaml 171
https://github.com/tektoncd/pipeline/releases/download/v0.20.1/release.yaml 1994
https://github.com/tektoncd/pipeline/releases/download/v0.21.0/release.yaml 1093
https://github.com/tektoncd/pipeline/releases/download/v0.22.0/release.yaml 603
https://github.com/tektoncd/pipeline/releases/download/v0.23.0/release.yaml 28028
// You can edit this code!
// Click here and start typing.
package main
import (
	"errors"
	"fmt"
)
var myerr = errors.New("error!")
# find a signed image
$ img=ghcr.io/shipwright-io/build/shipwright-build-controller@sha256:887b76092d0e6f3c4f4c7b781589f41fde1c967ae9ae62f3a6bdbb18251a562f
# find its signature object
$ sigimg=$(cosign triangulate $img)
# see that object's manifest -- it's an image with one layer of type `application/vnd.dev.cosign.simplesigning.v1+json`
$ crane manifest $sigimg | jq
...
"layers": [
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3
[[package]]
name = "aho-corasick"
version = "0.7.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
dependencies = [
Combining manifest list with crane
and docker manifest create
Usage:
./combine.sh <out> <manifest-list-1> <manifest-list-2> ...
Example:
$ echo "defaultBaseImage: gcr.io/imjasonh/combined" > .ko.yaml
$ export KO_DOCKER_REPO=gcr.io/imjasonh
$ ko publish ./ --platform=all
2022/01/03 16:32:50 Using base gcr.io/imjasonh/combined for github.com/vmware-tanzu/sonobuoy
2022/01/03 16:32:52 Building github.com/vmware-tanzu/sonobuoy for windows/amd64
2022/01/03 16:32:52 Building github.com/vmware-tanzu/sonobuoy for windows/amd64
2022/01/03 16:32:52 Building github.com/vmware-tanzu/sonobuoy for windows/amd64
2022/01/03 16:32:53 Building github.com/vmware-tanzu/sonobuoy for linux/ppc64le
2022/01/03 16:32:53 Building github.com/vmware-tanzu/sonobuoy for linux/s390x
2022/01/03 16:32:53 Building github.com/vmware-tanzu/sonobuoy for linux/arm
go.sum
Cosmetic change: ko build
- aligns with go build, pack build, docker build
- ko publish will keep working forever
KOCACHE
- ko will cache recently built binaries in $KOCACHE, if set, along with some metadata that can avoid rebuilds and layer pushes when code hasn't changed.
- no-op build takes 3s
Improved SBOMs
- ko build automatically uploads SBOMs in SPDX format