build: set record provenance in response #2280

Merged (1 commit) on Apr 11, 2024

crazy-max commented Feb 23, 2024

follow-up discussion with @tonistiigi
related to #1681

Previously we got containerimage.buildinfo in the metadata file but buildinfo has been removed in BuildKit 0.12 (moby/buildkit#3582): https://github.com/moby/buildkit/blob/master/docs/deprecated.md#build-information

This was useful to see all sources that were used by the build with their exact versions and also the configuration that was passed to the build.

However with the provenance attestation supported since BuildKit v0.11, we have similar (and a "bit" more) information available.

With this change we set the provenance saved along the build record in the metadata file similar to containerimage.buildinfo that is named buildx.build.provenance. Will set minimal provenance by default but can be customized using the BUILDX_METADATA_PROVENANCE env var.


```
$ cd buildx/
$ BUILDX_METADATA_PROVENANCE=max docker buildx --builder builder bake binaries --metadata-file md.json
...
#19 copying files 56.29MB 0.3s done
#19 DONE 0.3s

#20 resolve build record provenance
#20 DONE 0.0s
```

md.json


```
$ cd buildx/
$ BUILDX_METADATA_PROVENANCE=max docker buildx --builder builder bake binaries-cross --metadata-file md.json
...
#28 copying files darwin/amd64 63.37MB 2.8s done
#28 copying files darwin/arm64 63.25MB 2.8s done
#28 DONE 2.8s

#29 resolve build record provenance
#29 DONE 0.0s
```

md.json


```
$ cd buildkit/
$ BUILDX_METADATA_PROVENANCE=max docker buildx --builder builder bake binaries --metadata-file md.json
...
#89 [integration-tests-base 18/18] COPY --link --from=binaries / /usr/bin/
#89 merging 1.8s done
#89 DONE 1.9s

#90 [integration-tests 1/1] COPY . .
#90 DONE 1.5s

#91 resolve build record provenance
#91 DONE 0.1s
```

md.json


crazy-max force-pushed the provenance-metadata branch 3 times, most recently from 436f6c4 to 4a00e0f (February 24, 2024 14:03)
crazy-max force-pushed the provenance-metadata branch 6 times, most recently from eb6347c to e0256b6 (February 28, 2024 09:24)
crazy-max marked this pull request as ready for review (February 28, 2024 09:41)
crazy-max marked this pull request as draft (February 29, 2024 08:36)
crazy-max marked this pull request as ready for review (February 29, 2024 11:46)
crazy-max force-pushed the provenance-metadata branch 6 times, most recently from a1e68ca to b3585e6 (March 8, 2024 08:51)

crazy-max commented Mar 27, 2024

@tonistiigi Updated to strip buildConfig and metadata from provenance if BUILDX_METADATA_PROVENANCE is set to min. Mode max sets full provenance. Let me know if defaulting to min would be good. Atm it doesn't set provenance at all.
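
A consumer-side check for the metadata file discussed in this PR, as an added example (not code from the PR or from buildx): for each bake target it reads `buildx.build.provenance`, reports whether `buildConfig` or `metadata` is present, and lists materials recorded without a digest. The per-target layout, the SLSA v0.2 style `materials`/`uri`/`digest` fields, the `Audit` and `Report` names and the sample JSON are assumptions, since the page does not show the contents of `md.json`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleMD is constructed for this example (assumed layout); it is not output from the PR.
const sampleMD = `{"note": "x", "lint": {"buildx.build.provenance": {"materials": []}},
 "binaries": {"buildx.build.provenance": {"buildConfig": {}, "metadata": {}, "materials": [
 {"uri": "pkg:docker/example/base@1", "digest": {"sha256": "00"}}, {"uri": "https://example.com/src.tgz"}]}}}`

type Report struct { // hypothetical per-target summary
	Full     bool     // buildConfig or metadata present (not stripped as in "min")
	Unpinned []string // material URIs recorded without any digest
}

// Audit returns a Report for every target that carries buildx.build.provenance.
func Audit(md []byte) (map[string]Report, error) {
	const key = "buildx.build.provenance"
	var top map[string]json.RawMessage
	if err := json.Unmarshal(md, &top); err != nil {
		return nil, err
	}
	out := map[string]Report{}
	for name, raw := range top {
		var fields map[string]json.RawMessage
		if json.Unmarshal(raw, &fields) != nil || fields[key] == nil {
			continue // not a target object, or no provenance recorded for it
		}
		var p struct { // only the fields read here; JSON keys match case-insensitively
			Materials             []struct{ URI string; Digest map[string]string }
			BuildConfig, Metadata *json.RawMessage
		}
		if err := json.Unmarshal(fields[key], &p); err != nil {
			return nil, fmt.Errorf("target %s: %w", name, err)
		}
		r := Report{Full: p.BuildConfig != nil || p.Metadata != nil}
		for _, m := range p.Materials {
			if len(m.Digest) == 0 {
				r.Unpinned = append(r.Unpinned, m.URI)
			}
		}
		out[name] = r
	}
	return out, nil
}

func main() { fmt.Println(Audit([]byte(sampleMD))) }
```

A material without a digest cannot be tied to exact content, so a non-empty `Unpinned` list is the signal to review before trusting the record.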

crazy-max force-pushed the provenance-metadata branch 3 times, most recently from 5e29d4b to fde233d (April 11, 2024 07:37)
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
tonistiigi merged commit 3e90cc4 into docker:master (Apr 11, 2024)
87 checks passed
crazy-max deleted the provenance-metadata branch (April 11, 2024 14:32)