mirror of
https://github.com/docker/build-push-action.git
synced 2024-11-09 20:05:38 +01:00
Merge pull request #784 from crazy-max/enable-provenance
revert disable provenance by default if not set
This commit is contained in:
commit
3b5e8027fc
5
.github/workflows/ci.yml
vendored
5
.github/workflows/ci.yml
vendored
@ -606,6 +606,11 @@ jobs:
|
|||||||
if: matrix.target == 'binary'
|
if: matrix.target == 'binary'
|
||||||
run: |
|
run: |
|
||||||
tree /tmp/buildx-build
|
tree /tmp/buildx-build
|
||||||
|
-
|
||||||
|
name: Print provenance
|
||||||
|
if: matrix.target == 'binary'
|
||||||
|
run: |
|
||||||
|
cat /tmp/buildx-build/provenance.json | jq
|
||||||
-
|
-
|
||||||
name: Print SBOM
|
name: Print SBOM
|
||||||
if: matrix.target == 'binary'
|
if: matrix.target == 'binary'
|
||||||
|
@ -557,7 +557,7 @@ nproc=3`],
|
|||||||
[
|
[
|
||||||
'build',
|
'build',
|
||||||
'--iidfile', '/tmp/.docker-build-push-jest/iidfile',
|
'--iidfile', '/tmp/.docker-build-push-jest/iidfile',
|
||||||
"--provenance", 'false',
|
"--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
|
||||||
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
|
'--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
|
||||||
'.'
|
'.'
|
||||||
]
|
]
|
||||||
|
2
dist/index.js
generated
vendored
2
dist/index.js
generated
vendored
File diff suppressed because one or more lines are too long
2
dist/index.js.map
generated
vendored
2
dist/index.js.map
generated
vendored
File diff suppressed because one or more lines are too long
@ -169,14 +169,17 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
|
|||||||
if (inputs.provenance) {
|
if (inputs.provenance) {
|
||||||
args.push('--provenance', inputs.provenance);
|
args.push('--provenance', inputs.provenance);
|
||||||
} else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) {
|
} else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) {
|
||||||
// If provenance not specified but BuildKit version compatible for
|
// if provenance not specified and BuildKit version compatible for
|
||||||
// attestation, disable provenance anyway. Also needs to make sure user
|
// attestation, set default provenance. Also needs to make sure user
|
||||||
// doesn't want to explicitly load the image to docker.
|
// doesn't want to explicitly load the image to docker.
|
||||||
// While this action successfully pushes OCI compliant images to
|
if (fromPayload('repository.private') !== false) {
|
||||||
// well-known registries, some runtimes (e.g. Google Cloud Run and AWS
|
// if this is a private repository, we set the default provenance
|
||||||
// Lambda) are not able to pull resulting image from their own registry...
|
// attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
|
||||||
// See also https://github.com/docker/buildx/issues/1533
|
args.push('--provenance', getProvenanceAttrs(`mode=min,inline-only=true`));
|
||||||
args.push('--provenance', 'false');
|
} else {
|
||||||
|
// for a public repository, we set max provenance mode.
|
||||||
|
args.push('--provenance', getProvenanceAttrs(`mode=max`));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (inputs.sbom) {
|
if (inputs.sbom) {
|
||||||
args.push('--sbom', inputs.sbom);
|
args.push('--sbom', inputs.sbom);
|
||||||
@ -278,6 +281,24 @@ export const asyncForEach = async (array, callback) => {
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||||
|
function fromPayload(path: string): any {
|
||||||
|
return select(github.context.payload, path);
|
||||||
|
}
|
||||||
|
|
||||||
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
||||||
|
function select(obj: any, path: string): any {
|
||||||
|
if (!obj) {
|
||||||
|
return undefined;
|
||||||
|
}
|
||||||
|
const i = path.indexOf('.');
|
||||||
|
if (i < 0) {
|
||||||
|
return obj[path];
|
||||||
|
}
|
||||||
|
const key = path.slice(0, i);
|
||||||
|
return select(obj[key], path.slice(i + 1));
|
||||||
|
}
|
||||||
|
|
||||||
function getProvenanceInput(name: string): string {
|
function getProvenanceInput(name: string): string {
|
||||||
const input = core.getInput(name);
|
const input = core.getInput(name);
|
||||||
if (!input) {
|
if (!input) {
|
||||||
|
Loading…
Reference in New Issue
Block a user