imjasonh

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "pkg:golang/github.com/google/ko@(devel)?type=module",
      "type": "application",
      "name": "github.com/google/ko",
      "version": "(devel)",

imjasonh

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "pkg:golang/github.com/google/ko@(devel)?type=module",
      "type": "application",
      "name": "github.com/google/ko",
      "version": "(devel)",

imjasonh

$ curl -s https://api.github.com/repos/tektoncd/pipeline/releases\?count\=1000 | jq -r '.[].assets[] | "\(.browser_download_url)\t\(.download_count)"' | grep release.yaml | sort                                              
https://github.com/tektoncd/pipeline/releases/download/v0.17.3/release.yaml	79
https://github.com/tektoncd/pipeline/releases/download/v0.18.0/release.yaml	319
https://github.com/tektoncd/pipeline/releases/download/v0.18.1/release.yaml	620
https://github.com/tektoncd/pipeline/releases/download/v0.19.0/release.yaml	4831
https://github.com/tektoncd/pipeline/releases/download/v0.20.0/release.yaml	171
https://github.com/tektoncd/pipeline/releases/download/v0.20.1/release.yaml	1994
https://github.com/tektoncd/pipeline/releases/download/v0.21.0/release.yaml	1093
https://github.com/tektoncd/pipeline/releases/download/v0.22.0/release.yaml	603
https://github.com/tektoncd/pipeline/releases/download/v0.23.0/release.yaml	28028

imjasonh

// You can edit this code!
// Click here and start typing.
package main

import (
	"errors"
	"fmt"
)

var myerr = errors.New("error!")

imjasonh

# find a signed image
$ img=ghcr.io/shipwright-io/build/shipwright-build-controller@sha256:887b76092d0e6f3c4f4c7b781589f41fde1c967ae9ae62f3a6bdbb18251a562f

# find its signature object
$ sigimg=$(cosign triangulate $img)

# see that object's manifest -- it's an image with one layer of type `application/vnd.dev.cosign.simplesigning.v1+json`
$ crane manifest $sigimg | jq
...
  "layers": [

imjasonh

# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "aho-corasick"
version = "0.7.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
dependencies = [

imjasonh

Combining manifest list with crane and docker manifest create

Usage:

./combine.sh <out> <manifest-list-1> <manifest-list-2> ...

Example:

imjasonh

$ echo "defaultBaseImage: gcr.io/imjasonh/combined" > .ko.yaml
$ export KO_DOCKER_REPO=gcr.io/imjasonh
$ ko publish ./ --platform=all
2022/01/03 16:32:50 Using base gcr.io/imjasonh/combined for github.com/vmware-tanzu/sonobuoy
2022/01/03 16:32:52 Building github.com/vmware-tanzu/sonobuoy for windows/amd64
2022/01/03 16:32:52 Building github.com/vmware-tanzu/sonobuoy for windows/amd64
2022/01/03 16:32:52 Building github.com/vmware-tanzu/sonobuoy for windows/amd64
2022/01/03 16:32:53 Building github.com/vmware-tanzu/sonobuoy for linux/ppc64le
2022/01/03 16:32:53 Building github.com/vmware-tanzu/sonobuoy for linux/s390x
2022/01/03 16:32:53 Building github.com/vmware-tanzu/sonobuoy for linux/arm

imjasonh

go.sum

imjasonh

Cosmetic change: ko build
- aligns with go build, pack build, docker build
- ko publish will keep working forever

KOCACHE
- ko will cache recently built binaries in $KOCACHE, if set, along with some metadata that can avoid rebuilds and layer pushes when code hasn't changed.
- no-op build takes 3s

Improved SBOMs
- ko build automatically uploads SBOMs in SPDX format