docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0

Provenance ignored when set to false If Buildx version is not provided #1035

Closed warrenbrown closed 5 months ago

warrenbrown commented 6 months ago

Description

When using the build-push action and trying to set provenance to false to prevent multiple images being built and pushed, setting provenance: false is not working and provenance is ignored, resulting in multi-image builds. What I have discovered is that the buildx version is not being provided, hence why setting provenance: false is ignored.

Here is a link to the if statement that is supposed to set the buildx version https://github.com/docker/build-push-action/blob/master/src/context.ts#L159-L180

Had to create a workaround where I set the buildx version before calling the build push action.

Expected behaviour

Expect a buildx version to be set so provenance: false is recognized and a multiple-format image is not pushed to ECR.

Actual behaviour

After setting provenance: false, a default buildx version is not provided, resulting in the provenance value not being recognized, and multi-image builds are being pushed to ECR.

GHA run with provenance: false: build-push-issue-report

Buildx version is not recognized or set: buildx-error

Multiple images pushed: multi-images

Repository URL

No response

Workflow run URL

No response

YAML workflow

jobs:
  build:
    name: docker // build
    steps:
      # ...
      - name: Build
        id: build
        uses: cloudposse/github-action-docker-build-push@1.14.0
        with:
          organization: ${{ inputs.organization }}
          provenance: ${{ inputs.provenance }}
          repository: ${{ inputs.repository }}
          registry: ${{ secrets.registry }}
          workdir: ${{ inputs.context-path }}
          file: ${{ inputs.dockerfile }}
          image_name: ${{ steps.context.outputs.image }}
          build-args: |
            ${{ inputs.build-args }}

      - uses: cloudposse/github-action-secret-outputs@0.1.0
        id: image
        with:
          secret: ${{ secrets.secret-outputs-passphrase }}
          op: encode
          in: ${{ steps.build.outputs.image }}

Workflow logs

github action logs.txt

BuildKit logs

No response

Additional info

No response

crazy-max commented 6 months ago

> cloudposse/github-action-docker-build-push@1.14.0

This is not our action, you should report at https://github.com/cloudposse/github-action-docker-build-push

crazy-max commented 6 months ago

Also looking at your logs, buildx version looks off:

2024-01-03T16:45:05.1424130Z [command]/usr/bin/docker info
2024-01-03T16:45:05.1685400Z Client:
2024-01-03T16:45:05.1685716Z  Version:    24.0.5
2024-01-03T16:45:05.1686004Z  Context:    default
2024-01-03T16:45:05.1686280Z  Debug Mode: false
2024-01-03T16:45:05.1686548Z  Plugins:
2024-01-03T16:45:05.1686809Z   buildx: Docker Buildx (Docker Inc.)
2024-01-03T16:45:05.1687148Z     Version:  v0.0.0+unknown
2024-01-03T16:45:05.1687762Z     Path:     /usr/libexec/docker/cli-plugins/docker-buildx

Maybe an issue with your self-hosted runner.

warrenbrown commented 6 months ago

That action is a pass thru to get to your action

warrenbrown commented 6 months ago

https://github.com/cloudposse/github-action-docker-build-push/blob/1.14.0/action.yml#L176-L195 @crazy-max I should have provided the YAML that calls your action, apologies.

crazy-max commented 6 months ago

Can you provide a minimal repro please? A link to the repo running this workflow would be ideal to help figure out what's going on as there are many inputs provided in your reusable workflow.

johncblandii commented 6 months ago

@crazy-max we may not have time for a minimal repo. We can check our runners out, but they're getting docker simply from amazon-linux-extras install docker.

The main thing here is the version gets handled by way of your setup action. That action, without specifying a version, reports 0.0.0 and your code does not respect that version as greater than 0.10.0 so it ignores provenance.

The issue may stem from https://github.com/docker/setup-buildx-action because passing version: 0.12.0 reports a proper version. Passing no version reports 0.0.0.

crazy-max commented 5 months ago

@johncblandii Hum so aws does not build buildx package correctly :disappointed:

johncblandii commented 5 months ago

> @johncblandii Hum so aws does not build buildx package correctly :disappointed:

Any way of solving that?

crazy-max commented 5 months ago

Fix packaging on their side or always set version: latest in setup-buildx-action imo.

crazy-max commented 5 months ago

Closing this one since this is an upstream issue with bad packaging. You can either set version: latest in setup-buildx-action or provenance: true if you know that buildx binary is compatible.
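
The version gate discussed in this thread, as an added TypeScript example that is not code from build-push-action or setup-buildx-action: it models the reported behaviour (a buildx reporting `v0.0.0+unknown` silently drops `provenance: false`) beside a stricter gate that fails the job instead. All function names and the sample log are constructed for illustration; only the 0.10.0 threshold and the version string come from the thread.

```typescript
// Added example. All function names are hypothetical; this is not build-push-action source.
const MIN_PROVENANCE = [0, 10, 0]; // threshold quoted in the thread (0.10.0)

type Decision = { action: "pass" | "skip" | "fail"; flag: string | null };

// Extract the buildx plugin version from `docker info` text (timestamped log lines are fine).
function buildxVersionFromDockerInfo(info: string): string | null {
  const m = /buildx:.*\n[^\n]*?Version:\s+(\S+)/.exec(info);
  return m?.[1] ?? null;
}

// Numeric major.minor.patch, or null when the string is not a version at all.
function parseCore(v: string | null): number[] | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec((v ?? "").trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function atLeast(core: number[], min: number[]): boolean {
  for (let i = 0; i < 3; i++) {
    const a = core[i] ?? 0;
    const b = min[i] ?? 0;
    if (a !== b) return a > b;
  }
  return true;
}

// Behaviour reported in the thread: a version below the threshold silently drops the input.
function silentGate(version: string | null, provenance: string): Decision {
  const core = parseCore(version);
  if (core && atLeast(core, MIN_PROVENANCE)) return { action: "pass", flag: `--provenance=${provenance}` };
  return { action: "skip", flag: null };
}

// Stricter variant: an unparseable or all-zero version means "unknown", so an
// explicit provenance setting fails the job instead of being discarded.
function strictGate(version: string | null, provenance: string): Decision {
  const core = parseCore(version);
  if (!core || core.every((n) => n === 0)) return { action: "fail", flag: null };
  return silentGate(version, provenance);
}

// Constructed sample, shaped like the `docker info` log lines quoted in the thread.
const SAMPLE_INFO = [
  "2024-01-03T16:45:05.1685716Z  Version:    24.0.5",
  "2024-01-03T16:45:05.1686809Z   buildx: Docker Buildx (Docker Inc.)",
  "2024-01-03T16:45:05.1687148Z     Version:  v0.0.0+unknown",
].join("\n");
```

Failing on an unknown version surfaces the packaging problem at the first run, rather than after images with unexpected attestation manifests have already reached the registry.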