From ee7989df81d93e30e16c8648bb8d59b57ce5c7f4 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Wed, 11 Jan 2023 13:20:47 +0100 Subject: [PATCH] always set builder-id attribute for provenance Signed-off-by: CrazyMax --- src/context.ts | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/src/context.ts b/src/context.ts index 9f9576a..372aebd 100644 --- a/src/context.ts +++ b/src/context.ts @@ -162,13 +162,19 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str args.push('--platform', inputs.platforms.join(',')); } if (buildx.satisfies(buildxVersion, '>=0.10.0')) { + const prvBuilderID = `${process.env.GITHUB_SERVER_URL || 'https://github.com'}/${github.context.repo.owner}/${github.context.repo.repo}/actions/runs/${github.context.runId}`; if (inputs.provenance) { - args.push('--provenance', inputs.provenance); + args.push('--provenance', getProvenanceAttrs(inputs.provenance, prvBuilderID)); } else if (await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) { if (fromPayload('repository.private') !== false) { - args.push('--provenance', `mode=min,inline-only=true`); + // if this is a private repository, we set the default provenance + // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603 + // along the builder-id attribute. + args.push('--provenance', `mode=min,inline-only=true,builder-id=${prvBuilderID}`); } else { - args.push('--provenance', `mode=max,builder-id=${process.env.GITHUB_SERVER_URL || 'https://github.com'}/${github.context.repo.owner}/${github.context.repo.repo}/actions/runs/${github.context.runId}`); + // for a public repository, we set max provenance mode and the + // builder-id attribute. + args.push('--provenance', `mode=max,builder-id=${prvBuilderID}`); } } if (inputs.sbom) { @@ -288,3 +294,22 @@ function select(obj: any, path: string): any { const key = path.slice(0, i); return select(obj[key], path.slice(i + 1)); } + +function getProvenanceAttrs(input: string, builderID: string): string { + const fields = parse(input, { + relaxColumnCount: true, + skipEmptyLines: true + })[0]; + // check if builder-id attribute exists in the input + for (const field of fields) { + const parts = field + .toString() + .split(/(?<=^[^=]+?)=/) + .map(item => item.trim()); + if (parts[0] == 'builder-id') { + return input; + } + } + // if not add builder-id attribute + return `${input},builder-id=${builderID}`; +}