Merge branch 'main' into feature/protected-branches

ossf · Jan 5, 2021 · 5d84b86 · 5d84b86
2 parents 9ce57c0 + b86fae0
commit 5d84b86
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 8 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -11,12 +11,22 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang
-COPY . /go/src/github.com/ossf/scorecard
-WORKDIR /go/src/github.com/ossf/scorecard
-RUN [ "go", "build", "."]
 
-FROM gcr.io/cloud-builders/gsutil
-WORKDIR /go/src/github.com/ossf/scorecard
-COPY --from=0 /go/src/github.com/ossf/scorecard /go/src/github.com/ossf/scorecard
-ENTRYPOINT [ "./scorecard" ]
+# syntax = docker/dockerfile:1-experimental
+
+FROM --platform=${BUILDPLATFORM} golang:1.15 as base
+WORKDIR /src
+ENV CGO_ENABLED=0
+COPY go.* .
+RUN go mod download
+COPY . .
+
+FROM base AS build
+ARG TARGETOS
+ARG TARGETARCH
+RUN --mount=type=cache,target=/root/.cache/go-build \
+  GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o /out/scorecard .
+
+FROM gcr.io/distroless/base:nonroot
+COPY --from=build /out/scorecard /
+ENTRYPOINT [ "/scorecard" ]
diff --git a/README.md b/README.md
@@ -177,6 +177,10 @@ These may be specified with the `--format` flag.
 - Any criteria in the scorecard must be actionable. It should be possible, with help, for any project to "check all the boxes".
 - Any solution to compile a scorecard should be usable by the greater open source community to monitor upstream security.
 
+## Docker
+
+- The Dockerfile in the root directory utilizes [experimental features](https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md) which is available in Docker v18.09 or later.
+
 ## Contributing
 
 If you want to get involved or have ideas you'd like to chat about, we discuss this project in the [OSSF Best Practices Working Group](https://github.com/ossf/wg-best-practices-os-developers) meetings.

diff --git a/cron/Dockerfile b/cron/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2020 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM golang:1.15 as app
+COPY . /go/src/github.com/ossf/scorecard
+WORKDIR /go/src/github.com/ossf/scorecard
+RUN [ "go", "build", "."]
+
+FROM gcr.io/cloud-builders/gsutil
+WORKDIR /go/src/github.com/ossf/scorecard
+COPY --from=app /go/src/github.com/ossf/scorecard /go/src/github.com/ossf/scorecard
+ENTRYPOINT [ "./scorecard" ]