From d8b90b1ab1b337be5abd07a17d9288c4ee5d28aa Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Sat, 3 Feb 2024 15:08:18 +0100
Subject: [PATCH] Env var to set provenance mode

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/ci.yml | 40 ++++++++++++++++++++++++++++++++++++++++
 README.md | 7 +++++++
 src/context.ts | 25 ++++++++++++++++---------
 3 files changed, 63 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7d50206..a94856e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -653,6 +653,46 @@ jobs:
 run: |
 cat /tmp/buildx-build/provenance.json | jq
 
+ provenance-env-mode:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ mode:
+ - min
+ - max
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v4
+ -
+ name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+ driver-opts: |
+ network=host
+ image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+ -
+ name: Build
+ uses: ./
+ with:
+ context: ./test/go
+ file: ./test/go/Dockerfile
+ target: image
+ outputs: type=image,name=localhost:5000/name/app:latest,push=true
+ env:
+ BUILDX_PROVENANCE_MODE: ${{ matrix.mode }}
+ -
+ name: Inspect Provenance
+ run: |
+ docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .Provenance}}'
+
 sbom:
 runs-on: ubuntu-latest
 strategy:
diff --git a/README.md b/README.md
index 7c3f11a..d89815e 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ ___
 * [Customizing](#customizing)
 * [inputs](#inputs)
 * [outputs](#outputs)
+ * [environment variables](#environment-variables)
 * [Troubleshooting](#troubleshooting)
 * [Contributing](#contributing)
 
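Review bot: The `Inspect Provenance` step in the new `provenance-env-mode` job only prints the attestation; nothing checks that the mode requested through `BUILDX_PROVENANCE_MODE` is the one BuildKit actually recorded, so a regression where the variable is ignored would still pass (if this repository is public, the `auto` fallback already yields `max`, and the `min` leg passes as long as any provenance exists). At minimum, `docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .Provenance}}' | jq -e .` makes an absent or null provenance fail the step; better, compare a mode-dependent field of the output against `${{ matrix.mode }}`. Both legs push to the local registry, so the `docker` exporter guard in `src/context.ts` under which the variable is silently dropped is never exercised; a leg with `load: true` would pin that behaviour either way.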
@@ -262,6 +263,12 @@ The following outputs are available:
 | `digest` | String | Image digest |
 | `metadata` | JSON | Build result metadata |
 
+### environment variables
+
+| Name | Type | Description |
+|--------------------------|--------|-------------------------------------------------------------------------------|
+| `BUILDX_PROVENANCE_MODE` | String | Set attestation provenance mode. One of `auto`, `min`, `max` (default `auto`) |
+
 ## Troubleshooting
 
 See [TROUBLESHOOTING.md](TROUBLESHOOTING.md)

diff --git a/src/context.ts b/src/context.ts
index 358ba29..f21f689 100644
--- a/src/context.ts
+++ b/src/context.ts
@@ -160,16 +160,23 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
 if (inputs.provenance) {
 args.push('--provenance', inputs.provenance);
 } else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !BuildxInputs.hasDockerExporter(inputs.outputs, inputs.load)) {
- // if provenance not specified and BuildKit version compatible for
- // attestation, set default provenance. Also needs to make sure user
- // doesn't want to explicitly load the image to docker.
- if (GitHub.context.payload.repository?.private ?? false) {
- // if this is a private repository, we set the default provenance
- // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
- args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=min,inline-only=true`));
+ const provenanceMode = process.env['BUILDX_PROVENANCE_MODE'] || 'auto';
+ if (provenanceMode === 'auto') {
+ // if provenance not specified and BuildKit version compatible for
+ // attestation, set default provenance. Also needs to make sure user
+ // doesn't want to explicitly load the image to docker.
+ if (GitHub.context.payload.repository?.private ?? false) {
+ // if this is a private repository, we set the default provenance
+ // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
+ args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=min,inline-only=true`));
+ } else {
+ // for a public repository, we set max provenance mode.
+ args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=max`));
+ }
+ } else if (provenanceMode === 'min' || provenanceMode === 'max') {
+ args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=${provenanceMode}`));
 } else {
- // for a public repository, we set max provenance mode.
- args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=max`));
+ throw new Error(`Invalid BUILDX_PROVENANCE_MODE: ${provenanceMode}`);
 }
 }
 if (inputs.sbom) {
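Review bot: An explicit `BUILDX_PROVENANCE_MODE=min` or `max` is silently ignored whenever the enclosing `else if` guard fails (an explicit `provenance` input, BuildKit older than 0.11.0, or a docker exporter in `outputs`/`load`), because the variable is only read inside that branch, so a user relying on it to get attestations can end up with none and no message, while a typo in the same variable throws. Consider reading the variable before the `if (inputs.provenance)` chain and, when it is set but cannot be honoured, emitting a warning (with `core.warning(...)` if this file has `@actions/core` in scope); at minimum the explanatory comment should say the variable applies only when provenance would otherwise be defaulted. The thrown error would be more helpful listing the accepted values, e.g. ``throw new Error(`Invalid BUILDX_PROVENANCE_MODE: ${provenanceMode} (expected auto, min or max)`);``. Note also that an explicit `min` on a private repository no longer adds `inline-only=true`, unlike the `auto` path; if that is intended, a one-line comment on the `min`/`max` branch would save the next reader the question. getBuildArgs starts before this hunk and ends after it.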