Havoc420mac/docker-build-push-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

handle no default attestations env var

Browse Source 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
This commit is contained in:
CrazyMax 2025-03-28 11:16:09 +01:00
parent 88844b95d8
commit 288d9e2e4a
No known key found for this signature in database
GPG Key ID: ADE44D8C9D44FBE4
3 changed files with 130 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.github/workflows/ci.yml vendored
View File

@ -1542,3 +1542,26 @@ jobs:
echo "::error::Should have failed" echo "::error::Should have failed"
exit 1 exit 1
fi fi
no-default-attestations:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
with:
path: action
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
driver-opts: |
image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
-
name: Build
uses: ./action
with:
file: ./test/Dockerfile
env:
BUILDX_NO_DEFAULT_ATTESTATIONS: 1

135
__tests__/context.test.ts
View File

@ -1,4 +1,4 @@
import {beforeEach, describe, expect, jest, test} from '@jest/globals'; import {afterEach, beforeEach, describe, expect, jest, test} from '@jest/globals';
import * as fs from 'fs'; import * as fs from 'fs';
import * as path from 'path'; import * as path from 'path';
@ -68,6 +68,7 @@ jest.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<Bu
}); });
describe('getArgs', () => { describe('getArgs', () => {
const originalEnv = process.env;
beforeEach(() => { beforeEach(() => {
process.env = Object.keys(process.env).reduce((object, key) => { process.env = Object.keys(process.env).reduce((object, key) => {
if (!key.startsWith('INPUT_')) { if (!key.startsWith('INPUT_')) {
@ -76,6 +77,9 @@ describe('getArgs', () => {
return object; return object;
}, {}); }, {});
}); });
afterEach(() => {
process.env = originalEnv;
});
// prettier-ignore // prettier-ignore
test.each([ test.each([
@ -93,7 +97,8 @@ describe('getArgs', () => {
'build', 'build',
'--iidfile', imageIDFilePath, '--iidfile', imageIDFilePath,
'.' '.'
] ],
undefined
], ],
[ [
1, 1,
@ -116,7 +121,8 @@ ccc"`],
'--build-arg', `MULTILINE=aaaa\nbbbb\nccc`, '--build-arg', `MULTILINE=aaaa\nbbbb\nccc`,
'--iidfile', imageIDFilePath, '--iidfile', imageIDFilePath,
'https://github.com/docker/build-push-action.git#refs/heads/master' 'https://github.com/docker/build-push-action.git#refs/heads/master'
] ],
undefined
], ],
[ [
2, 2,
@ -134,7 +140,8 @@ ccc"`],
'--tag', 'name/app:7.4', '--tag', 'name/app:7.4',
'--tag', 'name/app:latest', '--tag', 'name/app:latest',
'https://github.com/docker/build-push-action.git#refs/heads/master' 'https://github.com/docker/build-push-action.git#refs/heads/master'
] ],
undefined
], ],
[ [
3, 3,
@ -154,7 +161,8 @@ ccc"`],
'--label', 'org.opencontainers.image.description=concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit', '--label', 'org.opencontainers.image.description=concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit',
'--output', 'type=local,dest=./release-out', '--output', 'type=local,dest=./release-out',
'.' '.'
] ],
undefined
], ],
[ [
4, 4,
@ -171,7 +179,8 @@ ccc"`],
'build', 'build',
'--platform', 'linux/amd64,linux/arm64', '--platform', 'linux/amd64,linux/arm64',
'.' '.'
] ],
undefined
], ],
[ [
5, 5,
@ -187,7 +196,8 @@ ccc"`],
'build', 'build',
'--iidfile', imageIDFilePath, '--iidfile', imageIDFilePath,
'.' '.'
] ],
undefined
], ],
[ [
6, 6,
@ -205,7 +215,8 @@ ccc"`],
'--iidfile', imageIDFilePath, '--iidfile', imageIDFilePath,
'--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`, '--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`,
'.' '.'
] ],
undefined
], ],
[ [
7, 7,
@ -223,7 +234,8 @@ ccc"`],
'--output', '.', '--output', '.',
'--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`, '--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`,
'https://github.com/docker/build-push-action.git#refs/heads/master' 'https://github.com/docker/build-push-action.git#refs/heads/master'
] ],
undefined
], ],
[ [
8, 8,
@ -249,7 +261,8 @@ ccc"`],
'--builder', 'builder-git-context-2', '--builder', 'builder-git-context-2',
'--push', '--push',
'https://github.com/docker/build-push-action.git#refs/heads/master' 'https://github.com/docker/build-push-action.git#refs/heads/master'
] ],
undefined
], ],
[ [
9, 9,
@ -286,7 +299,8 @@ ccc"`],
'--builder', 'builder-git-context-2', '--builder', 'builder-git-context-2',
'--push', '--push',
'https://github.com/docker/build-push-action.git#refs/heads/master' 'https://github.com/docker/build-push-action.git#refs/heads/master'
] ],
undefined
], ],
[ [
10, 10,
@ -323,7 +337,8 @@ ccc`],
'--builder', 'builder-git-context-2', '--builder', 'builder-git-context-2',
'--push', '--push',
'https://github.com/docker/build-push-action.git#refs/heads/master' 'https://github.com/docker/build-push-action.git#refs/heads/master'
] ],
undefined
], ],
[ [
11, 11,
@ -349,7 +364,8 @@ ccc`],
'--network', 'host', '--network', 'host',
'--push', '--push',
'https://github.com/docker/build-push-action.git#refs/heads/master' 'https://github.com/docker/build-push-action.git#refs/heads/master'
] ],
undefined
], ],
[ [
12, 12,
@ -369,7 +385,8 @@ ccc`],
'--label', 'org.opencontainers.image.description=Reference implementation of operation "filter results (top-n)"', '--label', 'org.opencontainers.image.description=Reference implementation of operation "filter results (top-n)"',
'--output', 'type=local,dest=./release-out', '--output', 'type=local,dest=./release-out',
'.' '.'
] ],
undefined
], ],
[ [
13, 13,
@ -395,7 +412,8 @@ ccc`],
'--network', 'host', '--network', 'host',
'--push', '--push',
'.' '.'
] ],
undefined
], ],
[ [
14, 14,
@ -425,7 +443,8 @@ nproc=3`],
'--ulimit', 'nproc=3', '--ulimit', 'nproc=3',
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
15, 15,
@ -442,7 +461,8 @@ nproc=3`],
'--iidfile', imageIDFilePath, '--iidfile', imageIDFilePath,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'https://github.com/docker/build-push-action.git#refs/heads/master:docker' 'https://github.com/docker/build-push-action.git#refs/heads/master:docker'
] ],
undefined
], ],
[ [
16, 16,
@ -461,7 +481,8 @@ nproc=3`],
'--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`, '--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'https://github.com/docker/build-push-action.git#refs/heads/master:subdir' 'https://github.com/docker/build-push-action.git#refs/heads/master:subdir'
] ],
undefined
], ],
[ [
17, 17,
@ -479,7 +500,8 @@ nproc=3`],
'--iidfile', imageIDFilePath, '--iidfile', imageIDFilePath,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
18, 18,
@ -497,7 +519,8 @@ nproc=3`],
'--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`, '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
19, 19,
@ -516,7 +539,8 @@ nproc=3`],
'--attest', `type=provenance,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`, '--attest', `type=provenance,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
20, 20,
@ -535,7 +559,8 @@ nproc=3`],
'--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`, '--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
21, 21,
@ -554,7 +579,8 @@ nproc=3`],
'--attest', 'type=provenance,disabled=true', '--attest', 'type=provenance,disabled=true',
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
22, 22,
@ -573,7 +599,8 @@ nproc=3`],
'--attest', 'type=provenance,builder-id=foo', '--attest', 'type=provenance,builder-id=foo',
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
23, 23,
@ -592,7 +619,8 @@ nproc=3`],
"--output", 'type=docker', "--output", 'type=docker',
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
24, 24,
@ -610,7 +638,8 @@ nproc=3`],
'--load', '--load',
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
25, 25,
@ -630,7 +659,8 @@ nproc=3`],
'--load', '--load',
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
26, 26,
@ -652,7 +682,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'--load', '--load',
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
27, 27,
@ -673,7 +704,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'--load', '--load',
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
28, 28,
@ -693,7 +725,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`, '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
29, 29,
@ -717,7 +750,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`, '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
30, 30,
@ -737,7 +771,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`, '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
31, 31,
@ -758,7 +793,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'--attest', `type=sbom,disabled=false`, '--attest', `type=sbom,disabled=false`,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
32, 32,
@ -778,7 +814,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`, '--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
], ],
[ [
33, 33,
@ -797,11 +834,37 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
'--attest', `type=provenance,mode=min,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`, '--attest', `type=provenance,mode=min,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
'--metadata-file', metadataJson, '--metadata-file', metadataJson,
'.' '.'
] ],
undefined
],
[
34,
'0.13.1',
new Map<string, string>([
['context', '.'],
['load', 'false'],
['no-cache', 'false'],
['push', 'false'],
['pull', 'false']
]),
[
'build',
'--iidfile', imageIDFilePath,
'--metadata-file', metadataJson,
'.'
],
new Map<string, string>([
['BUILDX_NO_DEFAULT_ATTESTATIONS', '1']
])
], ],
])( ])(
'[%d] given %p with %p as inputs, returns %p', '[%d] given %p with %p as inputs, returns %p',
async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => { async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>, envs: Map<string, string> | undefined) => {
if (envs) {
envs.forEach((value: string, name: string) => {
process.env[name] = value;
});
}
inputs.forEach((value: string, name: string) => { inputs.forEach((value: string, name: string) => {
setInput(name, value); setInput(name, value);
}); });

9
src/context.ts
View File

@ -245,7 +245,7 @@ async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
if (inputs.provenance) { if (inputs.provenance) {
args.push('--attest', Build.resolveAttestationAttrs(`type=provenance,${inputs.provenance}`)); args.push('--attest', Build.resolveAttestationAttrs(`type=provenance,${inputs.provenance}`));
provenanceSet = true; provenanceSet = true;
} else if (!hasAttestProvenance && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Build.hasDockerExporter(inputs.outputs, inputs.load)) { } else if (!hasAttestProvenance && !noDefaultAttestations() && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Build.hasDockerExporter(inputs.outputs, inputs.load)) {
// if provenance not specified in provenance or attests inputs and BuildKit // if provenance not specified in provenance or attests inputs and BuildKit
// version compatible for attestation, set default provenance. Also needs // version compatible for attestation, set default provenance. Also needs
// to make sure user doesn't want to explicitly load the image to docker. // to make sure user doesn't want to explicitly load the image to docker.
@ -277,3 +277,10 @@ async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
return args; return args;
} }
function noDefaultAttestations(): boolean {
if (process.env.BUILDX_NO_DEFAULT_ATTESTATIONS) {
return Util.parseBool(process.env.BUILDX_NO_DEFAULT_ATTESTATIONS);
}
return false;
}