disable provenance by default if not set
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
This commit is contained in:
		
							parent
							
								
									37abcedcc1
								
							
						
					
					
						commit
						337a09d182
					
				
							
								
								
									
										5
									
								
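--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -606,11 +606,6 @@ jobs:
         if: matrix.target == 'binary'
         run: |
           tree /tmp/buildx-build
-      -
-        name: Print provenance
-        if: matrix.target == 'binary'
-        run: |
-          cat /tmp/buildx-build/provenance.json | jq
       -
         name: Print SBOM
         if: matrix.target == 'binary'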
@ -557,7 +557,7 @@ nproc=3`],
 | 
				
			|||||||
      [
 | 
					      [
 | 
				
			||||||
        'build',
 | 
					        'build',
 | 
				
			||||||
        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
 | 
					        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
 | 
				
			||||||
        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
 | 
					        "--provenance", 'false',
 | 
				
			||||||
        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
 | 
					        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
 | 
				
			||||||
        '.'
 | 
					        '.'
 | 
				
			||||||
      ]
 | 
					      ]
 | 
				
			||||||
@ -638,6 +638,43 @@ nproc=3`],
 | 
				
			|||||||
        '.'
 | 
					        '.'
 | 
				
			||||||
      ]
 | 
					      ]
 | 
				
			||||||
    ],
 | 
					    ],
 | 
				
			||||||
 | 
					    [
 | 
				
			||||||
 | 
					      23,
 | 
				
			||||||
 | 
					      '0.10.0',
 | 
				
			||||||
 | 
					      new Map<string, string>([
 | 
				
			||||||
 | 
					        ['context', '.'],
 | 
				
			||||||
 | 
					        ['load', 'false'],
 | 
				
			||||||
 | 
					        ['no-cache', 'false'],
 | 
				
			||||||
 | 
					        ['push', 'false'],
 | 
				
			||||||
 | 
					        ['pull', 'false'],
 | 
				
			||||||
 | 
					        ['outputs', 'type=docker'],
 | 
				
			||||||
 | 
					      ]),
 | 
				
			||||||
 | 
					      [
 | 
				
			||||||
 | 
					        'build',
 | 
				
			||||||
 | 
					        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
 | 
				
			||||||
 | 
					        "--output", 'type=docker',
 | 
				
			||||||
 | 
					        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
 | 
				
			||||||
 | 
					        '.'
 | 
				
			||||||
 | 
					      ]
 | 
				
			||||||
 | 
					    ],
 | 
				
			||||||
 | 
					    [
 | 
				
			||||||
 | 
					      24,
 | 
				
			||||||
 | 
					      '0.10.0',
 | 
				
			||||||
 | 
					      new Map<string, string>([
 | 
				
			||||||
 | 
					        ['context', '.'],
 | 
				
			||||||
 | 
					        ['load', 'true'],
 | 
				
			||||||
 | 
					        ['no-cache', 'false'],
 | 
				
			||||||
 | 
					        ['push', 'false'],
 | 
				
			||||||
 | 
					        ['pull', 'false'],
 | 
				
			||||||
 | 
					      ]),
 | 
				
			||||||
 | 
					      [
 | 
				
			||||||
 | 
					        'build',
 | 
				
			||||||
 | 
					        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
 | 
				
			||||||
 | 
					        "--load",
 | 
				
			||||||
 | 
					        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
 | 
				
			||||||
 | 
					        '.'
 | 
				
			||||||
 | 
					      ]
 | 
				
			||||||
 | 
					    ],
 | 
				
			||||||
  ])(
 | 
					  ])(
 | 
				
			||||||
    '[%d] given %p with %p as inputs, returns %p',
 | 
					    '[%d] given %p with %p as inputs, returns %p',
 | 
				
			||||||
    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {
 | 
					    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {
 | 
				
			||||||
 | 
				
			|||||||
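Review bot: None of the cases visible in these hunks exercises the only path that still yields attestations after this change — an explicit `provenance` input being passed through by getBuildArgs — so the case at `"--provenance", 'false'` plus the new cases 23 and 24 only pin the opt-out default, and a regression in the pass-through would go unnoticed. I would add a sibling case with `['provenance', 'mode=max']` in the inputs map and `"--provenance", 'mode=max'` in the expected argument list. Cases 23 and 24 deliberately omit the flag for the `type=docker` output and `load: true` paths, which matches the `hasDockerExport` guard, so that side looks covered. The `test.each` table starts outside the hunk, so an earlier case may already cover the explicit input; this is an observation on what is visible here.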
@ -169,17 +169,14 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
 | 
				
			|||||||
    if (inputs.provenance) {
 | 
					    if (inputs.provenance) {
 | 
				
			||||||
      args.push('--provenance', inputs.provenance);
 | 
					      args.push('--provenance', inputs.provenance);
 | 
				
			||||||
    } else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) {
 | 
					    } else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) {
 | 
				
			||||||
      // if provenance not specified and BuildKit version compatible for
 | 
					      // If provenance not specified but BuildKit version compatible for
 | 
				
			||||||
      // attestation, set default provenance. Also needs to make sure user
 | 
					      // attestation, disable provenance anyway. Also needs to make sure user
 | 
				
			||||||
      // doesn't want to explicitly load the image to docker.
 | 
					      // doesn't want to explicitly load the image to docker.
 | 
				
			||||||
      if (fromPayload('repository.private') !== false) {
 | 
					      // While this action successfully pushes OCI compliant images to
 | 
				
			||||||
        // if this is a private repository, we set the default provenance
 | 
					      // well-known registries, some runtimes (e.g. Google Cloud Run and AWS
 | 
				
			||||||
        // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
 | 
					      // Lambda) are not able to pull resulting image from their own registry...
 | 
				
			||||||
        args.push('--provenance', getProvenanceAttrs(`mode=min,inline-only=true`));
 | 
					      // See also https://github.com/docker/buildx/issues/1533
 | 
				
			||||||
      } else {
 | 
					      args.push('--provenance', 'false');
 | 
				
			||||||
        // for a public repository, we set max provenance mode.
 | 
					 | 
				
			||||||
        args.push('--provenance', getProvenanceAttrs(`mode=max`));
 | 
					 | 
				
			||||||
      }
 | 
					 | 
				
			||||||
    }
 | 
					    }
 | 
				
			||||||
    if (inputs.sbom) {
 | 
					    if (inputs.sbom) {
 | 
				
			||||||
      args.push('--sbom', inputs.sbom);
 | 
					      args.push('--sbom', inputs.sbom);
 | 
				
			||||||
@ -281,24 +278,6 @@ export const asyncForEach = async (array, callback) => {
 | 
				
			|||||||
  }
 | 
					  }
 | 
				
			||||||
};
 | 
					};
 | 
				
			||||||
 | 
					
 | 
				
			||||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
 | 
					 | 
				
			||||||
function fromPayload(path: string): any {
 | 
					 | 
				
			||||||
  return select(github.context.payload, path);
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
// eslint-disable-next-line @typescript-eslint/no-explicit-any
 | 
					 | 
				
			||||||
function select(obj: any, path: string): any {
 | 
					 | 
				
			||||||
  if (!obj) {
 | 
					 | 
				
			||||||
    return undefined;
 | 
					 | 
				
			||||||
  }
 | 
					 | 
				
			||||||
  const i = path.indexOf('.');
 | 
					 | 
				
			||||||
  if (i < 0) {
 | 
					 | 
				
			||||||
    return obj[path];
 | 
					 | 
				
			||||||
  }
 | 
					 | 
				
			||||||
  const key = path.slice(0, i);
 | 
					 | 
				
			||||||
  return select(obj[key], path.slice(i + 1));
 | 
					 | 
				
			||||||
}
 | 
					 | 
				
			||||||
 | 
					 | 
				
			||||||
function getProvenanceInput(name: string): string {
 | 
					function getProvenanceInput(name: string): string {
 | 
				
			||||||
  const input = core.getInput(name);
 | 
					  const input = core.getInput(name);
 | 
				
			||||||
  if (!input) {
 | 
					  if (!input) {
 | 
				
			||||||
 | 
				
			|||||||
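Review bot: The new `args.push('--provenance', 'false');` in the else-branch silently opts every build that does not set `provenance` out of SLSA provenance attestations, and nothing in the hunk surfaces that to the user, so a workflow that relied on the previous default (mode=min or mode=max) loses its attestations with no log line. Since `core` is already used in this file (`core.getInput` in getProvenanceInput), I would at least log it next to the push: `core.info('Provenance attestation disabled by default; set the provenance input (e.g. mode=max) to keep generating attestations');`. The comment block above it explains the runtime-compatibility motivation but reads as permanent; I would add `// NOTE: workaround until those runtimes accept attestation manifests; users must opt in via the provenance input to keep attestations.` so the next maintainer knows it is meant to be revisited. getBuildArgs starts outside the hunk and `hasDockerExport`/`satisfiesBuildKitVersion` are not visible here, so I have not checked the branch conditions themselves.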