Include git commit in oak containers system base image labels.

This will ensure that it's possible to trace images published to the Google Cloud Artifact Registry back to the git commit from which they were built. Actually including the git commit requires defining a bazel workspace status command (see https://bazel.build/docs/user-manual#workspace-status) and using an `expand_template` rule to dynamically populate labels (see https://github.com/bazel-contrib/rules_oci/blob/main/examples/labels/BUILD.bazel). The git commit will only be populated when `--stamp` is used; otherwise, the revision will be set to the fallback value "unknown". Bug: 332535604 Change-Id: I2445c91a16a12ec97ecbf0d92bc32d4cf7d53cea
project-oak · Apr 19, 2024 · a9a2314 · a9a2314
1 parent eae106c
commit a9a2314
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 1 deletion.
diff --git a/.bazelrc b/.bazelrc
@@ -18,3 +18,7 @@ build:clang-tidy --@bazel_clang_tidy//:clang_tidy_config=//:clang_tidy_config
 
 # Use nightly rustc by default
 build --@rules_rust//rust/toolchain/channel=nightly
+
+# Use a custom workspace status command so that the git revision is included in
+# stamped binaries.
+build --workspace_status_command=bazel/workspace_status_command.sh
diff --git a/WORKSPACE b/WORKSPACE
@@ -263,6 +263,10 @@ oci_pull(
     image = "europe-west2-docker.pkg.dev/oak-ci/oak-containers-sysimage-base/oak-containers-sysimage-base",
 )
 
+load("@aspect_bazel_lib//lib:repositories.bzl", "register_expand_template_toolchains")
+
+register_expand_template_toolchains()
+
 load("@//bazel:repositories.bzl", "oak_toolchain_repositories")
 
 oak_toolchain_repositories()

diff --git a/bazel/workspace_status_command.sh b/bazel/workspace_status_command.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# Copyright 2024 The Project Oak Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+echo "STABLE_GIT_COMMIT $(git rev-parse HEAD)"
diff --git a/oak_containers_system_image/BUILD b/oak_containers_system_image/BUILD
@@ -13,6 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+load("@aspect_bazel_lib//lib:expand_template.bzl", "expand_template")
 load("@oak//bazel:defs.bzl", "oci_runtime_bundle")
 load("@rules_oci//oci:defs.bzl", "oci_image", "oci_push")
 load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
@@ -69,9 +70,27 @@ filegroup(
     tags = ["noci"],
 )
 
+# Defines labels added to :oak_containers_sysimage_base. When built with
+# `--stamp`, overrides in `stamp_substitutions` override those in
+# `substitutions`; `stamp_substitutions` can access workspace status values
+# (https://bazel.build/docs/user-manual#workspace-status) populated by bazel or
+# //bazel:workspace_status_command.sh. Labels must conform to
+# https://github.com/opencontainers/image-spec/blob/main/annotations.md.
+expand_template(
+    name = "oak_containers_sysimage_base_labels",
+    out = "oak_containers_sysimage_base_labels.txt",
+    stamp_substitutions = {"{revision}": "{{STABLE_GIT_COMMIT}}"},
+    substitutions = {"{revision}": "unknown"},
+    template = [
+        "org.opencontainers.image.source=https://github.com/project-oak/oak",
+        "org.opencontainers.image.revision={revision}",
+    ],
+)
+
 oci_image(
     name = "oak_containers_sysimage_base",
     architecture = "amd64",
+    labels = ":oak_containers_sysimage_base_labels",
     os = "linux",
     # This rule will fail until build-base.sh has been run
     tags = ["noci"],

diff --git a/oak_containers_system_image/README.md b/oak_containers_system_image/README.md
@@ -32,7 +32,7 @@ avoiding the need for Docker when rebuilding a system image container.
 To update the base image and push it:
 
 1. ./oak_containers_system_image/build-base.sh
-2. bazel run oak_containers_system_image:push_base
+2. bazel run --stamp oak_containers_system_image:push_base
 
 ## Bazel-Based System Image Tools