docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0

handle attests correctly with provenance and sbom inputs #1086

Closed crazy-max closed 5 months ago

crazy-max commented 6 months ago

We don't detect usage of the attests input, and therefore setting attests: type=provenance,mode=max will result in a duplicated provenance, as we already set it automatically, and the build will fail with:

ERROR: duplicate attestation field provenance

This will also set builder-id automatically if provenance is used in attests, which was not the case before.

To keep everything consistent across our flags such as load and push, the provenance and sbom inputs take precedence over the ones set in attests.

crazy-max commented 6 months ago

https://github.com/docker/build-push-action/actions/runs/8437957902/job/23108984199?pr=1086#step:5:123

/usr/bin/docker buildx build --cache-from type=gha,scope=attests-image --cache-to type=gha,scope=attests-image,mode=max --file ./test/go/Dockerfile --iidfile /home/runner/work/_temp/docker-actions-toolkit-3KzNXb/iidfile --output type=image,name=localhost:5000/name/app:latest,push=true --attest type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/8437957902 --attest type=sbom,true --target image --metadata-file /home/runner/work/_temp/docker-actions-toolkit-3KzNXb/metadata-file ./test/go
ERROR: invalid value true

We need the canonical representation when using --attest, similar to https://github.com/docker/buildx/blob/8abef5908705e49f7ba88ef8c957e1127b597a2a/util/buildflags/attests.go#L13-L21

Edit: added resolveAttestationAttrs in https://github.com/docker/actions-toolkit/pull/287 to return the canonical representation.
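The two comments above describe three rules: the provenance and sbom inputs win over entries of the same type in attests (so no "duplicate attestation field provenance"), a bare value such as sbom: true has to be canonicalised before it reaches --attest (otherwise buildx sees type=sbom,true and fails with "invalid value true"), and builder-id is filled in for any provenance attestation that lacks it. The following TypeScript is an added example that implements those rules as described; it is not the action's or actions-toolkit's code, and the names resolveAttestEntries, canonicalizeAttest, parseAttestEntry and toBuildxArgs, along with all sample values, are constructed for the example.

```typescript
// Added example: resolve provenance/sbom/attests inputs into canonical --attest entries.
// Names and sample values are constructed for illustration, not taken from the action.

interface AttestInputs {
  provenance?: string; // e.g. "true", "false", "mode=max"
  sbom?: string;       // e.g. "true", "false", "generator=..."
  attests?: string[];  // raw --attest entries, e.g. "type=provenance,mode=max"
}

// Canonical form modelled on the buildx helper linked above:
//   "true"  -> type=<type>,disabled=false
//   "false" -> type=<type>,disabled=true
//   other   -> type=<type>,<attrs>
function canonicalizeAttest(attestType: string, value: string): string {
  const v = value.trim();
  if (v === '') return '';
  if (v === 'true' || v === 'false') {
    return `type=${attestType},disabled=${v === 'false'}`;
  }
  return `type=${attestType},${v}`;
}

// Parse "k=v,k2=v2" into an ordered map. A bare token (e.g. the "true" in
// "type=sbom,true") is rejected, which is the shape buildx rejected on the page.
function parseAttestEntry(entry: string): Map<string, string> {
  const attrs = new Map<string, string>();
  for (const part of entry.split(',')) {
    const idx = part.indexOf('=');
    if (idx < 0) throw new Error(`invalid value ${part.trim()}`);
    attrs.set(part.slice(0, idx).trim(), part.slice(idx + 1).trim());
  }
  if (!attrs.has('type')) throw new Error(`attestation type missing in ${JSON.stringify(entry)}`);
  return attrs;
}

// Serialise with "type" first and the remaining keys in insertion order.
function formatAttestEntry(attrs: Map<string, string>): string {
  const parts: string[] = [`type=${attrs.get('type')}`];
  attrs.forEach((v, k) => { if (k !== 'type') parts.push(`${k}=${v}`); });
  return parts.join(',');
}

// Apply the rules from the PR discussion and return canonical entry strings.
function resolveAttestEntries(inputs: AttestInputs, builderID: string): string[] {
  const entries: Map<string, string>[] = [];
  const seen = new Set<string>();

  // 1. Dedicated inputs first: they take precedence over attests entries of the same type.
  const dedicated: Array<[string, string]> = [
    ['provenance', inputs.provenance ?? ''],
    ['sbom', inputs.sbom ?? ''],
  ];
  for (const [attestType, value] of dedicated) {
    const canon = canonicalizeAttest(attestType, value);
    if (canon === '') continue;
    entries.push(parseAttestEntry(canon));
    seen.add(attestType);
  }

  // 2. attests entries: drop any type already covered, so buildx never sees a duplicate field.
  for (const raw of inputs.attests ?? []) {
    const attrs = parseAttestEntry(raw);
    const attestType = attrs.get('type') ?? '';
    if (seen.has(attestType)) continue;
    seen.add(attestType);
    entries.push(attrs);
  }

  // 3. builder-id default for an enabled provenance attestation, wherever it came from.
  for (const attrs of entries) {
    if (attrs.get('type') === 'provenance' && attrs.get('disabled') !== 'true' && !attrs.has('builder-id')) {
      attrs.set('builder-id', builderID);
    }
  }
  return entries.map(formatAttestEntry);
}

// Turn resolved entries into argv fragments for `docker buildx build`.
function toBuildxArgs(entries: string[]): string[] {
  const args: string[] = [];
  for (const e of entries) args.push('--attest', e);
  return args;
}

// Stand-alone demo with a constructed builder id (a real one is the workflow run URL).
const demoBuilderID = 'https://github.com/example-org/example-repo/actions/runs/1';
console.log(toBuildxArgs(resolveAttestEntries(
  { provenance: 'mode=max', sbom: 'true', attests: ['type=provenance,mode=min'] },
  demoBuilderID,
)));
```

The precedence step is what removes the duplicate: the attests entry type=provenance,mode=min is skipped because the provenance input already produced a provenance attestation, and the canonicalisation step is what turns sbom: true into type=sbom,disabled=false rather than the invalid type=sbom,true.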