Skip to content

Docker Images with Ko

You can also use ko to build and publish Docker container images.

Please notice that ko will build your binary again. That shouldn't increase the release times too much, as it'll use the same build options as the build pipe when possible, so the results will probably be cached.

Warning

When on --snapshot mode, Ko will publish the image to ko.local. If its a regular build, Ko will only run in the publishing phase.

Info

For Ko to work you still need to login, either with docker login or something else.

.goreleaser.yaml
kos:
  - # ID of this image.
    id: foo

    # Build ID that should be used to import the build settings.
    build: build-id

    # Main path to build.
    # It must be a relative path
    #
    # Default: build.main.
    main: ./cmd/...

    # Working directory used to build.
    #
    # Default: build.dir.
    working_dir: .

    # Base image to publish to use.
    #
    # Default: 'cgr.dev/chainguard/static'.
    base_image: alpine

    # Labels for the image.
    labels:
      foo: bar

    # Annotations for the OCI manifest.
    annotations:
      foo: bar

    # The default user the image should be run as.
    user: "1234:1234"

    # Repositories to push to.
    #
    # First one will be used on Ko build, the other ones will be copied from the
    # first one using crane.
    #
    # Default: [ '$KO_DOCKER_REPO' ].
    repositories:
      - ghcr.io/foo/bar
      - foo/bar

    # Repository to push to.
    #
    # Default: '$KO_DOCKER_REPO'.
    # Deprecated: use 'repositories' instead.
    repository: ghcr.io/foo/bar

    # Platforms to build and publish.
    #
    # Default: 'linux/amd64'.
    platforms:
      - linux/amd64
      - linux/arm64

    # Tag to build and push.
    # Empty tags are ignored.
    #
    # Default: 'latest'.
    # Templates: allowed.
    tags:
      - latest
      - "{{.Tag}}"
      - "{{if not .Prerelease}}stable{{end}}"

    # Creation time given to the image
    # in seconds since the Unix epoch as a string.
    #
    # Templates: allowed.
    creation_time: "{{.CommitTimestamp}}"

    # Creation time given to the files in the kodata directory
    # in seconds since the Unix epoch as a string.
    #
    # Templates: allowed.
    ko_data_creation_time: "{{.CommitTimestamp}}"

    # SBOM format to use.
    #
    # Default: 'spdx'.
    # Valid options are: spdx and none.
    sbom: none

    # Ldflags to use on build.
    #
    # Default: build.ldflags.
    ldflags:
      - foo
      - bar

    # Flags to use on build.
    #
    # Default: build.flags.
    flags:
      - foo
      - bar

    # Env to use on build.
    #
    # Default: build.env.
    env:
      - FOO=bar
      - SOMETHING=value

    # Bare uses a tag on the $KO_DOCKER_REPO without anything additional.
    bare: true

    # Whether to preserve the full import path after the repository name.
    preserve_import_paths: true

    # Whether to use the base path without the MD5 hash after the repository name.
    base_import_paths: true

Refer to ko's project page for more information.

Warning

Note that while GoReleaser's build section will evaluate environment variables for each target being built, Ko doesn't. This means that variables like .Os, .Arch, and the sorts, will not be available.

Example

Here's a minimal example:

.goreleaser.yaml
before:
  hooks:
    - go mod tidy

builds:
  - env: ["CGO_ENABLED=1"]
    binary: test
    goos:
      - darwin
      - linux
    goarch:
      - amd64
      - arm64

kos:
  - repository: ghcr.io/caarlos0/test-ko
    tags:
      - "{{.Version}}"
      - latest
    bare: true
    preserve_import_paths: false
    platforms:
      - linux/amd64
      - linux/arm64

This will build the binaries for linux/arm64, linux/amd64, darwin/amd64 and darwin/arm64, as well as the Docker images and manifest for Linux.

Signing KO manifests

KO will add the built manifest to the artifact list, so you can sign them with docker_signs:

.goreleaser.yaml
docker_signs:
  - artifacts: manifests