From f403dafe18abeb00b9d5976ab285a9f457520f29 Mon Sep 17 00:00:00 2001
From: CrazyMax <crazy-max@users.noreply.github.com>
Date: Mon, 30 Jan 2023 19:21:25 +0100
Subject: [PATCH] revert disable provenance by default if not set

This partially reverts 337a09d182ee8c86aa958168dc985219e49e4b3b but
keeps the newly added tests.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
---
 .github/workflows/ci.yml  |  5 +++++
 __tests__/context.test.ts |  2 +-
 src/context.ts            | 35 ++++++++++++++++++++++++++++-------
 3 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 32529f9..8854d5c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -606,6 +606,11 @@ jobs:
         if: matrix.target == 'binary'
         run: |
           tree /tmp/buildx-build
+      -
+        name: Print provenance
+        if: matrix.target == 'binary'
+        run: |
+          cat /tmp/buildx-build/provenance.json | jq
       -
         name: Print SBOM
         if: matrix.target == 'binary'
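Review bot: The new "Print provenance" step pipes `cat` into `jq` although `jq` reads files directly; `run: jq . /tmp/buildx-build/provenance.json` does the same in one process. If the neighbouring "Print SBOM" step uses the same shape it would be worth aligning both, but that step's body is outside the hunk.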
diff --git a/__tests__/context.test.ts b/__tests__/context.test.ts
index b02282a..a5171f9 100644
--- a/__tests__/context.test.ts
+++ b/__tests__/context.test.ts
@@ -557,7 +557,7 @@ nproc=3`],
       [
         'build',
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
-        "--provenance", 'false',
+        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
         '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
         '.'
       ]
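Review bot: The updated expectation pins only the `mode=min,inline-only=true` default, which src/context.ts now emits whenever `repository.private` is not explicitly `false`; nothing in this hunk sets repository visibility in the payload, so the branch is presumably taken because the value is absent. If no other case in this file sets `repository.private` to `false`, the public-repository `mode=max` branch is untested and deserves a case expecting a `--provenance` argument that starts with `mode=max`. The enclosing test case starts before this hunk.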
diff --git a/src/context.ts b/src/context.ts
index 1d3d02e..bb18868 100644
--- a/src/context.ts
+++ b/src/context.ts
@@ -169,14 +169,17 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
     if (inputs.provenance) {
       args.push('--provenance', inputs.provenance);
     } else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) {
-      // If provenance not specified but BuildKit version compatible for
-      // attestation, disable provenance anyway. Also needs to make sure user
+      // if provenance not specified and BuildKit version compatible for
+      // attestation, set default provenance. Also needs to make sure user
       // doesn't want to explicitly load the image to docker.
-      // While this action successfully pushes OCI compliant images to
-      // well-known registries, some runtimes (e.g. Google Cloud Run and AWS
-      // Lambda) are not able to pull resulting image from their own registry...
-      // See also https://github.com/docker/buildx/issues/1533
-      args.push('--provenance', 'false');
+      if (fromPayload('repository.private') !== false) {
+        // if this is a private repository, we set the default provenance
+        // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
+        args.push('--provenance', getProvenanceAttrs(`mode=min,inline-only=true`));
+      } else {
+        // for a public repository, we set max provenance mode.
+        args.push('--provenance', getProvenanceAttrs(`mode=max`));
+      }
     }
     if (inputs.sbom) {
       args.push('--sbom', inputs.sbom);
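Review bot: The `fromPayload('repository.private') !== false` condition takes the private branch not only for private repositories but also whenever the payload carries no `repository` entry (the lookup then yields `undefined`), while the comment above it says only "if this is a private repository". That fallback is the right default, since `mode=max` records considerably more build detail than `mode=min` and unknown visibility should not opt into it, but the comment should state the intent: `// treat unknown visibility as private: only emit mode=max when the payload explicitly reports a public repository`. getBuildArgs begins before this hunk.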
@@ -278,6 +281,24 @@ export const asyncForEach = async (array, callback) => {
   }
 };
 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function fromPayload(path: string): any {
+  return select(github.context.payload, path);
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function select(obj: any, path: string): any {
+  if (!obj) {
+    return undefined;
+  }
+  const i = path.indexOf('.');
+  if (i < 0) {
+    return obj[path];
+  }
+  const key = path.slice(0, i);
+  return select(obj[key], path.slice(i + 1));
+}
+
 function getProvenanceInput(name: string): string {
   const input = core.getInput(name);
   if (!input) {
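Review bot: `fromPayload` and `select` are typed with `any` and each carries an eslint-disable to permit it, yet the only consumer visible here compares the result with `!== false` and needs no `any` at all; `unknown` with a runtime narrowing expresses the same lookup without switching off the checker. The narrowing below also replaces the `!obj` truthiness test, which would otherwise index into primitive intermediates such as strings; for the webhook payload this lookup reads, the result is the same. The `repository.private` check in getBuildArgs compiles unchanged against an `unknown` return.
```typescript
function fromPayload(path: string): unknown {
  return select(github.context.payload, path);
}

function select(obj: unknown, path: string): unknown {
  if (typeof obj !== 'object' || obj === null) {
    return undefined;
  }
  const record = obj as Record<string, unknown>;
  const i = path.indexOf('.');
  if (i < 0) {
    return record[path];
  }
  return select(record[path.slice(0, i)], path.slice(i + 1));
}
```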