ko is a container image builder for Go programs that simplifies the process of building minimal and secure images. It uses distroless images as base, embeds SBOMs, and builds multi-platform images.
Currently Disco's images are built by Earthly, and use Ubuntu 24.04 as base. Moving to distroless would be more secure, simplify the build process, and reduce the image size considerably from the current ~140MB. SBOMs would be good to have as well.
I tried using distroless images in Earthly, but there's a blocking issue. There might be a workaround for it.
A potential blocker for adopting ko is that it also builds the Go binaries, which I would like to avoid, since the current `build.sh` script is simple and does what I need. It doesn't seem possible to use existing binaries and just build images with ko.
There are some alternatives:
- Abandon the `build.sh` script, build images with ko, extract the binaries from the images, and build the packages using the same binaries. It's a bit hacky, but could work.
- Use GoReleaser instead. I'm not a fan of it, and would rather not. It does support building images, and even supports ko, but has the same drawback of ko re-building the binaries. So this doesn't seem like an option.