handle no default attestations env var #1343


Merged
merged 2 commits into from
Apr 23, 2025

Conversation

crazy-max
Member

fixes #1339

We should not set provenance attestation if BUILDX_NO_DEFAULT_ATTESTATIONS env var is set.

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max crazy-max force-pushed the fix-no-default-attest branch from 515158f to 1c198f4 Compare April 9, 2025 16:58
Member

@tonistiigi tonistiigi left a comment


Is the issue that env is not propagated to buildx or does this need custom handling? If former then maybe a better fix would be to just make sure all BUILDX_* env are forwarded.

@crazy-max
Member Author

> or does this need custom handling

Yes it needs custom handling because the action is setting the provenance based on github events:

```typescript
} else if (!hasAttestProvenance && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Build.hasDockerExporter(inputs.outputs, inputs.load)) {
  // if provenance not specified in provenance or attests inputs and BuildKit
  // version compatible for attestation, set default provenance. Also needs
  // to make sure user doesn't want to explicitly load the image to docker.
  if (GitHub.context.payload.repository?.private ?? false) {
    // if this is a private repository, we set the default provenance
    // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
    args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
  } else {
    // for a public repository, we set max provenance mode.
    args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
  }
}
```
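The decision the snippet above encodes, with the BUILDX_NO_DEFAULT_ATTESTATIONS opt-out this PR adds, isolated into a testable function. This is an added example, not code from docker/build-push-action: the `DefaultAttestInput` interface, its field names, `noDefaultAttestations` and `defaultProvenanceArgs` are assumptions made for illustration, the BuildKit version check and docker-exporter check are passed in as already-resolved booleans, and the `Build.resolveProvenanceAttrs` step from the real code is omitted. How the real action parses the env var is not shown on the page; the example assumes Go `strconv.ParseBool`-style values.

```typescript
// Added example, not code from docker/build-push-action. It reproduces the
// decision shown in the quoted snippet and adds the BUILDX_NO_DEFAULT_ATTESTATIONS
// opt-out this PR is about. The interface, field names and helper names are
// assumptions made for this example, not the action's real API.

interface DefaultAttestInput {
  hasAttestProvenance: boolean;            // user already set provenance via inputs
  buildkitSupportsAttest: boolean;         // caller resolved BuildKit >= 0.11.0
  hasDockerExporter: boolean;              // --load / type=docker output requested
  repositoryPrivate: boolean;              // GitHub.context.payload.repository?.private
  env: Record<string, string | undefined>; // process.env, or a constructed map
}

// Assumption for this example: the env var is read like Go's strconv.ParseBool,
// so "1", "t", "T", "true", "TRUE", "True" enable the opt-out; anything else
// (including "0", "false" or an empty string) leaves the default behaviour.
function noDefaultAttestations(env: Record<string, string | undefined>): boolean {
  const raw = env['BUILDX_NO_DEFAULT_ATTESTATIONS'];
  if (raw === undefined) return false;
  return ['1', 't', 'T', 'true', 'TRUE', 'True'].includes(raw.trim());
}

// Returns the extra buildx args the action would append, or [] when no default
// provenance attestation should be injected. Order of checks mirrors the
// snippet: explicit user input wins, then the env opt-out, then BuildKit
// support, then the "user wants to load into docker" case.
function defaultProvenanceArgs(input: DefaultAttestInput): string[] {
  if (input.hasAttestProvenance) return [];        // user decided explicitly
  if (noDefaultAttestations(input.env)) return []; // the opt-out this PR adds
  if (!input.buildkitSupportsAttest) return [];    // BuildKit too old for attestations
  if (input.hasDockerExporter) return [];          // image is loaded to docker, skip
  // private repos get a minimal inline-only attestation, public repos mode=max
  const attrs = input.repositoryPrivate ? 'mode=min,inline-only=true' : 'mode=max';
  return ['--attest', `type=provenance,${attrs}`];
}

// Constructed sample input: a public-repository build on a capable BuildKit
// with no explicit provenance input and no docker exporter.
function publicRepoInput(env: Record<string, string | undefined>): DefaultAttestInput {
  return {
    hasAttestProvenance: false,
    buildkitSupportsAttest: true,
    hasDockerExporter: false,
    repositoryPrivate: false,
    env,
  };
}
```

Calling `defaultProvenanceArgs(publicRepoInput({}))` yields `['--attest', 'type=provenance,mode=max']`, while the same input with `BUILDX_NO_DEFAULT_ATTESTATIONS: '1'` in `env` yields `[]`, which is the behaviour change this PR asks for.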

@crazy-max crazy-max merged commit 14487ce into docker:master Apr 23, 2025
68 checks passed
@crazy-max crazy-max deleted the fix-no-default-attest branch April 23, 2025 16:39