handle attests correctly with provenance and sbom inputs #1086

Merged (2 commits) on Apr 26, 2024

crazy-max commented Mar 26, 2024

We don't detect usage of the `attests` input, and therefore setting `attests: type=provenance,mode=max` will result in a duplicated provenance, as we already set it automatically, and the build will fail with:

ERROR: duplicate attestation field provenance

This will also set `builder-id` automatically if provenance is used in `attests`, which was not the case before.

To keep everything consistent across our flags such as `load` and `push`, the `provenance` and `sbom` inputs take precedence over the ones set in `attests`.
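
The precedence rule described in this pull request, as an added TypeScript sketch (not code from docker/build-push-action): it contrasts the pre-fix merge, which yields two provenance entries, with a merge that keeps one entry per type, lets the `provenance` and `sbom` inputs win over `attests`, and adds `builder-id` to provenance. The names `ActionInputs`, `naiveAttests`, `resolveAttests`, the `BUILDER_ID` value, the `disabled=` expansion of the shorthand inputs and the bare `type=provenance` default are assumptions made for the example.

```typescript
// Added illustration; every identifier here is hypothetical, not the action's own.
interface ActionInputs {
  provenance?: string; // shorthand input: "true", "false" or attributes such as "mode=max"
  sbom?: string;       // same shorthand forms
  attests: string[];   // full entries such as "type=provenance,mode=max"
}

// Constructed placeholder for the workflow run URL used as builder-id.
const BUILDER_ID = 'https://github.com/example-org/example-repo/actions/runs/1';

// Parse "k=v,k2=v2" into ordered pairs; a value may itself contain "=".
function fields(entry: string): [string, string][] {
  return entry.split(',').filter(f => f.trim() !== '').map((f): [string, string] => {
    const i = f.indexOf('=');
    return i < 0 ? [f.trim(), ''] : [f.slice(0, i).trim(), f.slice(i + 1).trim()];
  });
}

function attestType(entry: string): string {
  const t = fields(entry).filter(([k]) => k === 'type');
  return t.length ? t[0][1] : '';
}

// Expand a shorthand input into a full attestation entry (assumed canonical form).
function canonical(type: string, value: string): string {
  if (value === 'true' || value === 'false') {
    return `type=${type},disabled=${value === 'false'}`;
  }
  return `type=${type},${value}`;
}

// Insert an entry, replacing any existing entry of the same type in place.
function put(list: string[], entry: string): void {
  const i = list.map(e => attestType(e)).indexOf(attestType(entry));
  if (i < 0) list.push(entry); else list[i] = entry;
}

// Pre-fix behaviour as the PR describes it: provenance is set automatically and the
// attests entries are appended unchanged, so one type can appear twice.
function naiveAttests(inputs: ActionInputs): string[] {
  return [`type=provenance,builder-id=${BUILDER_ID}`, ...inputs.attests];
}

// Behaviour the PR describes: one entry per type, dedicated inputs override attests,
// and builder-id is added to provenance wherever the entry came from.
function resolveAttests(inputs: ActionInputs): string[] {
  const out: string[] = [];
  for (const entry of inputs.attests) put(out, entry);
  if (inputs.provenance !== undefined) put(out, canonical('provenance', inputs.provenance));
  if (inputs.sbom !== undefined) put(out, canonical('sbom', inputs.sbom));
  const types = out.map(e => attestType(e));
  if (types.indexOf('provenance') < 0) put(out, 'type=provenance'); // automatic default (assumed form)
  const i = out.map(e => attestType(e)).indexOf('provenance');
  const keys = fields(out[i]);
  const disabled = keys.some(([k, v]) => k === 'disabled' && v === 'true');
  if (!disabled && !keys.some(([k]) => k === 'builder-id')) {
    out[i] = `${out[i]},builder-id=${BUILDER_ID}`;
  }
  return out;
}

// Types that occur more than once: the condition behind "duplicate attestation field".
function duplicateTypes(entries: string[]): string[] {
  const types = entries.map(e => attestType(e));
  return types.filter((t, i) => types.indexOf(t) !== i && types.lastIndexOf(t) === i);
}
```

Running `duplicateTypes` over the final argument list in CI is a cheap pre-flight check that catches this class of failure before the build starts.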


crazy-max force-pushed the fix-attests-provenance-sbom branch from 92318fe to 96acf63 April 2, 2024 08:54
crazy-max marked this pull request as ready for review April 2, 2024 09:01
crazy-max merged commit c3b5701 into docker:master Apr 26, 2024
54 checks passed
crazy-max deleted the fix-attests-provenance-sbom branch April 26, 2024 09:06
vbraun pushed a commit to vbraun/sage that referenced this pull request Aug 27, 2024
    
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5 to 6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/docker/build-push-
action/releases">docker/build-push-action's releases</a>.</em></p>
<blockquote>
<h2>v6.0.0</h2>
<ul>
<li>Export build record and generate <a
href="https://docs.docker.com/build/ci/github-actions/build-
summary/">build summary</a> by <a href="https://github.com/crazy-
max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-
action/pull/1120">docker/build-push-action#1120</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.24.0 to 0.26.0 in
<a href="https://redirect.github.com/docker/build-push-
action/pull/1132">docker/build-push-action#1132</a> <a
href="https://redirect.github.com/docker/build-push-
action/pull/1136">docker/build-push-action#1136</a> <a
href="https://redirect.github.com/docker/build-push-
action/pull/1138">docker/build-push-action#1138</a></li>
<li>Bump braces from 3.0.2 to 3.0.3 in <a
href="https://redirect.github.com/docker/build-push-
action/pull/1137">docker/build-push-action#1137</a></li>
</ul>
<blockquote>
<p>[!NOTE]
This major release adds support for generating <a
href="https://docs.docker.com/build/ci/github-actions/build-
summary/">Build summary</a> and exporting build record for your build.
You can disable this feature by setting <a
href="https://docs.docker.com/build/ci/github-actions/build-
summary/#disable-job-summary"> <code>DOCKER_BUILD_NO_SUMMARY:
true</code> environment variable in your workflow</a>.</p>
</blockquote>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-
action/compare/v5.4.0...v6.0.0">https://github.com/docker/build-push-
action/compare/v5.4.0...v6.0.0</a></p>
<h2>v5.4.0</h2>
<ul>
<li>Show builder information before building by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-
action/pull/1128">docker/build-push-action#1128</a></li>
<li>Handle attestations correctly with provenance and sbom inputs by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-
action/pull/1086">docker/build-push-action#1086</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.19.0 to 0.24.0 in
<a href="https://redirect.github.com/docker/build-push-
action/pull/1088">docker/build-push-action#1088</a> <a
href="https://redirect.github.com/docker/build-push-
action/pull/1105">docker/build-push-action#1105</a> <a
href="https://redirect.github.com/docker/build-push-
action/pull/1121">docker/build-push-action#1121</a> <a
href="https://redirect.github.com/docker/build-push-
action/pull/1127">docker/build-push-action#1127</a></li>
<li>Bump undici from 5.28.3 to 5.28.4 in <a
href="https://redirect.github.com/docker/build-push-
action/pull/1090">docker/build-push-action#1090</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-
action/compare/v5.3.0...v5.4.0">https://github.com/docker/build-push-
action/compare/v5.3.0...v5.4.0</a></p>
<h2>v5.3.0</h2>
<ul>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.18.0 to 0.19.0 in
<a href="https://redirect.github.com/docker/build-push-
action/pull/1080">docker/build-push-action#1080</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-
action/compare/v5.2.0...v5.3.0">https://github.com/docker/build-push-
action/compare/v5.2.0...v5.3.0</a></p>
<h2>v5.2.0</h2>
<ul>
<li>Disable quotes detection for <code>outputs</code> input by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-
action/pull/1074">docker/build-push-action#1074</a></li>
<li>Warn about ignored inputs by <a
href="https://github.com/favonia"><code>@​favonia</code></a> in <a
href="https://redirect.github.com/docker/build-push-
action/pull/1019">docker/build-push-action#1019</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.14.0 to 0.18.0 in
<a href="https://redirect.github.com/docker/build-push-
action/pull/1070">docker/build-push-action#1070</a></li>
<li>Bump undici from 5.26.3 to 5.28.3 in <a
href="https://redirect.github.com/docker/build-push-
action/pull/1057">docker/build-push-action#1057</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-
action/compare/v5.1.0...v5.2.0">https://github.com/docker/build-push-
action/compare/v5.1.0...v5.2.0</a></p>
<h2>v5.1.0</h2>
<ul>
<li>Add <code>annotations</code> input by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-
action/pull/992">docker/build-push-action#992</a></li>
<li>Add <code>secret-envs</code> input by <a
href="https://github.com/elias-lundgren"><code>@​elias-
lundgren</code></a> in <a
href="https://redirect.github.com/docker/build-push-
action/pull/980">docker/build-push-action#980</a></li>
<li>Bump <code>@​babel/traverse</code> from 7.17.3 to 7.23.2 in <a
href="https://redirect.github.com/docker/build-push-
action/pull/991">docker/build-push-action#991</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.13.0-rc.1 to
0.14.0 in <a href="https://redirect.github.com/docker/build-push-
action/pull/990">docker/build-push-action#990</a> <a
href="https://redirect.github.com/docker/build-push-
action/pull/1006">docker/build-push-action#1006</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-
action/compare/v5.0.0...v5.1.0">https://github.com/docker/build-push-
action/compare/v5.0.0...v5.1.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="docker/build-push-action@31159d49
c0d4756269a0940a750801a1ea5d7003"><code>31159d4</code></a> Merge pull
request <a href="https://redirect.github.com/docker/build-push-
action/issues/1149">sagemath#1149</a> from
docker/dependabot/npm_and_yarn/docker/actions-t...</li>
<li><a href="docker/build-push-action@07e1c3e1
48c1973f78a15cef24eae4371e57280d"><code>07e1c3e</code></a> chore: update
generated content</li>
<li><a href="docker/build-push-action@f7febd62
1d13a78cf2751da16b38233f0e819581"><code>f7febd6</code></a> chore(deps):
Bump <code>@​docker/actions-toolkit</code> from 0.26.2 to 0.27.0</li>
<li><a href="docker/build-push-action@f6010ea7
0151369b06f0194be1051fbbdff851b2"><code>f6010ea</code></a> Merge pull
request <a href="https://redirect.github.com/docker/build-push-
action/issues/1147">sagemath#1147</a> from
docker/dependabot/npm_and_yarn/docker/actions-t...</li>
<li><a href="docker/build-push-action@c0a6b968
0fb13e0dc73747f7da2bb27d9f5a3beb"><code>c0a6b96</code></a> chore: update
generated content</li>
<li><a href="docker/build-push-action@0dfe9c3d
416a6cc790f37ce7704bbab23e3442db"><code>0dfe9c3</code></a> chore(deps):
Bump <code>@​docker/actions-toolkit</code> from 0.26.1 to 0.26.2</li>
<li><a href="docker/build-push-action@94f8f8c2
eec4bc3f1d78c1755580779804cb87b2"><code>94f8f8c</code></a> Merge pull
request <a href="https://redirect.github.com/docker/build-push-
action/issues/1142">sagemath#1142</a> from
docker/dependabot/npm_and_yarn/docker/actions-t...</li>
<li><a href="docker/build-push-action@22f4433c
588020040c09698d8998964f307cd95b"><code>22f4433</code></a> chore: update
generated content</li>
<li><a href="docker/build-push-action@6721c560
15505c8bc8e7087fae9263d32715d7a3"><code>6721c56</code></a> chore(deps):
Bump <code>@​docker/actions-toolkit</code> from 0.26.0 to 0.26.1</li>
<li><a href="docker/build-push-action@4367da97
8b557b70738a51fed31c93e6a240dfb3"><code>4367da9</code></a> Merge pull
request <a href="https://redirect.github.com/docker/build-push-
action/issues/1140">sagemath#1140</a> from
docker/dependabot/github_actions/docker/bake-ac...</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/build-push-
action/compare/v5...v6">compare view</a></li>
</ul>
</details>
URL: sagemath#38267
Reported by: dependabot[bot]
Reviewer(s): Kwankyu Lee
vbraun pushed a commit to vbraun/sage that referenced this pull request Aug 28, 2024
    