chore: fix login image with sha release (#10157)

# Which Problems Are Solved

Fixes the releasing of multi-architecture login images.

# How the Problems Are Solved

- The login-container workflow extends the bake definition with a file
docker-bake-release.hcl wich adds the platforms linux/arm and linux/amd
to all relevant build targets. The used technique is similar to how the
docker metadata action allows to extend the bake definitions.
- The local login tag is moved to the metadata bake target, which is
always inherited and overwritten in the pipeline
- Packages write permission is added

# Additional Changes

- The MIT license is noted in container labels and annotations
- The Image is built from root so that the local proto files are used

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

.github/workflows/build.yml

@@ -86,7 +86,7 @@ jobs:
       actions: write
       id-token: write
     with:
-      ignore-run-cache:  ${{ github.event_name == 'workflow_dispatch' }}
+      ignore-run-cache:  ${{ github.event_name == 'workflow_dispatch' || fromJSON(github.run_attempt) > 1 }}
       node_version: "20"
 
   container:
@@ -106,7 +106,7 @@ jobs:
       packages: write
       id-token: write
     with:
-      login_build_image_name: "ghcr.io/zitadel/login-build"
+      login_build_image_name: "ghcr.io/zitadel/zitadel-login-build"
       node_version: "20"
 
   e2e:
@@ -133,5 +133,5 @@ jobs:
       image_name: "ghcr.io/zitadel/zitadel"
       google_image_name: "europe-docker.pkg.dev/zitadel-common/zitadel-repo/zitadel"
       build_image_name_login: ${{ needs.login-container.outputs.login_build_image }}
-      image_name_login: "ghcr.io/zitadel/login"
+      image_name_login: "ghcr.io/zitadel/zitadel-login"
-      google_image_name_login: europe-docker.pkg.dev/zitadel-common/zitadel-repo/login
+      google_image_name_login: "europe-docker.pkg.dev/zitadel-common/zitadel-repo/zitadel-login"

.github/workflows/login-container.yml

@@ -22,6 +22,7 @@ env:
   default_labels: |
     org.opencontainers.image.documentation=https://zitadel.com/docs
     org.opencontainers.image.vendor=CAOS AG
+    org.opencontainers.image.licenses=MIT
 
 jobs:
   login-container:
@@ -29,6 +30,7 @@ jobs:
     runs-on: depot-ubuntu-22.04-8
     permissions:
       id-token: write
+      packages: write
     steps:
       - uses: actions/checkout@v4
       - uses: depot/setup-action@v1
@@ -40,6 +42,8 @@ jobs:
         with:
           images: ${{ inputs.login_build_image_name }}
           labels: ${{ env.default_labels}}
+          annotations: |
+            manifest:org.opencontainers.image.licenses=MIT
           tags: |
             type=sha,prefix=,suffix=,format=long
       - name: Login to Docker registry
@@ -53,11 +57,14 @@ jobs:
         env:
           NODE_VERSION: ${{ inputs.node_version }}
         with:
-          workdir: login
           push: true
+          provenance: true
+          sbom: true
           targets: login-standalone
-          set: login-standalone.platforms=[linux/amd64,linux/arm64]
+          set: login-*.context=./login/
           project: w47wkxzdtw
           files: |
+            ./login/docker-bake.hcl
+            ./login/docker-bake-release.hcl
             ./docker-bake.hcl
             cwd://${{ steps.login-meta.outputs.bake-file }}

login/Makefile

@@ -14,7 +14,7 @@ export GID := $(id -g)
 export LOGIN_TEST_ACCEPTANCE_BUILD_CONTEXT := $(LOGIN_DIR)apps/login-test-acceptance
 
 export DOCKER_METADATA_OUTPUT_VERSION ?= local
-export LOGIN_TAG ?= login:${DOCKER_METADATA_OUTPUT_VERSION}
+export LOGIN_TAG ?= zitadel-login:${DOCKER_METADATA_OUTPUT_VERSION}
 export LOGIN_TEST_UNIT_TAG := login-test-unit:${DOCKER_METADATA_OUTPUT_VERSION}
 export LOGIN_TEST_INTEGRATION_TAG := login-test-integration:${DOCKER_METADATA_OUTPUT_VERSION}
 export LOGIN_TEST_ACCEPTANCE_TAG := login-test-acceptance:${DOCKER_METADATA_OUTPUT_VERSION}

login/apps/login-test-acceptance/docker-compose-ci.yaml

@@ -16,7 +16,7 @@ services:
       ZITADEL_ADMIN_USER: zitadel-admin@zitadel.traefik
 
   login:
-    image: "${LOGIN_TAG:-login:local}"
+    image: "${LOGIN_TAG:-zitadel-login:local}"
     container_name: acceptance-login
     labels:
       - "traefik.enable=true"

login/docker-bake-release.hcl

@@ -0,0 +1,3 @@
+target "release" {
+  platforms = ["linux/amd64", "linux/arm64"]
+}

login/docker-bake.hcl

@@ -6,12 +6,18 @@ variable "DOCKERFILES_DIR" {
   default = "dockerfiles/"
 }
 
+# The release target is overwritten in docker-bake-release.hcl
+# It makes sure the image is built for multiple platforms.
+# By default the platforms property is empty, so images are only built for the current bake runtime platform.
+target "release" {}
+
 # typescript-proto-client is used to generate the client code for the login service.
 # It is not login-prefixed, so it is easily extendable.
 # To extend this bake-file.hcl, set the context of all login-prefixed targets to a different directory.
 # For example docker bake --file login/docker-bake.hcl --file docker-bake.hcl --set login-*.context=./login/
 # The zitadel repository uses this to generate the client and the mock server from local proto files.
 target "typescript-proto-client" {
+  inherits   = ["release"]
   dockerfile = "${DOCKERFILES_DIR}typescript-proto-client.Dockerfile"
   contexts = {
     # We directly generate and download the client server-side with buf, so we don't need the proto files
@@ -37,6 +43,7 @@ target "login-typescript-proto-client-out" {
 # For example docker bake --file login/docker-bake.hcl --file docker-bake.hcl --set login-*.context=./login/
 # The zitadel repository uses this to generate the client and the mock server from local proto files.
 target "proto-files" {
+  inherits   = ["release"]
   dockerfile = "${DOCKERFILES_DIR}proto-files.Dockerfile"
   contexts = {
     login-pnpm = "target:login-pnpm"
@@ -48,6 +55,7 @@ variable "NODE_VERSION" {
 }
 
 target "login-pnpm" {
+  inherits   = ["release"]
   dockerfile = "${DOCKERFILES_DIR}login-pnpm.Dockerfile"
   args = {
     NODE_VERSION = "${NODE_VERSION}"
@@ -76,6 +84,7 @@ target "login-test-unit" {
 }
 
 target "login-client" {
+  inherits   = ["release"]
   dockerfile = "${DOCKERFILES_DIR}login-client.Dockerfile"
   contexts = {
     login-pnpm              = "target:login-pnpm"
@@ -124,16 +133,21 @@ variable "LOGIN_TAG" {
   default = "zitadel-login:local"
 }
 
-target "docker-metadata-action" {}
+target "docker-metadata-action" {
+  # In the pipeline, this target is overwritten by the docker metadata action.
+  tags = ["${LOGIN_TAG}"]
+}
 
 # We run integration and acceptance tests against the next standalone server for docker.
 target "login-standalone" {
-  inherits   = ["docker-metadata-action"]
+  inherits = [
+    "docker-metadata-action",
+    "release",
+  ]
   dockerfile = "${DOCKERFILES_DIR}login-standalone.Dockerfile"
   contexts = {
     login-client = "target:login-client"
   }
-  tags   = ["${LOGIN_TAG}"]
 }
 
 target "login-standalone-out" {