actions/bake-action
1
0
Fork 0
mirror of https://github.com/docker/bake-action.git synced 2025-12-06 07:48:26 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

check provenance attestation set in bake definition before overriding

Browse Source 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
This commit is contained in:
CrazyMax
2025-11-26 12:02:17 +01:00
parent 41c10f2beb
commit 8ba51ac4ee
5 changed files with 79 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
.github/workflows/ci.yml vendored
View File

@@ -867,3 +867,23 @@ jobs:
files: |
./test/config.hcl
call: check
attest-override:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v5
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
driver-opts: |
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build and push
uses: ./
with:
workdir: ./test/attest
source: .

24
__tests__/context.test.ts
View File

@@ -218,7 +218,9 @@ describe('getArgs', () => {
[
'bake',
'--metadata-file', metadataJson,
"--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
],
undefined
],
@@ -311,7 +313,9 @@ describe('getArgs', () => {
'--set', '*.platform=linux/amd64,linux/ppc64le,linux/s390x',
'--set', `*.output=type=image,"name=moby/buildkit:v0.11.0,moby/buildkit:latest",push=true`,
'--metadata-file', metadataJson,
'--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'image-all'
],
undefined
@@ -332,7 +336,9 @@ describe('getArgs', () => {
'bake',
'--set', `*.labels.foo=bar=#baz`,
'--metadata-file', metadataJson,
'--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'image-all'
],
undefined
@@ -352,7 +358,9 @@ describe('getArgs', () => {
'https://github.com/docker/build-push-action.git#refs/heads/master',
'--file', './foo.hcl',
'--metadata-file', metadataJson,
'--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
],
undefined
],
@@ -371,7 +379,9 @@ describe('getArgs', () => {
'bake',
'--allow', 'network.host',
'--metadata-file', metadataJson,
"--provenance", `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
'--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
],
undefined
],
@@ -391,7 +401,9 @@ describe('getArgs', () => {
'https://github.com/docker/build-push-action.git#refs/heads/master:subdir',
'--file', './foo.hcl',
'--metadata-file', metadataJson,
'--provenance', `mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `lint.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-docs.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--set', `validate-vendor.attest=type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`
],
undefined
],

12
src/context.ts
View File

@@ -90,16 +90,22 @@ async function getBakeArgs(inputs: Inputs, definition: BakeDefinition, toolkit:
if (inputs.provenance) {
args.push('--provenance', inputs.provenance);
} else if (!noDefaultAttestations() && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(definition, inputs.load)) {
// if provenance not specified and BuildKit version compatible for
// check if provenance attestation is already specified in the bake
// definition and if not specified and BuildKit version compatible for
// attestation, set default provenance. Also needs to make sure user
// doesn't want to explicitly load the image to docker.
for (const targetName in definition.target) {
const target = definition.target[targetName];
if (!Array.isArray(target.attest) || !target.attest.some(attest => attest?.type === 'provenance')) {
if (GitHub.context.payload.repository?.private ?? false) {
// if this is a private repository, we set the default provenance
// attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
args.push('--provenance', Build.resolveProvenanceAttrs(`mode=min,inline-only=true`));
args.push('--set', `${targetName}.attest=type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
} else {
// for a public repository, we set max provenance mode.
args.push('--provenance', Build.resolveProvenanceAttrs(`mode=max`));
args.push('--set', `${targetName}.attest=type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
}
}
}
}
if (inputs.sbom) {

10
test/attest/Dockerfile Normal file
View File

@@ -0,0 +1,10 @@
# syntax=docker/dockerfile:1
FROM busybox AS t1
RUN echo "Hello t1"
FROM busybox AS t2
RUN echo "Hello t2"
FROM busybox AS t3
RUN echo "Hello t3"

17
test/attest/docker-bake.hcl Normal file
View File

@@ -0,0 +1,17 @@
group "default" {
targets = ["t1", "t2", "t3"]
}
target "t1" {
target = "t1"
}
target "t2" {
target = "t2"
attest = ["type=provenance,mode=min"]
}
target "t3" {
target = "t3"
attest = ["type=sbom"]
}