add provenance and sbom inputs

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2025-12-06 07:48:05 +08:00 · 2023-03-13 14:37:07 +01:00
parent 6cf674e56b
commit b5a1ab1e8c
7 changed files with 882 additions and 12 deletions
--- a/src/context.ts
+++ b/src/context.ts
@@ -1,5 +1,7 @@
 import * as core from '@actions/core';
+import {Bake} from '@docker/actions-toolkit/lib/buildx/bake';
 import {Inputs as BuildxInputs} from '@docker/actions-toolkit/lib/buildx/inputs';
+import {GitHub} from '@docker/actions-toolkit/lib/github';
 import {Toolkit} from '@docker/actions-toolkit/lib/toolkit';
 import {Util} from '@docker/actions-toolkit/lib/util';

@@ -11,7 +13,9 @@ export interface Inputs {
  noCache: boolean;
  pull: boolean;
  load: boolean;
+  provenance: string;
  push: boolean;
+  sbom: string;
  set: string[];
  source: string;
 }
@@ -25,7 +29,9 @@ export async function getInputs(): Promise<Inputs> {
    noCache: core.getBooleanInput('no-cache'),
    pull: core.getBooleanInput('pull'),
    load: core.getBooleanInput('load'),
+    provenance: BuildxInputs.getProvenanceInput('provenance'),
    push: core.getBooleanInput('push'),
+    sbom: core.getInput('sbom'),
    set: Util.getInputList('set', {ignoreComma: true}),
    source: core.getInput('source')
  };
@@ -54,6 +60,27 @@ async function getBakeArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<stri
  if (await toolkit.buildx.versionSatisfies('>=0.6.0')) {
    args.push('--metadata-file', BuildxInputs.getBuildMetadataFilePath());
  }
+  if (await toolkit.buildx.versionSatisfies('>=0.10.0')) {
+    const bakedef = await toolkit.bake.parseDefinitions([...inputs.files, inputs.source], inputs.targets, inputs.workdir);
+    if (inputs.provenance) {
+      args.push('--provenance', inputs.provenance);
+    } else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Bake.hasDockerExporter(bakedef, inputs.load)) {
+      // if provenance not specified and BuildKit version compatible for
+      // attestation, set default provenance. Also needs to make sure user
+      // doesn't want to explicitly load the image to docker.
+      if (GitHub.context.payload.repository?.private ?? false) {
+        // if this is a private repository, we set the default provenance
+        // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
+        args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=min,inline-only=true`));
+      } else {
+        // for a public repository, we set max provenance mode.
+        args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=max`));
+      }
+    }
+    if (inputs.sbom) {
+      args.push('--sbom', inputs.sbom);
+    }
+  }
  return args;
 }