Env var to set provenance mode
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
This commit is contained in:
parent
94d76d3bc1
commit
d8b90b1ab1
3 changed files with 63 additions and 9 deletions
40
.github/workflows/ci.yml
@ -653,6 +653,46 @@ jobs:
run: |
run: |
cat /tmp/buildx-build/provenance.json | jq
cat /tmp/buildx-build/provenance.json | jq
provenance-env-mode:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
mode:
- min
- max
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
driver-opts: |
network=host
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build
uses: ./
with:
context: ./test/go
file: ./test/go/Dockerfile
target: image
outputs: type=image,name=localhost:5000/name/app:latest,push=true
env:
BUILDX_PROVENANCE_MODE: ${{ matrix.mode }}
-
name: Inspect Provenance
run: |
docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .Provenance}}'
sbom:
sbom:
runs-on: ubuntu-latest
runs-on: ubuntu-latest
strategy:
strategy:
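Review bot: The new `provenance-env-mode` job never asserts that the requested mode took effect — the `Inspect Provenance` step only prints `docker buildx imagetools inspect ... --format '{{json .Provenance}}'`, so a regression in which `BUILDX_PROVENANCE_MODE` is ignored (it is only read when no `provenance` input is given) would still pass green. Pipe that output through `jq -e` and fail on a field that differs between the modes (for `max` a populated build configuration / source section is expected that `min` omits; confirm the exact predicate field names against the BuildKit provenance the job already dumps). The matrix also covers only `min` and `max`: a case with an unsupported value whose `Build` step is expected to fail would exercise the new validation, and an `auto` case would pin the repository-visibility default. The hunk inserts a whole job, so the enclosing `jobs:` map continues outside it.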
@ -34,6 +34,7 @@ ___
* [Customizing](#customizing)
* [Customizing](#customizing)
* [inputs](#inputs)
* [inputs](#inputs)
* [outputs](#outputs)
* [outputs](#outputs)
* [environment variables](#environment-variables)
* [Troubleshooting](#troubleshooting)
* [Troubleshooting](#troubleshooting)
* [Contributing](#contributing)
* [Contributing](#contributing)
@ -262,6 +263,12 @@ The following outputs are available:
| `digest` | String | Image digest |
| `digest` | String | Image digest |
| `metadata` | JSON | Build result metadata |
| `metadata` | JSON | Build result metadata |
### environment variables
| Name | Type | Description |
|--------------------------|--------|-------------------------------------------------------------------------------|
| `BUILDX_PROVENANCE_MODE` | String | Set attestation provenance mode. One of `auto`, `min`, `max` (default `auto`) |
## Troubleshooting
## Troubleshooting
See [TROUBLESHOOTING.md](TROUBLESHOOTING.md)
See [TROUBLESHOOTING.md](TROUBLESHOOTING.md)
@ -160,16 +160,23 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
if (inputs.provenance) {
if (inputs.provenance) {
args.push('--provenance', inputs.provenance);
args.push('--provenance', inputs.provenance);
} else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !BuildxInputs.hasDockerExporter(inputs.outputs, inputs.load)) {
} else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !BuildxInputs.hasDockerExporter(inputs.outputs, inputs.load)) {
// if provenance not specified and BuildKit version compatible for
const provenanceMode = process.env['BUILDX_PROVENANCE_MODE'] || 'auto';
// attestation, set default provenance. Also needs to make sure user
if (provenanceMode === 'auto') {
// doesn't want to explicitly load the image to docker.
// if provenance not specified and BuildKit version compatible for
if (GitHub.context.payload.repository?.private ?? false) {
// attestation, set default provenance. Also needs to make sure user
// if this is a private repository, we set the default provenance
// doesn't want to explicitly load the image to docker.
// attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
if (GitHub.context.payload.repository?.private ?? false) {
args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=min,inline-only=true`));
// if this is a private repository, we set the default provenance
// attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=min,inline-only=true`));
} else {
// for a public repository, we set max provenance mode.
args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=max`));
}
} else if (provenanceMode === 'min' || provenanceMode === 'max') {
args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=${provenanceMode}`));
} else {
} else {
// for a public repository, we set max provenance mode.
throw new Error(`Invalid BUILDX_PROVENANCE_MODE: ${provenanceMode}`);
args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=max`));
}
}
}
}
if (inputs.sbom) {
if (inputs.sbom) {
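Review bot: Setting `BUILDX_PROVENANCE_MODE=min` on a private repository now yields plain `mode=min`, whereas the `auto` branch right above it emits `mode=min,inline-only=true` for the same repository — so asking for the mode the default would have picked still changes what is pushed (presumably whether a separate attestation manifest is attached; confirm against buildx). If that is intended, the new `const provenanceMode` line deserves a comment saying so, and the README entry should mention it; otherwise the `min` branch should reuse the private-repository attributes. The variable is also consulted only inside this `else if` — with a `provenance` input, BuildKit < 0.11 or a docker exporter it is silently ignored, invalid values included — which the comment should state, e.g. `// BUILDX_PROVENANCE_MODE is honoured only when no provenance input is set and attestations are possible (see the enclosing condition); 'auto' selects the visibility-based default below.` Reading it as `(process.env['BUILDX_PROVENANCE_MODE'] || 'auto').trim().toLowerCase()` would keep `MIN` or a trailing space from being rejected as invalid. getBuildArgs starts before this hunk and continues after it.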