Conversation

@crazy-max (Member)
fixes #1339

We should not set provenance attestation if BUILDX_NO_DEFAULT_ATTESTATIONS env var is set.

@crazy-max force-pushed the fix-no-default-attest branch from 515158f to 1c198f4 on April 9, 2025 16:58

@tonistiigi (Member) left a comment

Is the issue that the env var is not propagated to buildx, or does this need custom handling? If the former, then maybe a better fix would be to just make sure all BUILDX_* env vars are forwarded.

@crazy-max (Member, Author)

> or does this need custom handling

Yes, it needs custom handling because the action is setting the provenance based on GitHub events:

```ts
} else if (!hasAttestProvenance && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Build.hasDockerExporter(inputs.outputs, inputs.load)) {
  // if provenance not specified in provenance or attests inputs and BuildKit
  // version compatible for attestation, set default provenance. Also needs
  // to make sure user doesn't want to explicitly load the image to docker.
  if (GitHub.context.payload.repository?.private ?? false) {
    // if this is a private repository, we set the default provenance
    // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
    args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
  } else {
    // for a public repository, we set max provenance mode.
    args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
  }
}
```

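The decision the comment above describes, together with the opt-out this PR adds, as an added example in TypeScript. This is not build-push-action's own code: `defaultProvenanceArgs` and `noDefaultAttestations` are hypothetical helpers, and `resolveProvenanceAttrs` here is a stand-in that returns its argument unchanged, whereas the action's `Build.resolveProvenanceAttrs` also merges further attributes. How the value of `BUILDX_NO_DEFAULT_ATTESTATIONS` is interpreted (set and not `0`/`false` means opt out) is an assumption; check the buildx source for the exact rule.

```typescript
// Added example (not build-push-action's own code): models how the action chooses
// default provenance flags and how BUILDX_NO_DEFAULT_ATTESTATIONS opts out of them.

export interface ProvenanceDecisionInput {
  hasAttestProvenance: boolean;    // user set provenance via the `provenance` or `attests` inputs
  buildkitSupportsAttest: boolean; // builder's BuildKit satisfies >=0.11.0
  hasDockerExporter: boolean;      // output goes to the docker exporter (e.g. load: true)
  privateRepo: boolean;            // GitHub.context.payload.repository.private
  env: Record<string, string | undefined>; // environment as seen by the action
}

// Assumption: the opt-out applies when the variable is set to anything other
// than an explicit "0" or "false". Hypothetical helper.
export function noDefaultAttestations(env: Record<string, string | undefined>): boolean {
  const v = env.BUILDX_NO_DEFAULT_ATTESTATIONS;
  if (v === undefined) return false;
  const s = v.trim().toLowerCase();
  return s !== '' && s !== '0' && s !== 'false';
}

// Stand-in for Build.resolveProvenanceAttrs (hypothetical): the real helper
// merges extra attributes; here the attribute string passes through unchanged.
function resolveProvenanceAttrs(attrs: string): string {
  return attrs;
}

// Returns the extra CLI arguments the action would add to `buildx build`.
// An empty array means "let the user (or buildx) decide".
export function defaultProvenanceArgs(input: ProvenanceDecisionInput): string[] {
  const args: string[] = [];
  if (input.hasAttestProvenance) return args;        // user chose provenance explicitly
  if (!input.buildkitSupportsAttest) return args;    // BuildKit too old for attestations
  if (input.hasDockerExporter) return args;          // docker exporter cannot carry attestations
  if (noDefaultAttestations(input.env)) return args; // the fix: honour the buildx opt-out
  // Default mode mirrors the snippet above: min+inline-only for private repos, max for public.
  const mode = input.privateRepo ? 'mode=min,inline-only=true' : 'mode=max';
  args.push('--attest', `type=provenance,${resolveProvenanceAttrs(mode)}`);
  return args;
}
```

With the opt-out set, the function adds no `--attest` flag at all, so the build produces whatever buildx produces by default for that version; that is the behaviour the rapidsai commit below relies on when it sets the variable to avoid the image index (reported there as "is a manifest list") that carrying an attestation requires.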
@crazy-max merged commit 14487ce into docker:master on Apr 23, 2025 (68 checks passed)
@crazy-max deleted the fix-no-default-attest branch on April 23, 2025 16:39
rapids-bot bot pushed a commit to rapidsai/docker that referenced this pull request Dec 2, 2025
Closes #820

*(description copied from #820 (comment))*

`build-*-manifest` CI jobs are failing like this:

```text
docker.io/rapidsai/staging:docker-cuvs-bench-820-26.02a-cuda13-py3.10-amd64 is a manifest list
Error: Process completed with exit code 1.
```

([build link](https://github.com/rapidsai/docker/actions/runs/19864919436/job/56926457521?pr=820#step:4:23))

Looks like in newer versions of `docker`, builds create manifest lists by default instead of single image builds:

* NVIDIA/gpu-operator#1940
* NVIDIA/k8s-driver-manager#132
* docker/build-push-action#1339 (comment)

This opts out of that using the configuration option added in docker/build-push-action#1343

It also updates all `pre-commit` hooks, to avoid needing another CI run for #820

Authors:
  - James Lamb (https://github.com/jameslamb)

Approvers:
  - Bradley Dice (https://github.com/bdice)

URL: #821

Development

Successfully merging this pull request may close these issues.

BUILDX_NO_DEFAULT_ATTESTATIONS not respected after v5.3.0
