hub / github.com/docker/build-push-action / getAttestArgs

Function getAttestArgs

src/context.ts:238–285  ·  view source on GitHub ↗
(inputs: Inputs, toolkit: Toolkit)

Source from the content-addressed store, hash-verified

236}
237
/**
 * Builds the `--attest` arguments from the `provenance`, `sbom` and `attests`
 * inputs.
 *
 * Precedence: the dedicated `provenance` and `sbom` inputs win over entries of
 * the same type in `attests`. When neither the `provenance` input nor any
 * `attests` entry asks for provenance, a default provenance attestation is
 * added, unless `noDefaultAttestations()` is true, the builder's BuildKit does
 * not satisfy `>=0.11.0`, or `Build.hasDockerExporter` reports a docker
 * exporter for the given outputs/load.
 *
 * @param inputs - Action inputs; reads `attests`, `provenance`, `sbom`,
 *   `builder`, `outputs` and `load`.
 * @param toolkit - Used to check the BuildKit version of `inputs.builder`.
 * @returns Flat list of alternating `--attest` flags and attestation values.
 */
async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
  const attestArgs: Array<string> = [];
  const addAttest = (value: string): void => {
    attestArgs.push('--attest', value);
  };

  // Scan the attests input once to learn whether provenance is requested there.
  let provenanceInAttests = false;
  await Util.asyncForEach(inputs.attests, async (entry: string) => {
    if (Build.hasAttestationType('provenance', entry)) {
      provenanceInAttests = true;
    }
  });

  const provenanceFromInput = Boolean(inputs.provenance);
  if (provenanceFromInput) {
    addAttest(Build.resolveAttestationAttrs(`type=provenance,${inputs.provenance}`));
  } else if (
    // Order matters: the BuildKit version query is only awaited when the two
    // cheaper checks before it have already passed.
    !provenanceInAttests &&
    !noDefaultAttestations() &&
    (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) &&
    !Build.hasDockerExporter(inputs.outputs, inputs.load)
  ) {
    // No provenance requested anywhere and the builder supports attestations:
    // fall back to a default whose detail level depends on repo visibility.
    // Private repositories get the same defaults buildx applies:
    // https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
    // Public repositories get max provenance mode.
    //
    // Max mode records more of the build than min (per BuildKit's provenance
    // documentation this includes build-arg values), so this decision controls
    // what ends up in the published attestation.
    // NOTE(review): when the event payload carries no `repository`, the `?? false`
    // fallback treats the repo as public and selects mode=max; confirm that is
    // the intended default when visibility is unknown.
    const isPrivateRepo = GitHub.context.payload.repository?.private ?? false;
    const defaultAttrs = isPrivateRepo ? 'mode=min,inline-only=true' : 'mode=max';
    addAttest(`type=provenance,${Build.resolveProvenanceAttrs(defaultAttrs)}`);
  }

  const sbomFromInput = Boolean(inputs.sbom);
  if (sbomFromInput) {
    addAttest(Build.resolveAttestationAttrs(`type=sbom,${inputs.sbom}`));
  }

  // Forward the attests entries, skipping provenance/sbom entries whose type
  // was already supplied by the dedicated input (those inputs take precedence).
  await Util.asyncForEach(inputs.attests, async (entry: string) => {
    const isProvenance = Build.hasAttestationType('provenance', entry);
    if (!isProvenance && !Build.hasAttestationType('sbom', entry)) {
      // Any other attestation type is always forwarded.
      addAttest(Build.resolveAttestationAttrs(entry));
      return;
    }
    if (isProvenance && !provenanceFromInput) {
      addAttest(Build.resolveProvenanceAttrs(entry));
      return;
    }
    if (!sbomFromInput && Build.hasAttestationType('sbom', entry)) {
      // NOTE(review): sbom entries from `attests` are passed through verbatim,
      // while the `sbom` input goes through Build.resolveAttestationAttrs;
      // confirm the asymmetry is intended.
      addAttest(entry);
    }
  });

  return attestArgs;
}
286
287function noDefaultAttestations(): boolean {
288 if (process.env.BUILDX_NO_DEFAULT_ATTESTATIONS) {

Callers 1

getBuildArgs (Function) · 0.85

Calls 1

noDefaultAttestations (Function) · 0.85

Tested by

no test coverage detected