docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0

Provenance or SBOM information not available after a build #979

Closed elsmorian closed 8 months ago

elsmorian commented 9 months ago

Contributing guidelines

I've found a bug, and:

Description

Using the build push action into Google Artifact Registry results in the expected number of digests being there, but no tooling can seem to see the SBOM or Provenance information.

Expected behaviour

Running a pipeline would create and push an image and all provenance data to Artefact Registry, and then inspecting that would show it.

Actual behaviour

The build and push seems to succeed, but no tooling can actually read the SBOM or provenance information:

docker buildx imagetools inspect <image_name> --format "{{ json .SBOM }}"
{}

docker buildx imagetools inspect <image_name> --format "{{ json .Provenance.SLSA }}"
null

That makes sense though as when inspecting the image JSON, the SBOM and Provenance keys are not there:

docker buildx imagetools inspect <image_name> --format "{{ json . }}"
{
  "name": "<image_name>",
  "manifest": {
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "digest": "sha256:e0170fae5ffbe3e96102999630ad1c88ac84770aef9a28aa630206ff5a0aa619",
    "size": 566
  },
  "image": {
    "architecture": "unknown",
    "os": "unknown",
    "config": {},
    "rootfs": {
      "type": "layers",
      "diff_ids": [
        "sha256:c8e292c8a2e75d7642517e891558f643de7b31448345aced280b9b92f1e0e690"
      ]
    }
  }
}

Repository URL

No response

Workflow run URL

No response

YAML workflow

      - name: "Setup QEMU"
        uses: docker/setup-qemu-action@v3
        with:
          platforms: "${{ env.docker_platform }}"

      - name: "Setup Docker Buildx"
        uses: docker/setup-buildx-action@v3

      - name: "Build Docker Image"
        uses: "docker/build-push-action@v5"
        with:
          push: true
          tags: "${{ inputs.docker_image }}"
          platforms: "linux/amd64"
          sbom: true
          provenance: true

Workflow logs

No response

BuildKit logs

No response

Additional info

Buildx version
  /usr/bin/docker buildx version
  github.com/docker/buildx v0.11.2 9872040

The run succeeds and results in 3 digests being shown in GAR, which I believe is expected:

This might be related or similar to https://github.com/docker/build-push-action/issues/972 but I'm not 100% sure.
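For anyone hitting the same symptom, the quickest way to tell whether attestations were actually pushed is to look at the raw registry documents rather than the `--format` templates. The checker below is an added example, not code from docker/build-push-action or BuildKit. It assumes BuildKit's attestation storage layout: the tag resolves to an OCI image index; each platform manifest has a sibling "attestation manifest" entry whose platform is `unknown/unknown` and which carries the annotations `vnd.docker.reference.type=attestation-manifest` and `vnd.docker.reference.digest=<subject digest>`; that manifest's layers are `application/vnd.in-toto+json` blobs annotated with `in-toto.io/predicate-type` (`https://spdx.dev/Document` for the SBOM, `https://slsa.dev/provenance/v0.2` for provenance). The sample index and manifests are constructed inline with made-up digests so the script runs offline; the function names are the example's own.

```python
"""Report which BuildKit attestations (SBOM, SLSA provenance) an OCI image
index carries per platform manifest, and flag the case where the reference
resolves to a bare manifest, from which no attestations can be found at all.
Added example, not project code; layout assumptions and sample data noted inline."""
import json

INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
IN_TOTO_LAYER = "application/vnd.in-toto+json"
REF_TYPE = "vnd.docker.reference.type"        # BuildKit annotation on index entries
REF_DIGEST = "vnd.docker.reference.digest"    # subject (platform manifest) digest
PREDICATE_ANN = "in-toto.io/predicate-type"   # BuildKit annotation on in-toto layers
PREDICATE_KINDS = {
    "https://spdx.dev/Document": "sbom",
    "https://slsa.dev/provenance/v0.2": "provenance",
    "https://slsa.dev/provenance/v1": "provenance",
}


def classify(doc):
    """'index', 'attestation-manifest' or 'image-manifest' for one raw document."""
    if doc.get("mediaType") in INDEX_TYPES:
        return "index"
    layers = doc.get("layers", [])
    if layers and all(l.get("mediaType") == IN_TOTO_LAYER for l in layers):
        return "attestation-manifest"
    return "image-manifest"


def predicate_kinds(att_manifest):
    """Attestation kinds present in an attestation manifest, read from its layers."""
    kinds = set()
    for layer in att_manifest.get("layers", []):
        if layer.get("mediaType") != IN_TOTO_LAYER:
            continue
        ptype = layer.get("annotations", {}).get(PREDICATE_ANN)
        kinds.add(PREDICATE_KINDS.get(ptype, "other:%s" % ptype))
    return kinds


def attestations_for(index, manifests):
    """Map each platform manifest digest in the index to its attestation kinds.
    `manifests` maps digest -> raw manifest document (what `imagetools inspect --raw
    ref@digest` returns). A non-index document yields {} because BuildKit only
    attaches attestations through an index."""
    if classify(index) != "index":
        return {}
    subjects = {}
    for entry in index.get("manifests", []):
        if entry.get("annotations", {}).get(REF_TYPE) != "attestation-manifest":
            subjects[entry["digest"]] = set()
    for entry in index.get("manifests", []):
        ann = entry.get("annotations", {})
        if ann.get(REF_TYPE) != "attestation-manifest":
            continue
        att = manifests.get(entry["digest"])
        if ann.get(REF_DIGEST) in subjects and att is not None:
            subjects[ann[REF_DIGEST]] |= predicate_kinds(att)
    return subjects


def missing_attestations(index, manifests, required=("sbom", "provenance")):
    """[(platform digest, missing kinds)]; [] means every platform is fully attested.
    A bare manifest reports (None, all required kinds)."""
    found = attestations_for(index, manifests)
    if not found:
        return [(None, set(required))]
    return [(d, set(required) - k) for d, k in found.items() if set(required) - k]


# --- constructed sample documents (made-up digests), not real registry data ---
IMG = "sha256:" + "a" * 64
ATT_FULL = "sha256:" + "b" * 64
ATT_NO_PROV = "sha256:" + "c" * 64


def _att_manifest(predicate_types):
    layers = [{"mediaType": IN_TOTO_LAYER, "digest": "sha256:%064x" % (i + 1),
               "size": 1024, "annotations": {PREDICATE_ANN: p}}
              for i, p in enumerate(predicate_types)]
    return {"schemaVersion": 2, "mediaType": OCI_MANIFEST,
            "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                       "digest": "sha256:" + "d" * 64, "size": 167},
            "layers": layers}


def _index(att_digest):
    return {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
            "manifests": [
                {"mediaType": OCI_MANIFEST, "digest": IMG, "size": 1200,
                 "platform": {"architecture": "amd64", "os": "linux"}},
                {"mediaType": OCI_MANIFEST, "digest": att_digest, "size": 566,
                 "platform": {"architecture": "unknown", "os": "unknown"},
                 "annotations": {REF_TYPE: "attestation-manifest", REF_DIGEST: IMG}}]}


MANIFESTS = {
    ATT_FULL: _att_manifest(["https://spdx.dev/Document", "https://slsa.dev/provenance/v0.2"]),
    ATT_NO_PROV: _att_manifest(["https://spdx.dev/Document"]),
}
GOOD_INDEX = _index(ATT_FULL)
PARTIAL_INDEX = _index(ATT_NO_PROV)

if __name__ == "__main__":
    for label, doc in [("good", GOOD_INDEX), ("partial", PARTIAL_INDEX),
                       ("bare attestation manifest", MANIFESTS[ATT_FULL])]:
        print(label, classify(doc), json.dumps(
            [(d, sorted(k)) for d, k in missing_attestations(doc, MANIFESTS)]))
```

Against a real registry, feed it `docker buildx imagetools inspect --raw <ref>` for the index and `--raw <ref>@<digest>` for each entry; if the first document already classifies as an image or attestation manifest instead of an index (the inspect output above shows `unknown/unknown` with an empty config, which is what an attestation manifest looks like when viewed as an image), the `--format "{{ json .SBOM }}"` template has nothing to walk and returns `{}`, regardless of what was built.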

crazy-max commented 8 months ago

Yes seems a duplicate of https://github.com/docker/build-push-action/issues/972. Let's continue the discussion there.