feat: Support for buildx

[ashnamehrotra]

Adds support and documentation for private and local image patching.

• default approach in action is changed to create a buildx instance
• the buildx instance needed to be created in entrypoint.sh since creating an instance outside of the container itself does not change anything about the Docker socket that we are mounting
• if user supplies a buildkit-version input, action will create a buildkit container for connection instead
• if user supplies a custom-socket input, action will connect to the custom socket which should have containerd img store enabled (Copacetic still outputs the patched img to the "default" docker context rather than the "setup-docker-action" context used to create a socket with containerd img store. I think this is intentional on Copa's side?)
• adds documentation for these approaches assuming Copacetic v0.6.1 will be released after this

default buildx test run
buildkit container test run
custom socket test run

Fixes #32 #16

[sozercan]

nit: indention is off in this json

[sozercan]

are these going to run sequentially? if so, can we execute in parallel using a matrix

[sozercan]

@ashnamehrotra looks like build e2e failed with a timeout https://github.com/project-copacetic/copa-action/actions/runs/7878674392/job/21497411542?pr=37 do we need to increase the timeout

[ashnamehrotra]

@ashnamehrotra looks like build e2e failed with a timeout https://github.com/project-copacetic/copa-action/actions/runs/7878674392/job/21497411542?pr=37 do we need to increase the timeout

Looking into this, I tested with 20min timeout and its still failing, there might be something else wrong. I also re-ran a test that was originally passing which is failing now.

[sozercan]

just fyi if you are passing timeout in the action, I don't think this'll be available in action yet (in non-test) since we didn't cut a release

[ashnamehrotra]

just fyi if you are passing timeout in the action, I don't think this'll be available in action yet (in non-test) since we didn't cut a release

The timeout flag should be available in copa-action in v1.1.0 release. Also looks like the timeout error was specific to the nginx image in the build test, created an issue here: project-copacetic/copacetic#504 and changed the test to use the OPA image for now.

Final issue to resolve is for custom-socket approach, trivy is unable to find the patched image in the bats test since it was created in a different context, even when switched to the new context.

[sozercan]

Thank you! added a few minor comments, otherwise LGTM

[sozercan]

this is fine for now, but we'll need to add a trivy ignore list like copa in the future as there's no way to avoid false positives

[ashnamehrotra]

Created issue to add that: #38

[sozercan]

why are we saving to a tarball? because trivy can't scan it? if so, can you add a note

[ashnamehrotra]

yes I did some research but I couldn't find a way to get trivy access without saving to tarball. Added a note for that!

[sozercan]

This is a bit confusing. Are we saying copa may have features that action might not?

[ashnamehrotra]

I meant to say that if a feature was released in Copa version v0.6.0 (like patching local images), it wont necessarily be supported in Copa-Action version v0.6.0. In this case it will supported starting with Copa-Action v0.6.1. I changed the wording a bit to try to make it more clear.