From 12656235e2ecfd44669abf7b64808f24c14f9b3e Mon Sep 17 00:00:00 2001
From: Elio Bischof
Date: Thu, 3 Jul 2025 13:10:10 +0200
Subject: [PATCH] chore: fix login image with sha release (#10157)
# Which Problems Are Solved
Fixes the releasing of multi-architecture login images.
# How the Problems Are Solved
- The login-container workflow extends the bake definition with a file docker-bake-release.hcl wich adds the platforms linux/arm and linux/amd to all relevant build targets. The used technique is similar to how the docker metadata action allows to extend the bake definitions.
- The local login tag is moved to the metadata bake target, which is always inherited and overwritten in the pipeline
- Packages write permission is added
# Additional Changes
- The MIT license is noted in container labels and annotations
- The Image is built from root so that the local proto files are used
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/build.yml | 8 ++---
 .github/workflows/login-container.yml | 11 +++++--
 login/Makefile | 2 +-
 .../docker-compose-ci.yaml | 2 +-
 login/docker-bake-release.hcl | 3 ++
 login/docker-bake.hcl | 30 ++++++++++++++-----
 6 files changed, 40 insertions(+), 16 deletions(-)
 create mode 100644 login/docker-bake-release.hcl
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 47aa4adef0..81f3104065 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -86,7 +86,7 @@ jobs:
 actions: write
 id-token: write
 with:
- ignore-run-cache: ${{ github.event_name == 'workflow_dispatch' }}
+ ignore-run-cache: ${{ github.event_name == 'workflow_dispatch' || fromJSON(github.run_attempt) > 1 }}
 node_version: "20"
 container:
@@ -106,7 +106,7 @@ jobs:
 packages: write
 id-token: write
 with:
- login_build_image_name: "ghcr.io/zitadel/login-build"
+ login_build_image_name: "ghcr.io/zitadel/zitadel-login-build"
 node_version: "20"
 e2e:
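Review bot: The new `fromJSON(github.run_attempt) > 1` clause in the `ignore-run-cache` expression (hunk @@ -86) makes every re-run bypass the run cache, but neither the hunk nor the PR description says why, so the next maintainer cannot tell whether it is a workaround or a deliberate policy. A one-line comment above the key would preserve the intent, e.g. `# re-runs (run_attempt > 1) also bypass the run cache so a retry rebuilds from scratch`. The enclosing job definition starts and ends outside the hunk.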
@@ -133,5 +133,5 @@ jobs:
 image_name: "ghcr.io/zitadel/zitadel"
 google_image_name: "europe-docker.pkg.dev/zitadel-common/zitadel-repo/zitadel"
 build_image_name_login: ${{ needs.login-container.outputs.login_build_image }}
- image_name_login: "ghcr.io/zitadel/login"
- google_image_name_login: europe-docker.pkg.dev/zitadel-common/zitadel-repo/login
+ image_name_login: "ghcr.io/zitadel/zitadel-login"
+ google_image_name_login: "europe-docker.pkg.dev/zitadel-common/zitadel-repo/zitadel-login"
diff --git a/.github/workflows/login-container.yml b/.github/workflows/login-container.yml
index bce15512af..5cc841bff4 100644
--- a/.github/workflows/login-container.yml
+++ b/.github/workflows/login-container.yml
@@ -22,6 +22,7 @@ env:
 default_labels: |
 org.opencontainers.image.documentation=https://zitadel.com/docs
 org.opencontainers.image.vendor=CAOS AG
+ org.opencontainers.image.licenses=MIT
 jobs:
 login-container:
@@ -29,6 +30,7 @@ jobs:
 runs-on: depot-ubuntu-22.04-8
 permissions:
 id-token: write
+ packages: write
 steps:
 - uses: actions/checkout@v4
 - uses: depot/setup-action@v1
@@ -40,6 +42,8 @@ jobs:
 with:
 images: ${{ inputs.login_build_image_name }}
 labels: ${{ env.default_labels}}
+ annotations: |
+ manifest:org.opencontainers.image.licenses=MIT
 tags: |
 type=sha,prefix=,suffix=,format=long
 - name: Login to Docker registry
@@ -53,11 +57,14 @@ jobs:
 env:
 NODE_VERSION: ${{ inputs.node_version }}
 with:
- workdir: login
 push: true
+ provenance: true
+ sbom: true
 targets: login-standalone
- set: login-standalone.platforms=[linux/amd64,linux/arm64]
+ set: login-*.context=./login/
 project: w47wkxzdtw
 files: |
+ ./login/docker-bake.hcl
+ ./login/docker-bake-release.hcl
 ./docker-bake.hcl
 cwd://${{ steps.login-meta.outputs.bake-file }}
diff --git a/login/Makefile b/login/Makefile
index a6e781374b..05cf704c3f 100644
--- a/login/Makefile
+++ b/login/Makefile
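Review bot: The `packages: write` grant added in hunk @@ -29 sits at job level next to `id-token: write`, which is the right scope, but the reason is not recorded; since this workflow reads `inputs.*` and is therefore a reusable workflow, the grant only takes effect when the caller also passes it, which the build.yml login-container job in this same patch does. A comment would stop someone from trimming it later: `# needed to push the login-build image to ghcr.io; the caller must grant it too`. The job definition continues outside the hunk.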
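Review bot: The `manifest:org.opencontainers.image.licenses=MIT` annotation added in hunk @@ -40 lands only on the per-platform manifests, while this same patch turns the published image into a multi-platform index; registries and manifest-inspecting tools read the index's own annotations, so the license presumably will not show there — confirm against docker/metadata-action's annotation levels. If index-level annotations are wanted, the action's `DOCKER_METADATA_ANNOTATIONS_LEVELS` env var (e.g. `manifest,index`) is the documented switch. The step's `with:` block continues outside the hunk.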
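Review bot: The `files:` list in hunk @@ -53 now depends on order — `./login/docker-bake-release.hcl` must follow `./login/docker-bake.hcl` so its `release` target fills the empty placeholder, and the `cwd://` metadata file must stay last so its tags win — but nothing says so, and a reorder would silently drop the multi-arch platforms. Add above the key: `# order matters: later files override earlier targets (release platforms, then metadata tags)`. Making the attestation settings explicit would also help, since `provenance: true` inherits whichever mode the action defaults to; if the SLSA attestation is meant to be consumed, `provenance: mode=max` records build args and materials — confirm against the depot/bake-action docs. The step definition starts outside the hunk.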
@@ -14,7 +14,7 @@ export GID := $(id -g)
 export LOGIN_TEST_ACCEPTANCE_BUILD_CONTEXT := $(LOGIN_DIR)apps/login-test-acceptance
 export DOCKER_METADATA_OUTPUT_VERSION ?= local
-export LOGIN_TAG ?= login:${DOCKER_METADATA_OUTPUT_VERSION}
+export LOGIN_TAG ?= zitadel-login:${DOCKER_METADATA_OUTPUT_VERSION}
 export LOGIN_TEST_UNIT_TAG := login-test-unit:${DOCKER_METADATA_OUTPUT_VERSION}
 export LOGIN_TEST_INTEGRATION_TAG := login-test-integration:${DOCKER_METADATA_OUTPUT_VERSION}
 export LOGIN_TEST_ACCEPTANCE_TAG := login-test-acceptance:${DOCKER_METADATA_OUTPUT_VERSION}
diff --git a/login/apps/login-test-acceptance/docker-compose-ci.yaml b/login/apps/login-test-acceptance/docker-compose-ci.yaml
index 7a531fcf42..6f5963df43 100644
--- a/login/apps/login-test-acceptance/docker-compose-ci.yaml
+++ b/login/apps/login-test-acceptance/docker-compose-ci.yaml
@@ -16,7 +16,7 @@ services:
 ZITADEL_ADMIN_USER: zitadel-admin@zitadel.traefik
 login:
- image: "${LOGIN_TAG:-login:local}"
+ image: "${LOGIN_TAG:-zitadel-login:local}"
 container_name: acceptance-login
 labels:
 - "traefik.enable=true"
diff --git a/login/docker-bake-release.hcl b/login/docker-bake-release.hcl
new file mode 100644
index 0000000000..51e1c194f6
--- /dev/null
+++ b/login/docker-bake-release.hcl
@@ -0,0 +1,3 @@
+target "release" {
+ platforms = ["linux/amd64", "linux/arm64"]
+}
diff --git a/login/docker-bake.hcl b/login/docker-bake.hcl
index 9520b752fa..b60fd7270a 100644
--- a/login/docker-bake.hcl
+++ b/login/docker-bake.hcl
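Review bot: The new `login/docker-bake-release.hcl` carries no comment, so a reader cannot tell that it is an overlay meant to be passed after `login/docker-bake.hcl` (whose `release` target is an empty placeholder) rather than a standalone bake file. Add a header: `# Overlay for docker-bake.hcl: fills its empty "release" target so the targets that inherit from it are built for both platforms. Pass it after that file on the --file list.` Without it, the file looks like a no-op definition of an unused target.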
@@ -6,12 +6,18 @@ variable "DOCKERFILES_DIR" {
 default = "dockerfiles/"
 }
+# The release target is overwritten in docker-bake-release.hcl
+# It makes sure the image is built for multiple platforms.
+# By default the platforms property is empty, so images are only built for the current bake runtime platform.
+target "release" {}
+
 # typescript-proto-client is used to generate the client code for the login service.
 # It is not login-prefixed, so it is easily extendable.
 # To extend this bake-file.hcl, set the context of all login-prefixed targets to a different directory.
 # For example docker bake --file login/docker-bake.hcl --file docker-bake.hcl --set login-*.context=./login/
 # The zitadel repository uses this to generate the client and the mock server from local proto files.
 target "typescript-proto-client" {
+ inherits = ["release"]
 dockerfile = "${DOCKERFILES_DIR}typescript-proto-client.Dockerfile"
 contexts = {
 # We directly generate and download the client server-side with buf, so we don't need the proto files
@@ -37,6 +43,7 @@ target "login-typescript-proto-client-out" {
 # For example docker bake --file login/docker-bake.hcl --file docker-bake.hcl --set login-*.context=./login/
 # The zitadel repository uses this to generate the client and the mock server from local proto files.
 target "proto-files" {
+ inherits = ["release"]
 dockerfile = "${DOCKERFILES_DIR}proto-files.Dockerfile"
 contexts = {
 login-pnpm = "target:login-pnpm"
@@ -48,6 +55,7 @@ variable "NODE_VERSION" {
 }
 target "login-pnpm" {
+ inherits = ["release"]
 dockerfile = "${DOCKERFILES_DIR}login-pnpm.Dockerfile"
 args = {
 NODE_VERSION = "${NODE_VERSION}"
@@ -76,6 +84,7 @@ target "login-test-unit" {
 }
 target "login-client" {
+ inherits = ["release"]
 dockerfile = "${DOCKERFILES_DIR}login-client.Dockerfile"
 contexts = {
 login-pnpm = "target:login-pnpm"
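Review bot: The comment above `target "release" {}` (hunk @@ -6) says the target "is overwritten" by docker-bake-release.hcl, but bake merges same-named targets across `--file` arguments, so what actually happens is that the later file sets `platforms` on it, and only when it is listed after this file; the comment should say so, e.g. `# docker-bake-release.hcl sets platforms on this target when passed after this file; on its own the target is empty, so images are built for the current platform only.` Inheriting `release` also means the intermediate targets (`typescript-proto-client`, `proto-files`, `login-pnpm`, `login-client`) are built for both platforms in the pipeline; if that is intended, one sentence here saying so would help, as this hunk and the @@ -37, @@ -48 and @@ -76 hunks add the same `inherits` line. Each of those target bodies continues outside its hunk.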
@@ -93,7 +102,7 @@ target "core-mock" {
 contexts = {
 protos = "target:proto-files"
 }
- tags = ["${LOGIN_CORE_MOCK_TAG}"]
+ tags = ["${LOGIN_CORE_MOCK_TAG}"]
 }
 variable "LOGIN_TEST_INTEGRATION_TAG" {
@@ -105,7 +114,7 @@ target "login-test-integration" {
 contexts = {
 login-pnpm = "target:login-pnpm"
 }
- tags = ["${LOGIN_TEST_INTEGRATION_TAG}"]
+ tags = ["${LOGIN_TEST_INTEGRATION_TAG}"]
 }
 variable "LOGIN_TEST_ACCEPTANCE_TAG" {
@@ -117,28 +126,33 @@ target "login-test-acceptance" {
 contexts = {
 login-pnpm = "target:login-pnpm"
 }
- tags = ["${LOGIN_TEST_ACCEPTANCE_TAG}"]
+ tags = ["${LOGIN_TEST_ACCEPTANCE_TAG}"]
 }
 variable "LOGIN_TAG" {
 default = "zitadel-login:local"
 }
-target "docker-metadata-action" {}
+target "docker-metadata-action" {
+ # In the pipeline, this target is overwritten by the docker metadata action.
+ tags = ["${LOGIN_TAG}"]
+}
 # We run integration and acceptance tests against the next standalone server for docker.
 target "login-standalone" {
- inherits = ["docker-metadata-action"]
+ inherits = [
+ "docker-metadata-action",
+ "release",
+ ]
 dockerfile = "${DOCKERFILES_DIR}login-standalone.Dockerfile"
 contexts = {
 login-client = "target:login-client"
 }
- tags = ["${LOGIN_TAG}"]
 }
 target "login-standalone-out" {
- inherits = ["login-standalone"]
- target = "login-standalone-out"
+ inherits = ["login-standalone"]
+ target = "login-standalone-out"
 output = [
 "type=local,dest=${LOGIN_DIR}apps/login/standalone"
 ]
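Review bot: `login-standalone-out` (hunk @@ -117) now transitively inherits `release` via `login-standalone`, and a multi-platform build with `output = ["type=local,dest=…"]` places results in per-platform subdirectories; if that target is ever built with docker-bake-release.hcl layered on, the bundle presumably no longer lands flat at `apps/login/standalone` — confirm against the Makefile consumer of that path. A comment on the target would make the constraint explicit: `# local-only helper: do not combine with docker-bake-release.hcl, the local output expects a single platform`. The new comment on `docker-metadata-action` could likewise state that the metadata bake file replaces `tags` only because it is listed last in the workflow's `files:`, since that ordering is what the override relies on.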