only use attestation when building image outside the development inner loop

glours · glours · commit 0566431c6467 · 2025-05-20T18:21:05.000+02:00
when building a image, by default attestation are generated and modify the image ID which trigger a container recreation on up, run command even if there isn't any changes on the image content itself

Signed-off-by: Guillaume Lours &lt;705411+glours@users.noreply.github.com&gt;
diff --git a/cmd/compose/build.go b/cmd/compose/build.go
@@ -35,17 +35,18 @@ import (
 
 type buildOptions struct {
 	*ProjectOptions
-	quiet   bool
-	pull    bool
-	push    bool
-	args    []string
-	noCache bool
-	memory  cliopts.MemBytes
-	ssh     string
-	builder string
-	deps    bool
-	print   bool
-	check   bool
+	quiet      bool
+	pull       bool
+	push       bool
+	args       []string
+	noCache    bool
+	memory     cliopts.MemBytes
+	ssh        string
+	builder    string
+	deps       bool
+	print      bool
+	check      bool
+	provenance string
 }
 
 func (opts buildOptions) toAPIBuildOptions(services []string) (api.BuildOptions, error) {
@@ -69,20 +70,27 @@ func (opts buildOptions) toAPIBuildOptions(services []string) (api.BuildOptions,
 	if uiMode == ui.ModeJSON {
 		uiMode = "rawjson"
 	}
+	var provenance *string
+	// empty when set by up, run or create functions and "none" when set by the user from the build command
+	if opts.provenance != "" && opts.provenance != "none" {
+		provenance = &opts.provenance
+	}
+
 	return api.BuildOptions{
-		Pull:     opts.pull,
-		Push:     opts.push,
-		Progress: uiMode,
-		Args:     types.NewMappingWithEquals(opts.args),
-		NoCache:  opts.noCache,
-		Quiet:    opts.quiet,
-		Services: services,
-		Deps:     opts.deps,
-		Memory:   int64(opts.memory),
-		Print:    opts.print,
-		Check:    opts.check,
-		SSHs:     SSHKeys,
-		Builder:  builderName,
+		Pull:       opts.pull,
+		Push:       opts.push,
+		Progress:   uiMode,
+		Args:       types.NewMappingWithEquals(opts.args),
+		NoCache:    opts.noCache,
+		Quiet:      opts.quiet,
+		Services:   services,
+		Deps:       opts.deps,
+		Memory:     int64(opts.memory),
+		Print:      opts.print,
+		Check:      opts.check,
+		SSHs:       SSHKeys,
+		Builder:    builderName,
+		Provenance: provenance,
 	}, nil
 }
 
@@ -123,6 +131,7 @@ func buildCommand(p *ProjectOptions, dockerCli command.Cli, backend api.Service)
 	flags.StringVar(&opts.ssh, "ssh", "", "Set SSH authentications used when building service images. (use 'default' for using your default SSH Agent)")
 	flags.StringVar(&opts.builder, "builder", "", "Set builder to use")
 	flags.BoolVar(&opts.deps, "with-dependencies", false, "Also build dependencies (transitively)")
+	flags.StringVar(&opts.provenance, "provenance", "min", "Set provenance mode (none|min|max)")
 
 	flags.Bool("parallel", true, "Build images in parallel. DEPRECATED")
 	flags.MarkHidden("parallel") //nolint:errcheck
diff --git a/docs/reference/compose_build.md b/docs/reference/compose_build.md
@@ -22,6 +22,7 @@ run `docker compose build` to rebuild it.
 | `-m`, `--memory`      | `bytes`       | `0`     | Set memory limit for the build container. Not supported by BuildKit.                                        |
 | `--no-cache`          | `bool`        |         | Do not use cache when building the image                                                                    |
 | `--print`             | `bool`        |         | Print equivalent bake file                                                                                  |
+| `--provenance`        | `string`      | `max`   | Set provenance mode (none\|min\|max)                                                                        |
 | `--pull`              | `bool`        |         | Always attempt to pull a newer version of the image                                                         |
 | `--push`              | `bool`        |         | Push service images                                                                                         |
 | `-q`, `--quiet`       | `bool`        |         | Don't print anything to STDOUT                                                                              |
diff --git a/docs/reference/docker_compose_build.yaml b/docs/reference/docker_compose_build.yaml
@@ -126,6 +126,16 @@ options:
       experimentalcli: false
       kubernetes: false
       swarm: false
+    - option: provenance
+      value_type: string
+      default_value: max
+      description: Set provenance mode (none|min|max)
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
     - option: pull
       value_type: bool
       default_value: "false"
diff --git a/pkg/api/api.go b/pkg/api/api.go
@@ -159,6 +159,8 @@ type BuildOptions struct {
 	Print bool
 	// Check let builder validate build configuration
 	Check bool
+	// Provenance
+	Provenance *string
 }
 
 // Apply mutates project according to build options
diff --git a/pkg/compose/build.go b/pkg/compose/build.go
@@ -481,6 +481,9 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 		return build.Options{}, err
 	}
 
+	attests := map[string]*string{}
+	attests["provenance"] = options.Provenance
+
 	return build.Options{
 		Inputs: build.Inputs{
 			ContextPath:      service.Build.Context,
@@ -504,6 +507,7 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 		Session:      sessionConfig,
 		Allow:        allow,
 		SourcePolicy: sp,
+		Attests:      attests,
 	}, nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -159,6 +159,8 @@ type BuildOptions struct {`
`159`	`159`	`Print bool`
`160`	`160`	`// Check let builder validate build configuration`
`161`	`161`	`Check bool`
	`162`	`+ // Provenance`
	`163`	`+ Provenance *string`
`162`	`164`	`}`
`163`	`165`
`164`	`166`	`// Apply mutates project according to build options`