
Commit d14785b

authored
Merge pull request #359 from crazy-max/check-attest-definition
check provenance attestation set in bake definition before overriding
2 parents 41c10f2 + 597dc07 commit d14785b

7 files changed

Lines changed: 81 additions & 16 deletions


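--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -867,3 +867,23 @@ jobs:
           files: |
             ./test/config.hcl
           call: check
+
+  attest-override:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build and push
+        uses: ./
+        with:
+          workdir: ./test/attest
+          source: .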
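Review bot: The new attest-override job only runs the build; nothing after the "Build and push" step asserts what the per-target override actually produced for t2 (user-declared mode=min kept) and t3 (default provenance added next to the existing sbom entry), so a regression in the `--set <target>.attest` logic would still pass as long as the build succeeds. Giving the build step an `id: build` and adding a step that inspects `${{ steps.build.outputs.metadata }}` for the expected attestation attributes per target would turn this into a real check. The job also references `actions/checkout@v5` and `docker/setup-buildx-action@v3` by mutable tag; if the other jobs in this workflow pin actions to a commit SHA, this one should follow the same convention.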

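--- a/__tests__/context.test.ts
+++ b/__tests__/context.test.ts
@@ -218,7 +218,9 @@ describe('getArgs', () => {
         [
           'bake',
           '--metadata-file', metadataJson,
-          "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
         ],
         undefined
       ],
@@ -311,7 +313,9 @@ describe('getArgs', () => {
           '--set', '*.platform=linux/amd64,linux/ppc64le,linux/s390x',
           '--set', `*.output=type=image,"name=moby/buildkit:v0.11.0,moby/buildkit:latest",push=true`,
           '--metadata-file', metadataJson,
-          '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
           'image-all'
         ],
         undefined
@@ -332,7 +336,9 @@ describe('getArgs', () => {
           'bake',
           '--set', `*.labels.foo=bar=#baz`,
           '--metadata-file', metadataJson,
-          '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
           'image-all'
         ],
         undefined
@@ -352,7 +358,9 @@ describe('getArgs', () => {
           'https://github.com/docker/build-push-action.git#refs/heads/master',
           '--file', './foo.hcl',
           '--metadata-file', metadataJson,
-          '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
         ],
         undefined
       ],
@@ -371,7 +379,9 @@ describe('getArgs', () => {
           'bake',
           '--allow', 'network.host',
           '--metadata-file', metadataJson,
-          "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
+          '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
         ],
         undefined
       ],
@@ -391,7 +401,9 @@ describe('getArgs', () => {
           'https://github.com/docker/build-push-action.git#refs/heads/master:subdir',
           '--file', './foo.hcl',
           '--metadata-file', metadataJson,
-          '--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
+          '--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
         ],
         undefined
       ],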
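Review bot: None of the six updated cases exercises the branch the commit introduces — a definition whose target already carries a `type=provenance` attest entry (or a non-array `attest`) and must therefore receive no `--set <target>.attest` argument; every expected list here still emits the override for all three targets (lint, validate-docs, validate-vendor), so the skip logic is untested. A case driven by a fixture like `test/attest/docker-bake.hcl`, asserting that only the targets without a provenance entry get the `--set`, would pin the new behaviour. Style: the same attribute string is repeated three times per case across six cases; hoisting it into a `const`, e.g. `const provenanceAttrs = 'mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1';`, and building the three `--set` values from it keeps the table readable. The enclosing `describe('getArgs', …)` block starts and ends outside these hunks.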

dist/index.js

Lines changed: 1 addition & 1 deletion

dist/index.js.map

Lines changed: 1 addition & 1 deletion

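--- a/src/context.ts
+++ b/src/context.ts
@@ -90,16 +90,22 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
   if (inputs.provenance) {
     args.push('--provenance', inputs.provenance);
   } else if (!noDefaultAttestations() && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(definition, inputs.load)) {
-    // if provenance not specified and BuildKit version compatible for
+    // check if provenance attestation is already specified in the bake
+    // definition and if not specified and BuildKit version compatible for
     // attestation, set default provenance. Also needs to make sure user
     // doesn't want to explicitly load the image to docker.
-    if (GitHub.context.payload.repository?.private ?? false) {
-      // if this is a private repository, we set the default provenance
-      // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
-      args.push('--provenance', Build.resolveProvenanceAttrs(`mode=min,inline-only=true`));
-    } else {
-      // for a public repository, we set max provenance mode.
-      args.push('--provenance', Build.resolveProvenanceAttrs(`mode=max`));
+    for (const targetName in definition.target) {
+      const target = definition.target[targetName];
+      if (!Array.isArray(target.attest) || !target.attest.some(attest => attest?.type === 'provenance')) {
+        if (GitHub.context.payload.repository?.private ?? false) {
+          // if this is a private repository, we set the default provenance
+          // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
+          args.push('--set', `${targetName}.attest=type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
+        } else {
+          // for a public repository, we set max provenance mode.
+          args.push('--set', `${targetName}.attest=type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
+        }
+      }
     }
   }
   if (inputs.sbom) {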
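Review bot: The per-target `--set ${targetName}.attest=type=provenance,…` on new lines 103 and 106 assumes buildx merges that override with attestations the target already declares rather than replacing the whole list; if it replaces, a target such as t3 in the new fixture (`attest = ["type=sbom"]`) silently loses its SBOM attestation the moment the default provenance is injected, which is exactly the kind of regression the supply-chain metadata consumers downstream would not notice. Whichever behaviour buildx actually has, a comment above the loop stating the assumption, e.g. `// NOTE: --set <target>.attest is expected to merge with attest entries already declared on the target, not replace them`, plus a test pinning it would make the contract explicit. The skip condition on line 99 treats any user-declared `type=provenance` entry as authoritative, including one with `disabled=true`; that is the right choice for honouring user intent but deserves a one-line comment so nobody later "fixes" it. Style: `for (const targetName in definition.target)` followed by an index lookup reads more idiomatically as `for (const [targetName, target] of Object.entries(definition.target ?? {}))`, keeping the `?? {}` only if `definition.target` is optional in `BakeDefinition`. getBakeArgs begins before this hunk and continues past it.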

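--- a/test/attest/Dockerfile
+++ b/test/attest/Dockerfile
@@ -0,0 +1,10 @@
+# syntax=docker/dockerfile:1
+
+FROM busybox AS t1
+RUN echo "Hello t1"
+
+FROM busybox AS t2
+RUN echo "Hello t2"
+
+FROM busybox AS t3
+RUN echo "Hello t3"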

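--- a/test/attest/docker-bake.hcl
+++ b/test/attest/docker-bake.hcl
@@ -0,0 +1,17 @@
+group "default" {
+  targets = ["t1", "t2", "t3"]
+}
+
+target "t1" {
+  target = "t1"
+}
+
+target "t2" {
+  target = "t2"
+  attest = ["type=provenance,mode=min"]
+}
+
+target "t3" {
+  target = "t3"
+  attest = ["type=sbom"]
+}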
