
feat: unify machine buildx pipeline and enable sbom+provenance publish#362

Merged
jferrazbr merged 2 commits into rancher:master from jferrazbr:slsa-initiative
Mar 11, 2026

Conversation

@jferrazbr

Issue

Problem

The repository had diverging build and publish paths:

  • local binary/artifact builds and image publishing were not fully aligned
  • release publishing flow differed from the standard publish-image approach used in other Rancher repos

Solution

Unify build and publish around a single self-contained BuildKit path:

  • Introduce one shared Makefile buildx call reused by:
    • build (non-CROSS path)
    • push-image
  • Build binaries inside package/Dockerfile multi-stage targets, then export binaries from a dedicated machine-binary stage for local artifacts.
  • Keep SBOM + provenance enabled in push-image:
    • --sbom=true
    • --attest type=provenance,mode=max
  • Align release publishing with rancher/ecm-distro-tools/actions/publish-image.
  • Remove legacy Dapper artifacts no longer needed by the new flow (Dockerfile.dapper, scripts/entry).

Testing

Manual Testing

Executed locally:

  • make ci ARCH=amd64
  • make build ARCH=amd64
  • make build ARCH=arm64

Local registry push validation with attestations:

  • REPO=127.0.0.1:5000/rancher TAG=sbom-prov TARGET_PLATFORMS=linux/amd64 make push-image

Verified pushed OCI artifacts include:

  • image manifest,
  • attestation manifest.

Verified attestation predicate types from registry blobs:

  • https://spdx.dev/Document
  • https://slsa.dev/provenance/v0.2

Engineering Testing

Manual Verification Evidence

  • docker buildx imagetools inspect --raw <image> shows attestation-manifest.
  • Direct registry blob inspection confirms SBOM and provenance predicates are present.

jferrazbr requested review from a team, March 6, 2026 22:01
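The registry-side checks reported above (image manifest plus attestation manifest in the index, SPDX and SLSA provenance v0.2 predicate types in the blobs) can be scripted against the JSON that docker buildx imagetools inspect --raw and the registry blob API return. The following is an added example written for this page; it is not code from rancher/machine or from this PR. It assumes BuildKit's published layout: the attestation manifest is an index entry annotated vnd.docker.reference.type=attestation-manifest and vnd.docker.reference.digest=<image manifest digest>, and each in-toto statement layer is annotated in-toto.io/predicate-type. It goes a step beyond the PR's manual check by also verifying that every blob hashes to its descriptor digest and that each statement's subject is the image manifest it claims to cover. The registry is an in-memory dict of constructed sample blobs, and the image name and helper names (missing_attestations, build_sample_registry) are the example's own.

```python
import hashlib
import json

# Layout BuildKit uses when publishing SBOM/provenance next to an image
# (docker buildx build --sbom=true --attest type=provenance,mode=max --push).
REF_TYPE = "vnd.docker.reference.type"
REF_DIGEST = "vnd.docker.reference.digest"
PREDICATE_ANNOTATION = "in-toto.io/predicate-type"
IN_TOTO_MEDIA_TYPE = "application/vnd.in-toto+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
SPDX_PREDICATE = "https://spdx.dev/Document"
SLSA_PREDICATE = "https://slsa.dev/provenance/v0.2"
REQUIRED_PREDICATES = (SPDX_PREDICATE, SLSA_PREDICATE)


def digest_of(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()


def fetch_blob(store, digest):
    """Read a blob from the registry (here an in-memory dict) and reject content that does not hash to its digest."""
    data = store[digest]
    if digest_of(data) != digest:
        raise ValueError(f"blob {digest} does not match its content")
    return data


def is_attestation(descriptor):
    return descriptor.get("annotations", {}).get(REF_TYPE) == "attestation-manifest"


def image_manifest(index, platform):
    """Pick the runnable image manifest for 'os/arch', skipping attestation manifests."""
    os_name, arch = platform.split("/")
    for m in index["manifests"]:
        p = m.get("platform", {})
        if not is_attestation(m) and p.get("os") == os_name and p.get("architecture") == arch:
            return m
    raise LookupError(f"no image manifest for {platform}")


def predicate_types(store, att_manifest, image_digest):
    """Map predicateType -> blob digest for each in-toto statement layer that names the image as its subject."""
    found = {}
    for layer in att_manifest["layers"]:
        if layer["mediaType"] != IN_TOTO_MEDIA_TYPE:
            continue
        stmt = json.loads(fetch_blob(store, layer["digest"]))
        ptype = stmt["predicateType"]
        annotated = layer.get("annotations", {}).get(PREDICATE_ANNOTATION)
        if annotated is not None and annotated != ptype:
            raise ValueError(f"layer says {annotated} but statement says {ptype}")
        subjects = {s["digest"].get("sha256") for s in stmt.get("subject", [])}
        if image_digest.split(":", 1)[1] not in subjects:
            raise ValueError(f"{ptype} statement does not cover the image manifest")
        found[ptype] = layer["digest"]
    return found


def missing_attestations(store, index_bytes, platform="linux/amd64", required=REQUIRED_PREDICATES):
    """Return required predicate types not attested for the platform image; an empty list means the push is complete."""
    index = json.loads(index_bytes)
    image_digest = image_manifest(index, platform)["digest"]
    present = {}
    for m in index["manifests"]:
        if is_attestation(m) and m["annotations"].get(REF_DIGEST) == image_digest:
            att_manifest = json.loads(fetch_blob(store, m["digest"]))
            present.update(predicate_types(store, att_manifest, image_digest))
    return sorted(set(required) - set(present))


def build_sample_registry(with_provenance=True):
    """Constructed sample data shaped like a BuildKit push (not captured from a real registry)."""
    store = {}

    def put(obj):
        data = json.dumps(obj, sort_keys=True).encode()
        store[digest_of(data)] = data
        return {"mediaType": obj.get("mediaType", IN_TOTO_MEDIA_TYPE), "digest": digest_of(data), "size": len(data)}

    config = {"mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:" + "0" * 64, "size": 2}
    image = put({"schemaVersion": 2, "mediaType": OCI_MANIFEST, "config": config, "layers": []})
    # BuildKit makes the image manifest digest the subject of every statement (hypothetical image name).
    subject = [{"name": "127.0.0.1:5000/rancher/rancher-machine", "digest": {"sha256": image["digest"].split(":", 1)[1]}}]
    layers = []
    for ptype in [SPDX_PREDICATE] + ([SLSA_PREDICATE] if with_provenance else []):
        layer = put({"_type": "https://in-toto.io/Statement/v0.1", "predicateType": ptype, "subject": subject, "predicate": {}})
        layers.append({**layer, "annotations": {PREDICATE_ANNOTATION: ptype}})
    att = put({"schemaVersion": 2, "mediaType": OCI_MANIFEST, "config": config, "layers": layers})
    index = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json", "manifests": [
        {**image, "platform": {"os": "linux", "architecture": "amd64"}},
        {**att, "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {REF_TYPE: "attestation-manifest", REF_DIGEST: image["digest"]}},
    ]}
    return store, json.dumps(index).encode()


if __name__ == "__main__":
    registry, index_bytes = build_sample_registry()
    print("missing:", missing_attestations(registry, index_bytes))  # -> missing: []
```

Against a real registry, replace the dict with GET /v2/<name>/manifests/<ref> (Accept: application/vnd.oci.image.index.v1+json) and GET /v2/<name>/blobs/<digest>; the digest and subject checks are what turn "the attestation manifest exists" into "this SBOM and this provenance actually describe the image being shipped".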
@tashima42

Hey! Can you implement something similar to this PR creating a separate target that only pushes attestations and SBOM to the prime registry?

rancher/image-build-kubernetes#105

@macedogm
Member

macedogm commented Mar 10, 2026

@jferrazbr from RST we are good with this PR, except the comment made by Pedro. That must be addressed before merging, please. Can you please also request a Copilot review?


Copilot AI left a comment


Pull request overview

This PR updates the repo’s build and release workflows to use a unified Docker Buildx/BuildKit pipeline for building rancher-machine, exporting local artifacts from multi-stage targets, and publishing images with SBOM + provenance enabled.

Changes:

  • Replaces the non-CROSS local build path with a shared make buildx flow that exports the binary from a BuildKit target.
  • Refactors package/Dockerfile into multi-stage targets (machine-build, machine-binary, machine-artifacts) and updates copy paths for a repo-root build context.
  • Removes legacy Dapper-based build plumbing and updates the release workflow to use rancher/ecm-distro-tools/actions/publish-image.

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.

Summary per file:

  • Makefile: Introduces shared buildx target and rewires build/push-image around it; removes dapper integration.
  • package/Dockerfile: Adds BuildKit-friendly stages to build/export binaries and build the final runtime image from the build stage output.
  • scripts/build: Delegates non-CROSS builds to make build; retains CROSS=1 multi-target compilation path.
  • scripts/package: Simplifies packaging to tar the exported binary from ./bin (removes legacy copy into ./package).
  • .github/workflows/release.yaml: Updates release build to make build + make package, and publishing to the shared publish-image action.
  • Dockerfile.dapper: Removed (legacy Dapper build image).
  • scripts/entry: Removed (legacy Dapper entrypoint).
  • .gitignore: Drops dapper temp artifacts from ignore list.
  • .dockerignore: Expands ignored paths for smaller build contexts; ignores old package binary artifacts pattern.
Comments suppressed due to low confidence (2)

scripts/build:18

  • The CROSS build path is setting -ldflags "-X main.VERSION=$VERSION", but there is no main.VERSION symbol in the Go codebase (so version info won’t be embedded). Align these -X flags with the version package used by the CLI (github.com/rancher/machine/version.Version and github.com/rancher/machine/version.GitCommit), consistent with the new BuildKit-based build in package/Dockerfile.
if [ "${CROSS}" = 1 ]; then
    CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "-X main.VERSION=$VERSION"  -o ./bin/rancher-machine-Darwin-x86_64 ./cmd/rancher-machine
    CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags "-X main.VERSION=$VERSION"  -o ./bin/rancher-machine-Darwin-arm64 ./cmd/rancher-machine
    CGO_ENABLED=0 GOOS=windows go build -ldflags "-X main.VERSION=$VERSION" -o ./bin/rancher-machine-Windows-x86_64.exe ./cmd/rancher-machine
    CGO_ENABLED=0 GOARCH=arm64 go build -a -tags netgo -installsuffix netgo -ldflags "-X main.VERSION=$VERSION" -o ./bin/rancher-machine-Linux-arm64 ./cmd/rancher-machine

Dockerfile.dapper:1

  • The removed Dockerfile.dapper downloaded and executed remote tooling (curl … | sh and curl/wget of Docker binaries) without any checksum or signature verification, which exposes the build environment and resulting artifacts to supply-chain compromise if an upstream endpoint is hijacked or tampered with. An attacker controlling or intercepting these URLs could inject arbitrary code into the build image and thus into produced binaries. Prefer installing tools from trusted package repositories or pinned artifacts with verified checksums/signatures; this PR fully removes this file, which effectively eliminates this risk from the current build flow.

jferrazbr merged commit d300264 into rancher:master Mar 11, 2026
1 check passed