From 6ad07f2a4b6a1e6fb77cb94820def43ea894c4af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
Date: Wed, 3 Jan 2024 11:40:04 +0100
Subject: [PATCH 1/3] Dockerfile/binary: Output the binary directly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`scripts/make/binary` produces `docker` file that is a symlink to a
`docker-<platform>` file.
Make the `binary` Dockerfile target produce an image that only contains
the `docker` binary and not the symlink.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 95479cdc50..f5b4eaf77b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -124,4 +124,4 @@ FROM scratch AS plugins
 COPY --from=build-plugins /out .
 
 FROM scratch AS binary
-COPY --from=build /out .
+COPY --from=build /out/docker /docker

From ecf338f43b112c9f2d02614e955789a436be09b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
Date: Thu, 4 Jan 2024 13:55:28 +0100
Subject: [PATCH 2/3] scripts/build: Handle VERSION containing git ref
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Transform `VERSION` variable if it contains a git ref.
This is the same as moby does (with "<<<" bashism removed).

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
---
 scripts/build/.variables | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/scripts/build/.variables b/scripts/build/.variables
index e0147655b4..a9371ebec2 100755
--- a/scripts/build/.variables
+++ b/scripts/build/.variables
@@ -22,6 +22,13 @@ else
     BUILDTIME=${BUILDTIME:-$(TZ=UTC date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +"%Y-%m-%dT%H:%M:%SZ")}
 fi
 
+case "$VERSION" in
+	refs/tags/v*) VERSION=${VERSION#refs/tags/v} ;;
+	refs/tags/*) VERSION=${VERSION#refs/tags/} ;;
+	refs/heads/*) VERSION=$(echo "${VERSION#refs/heads/}" | sed -r 's#/+#-#g') ;;
+	refs/pull/*) VERSION=pr-$(echo "$VERSION" | grep -o '[0-9]\+') ;;
+esac
+
 GOOS="$(go env GOOS)"
 GOARCH="$(go env GOARCH)"
 if [ "${GOARCH}" = "arm" ]; then

From 15d4c99f3812233379a87ecc2e936ff227218c74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
Date: Wed, 3 Jan 2024 10:07:34 +0100
Subject: [PATCH 3/3] ci: Add bin-image workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Build and push an image containing a static CLI binary for master branch
and every release branch and tag.

This is a slightly adjusted copy of the bin-image workflow from
docker/buildx (by @crazy-max).

Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
---
 .github/workflows/build.yml | 47 +++++++++++++++++++++++++++++++++++++
 docker-bake.hcl             | 23 ++++++++++++++++++
 2 files changed, 70 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8a0d384915..8487e4d3c3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  VERSION: ${{ github.ref }}
+
 on:
   workflow_dispatch:
   push:
@@ -86,6 +89,50 @@ jobs:
           path: /tmp/out/*
           if-no-files-found: error
 
+  bin-image:
+    runs-on: ubuntu-20.04
+    if: ${{ github.event_name != 'pull_request' && github.repository == 'docker/cli' }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: dockereng/cli-bin
+          tags: |
+            type=semver,pattern={{version}}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+      -
+        name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_CLIBIN_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_CLIBIN_TOKEN }}
+      -
+        name: Build and push image
+        uses: docker/bake-action@v4
+        with:
+          files: |
+            ./docker-bake.hcl
+            ${{ steps.meta.outputs.bake-file }}
+          targets: bin-image-cross
+          push: ${{ github.event_name != 'pull_request' }}
+          set: |
+            *.cache-from=type=gha,scope=bin-image
+            *.cache-to=type=gha,scope=bin-image,mode=max
+
   prepare-plugins:
     runs-on: ubuntu-20.04
     outputs:
diff --git a/docker-bake.hcl b/docker-bake.hcl
index b5de2da990..8c4af8ce16 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -165,3 +165,26 @@ target "e2e-gencerts" {
     dockerfile = "./e2e/testdata/Dockerfile.gencerts"
     output = ["./e2e/testdata"]
 }
+
+target "docker-metadata-action" {
+  tags = ["cli-bin:local"]
+}
+
+target "bin-image" {
+  inherits = ["binary", "docker-metadata-action"]
+  output = ["type=docker"]
+}
+
+target "bin-image-cross" {
+  inherits = ["bin-image"]
+  output = ["type=image"]
+  platforms = [
+    "linux/amd64",
+    "linux/arm/v6",
+    "linux/arm/v7",
+    "linux/arm64",
+    "linux/ppc64le",
+    "linux/s390x",
+    "windows/amd64"
+  ]
+}