Add support for BASHBREW_BUILDKIT_SBOM_GENERATOR and provenance (#69)
Codecov Report: All modified and coverable lines are covered by tests ✅

```
@@ Coverage Diff @@
##           master      #69   +/-   ##
=======================================
  Coverage   73.10%   73.10%
=======================================
  Files           7        7
  Lines         714      714
=======================================
  Hits          522      522
  Misses        162      162
  Partials       30       30
```
Did a full test using this file:

```
Maintainers: Tianon Gravi <tianon@tianon.xyz> (@tianon)
GitRepo: https://github.com/tianon/dockerfiles.git
Tags: test
GitCommit: 60b606eceab821ffc4920cdb5b9803eca8a0218c
Directory: exim4
Builder: buildkit
```

Here's the results: (builder created via

```console
$ BUILDX_BUILDER=v0.11 BASHBREW_BUILDKIT_SBOM_GENERATOR=docker/buildkit-syft-scanner:stable-1 BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1 bashbrew --namespace tianon build ./exim4
Building bashbrew/cache:a98d2793bd7bfef6b219024c78bf64c8b469e717f97e4ded06aa05bcac46e39b (exim4:test)
Importing sha256:99fa779e5064e2d00d7a71194dc135fdf85a619c264f08ef4089386d93ea8616 into Docker
dd44cd4ea5fb: Loading layer  22.41MB/22.41MB
a2d88f9f41f9: Loading layer     209B/209B
7e7ab1969748: Loading layer     160B/160B
b78ed77c11e7: Loading layer     926B/926B
1c64d5267d7a: Loading layer  6.776kB/6.776kB
Loaded image: bashbrew/cache:a98d2793bd7bfef6b219024c78bf64c8b469e717f97e4ded06aa05bcac46e39b
Loaded image: tianon/exim4:test

$ docker images tianon/exim4:test
REPOSITORY:TAG      IMAGE ID       CREATED          SIZE
tianon/exim4:test   96f6fc4afe44   39 seconds ago   159MB

$ BUILDX_BUILDER=v0.11 BASHBREW_BUILDKIT_SBOM_GENERATOR=docker/buildkit-syft-scanner:stable-1 BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1 bashbrew --namespace tianon push ./exim4
Pushing sha256:99fa779e5064e2d00d7a71194dc135fdf85a619c264f08ef4089386d93ea8616 to tianon/exim4:test
WARN[0000] reference for unknown type: application/vnd.in-toto+json  digest="sha256:466eacae0c4640e6bc6aca20ee2b0d5fa95bdf52c6bc08c5740be15c380bda57" mediatype=application/vnd.in-toto+json size=12610
WARN[0000] reference for unknown type: application/vnd.in-toto+json  digest="sha256:3fd80a8b67a1698fc8a65cfbdeed47ad8822c6efc423b46a0052f2760046c83a" mediatype=application/vnd.in-toto+json size=2128751
```
(The warnings during push are thanks to
Again, but fully cached:

```console
$ BUILDX_BUILDER=v0.11 BASHBREW_BUILDKIT_SBOM_GENERATOR=docker/buildkit-syft-scanner:stable-1 BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1 bashbrew --namespace tianon build ./exim4
Using bashbrew/cache:a98d2793bd7bfef6b219024c78bf64c8b469e717f97e4ded06aa05bcac46e39b (exim4:test)
Importing sha256:99fa779e5064e2d00d7a71194dc135fdf85a619c264f08ef4089386d93ea8616 into Docker
Loaded image: bashbrew/cache:a98d2793bd7bfef6b219024c78bf64c8b469e717f97e4ded06aa05bcac46e39b
Loaded image: tianon/exim4:test

$ BUILDX_BUILDER=v0.11 BASHBREW_BUILDKIT_SBOM_GENERATOR=docker/buildkit-syft-scanner:stable-1 BASHBREW_BUILDKIT_SYNTAX=docker/dockerfile:1 bashbrew --namespace tianon push ./exim4
skipping exim4:test (remote tags all up-to-date)
```
Since Docker's image store can't represent these, we round trip them through our self-managed (or external) containerd image store, which also makes pushing more efficient.
This very notably also requires setting `BUILDX_BUILDER` to point to an SBOM/provenance-supporting buildx builder, which is not great but I think is fine for now (we'll manage the lifecycle of that in our Jenkins infra somehow).

(Unrelated changes are `gofmt` updates we've missed previously 🙈 😇)
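A practical follow-up check for the behaviour described in this thread (the two `application/vnd.in-toto+json` blobs pushed alongside the image, and the concern that a store which cannot represent them silently drops them) is to inspect the pushed image index and confirm that every platform manifest still has an attestation manifest attached, and that those attestations carry both the SBOM and the provenance predicate. The script below is an added example, not code from bashbrew or from this PR. It relies on the index layout BuildKit produces for attestations (an extra manifest entry annotated `vnd.docker.reference.type=attestation-manifest` and `vnd.docker.reference.digest=<platform manifest digest>`, whose layers are in-toto statements annotated with `in-toto.io/predicate-type`); the sample index and attestation manifest embedded in it are constructed, with placeholder digests, and the function names are the example's own.

```python
"""Check that an OCI image index carries BuildKit SBOM/provenance attestations.

Added example (not bashbrew code). BuildKit attaches attestations as an extra
manifest per platform in the image index, marked with the annotation
vnd.docker.reference.type=attestation-manifest and pointing at the platform
manifest via vnd.docker.reference.digest. Each layer of that manifest is an
in-toto statement (application/vnd.in-toto+json) whose predicate type is
recorded in the in-toto.io/predicate-type layer annotation. The sample index
and attestation manifest below are constructed, with placeholder digests.
"""

INTOTO_MEDIA_TYPE = "application/vnd.in-toto+json"
REFERENCE_TYPE = "vnd.docker.reference.type"
REFERENCE_DIGEST = "vnd.docker.reference.digest"
PREDICATE_TYPE = "in-toto.io/predicate-type"
SBOM_PREDICATE = "https://spdx.dev/Document"
PROVENANCE_PREDICATE = "https://slsa.dev/provenance/v0.2"

# Placeholder digests for the constructed sample (not real image content).
PLATFORM_DIGEST = "sha256:" + "a" * 64
ATTEST_DIGEST = "sha256:" + "b" * 64

SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": PLATFORM_DIGEST,
            "size": 1234,
            "platform": {"architecture": "amd64", "os": "linux"},
        },
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": ATTEST_DIGEST,
            "size": 567,
            "annotations": {
                REFERENCE_TYPE: "attestation-manifest",
                REFERENCE_DIGEST: PLATFORM_DIGEST,
            },
            "platform": {"architecture": "unknown", "os": "unknown"},
        },
    ],
}

SAMPLE_ATTESTATION = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "layers": [
        {
            "mediaType": INTOTO_MEDIA_TYPE,
            "digest": "sha256:" + "c" * 64,
            "size": 2128751,
            "annotations": {PREDICATE_TYPE: SBOM_PREDICATE},
        },
        {
            "mediaType": INTOTO_MEDIA_TYPE,
            "digest": "sha256:" + "d" * 64,
            "size": 12610,
            "annotations": {PREDICATE_TYPE: PROVENANCE_PREDICATE},
        },
    ],
}


def is_attestation(descriptor):
    """True if an index entry is an attestation manifest rather than a platform image."""
    return descriptor.get("annotations", {}).get(REFERENCE_TYPE) == "attestation-manifest"


def attestation_manifests(index):
    """Map each platform manifest digest to the digests of its attestation manifests.

    Raises ValueError when an attestation points at a digest that is not in the
    index: a dangling reference, which a registry will happily store as-is.
    """
    descriptors = index.get("manifests", [])
    by_platform = {d["digest"]: [] for d in descriptors if not is_attestation(d)}
    for d in descriptors:
        if not is_attestation(d):
            continue
        target = d.get("annotations", {}).get(REFERENCE_DIGEST)
        if target not in by_platform:
            raise ValueError(f"attestation {d['digest']} references unknown manifest {target}")
        by_platform[target].append(d["digest"])
    return by_platform


def predicate_types(manifest):
    """Return the sorted in-toto predicate types carried by an attestation manifest."""
    return sorted({
        layer.get("annotations", {}).get(PREDICATE_TYPE, "")
        for layer in manifest.get("layers", [])
        if layer.get("mediaType") == INTOTO_MEDIA_TYPE
    })


def missing_attestations(index, manifests_by_digest,
                         required=(SBOM_PREDICATE, PROVENANCE_PREDICATE)):
    """For each platform manifest, list the required predicate types that none of
    its attestation manifests provide. An empty dict means fully attested.
    manifests_by_digest maps attestation digest -> the fetched manifest dict."""
    missing = {}
    for platform_digest, attests in attestation_manifests(index).items():
        found = set()
        for digest in attests:
            found.update(predicate_types(manifests_by_digest[digest]))
        gap = [p for p in required if p not in found]
        if gap:
            missing[platform_digest] = gap
    return missing


if __name__ == "__main__":
    print(missing_attestations(SAMPLE_INDEX, {ATTEST_DIGEST: SAMPLE_ATTESTATION}))
```

Against a real push, the index comes from `docker buildx imagetools inspect --raw tianon/exim4:test` and each attestation manifest from the same command with `<image>@<digest>`; feed the parsed JSON to `missing_attestations`. A platform manifest listed with no attestation manifests at all (the empty-list case, reported as every required predicate missing) is the symptom of the attestations having been dropped somewhere between the builder and the registry, which is the failure the containerd round trip in this PR exists to avoid.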