	Merge pull request #784 from crazy-max/enable-provenance
revert disable provenance by default if not set
										5
									
								
								.github/workflows/ci.yml
									
									
									
									
							| @@ -606,6 +606,11 @@ jobs: | ||||
|         if: matrix.target == 'binary' | ||||
|         run: | | ||||
|           tree /tmp/buildx-build | ||||
|       - | ||||
|         name: Print provenance | ||||
|         if: matrix.target == 'binary' | ||||
|         run: | | ||||
|           cat /tmp/buildx-build/provenance.json | jq | ||||
|       - | ||||
|         name: Print SBOM | ||||
|         if: matrix.target == 'binary' | ||||
|   | ||||
| @@ -557,7 +557,7 @@ nproc=3`], | ||||
|       [ | ||||
|         'build', | ||||
|         '--iidfile', '/tmp/.docker-build-push-jest/iidfile', | ||||
|         "--provenance", 'false', | ||||
|         "--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789`, | ||||
|         '--metadata-file', '/tmp/.docker-build-push-jest/metadata-file', | ||||
|         '.' | ||||
|       ] | ||||
|   | ||||
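Review bot: Only the fallback outcome is pinned by the updated expectation here: `mode=min,inline-only=true,builder-id=…` is what the action emits when the event payload does not mark the repository as public. Nothing visible in this hunk exercises the other outcome, where `repository.private` is `false` and the default becomes `mode=max`, although further cases may exist outside the hunk. That branch decides how much build detail is published with the image, so it deserves a case of its own: one that sets `private: false` in the test's GitHub context and expects the `--provenance` value to start with `mode=max`. A second case where an explicit `provenance` input overrides both defaults would pin the selection logic completely.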
							
								
								
									
										2
									
								
								dist/index.js
									
									
									
										generated
									
									
									
									
								
							
										
											
												File diff suppressed because one or more lines are too long
											
										
									
								
							
							
								
								
									
										2
									
								
								dist/index.js.map
									
									
									
										generated
									
									
									
									
								
							
										
											
												File diff suppressed because one or more lines are too long
											
										
									
								
							| @@ -169,14 +169,17 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str | ||||
|     if (inputs.provenance) { | ||||
|       args.push('--provenance', inputs.provenance); | ||||
|     } else if ((await buildx.satisfiesBuildKitVersion(inputs.builder, '>=0.11.0', standalone)) && !hasDockerExport(inputs)) { | ||||
|       // If provenance not specified but BuildKit version compatible for | ||||
|       // attestation, disable provenance anyway. Also needs to make sure user | ||||
|       // if provenance not specified and BuildKit version compatible for | ||||
|       // attestation, set default provenance. Also needs to make sure user | ||||
|       // doesn't want to explicitly load the image to docker. | ||||
|       // While this action successfully pushes OCI compliant images to | ||||
|       // well-known registries, some runtimes (e.g. Google Cloud Run and AWS | ||||
|       // Lambda) are not able to pull resulting image from their own registry... | ||||
|       // See also https://github.com/docker/buildx/issues/1533 | ||||
|       args.push('--provenance', 'false'); | ||||
|       if (fromPayload('repository.private') !== false) { | ||||
|         // if this is a private repository, we set the default provenance | ||||
|         // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603 | ||||
|         args.push('--provenance', getProvenanceAttrs(`mode=min,inline-only=true`)); | ||||
|       } else { | ||||
|         // for a public repository, we set max provenance mode. | ||||
|         args.push('--provenance', getProvenanceAttrs(`mode=max`)); | ||||
|       } | ||||
|     } | ||||
|     if (inputs.sbom) { | ||||
|       args.push('--sbom', inputs.sbom); | ||||
| @@ -278,6 +281,24 @@ export const asyncForEach = async (array, callback) => { | ||||
|   } | ||||
| }; | ||||
|  | ||||
| // eslint-disable-next-line @typescript-eslint/no-explicit-any | ||||
| function fromPayload(path: string): any { | ||||
|   return select(github.context.payload, path); | ||||
| } | ||||
|  | ||||
| // eslint-disable-next-line @typescript-eslint/no-explicit-any | ||||
| function select(obj: any, path: string): any { | ||||
|   if (!obj) { | ||||
|     return undefined; | ||||
|   } | ||||
|   const i = path.indexOf('.'); | ||||
|   if (i < 0) { | ||||
|     return obj[path]; | ||||
|   } | ||||
|   const key = path.slice(0, i); | ||||
|   return select(obj[key], path.slice(i + 1)); | ||||
| } | ||||
|  | ||||
| function getProvenanceInput(name: string): string { | ||||
|   const input = core.getInput(name); | ||||
|   if (!input) { | ||||
|   | ||||
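Review bot: The `else` branch of the new default in `getBuildArgs` turns on `mode=max` for every public repository without saying what that publishes; the comment is only `// for a public repository, we set max provenance mode.` Max-mode provenance records build-argument values and the full build definition in an attestation pushed with the image, so a workflow that passes a credential through `build-args` would expose it to anyone able to pull, and repository visibility does not tell you who can read the target registry. I would extend the comment, e.g. `// mode=max embeds build-arg values in the pushed attestation; credentials must go through secrets, not build-args`, and add a `core.info` line naming the default that was chosen so it shows in the job log. The `!== false` comparison fails closed (a payload without `repository.private` gets `mode=min`), which deserves a one-line comment; in the second hunk, `github.context.payload.repository?.private` would read the same field without the `any`-typed `select` helper. `getBuildArgs` begins and ends outside the hunk.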