Standardize on OCI build output with compat checks

Makefile

@@ -9,9 +9,12 @@ include src/core/build.mk
 include src/libs/build.mk
 include src/tools/build.mk
 
+compat:
+	./src/compat.sh
+
 DEFAULT_GOAL := default
 .PHONY: default
-default: bootstrap core
+default: compat bootstrap core
 
 out/graph.svg: Makefile
 	$(MAKE) -Bnd | make2graph | dot -Tsvg -o graph.svg

src/compat.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+set -e
+
+readonly MIN_BASH_VERSION=5
+readonly MIN_DOCKER_VERSION=25
+readonly MIN_JQ_VERSION=1.6
+readonly MIN_GPG_VERSION=2.2
+
+### Exit with error message
+die() {
+	echo "$@" >&2
+	exit 1
+}
+
+### Bail and instruct user on missing package to install for their platform
+die_pkg() {
+	local -r package=${1?}
+	local -r version=${2?}
+	local install_cmd
+	case "$OSTYPE" in
+		linux*)
+			if command -v "apt" >/dev/null; then
+				install_cmd="apt install ${package}"
+			elif command -v "yum" >/dev/null; then
+				install_cmd="yum install ${package}"
+			elif command -v "pacman" >/dev/null; then
+				install_cmd="pacman -Ss ${package}"
+			elif command -v "emerge" >/dev/null; then
+				install_cmd="emerge ${package}"
+			elif command -v "nix-env" >/dev/null; then
+				install_cmd="nix-env -i ${package}"
+			fi
+		;;
+		bsd*)     install_cmd="pkg install ${package}" ;;
+		darwin*)  install_cmd="port install ${package}" ;;
+		*) die "Error: Your operating system is not supported" ;;
+	esac
+	echo "Error: ${package} ${version}+ does not appear to be installed." >&2
+	[ -n "$install_cmd" ] && echo "Try: \`${install_cmd}\`"  >&2
+	exit 1
+}
+
+### Check if actual binary version is >= minimum version
+check_version(){
+	local pkg="${1?}"
+	local have="${2?}"
+	local need="${3?}"
+	local i ver1 ver2 IFS='.'
+	[[ "$have" == "$need" ]] && return 0
+	read -r -a ver1 <<< "$have"
+	read -r -a ver2 <<< "$need"
+	for ((i=${#ver1[@]}; i<${#ver2[@]}; i++));
+		do ver1[i]=0;
+	done
+	for ((i=0; i<${#ver1[@]}; i++)); do
+		[[ -z ${ver2[i]} ]] && ver2[i]=0
+		((10#${ver1[i]} > 10#${ver2[i]})) && return 0
+		((10#${ver1[i]} < 10#${ver2[i]})) && die_pkg "${pkg}" "${need}"
+	done
+}
+
+### Check if required binaries are installed at appropriate versions
+check_tools(){
+	if [ -z "${BASH_VERSINFO[0]}" ] \
+	|| [ "${BASH_VERSINFO[0]}" -lt "${MIN_BASH_VERSION}" ]; then
+		die_pkg "bash" "${MIN_BASH_VERSION}"
+	fi
+	for cmd in "$@"; do
+		command -v "$1" >/dev/null || die "Error: $cmd not found"
+		case $cmd in
+			jq)
+				version=$(jq -V | sed 's/.*-//g')
+				check_version "jq" "${version}" "${MIN_JQ_VERSION}"
+			;;
+			gpg)
+				version=$(gpg --version | head -n1 | cut -d" " -f3)
+				check_version "gnupg" "${version}" "${MIN_GPG_VERSION}"
+			;;
+            docker)
+				version=$(docker version -f json | jq -r '.Server.Version')
+				check_version "docker" "${version}" "${MIN_DOCKER_VERSION}"
+			;;
+		esac
+	done
+}
+
+check_tools jq gpg docker;
+
+docker info -f '{{ .DriverStatus }}' \
+    | grep "io.containerd.snapshotter.v1" >/dev/null \
+|| die "Error: Docker Engine is not using containerd for image storage"

src/macros.mk

@@ -26,8 +26,10 @@ define build
 	$(eval VERSION := $(if $(3),$(3),latest))
 	$(eval TARGET := $(if $(4),$(4),package))
 	$(eval EXTRA_ARGS := $(if $(5),$(5),))
+	$(eval REVISION := $(shell git rev-list HEAD -1 src/$(CATEGORY)/$(NAME)))
 	$(eval BUILD_CMD := \
 		DOCKER_BUILDKIT=1 \
+		BUILDKIT_MULTI_PLATFORM=1 \
 		SOURCE_DATE_EPOCH=1 \
 		$(BUILDER) \
 			build \
@@ -35,16 +37,19 @@ define build
 			-t $(REGISTRY)/$(NAME):$(VERSION) \
 			--build-arg REGISTRY=$(REGISTRY) \
 			--platform $(PLATFORM) \
-			--network=host \
 			--progress=plain \
 			$(if $(filter latest,$(VERSION)),,--build-arg VERSION=$(VERSION)) \
+			--output type=oci,force-compression=true,name=$(NAME),annotation-index.org.opencontainers.image.revision=$(REVISION),annotation-index.org.opencontainers.image.version=$(VERSION),dest=-  \
 			--target $(TARGET) \
 			$(EXTRA_ARGS) \
 			src/$(CATEGORY)/$(NAME) \
+			| gzip > $@; \
 	)
 	$(eval TIMESTAMP := $(shell TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ"))
 	mkdir -p out/
 	echo $(TIMESTAMP) $(BUILD_CMD) >> out/build.log
 	$(BUILD_CMD)
-	$(if $(filter package,$(TARGET)),$(BUILDER) save $(REGISTRY)/$(NAME):$(VERSION) -o $@,)
+	tar -xf $@ index.json -O \
+		| jq -r '.manifests[].digest | sub("sha256:";"")' \
+	> $@.digest
 endef