(inputs: Inputs, toolkit: Toolkit)
| 236 | } |
| 237 | |
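/**
 * Builds the `--attest` arguments passed to buildx from the `provenance`,
 * `sbom` and `attests` inputs.
 *
 * Precedence: the dedicated `provenance` and `sbom` inputs win over an entry
 * of the same type in `attests`. When no input sets provenance, the
 * environment does not opt out of default attestations, the image is not
 * being loaded into the docker daemon and the builder's BuildKit is
 * `>=0.11.0`, a default provenance attestation is added whose mode depends
 * on the repository visibility reported in the event payload.
 *
 * @param inputs - action inputs (`provenance`, `sbom`, `attests`, `outputs`, `load`, `builder`)
 * @param toolkit - toolkit used to query the BuildKit version of `inputs.builder`
 * @returns the flattened `['--attest', attrs, ...]` argument list, possibly empty
 */
async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
  const args: Array<string> = [];

  // Pure, synchronous predicate: no need to route it through an async loop.
  const hasAttestProvenance = inputs.attests.some((attest: string) => Build.hasAttestationType('provenance', attest));

  let provenanceSet = false;
  let sbomSet = false;
  if (inputs.provenance) {
    args.push('--attest', Build.resolveAttestationAttrs(`type=provenance,${inputs.provenance}`));
    provenanceSet = true;
  } else if (!hasAttestProvenance && !noDefaultAttestations() && !Build.hasDockerExporter(inputs.outputs, inputs.load) && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0'))) {
    // Default provenance: only when neither the provenance nor the attests
    // input specified it, default attestations are not disabled, the user is
    // not loading the image into docker, and BuildKit is recent enough. The
    // cheap local checks run first so the version lookup is only awaited
    // when it can still change the outcome.
    //
    // Visibility comes from the event payload. A payload without
    // `repository.private` (missing or undefined) is treated as PUBLIC, which
    // selects the more detailed mode=max; set the `provenance` input
    // explicitly if that fallback is not acceptable for a given workflow.
    if (GitHub.context.payload.repository?.private ?? false) {
      // Private repository: mirror the defaults buildx itself applies
      // https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
      args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=min,inline-only=true`)}`);
    } else {
      // Public repository: full provenance.
      args.push('--attest', `type=provenance,${Build.resolveProvenanceAttrs(`mode=max`)}`);
    }
  }
  if (inputs.sbom) {
    args.push('--attest', Build.resolveAttestationAttrs(`type=sbom,${inputs.sbom}`));
    sbomSet = true;
  }

  // Remaining attests entries. A provenance or sbom entry is only honoured
  // when the dedicated input did not already set that type, so the
  // provenance/sbom inputs take precedence over attests.
  for (const attest of inputs.attests) {
    const isProvenance = Build.hasAttestationType('provenance', attest);
    const isSbom = Build.hasAttestationType('sbom', attest);
    if (!isProvenance && !isSbom) {
      args.push('--attest', Build.resolveAttestationAttrs(attest));
    } else if (isProvenance && !provenanceSet) {
      args.push('--attest', Build.resolveProvenanceAttrs(attest));
    } else if (isSbom && !sbomSet) {
      args.push('--attest', attest);
    }
  }

  return args;
}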
| 286 | |
| 287 | function noDefaultAttestations(): boolean { |
| 288 | if (process.env.BUILDX_NO_DEFAULT_ATTESTATIONS) { |