moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0

gha cache breaks provenance #4501

Open jkreileder opened 11 months ago

jkreileder commented 11 months ago

The gha cache seems to break provenance. At least as far as the Docker Scout service is concerned.

Noticed while playing around with the build-push-action and the attests, sbom, and provenance settings. No matter what I did, the Docker Scout scan always showed 2 failing checks for the images, while builds from macOS with the same options passed all checks:

[screenshot of the Docker Scout results]

In the end it turned out that removing

          cache-from: type=gha
          cache-to: type=gha,mode=max

fixed the problem. (Clearing the gha cache only fixes the problem for the next build, but it breaks again on further builds with the same attestation options.)

If this is indeed the expected behavior, it should at least be documented.

(Tested with v0.11.2 and v0.12.0)

tonistiigi commented 10 months ago

cc @cdupuis who reported a similar case internally.

Based on internal discussion, this is likely coming from some case where the image layers record goes missing from the provenance attestation for a cached build.

We would need a reproducer, hopefully with --cache-to type=local or --cache-to type=registry as the exact gha state is very hard to control/reset/inspect, showing how the provenance attestation loses some data.
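To make the "provenance loses some data" part of such a reproducer concrete, here is an added example (not code from this thread or from BuildKit): a small checker that compares the provenance statement of a cached build against an uncached one and lists which fields went missing. The statement shape, the in-toto/SLSA key names, and the BuildKit metadata key `https://mobyproject.org/buildkit@v1#metadata` with its `layers` entry are assumptions about the JSON that `docker buildx imagetools inspect --format '{{json .Provenance}}'` returns; the two embedded statements are constructed samples, not real attestations.

```python
import copy
import json
import sys
from typing import Any, List, Set, Tuple

# Assumed key under predicate.metadata where BuildKit records per-step layers.
BUILDKIT_META = "https://mobyproject.org/buildkit@v1#metadata"

# Constructed sample: an uncached build whose statement carries materials and layers.
UNCACHED = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "pkg:docker/example/test@tag", "digest": {"sha256": "aaaa"}}],
    "predicate": {
        "buildType": "https://mobyproject.org/buildkit@v1",
        "materials": [{"uri": "pkg:docker/alpine@3.18", "digest": {"sha256": "bbbb"}}],
        "metadata": {
            "completeness": {"parameters": True, "environment": True, "materials": False},
            BUILDKIT_META: {"layers": {"step0:0": [[{"digest": "sha256:cccc"}]]}},
        },
    },
}

# Constructed sample: the same build served from cache, with the records dropped
# (this is the hypothesised symptom, not an observed attestation).
CACHED = copy.deepcopy(UNCACHED)
del CACHED["predicate"]["materials"]
del CACHED["predicate"]["metadata"][BUILDKIT_META]["layers"]

# Paths a defender would expect to be present before trusting the statement.
EXPECTED: List[Tuple[Any, ...]] = [
    ("subject",),
    ("predicate", "materials"),
    ("predicate", "metadata", BUILDKIT_META, "layers"),
]

Path = Tuple[Any, ...]


def _paths(obj: Any, prefix: Path = ()) -> Set[Path]:
    """Collect every dict-key / list-index path present in a JSON object."""
    found: Set[Path] = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            found.add(prefix + (key,))
            found |= _paths(value, prefix + (key,))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            found.add(prefix + (idx,))
            found |= _paths(value, prefix + (idx,))
    return found


def _fmt(path: Path) -> str:
    """Render a path tuple as dotted notation with [i] for list indices."""
    out = ""
    for part in path:
        out += f"[{part}]" if isinstance(part, int) else (f".{part}" if out else str(part))
    return out


def missing_paths(reference: Any, candidate: Any) -> List[str]:
    """Paths present in `reference` but absent in `candidate`, top-most node only."""
    missing = _paths(reference) - _paths(candidate)
    # A missing parent already implies its children; report only the parent.
    return sorted(_fmt(p) for p in missing if p[:-1] not in missing)


def has_path(obj: Any, path: Path) -> bool:
    """True if every step of `path` resolves inside `obj`."""
    for part in path:
        if isinstance(obj, dict) and part in obj:
            obj = obj[part]
        elif isinstance(obj, list) and isinstance(part, int) and 0 <= part < len(obj):
            obj = obj[part]
        else:
            return False
    return True


def check_expected(statement: Any) -> List[str]:
    """Expected provenance records that a single statement lacks."""
    return [_fmt(p) for p in EXPECTED if not has_path(statement, p)]


if __name__ == "__main__":
    # Usage: provenance_diff.py uncached.json cached.json  (falls back to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            ref, cand = json.load(f1), json.load(f2)
    else:
        ref, cand = UNCACHED, CACHED
    print("missing in cached build:", missing_paths(ref, cand))
    print("expected records missing:", check_expected(cand))
```

Run it once against the provenance of a fresh build and once against the rebuild that hits the cache; a non-empty list from `missing_paths` is exactly the evidence the reproducer needs, and `check_expected` gives a self-contained pass/fail for a single image without a reference build.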

jkreileder commented 10 months ago

No test case yet. But I'm not sure if this bug is even valid. The problem might be with the Scout service.

Even this short example gives me only 5/6, with the supply chain attestation check failing - although sbom and provenance are there.

$ docker builder version
github.com/docker/buildx v0.12.0-desktop.2 c5a13b51c1ae9358eb691e9a21c955590e26d0a0
$ cat Dockerfile
# syntax = docker/dockerfile:1.6.0
ARG BUILDKIT_SBOM_SCAN_CONTEXT=true
FROM alpine:3.18
COPY --link foo.txt .
CMD ["cat", "foo.txt"]
$ cat foo.txt
Hello, world!
Hello, world!
Hello, world!
Hello, world!
$ docker buildx build -t jkreileder/test:helloworld-3 --sbom true --provenance true --pull --push .

Not sure where to report this. The feedback link only leads me to a protected Google form. You probably have better connections there anyway.