Env var to set provenance mode

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2 years ago · d8b90b1ab1
parent 94d76d3bc1
commit d8b90b1ab1
3 changed files with 63 additions and 9 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -653,6 +653,46 @@ jobs:
        run: |
          cat /tmp/buildx-build/provenance.json | jq

+  provenance-env-mode:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        mode:
+          - min
+          - max
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            network=host
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./
+        with:
+          context: ./test/go
+          file: ./test/go/Dockerfile
+          target: image
+          outputs: type=image,name=localhost:5000/name/app:latest,push=true
+        env:
+          BUILDX_PROVENANCE_MODE: ${{ matrix.mode }}
+      -
+        name: Inspect Provenance
+        run: |
+          docker buildx imagetools inspect localhost:5000/name/app:latest --format '{{json .Provenance}}'
+
  sbom:
    runs-on: ubuntu-latest
    strategy:
--- a/README.md
+++ b/README.md
@ -34,6 +34,7 @@ ___
 * [Customizing](#customizing)
  * [inputs](#inputs)
  * [outputs](#outputs)
+  * [environment variables](#environment-variables)
 * [Troubleshooting](#troubleshooting)
 * [Contributing](#contributing)

@ -262,6 +263,12 @@ The following outputs are available:
 | `digest`   | String  | Image digest          |
 | `metadata` | JSON    | Build result metadata |

+### environment variables
+
+| Name                     | Type   | Description                                                                   |
+|--------------------------|--------|-------------------------------------------------------------------------------|
+| `BUILDX_PROVENANCE_MODE` | String | Set attestation provenance mode. One of `auto`, `min`, `max` (default `auto`) |
+
 ## Troubleshooting

 See [TROUBLESHOOTING.md](TROUBLESHOOTING.md)
--- a/src/context.ts
+++ b/src/context.ts
@ -160,16 +160,23 @@ async function getBuildArgs(inputs: Inputs, context: string, toolkit: Toolkit):
    if (inputs.provenance) {
      args.push('--provenance', inputs.provenance);
    } else if ((await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !BuildxInputs.hasDockerExporter(inputs.outputs, inputs.load)) {
-      // if provenance not specified and BuildKit version compatible for
-      // attestation, set default provenance. Also needs to make sure user
-      // doesn't want to explicitly load the image to docker.
-      if (GitHub.context.payload.repository?.private ?? false) {
-        // if this is a private repository, we set the default provenance
-        // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
-        args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=min,inline-only=true`));
+      const provenanceMode = process.env['BUILDX_PROVENANCE_MODE'] || 'auto';
+      if (provenanceMode === 'auto') {
+        // if provenance not specified and BuildKit version compatible for
+        // attestation, set default provenance. Also needs to make sure user
+        // doesn't want to explicitly load the image to docker.
+        if (GitHub.context.payload.repository?.private ?? false) {
+          // if this is a private repository, we set the default provenance
+          // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
+          args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=min,inline-only=true`));
+        } else {
+          // for a public repository, we set max provenance mode.
+          args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=max`));
+        }
+      } else if (provenanceMode === 'min' || provenanceMode === 'max') {
+        args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=${provenanceMode}`));
      } else {
-        // for a public repository, we set max provenance mode.
-        args.push('--provenance', BuildxInputs.resolveProvenanceAttrs(`mode=max`));
+        throw new Error(`Invalid BUILDX_PROVENANCE_MODE: ${provenanceMode}`);
      }
    }
    if (inputs.sbom) {