Automate SBOM generation for all CI images

[jayavenkatesh19]

Towards https://github.com/rapidsai/build-infra/issues/280

Current Approach

PR builds

• Image built and published on rapidsai/staging on Dockerhub
• Image tag is prepended with PR number gathered from GITHUB_REF
  Branch push
• Image built and published to rapidsai/<image_repo> on Dockerhub
• Image tag gathered from compute matrix is used.

Proposed changes using the multi-stage build approach

• Add a new stage in each Dockerfile called syft-base with the Syft binary installed on a minimal alpine 3.20 image.
• The main docker build is done using a stage called <ci-img>-base to differentiate it from the final image.
• Another stage is added called <ci-img>-sbom where the built stage is mounted to a specified location on the syft-base stage
• A syft-scan is done on the mounted location, and an SBOM is generated.
• The generated SBOM is then copied to the final stage, with image name and tags kept unchanged to ensure no changes to how these images are built and published.

[jameslamb]

Doing this in a multi-stage build makes sense to me!

I left some suggestions on standardizing things and make the configuration flow a little stricter.

[jameslamb]

Since this is repeated in multiple places, would you consider moving it into a script that's mounted in at build time?

Like this: rapidsai/docker#840

[jameslamb]

I was confused not to see changes in the CI workflows to ensure this is passed in, but now I see... it's defined in the build environment by default: https://docs.docker.com/build/building/multi-platform/#cross-compilation

Just sharing for the benefit of other reviewers.

[jameslamb]

Suggested change

	ARG SYFT_VER=1.32.0
	################################ build the syft-base image ###############################
	FROM --platform=$BUILDPLATFORM alpine:3.20 AS syft-base
	ARG SYSFT_ALPINE_VER=notset
	ARG SYFT_VER=notset
	################################ build the syft-base image ###############################
	FROM --platform=$BUILDPLATFORM alpine:${SYFT_ALPINE_VER} AS syft-base

Let's put the Alpine version and SYFT_VER in versions.yaml instead: https://github.com/rapidsai/ci-imgs/blob/main/versions.yaml. And let's please avoid putting any hard-coded versions into ARG statements and instead using notset (to give us a chance to catch bugs like "did not successfully pass configuration through).

• keeps it consistent across images
• allows us to use renovate to easily auto-update it

[jameslamb]

We recently removed miniforge-cuda and 26.02 will be the final release where it's published: #345

We only need to generate SBOMs for ci-conda, ci-wheel, and ci-testwheel.

[jameslamb]

Suggested change

	FROM syft-base AS citestwheel-sbom
	FROM syft-base AS sbom

I don't think it's necessary to add citestwheel- and similar prefixes to these stage names. They're already self-contained within 1 Dockerfile.

I recommend standardizing all of them to something generic.

[jameslamb]

The only thing that seems to differ in this call across the dockerfiles is --source-name, and I'm guessing we'd want the other configuration for syft to otherwise be consistent across all images.

Could you move this into a script that's mounted in at build time, similar to rapidsai/docker#840?

The --source-name could be provided by a new build argument IMAGE_REPO or similar, we already have enough information about that in the GitHub Actions configs to thread that through:

ci-imgs/.github/workflows/build-image.yaml

Line 74 in 59359a0

IMAGE_REPO: ${{ inputs.IMAGE_REPO }}

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.