disable provenance by default if not set

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
docker · Jan 30, 2023 · f92c39a · f92c39a
1 parent 37abced
commit f92c39a
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 36 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -534,6 +534,12 @@ jobs:
           - builder-id=foo
           - false
           - true
+        buildx_version:
+          - v0.9.1
+          - v0.10.1
+        buildkit_version:
+          - moby/buildkit:v0.11.2
+          - moby/buildkit:v0.10.6
     steps:
       -
         name: Checkout
@@ -542,10 +548,10 @@ jobs:
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
         with:
-          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          version: ${{ matrix.buildx_version }}
           driver-opts: |
             network=host
-            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+            image=${{ matrix.buildkit_version }}
       -
         name: Build
         uses: ./
@@ -606,11 +612,6 @@ jobs:
         if: matrix.target == 'binary'
         run: |
           tree /tmp/buildx-build
-      -
-        name: Print provenance
-        if: matrix.target == 'binary'
-        run: |
-          cat /tmp/buildx-build/provenance.json | jq
       -
         name: Print SBOM
         if: matrix.target == 'binary'

diff --git a/__tests__/context.test.ts b/__tests__/context.test.ts
@@ -557,7 +557,7 @@ nproc=3`],
       [
         'build',
         '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
-        "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`,
+        "--provenance", 'false',
         '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
         '.'
       ]
@@ -638,6 +638,43 @@ nproc=3`],
         '.'
       ]
     ],
+    [
+      23,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+        ['outputs', 'type=docker'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--output", 'type=docker',
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
+    [
+      24,
+      '0.10.0',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'true'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false'],
+      ]),
+      [
+        'build',
+        '--iidfile', '/tmp/.docker-build-push-jest/iidfile',
+        "--load",
+        '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file',
+        '.'
+      ]
+    ],
   ])(
     '[%d] given %p with %p as inputs, returns %p',
     async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {

diff --git a/src/context.ts b/src/context.ts
@@ -169,17 +169,14 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
     if (inputs.provenance) {
       args.push('--provenance', inputs.provenance);
     } else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) {
-      // if provenance not specified and BuildKit version compatible for
-      // attestation, set default provenance. Also needs to make sure user
+      // If provenance not specified but BuildKit version compatible for
+      // attestation, disable provenance anyway. Also needs to make sure user
       // doesn't want to explicitly load the image to docker.
-      if (fromPayload('repository.private') !== false) {
-        // if this is a private repository, we set the default provenance
-        // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
-        args.push('--provenance', getProvenanceAttrs(`mode=min,inline-only=true`));
-      } else {
-        // for a public repository, we set max provenance mode.
-        args.push('--provenance', getProvenanceAttrs(`mode=max`));
-      }
+      // While this action successfully pushes OCI compliant images to
+      // well-known registries, some runtimes (e.g. Google Cloud Run and AWS
+      // Lambda) are not able to pull resulting image from their own registry...
+      // See also https://github.com/docker/buildx/issues/1533
+      args.push('--provenance', 'false');
     }
     if (inputs.sbom) {
       args.push('--sbom', inputs.sbom);
@@ -281,24 +278,6 @@ export const asyncForEach = async (array, callback) => {
   }
 };
 
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-function fromPayload(path: string): any {
-  return select(github.context.payload, path);
-}
-
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-function select(obj: any, path: string): any {
-  if (!obj) {
-    return undefined;
-  }
-  const i = path.indexOf('.');
-  if (i < 0) {
-    return obj[path];
-  }
-  const key = path.slice(0, i);
-  return select(obj[key], path.slice(i + 1));
-}
-
 function getProvenanceInput(name: string): string {
   const input = core.getInput(name);
   if (!input) {