Merge pull request #784 from crazy-max/enable-provenance

revert disable provenance by default if not set
This commit is contained in:
CrazyMax 2023-01-30 19:25:07 +01:00 committed by GitHub
commit 3b5e8027fc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 36 additions and 10 deletions


@ -606,6 +606,11 @@ jobs:
if: matrix.target == 'binary' if: matrix.target == 'binary'
run: | run: |
tree /tmp/buildx-build tree /tmp/buildx-build
-
name: Print provenance
if: matrix.target == 'binary'
run: |
cat /tmp/buildx-build/provenance.json | jq
- -
name: Print SBOM name: Print SBOM
if: matrix.target == 'binary' if: matrix.target == 'binary'
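Review bot: The new `Print provenance` step only pretty-prints the file, so a regression that exports an empty or content-less provenance document would still pass as long as `cat` and `jq` succeed. Since this commit's new defaults always set a `builder-id`, the step could assert on that field instead of just echoing the file, e.g. `jq -e '.builder.id' /tmp/buildx-build/provenance.json`, which also drops the redundant `cat |` pipe — this presumes the exported file follows the in-toto/SLSA layout with a top-level `builder.id`, so confirm the path against a real run before pinning it. The enclosing `steps:` list begins before the hunk.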


@ -557,7 +557,7 @@ nproc=3`],
[ [
'build', 'build',
'--iidfile', '/tmp/.docker-build-push-jest/iidfile', '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
"--provenance", 'false', "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file', '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
'.' '.'
] ]
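Review bot: The updated expectation only pins the `mode=min,inline-only=true` default; the other branch this commit adds to `getBuildArgs`, which emits `mode=max` when the event payload reports `repository.private === false`, has no test, and neither does the case where `repository` is absent from the payload, which this expectation appears to rely on implicitly. A companion case that sets `github.context.payload` to `{repository: {private: false}}` and expects `"--provenance", \`mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789\`` (presuming `getProvenanceAttrs` appends `builder-id` the same way for both modes) would cover it. The surrounding test case starts and ends outside the hunk.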

dist/index.js generated vendored


dist/index.js.map generated vendored



@ -169,14 +169,17 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
if (inputs.provenance) { if (inputs.provenance) {
args.push('--provenance', inputs.provenance); args.push('--provenance', inputs.provenance);
} else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) { } else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) {
// If provenance not specified but BuildKit version compatible for // if provenance not specified and BuildKit version compatible for
// attestation, disable provenance anyway. Also needs to make sure user // attestation, set default provenance. Also needs to make sure user
// doesn't want to explicitly load the image to docker. // doesn't want to explicitly load the image to docker.
// While this action successfully pushes OCI compliant images to if (fromPayload('repository.private') !== false) {
// well-known registries, some runtimes (e.g. Google Cloud Run and AWS // if this is a private repository, we set the default provenance
// Lambda) are not able to pull resulting image from their own registry... // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
// See also https://github.com/docker/buildx/issues/1533 args.push('--provenance', getProvenanceAttrs(`mode=min,inline-only=true`));
args.push('--provenance', 'false'); } else {
// for a public repository, we set max provenance mode.
args.push('--provenance', getProvenanceAttrs(`mode=max`));
}
} }
if (inputs.sbom) { if (inputs.sbom) {
args.push('--sbom', inputs.sbom); args.push('--sbom', inputs.sbom);
@ -278,6 +281,24 @@ export const asyncForEach = async (array, callback) => {
} }
}; };
// eslint-disable-next-line @typescript-eslint/no-explicit-any
function fromPayload(path: string): any {
return select(github.context.payload, path);
}
// eslint-disable-next-line @typescript-eslint/no-explicit-any
function select(obj: any, path: string): any {
if (!obj) {
return undefined;
}
const i = path.indexOf('.');
if (i < 0) {
return obj[path];
}
const key = path.slice(0, i);
return select(obj[key], path.slice(i + 1));
}
function getProvenanceInput(name: string): string { function getProvenanceInput(name: string): string {
const input = core.getInput(name); const input = core.getInput(name);
if (!input) { if (!input) {