From 337a09d182ee8c86aa958168dc985219e49e4b3b Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Fri, 27 Jan 2023 14:06:06 +0100 Subject: [PATCH] disable provenance by default if not set Signed-off-by: CrazyMax --- .github/workflows/ci.yml | 5 ----- __tests__/context.test.ts | 39 ++++++++++++++++++++++++++++++++++++++- src/context.ts | 35 +++++++---------------------------- 3 files changed, 45 insertions(+), 34 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8854d5c..32529f9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -606,11 +606,6 @@ jobs: if: matrix.target == 'binary' run: | tree /tmp/buildx-build - - - name: Print provenance - if: matrix.target == 'binary' - run: | - cat /tmp/buildx-build/provenance.json | jq - name: Print SBOM if: matrix.target == 'binary' diff --git a/__tests__/context.test.ts b/__tests__/context.test.ts index 3110fb4..b02282a 100644 --- a/__tests__/context.test.ts +++ b/__tests__/context.test.ts @@ -557,7 +557,7 @@ nproc=3`], [ 'build', '--iidfile', '/tmp/.docker-build-push-jest/iidfile', - "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, + "--provenance", 'false', '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file', '.' ] @@ -638,6 +638,43 @@ nproc=3`], '.' ] ], + [ + 23, + '0.10.0', + new Map([ + ['context', '.'], + ['load', 'false'], + ['no-cache', 'false'], + ['push', 'false'], + ['pull', 'false'], + ['outputs', 'type=docker'], + ]), + [ + 'build', + '--iidfile', '/tmp/.docker-build-push-jest/iidfile', + "--output", 'type=docker', + '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file', + '.' + ] + ], + [ + 24, + '0.10.0', + new Map([ + ['context', '.'], + ['load', 'true'], + ['no-cache', 'false'], + ['push', 'false'], + ['pull', 'false'], + ]), + [ + 'build', + '--iidfile', '/tmp/.docker-build-push-jest/iidfile', + "--load", + '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file', + '.' + ] + ], ])( '[%d] given %p with %p as inputs, returns %p', async (num: number, buildxVersion: string, inputs: Map, expected: Array) => { diff --git a/src/context.ts b/src/context.ts index bb18868..1d3d02e 100644 --- a/src/context.ts +++ b/src/context.ts @@ -169,17 +169,14 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str if (inputs.provenance) { args.push('--provenance', inputs.provenance); } else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) { - // if provenance not specified and BuildKit version compatible for - // attestation, set default provenance. Also needs to make sure user + // If provenance not specified but BuildKit version compatible for + // attestation, disable provenance anyway. Also needs to make sure user // doesn't want to explicitly load the image to docker. - if (fromPayload('repository.private') !== false) { - // if this is a private repository, we set the default provenance - // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603 - args.push('--provenance', getProvenanceAttrs(`mode=min,inline-only=true`)); - } else { - // for a public repository, we set max provenance mode. - args.push('--provenance', getProvenanceAttrs(`mode=max`)); - } + // While this action successfully pushes OCI compliant images to + // well-known registries, some runtimes (e.g. Google Cloud Run and AWS + // Lambda) are not able to pull resulting image from their own registry... + // See also https://github.com/docker/buildx/issues/1533 + args.push('--provenance', 'false'); } if (inputs.sbom) { args.push('--sbom', inputs.sbom); @@ -281,24 +278,6 @@ export const asyncForEach = async (array, callback) => { } }; -// eslint-disable-next-line @typescript-eslint/no-explicit-any -function fromPayload(path: string): any { - return select(github.context.payload, path); -} - -// eslint-disable-next-line @typescript-eslint/no-explicit-any -function select(obj: any, path: string): any { - if (!obj) { - return undefined; - } - const i = path.indexOf('.'); - if (i < 0) { - return obj[path]; - } - const key = path.slice(0, i); - return select(obj[key], path.slice(i + 1)); -} - function getProvenanceInput(name: string): string { const input = core.getInput(name); if (!input) {