Merge 1c198f4467 into 88844b95d8

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

.github/workflows/ci.yml

@@ -1542,3 +1542,26 @@ jobs:
             echo "::error::Should have failed"
             exit 1
           fi
+
+  no-default-attestations:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: action
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ inputs.buildx-version || env.BUILDX_VERSION }}
+          driver-opts: |
+            image=${{ inputs.buildkit-image || env.BUILDKIT_IMAGE }}
+      -
+        name: Build
+        uses: ./action
+        with:
+          file: ./test/Dockerfile
+        env:
+          BUILDX_NO_DEFAULT_ATTESTATIONS: 1

__tests__/context.test.ts

@@ -1,4 +1,4 @@
-import {beforeEach, describe, expect, jest, test} from '@jest/globals';
+import {afterEach, beforeEach, describe, expect, jest, test} from '@jest/globals';
 import * as fs from 'fs';
 import * as path from 'path';
 
@@ -68,6 +68,7 @@ jest.spyOn(Builder.prototype, 'inspect').mockImplementation(async (): Promise<Bu
 });
 
 describe('getArgs', () => {
+  const originalEnv = process.env;
   beforeEach(() => {
     process.env = Object.keys(process.env).reduce((object, key) => {
       if (!key.startsWith('INPUT_')) {
@@ -76,6 +77,9 @@ describe('getArgs', () => {
       return object;
     }, {});
   });
+  afterEach(() => {
+    process.env = originalEnv;
+  });
 
   // prettier-ignore
   test.each([
@@ -93,7 +97,8 @@ describe('getArgs', () => {
         'build',
         '--iidfile', imageIDFilePath,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       1,
@@ -116,7 +121,8 @@ ccc"`],
         '--build-arg', `MULTILINE=aaaa\nbbbb\nccc`,
         '--iidfile', imageIDFilePath,
         'https://github.com/docker/build-push-action.git#refs/heads/master'
-      ]
+      ],
+      undefined
     ],
     [
       2,
@@ -134,7 +140,8 @@ ccc"`],
         '--tag', 'name/app:7.4',
         '--tag', 'name/app:latest',
         'https://github.com/docker/build-push-action.git#refs/heads/master'
-      ]
+      ],
+      undefined
     ],
     [
       3,
@@ -154,7 +161,8 @@ ccc"`],
         '--label', 'org.opencontainers.image.description=concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit',
         '--output', 'type=local,dest=./release-out',
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       4,
@@ -171,7 +179,8 @@ ccc"`],
         'build',
         '--platform', 'linux/amd64,linux/arm64',
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       5,
@@ -187,7 +196,8 @@ ccc"`],
         'build',
         '--iidfile', imageIDFilePath,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       6,
@@ -205,7 +215,8 @@ ccc"`],
         '--iidfile', imageIDFilePath,
         '--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       7,
@@ -223,7 +234,8 @@ ccc"`],
         '--output', '.',
         '--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`,
         'https://github.com/docker/build-push-action.git#refs/heads/master'
-      ]
+      ],
+      undefined
     ],
     [
       8,
@@ -249,7 +261,8 @@ ccc"`],
         '--builder', 'builder-git-context-2',
         '--push',
         'https://github.com/docker/build-push-action.git#refs/heads/master'
-      ]
+      ],
+      undefined
     ],
     [
       9,
@@ -286,7 +299,8 @@ ccc"`],
         '--builder', 'builder-git-context-2',
         '--push',
         'https://github.com/docker/build-push-action.git#refs/heads/master'
-      ]
+      ],
+      undefined
     ],
     [
       10,
@@ -323,7 +337,8 @@ ccc`],
         '--builder', 'builder-git-context-2',
         '--push',
         'https://github.com/docker/build-push-action.git#refs/heads/master'
-      ]
+      ],
+      undefined
     ],
     [
       11,
@@ -349,7 +364,8 @@ ccc`],
         '--network', 'host',
         '--push',
         'https://github.com/docker/build-push-action.git#refs/heads/master'
-      ]
+      ],
+      undefined
     ],
     [
       12,
@@ -369,7 +385,8 @@ ccc`],
         '--label', 'org.opencontainers.image.description=Reference implementation of operation "filter results (top-n)"',
         '--output', 'type=local,dest=./release-out',
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       13,
@@ -395,7 +412,8 @@ ccc`],
         '--network', 'host',
         '--push',
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       14,
@@ -425,7 +443,8 @@ nproc=3`],
         '--ulimit', 'nproc=3',
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       15,
@@ -442,7 +461,8 @@ nproc=3`],
         '--iidfile', imageIDFilePath,
         '--metadata-file', metadataJson,
         'https://github.com/docker/build-push-action.git#refs/heads/master:docker'
-      ]
+      ],
+      undefined
     ],
     [
       16,
@@ -461,7 +481,8 @@ nproc=3`],
         '--secret', `id=GIT_AUTH_TOKEN,src=${tmpName}`,
         '--metadata-file', metadataJson,
         'https://github.com/docker/build-push-action.git#refs/heads/master:subdir'
-      ]
+      ],
+      undefined
     ],
     [
       17,
@@ -479,7 +500,8 @@ nproc=3`],
         '--iidfile', imageIDFilePath,
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       18,
@@ -497,7 +519,8 @@ nproc=3`],
         '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       19,
@@ -516,7 +539,8 @@ nproc=3`],
         '--attest', `type=provenance,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       20,
@@ -535,7 +559,8 @@ nproc=3`],
         '--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       21,
@@ -554,7 +579,8 @@ nproc=3`],
         '--attest', 'type=provenance,disabled=true',
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       22,
@@ -573,7 +599,8 @@ nproc=3`],
         '--attest', 'type=provenance,builder-id=foo',
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       23,
@@ -592,7 +619,8 @@ nproc=3`],
         "--output", 'type=docker',
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       24,
@@ -610,7 +638,8 @@ nproc=3`],
         '--load',
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       25,
@@ -630,7 +659,8 @@ nproc=3`],
         '--load',
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       26,
@@ -652,7 +682,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
         '--load',
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       27,
@@ -673,7 +704,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
         '--load',
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       28,
@@ -693,7 +725,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
         '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       29,
@@ -717,7 +750,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
         '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       30,
@@ -737,7 +771,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
         '--attest', `type=provenance,mode=min,inline-only=true,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       31,
@@ -758,7 +793,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
         '--attest', `type=sbom,disabled=false`,
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       32,
@@ -778,7 +814,8 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
         '--attest', `type=provenance,mode=max,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
     ],
     [
       33,
@@ -797,11 +834,37 @@ ANOTHER_SECRET=ANOTHER_SECRET_ENV`]
         '--attest', `type=provenance,mode=min,builder-id=https://github.com/docker/build-push-action/actions/runs/123456789/attempts/1`,
         '--metadata-file', metadataJson,
         '.'
-      ]
+      ],
+      undefined
+    ],
+    [
+      34,
+      '0.13.1',
+      new Map<string, string>([
+        ['context', '.'],
+        ['load', 'false'],
+        ['no-cache', 'false'],
+        ['push', 'false'],
+        ['pull', 'false']
+      ]),
+      [
+        'build',
+        '--iidfile', imageIDFilePath,
+        '--metadata-file', metadataJson,
+        '.'
+      ],
+      new Map<string, string>([
+        ['BUILDX_NO_DEFAULT_ATTESTATIONS', '1']
+      ])
     ],
   ])(
     '[%d] given %p with %p as inputs, returns %p',
-    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>) => {
+    async (num: number, buildxVersion: string, inputs: Map<string, string>, expected: Array<string>, envs: Map<string, string> | undefined) => {
+      if (envs) {
+        envs.forEach((value: string, name: string) => {
+          process.env[name] = value;
+        });
+      }
       inputs.forEach((value: string, name: string) => {
         setInput(name, value);
       });

package.json

@@ -27,7 +27,7 @@
   "packageManager": "yarn@3.6.3",
   "dependencies": {
     "@actions/core": "^1.11.1",
-    "@docker/actions-toolkit": "0.56.0",
+    "@docker/actions-toolkit": "0.59.0",
     "handlebars": "^4.7.7"
   },
   "devDependencies": {

src/context.ts

@@ -81,25 +81,6 @@ export async function getInputs(): Promise<Inputs> {
   };
 }
 
-export function sanitizeInputs(inputs: Inputs) {
-  const res = {};
-  for (const key of Object.keys(inputs)) {
-    if (key === 'github-token') {
-      continue;
-    }
-    const value: string | string[] | boolean = inputs[key];
-    if (typeof value === 'boolean' && value === false) {
-      continue;
-    } else if (Array.isArray(value) && value.length === 0) {
-      continue;
-    } else if (!value) {
-      continue;
-    }
-    res[key] = value;
-  }
-  return res;
-}
-
 export async function getArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<string>> {
   const context = handlebars.compile(inputs.context)({
     defaultContext: Context.gitContext()
@@ -264,7 +245,7 @@ async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
   if (inputs.provenance) {
     args.push('--attest', Build.resolveAttestationAttrs(`type=provenance,${inputs.provenance}`));
     provenanceSet = true;
-  } else if (!hasAttestProvenance && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Build.hasDockerExporter(inputs.outputs, inputs.load)) {
+  } else if (!hasAttestProvenance && !noDefaultAttestations() && (await toolkit.buildkit.versionSatisfies(inputs.builder, '>=0.11.0')) && !Build.hasDockerExporter(inputs.outputs, inputs.load)) {
     // if provenance not specified in provenance or attests inputs and BuildKit
     // version compatible for attestation, set default provenance. Also needs
     // to make sure user doesn't want to explicitly load the image to docker.
@@ -296,3 +277,10 @@ async function getAttestArgs(inputs: Inputs, toolkit: Toolkit): Promise<Array<st
 
   return args;
 }
+
+function noDefaultAttestations(): boolean {
+  if (process.env.BUILDX_NO_DEFAULT_ATTESTATIONS) {
+    return Util.parseBool(process.env.BUILDX_NO_DEFAULT_ATTESTATIONS);
+  }
+  return false;
+}

src/main.ts

@@ -24,8 +24,8 @@ actionsToolkit.run(
   async () => {
     const startedTime = new Date();
     const inputs: context.Inputs = await context.getInputs();
+    stateHelper.setSummaryInputs(inputs);
     core.debug(`inputs: ${JSON.stringify(inputs)}`);
-    stateHelper.setInputs(inputs);
 
     const toolkit = new Toolkit();
 
@@ -216,7 +216,7 @@ actionsToolkit.run(
           await GitHub.writeBuildSummary({
             exportRes: exportRes,
             uploadRes: uploadRes,
-            inputs: stateHelper.inputs
+            inputs: stateHelper.summaryInputs
           });
         } catch (e) {
           core.warning(e.message);

src/state-helper.ts

@@ -1,20 +1,18 @@
 import * as core from '@actions/core';
 
-import {Inputs, sanitizeInputs} from './context';
+import {Build} from '@docker/actions-toolkit/lib/buildx/build';
+
+import {Inputs} from './context';
 
 export const tmpDir = process.env['STATE_tmpDir'] || '';
-export const inputs = process.env['STATE_inputs'] ? JSON.parse(process.env['STATE_inputs']) : undefined;
 export const buildRef = process.env['STATE_buildRef'] || '';
 export const isSummarySupported = !!process.env['STATE_isSummarySupported'];
+export const summaryInputs = process.env['STATE_summaryInputs'] ? JSON.parse(process.env['STATE_summaryInputs']) : undefined;
 
 export function setTmpDir(tmpDir: string) {
   core.saveState('tmpDir', tmpDir);
 }
 
-export function setInputs(inputs: Inputs) {
-  core.saveState('inputs', JSON.stringify(sanitizeInputs(inputs)));
-}
-
 export function setBuildRef(buildRef: string) {
   core.saveState('buildRef', buildRef);
 }
@@ -22,3 +20,39 @@ export function setBuildRef(buildRef: string) {
 export function setSummarySupported() {
   core.saveState('isSummarySupported', 'true');
 }
+
+export function setSummaryInputs(inputs: Inputs) {
+  const res = {};
+  for (const key of Object.keys(inputs)) {
+    if (key === 'github-token') {
+      continue;
+    }
+    const value: string | string[] | boolean = inputs[key];
+    if (typeof value === 'boolean' && !value) {
+      continue;
+    } else if (Array.isArray(value)) {
+      if (value.length === 0) {
+        continue;
+      } else if (key === 'secrets' && value.length > 0) {
+        const secretKeys: string[] = [];
+        for (const secret of value) {
+          try {
+            // eslint-disable-next-line @typescript-eslint/no-unused-vars
+            const [skey, _] = Build.parseSecretKvp(secret, true);
+            secretKeys.push(skey);
+          } catch (err) {
+            // ignore invalid secret
+          }
+        }
+        if (secretKeys.length > 0) {
+          res[key] = secretKeys;
+        }
+        continue;
+      }
+    } else if (!value) {
+      continue;
+    }
+    res[key] = value;
+  }
+  core.saveState('summaryInputs', JSON.stringify(res));
+}

yarn.lock

@@ -12,9 +12,9 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@actions/artifact@npm:^2.2.2":
+"@actions/artifact@npm:^2.3.2":
-  version: 2.2.2
+  version: 2.3.2
-  resolution: "@actions/artifact@npm:2.2.2"
+  resolution: "@actions/artifact@npm:2.3.2"
   dependencies:
     "@actions/core": ^1.10.0
     "@actions/github": ^5.1.1
@@ -28,13 +28,13 @@ __metadata:
     archiver: ^7.0.1
     jwt-decode: ^3.1.2
     unzip-stream: ^0.3.1
-  checksum: 1501b3d0ceb671f370786ccf70014de9586c5a78c95d235248fc16c73bf928f8de2aa932a679258f6d9bc2f2e570648d830551af9f063298f05d19f3330b33bc
+  checksum: 78ee41b43800accb2f3527e1733217c43d53693e7f96ce2470b16890fb84f5c2ebaaa6048ccdb6cfe188b54c02779ec99623c6932558e757f6829cfde203cf2c
   languageName: node
   linkType: hard
 
-"@actions/cache@npm:^4.0.2":
+"@actions/cache@npm:^4.0.3":
-  version: 4.0.2
+  version: 4.0.3
-  resolution: "@actions/cache@npm:4.0.2"
+  resolution: "@actions/cache@npm:4.0.3"
   dependencies:
     "@actions/core": ^1.11.1
     "@actions/exec": ^1.0.1
@@ -46,7 +46,7 @@ __metadata:
     "@azure/storage-blob": ^12.13.0
     "@protobuf-ts/plugin": ^2.9.4
     semver: ^6.3.1
-  checksum: 208f11238a26194f331b329bb99d50a87c1a3ccef1dbae181e5c142b3faf41715203e0c5cbc491519d3d97540a68fbd418c25fb6e16caabf76248c40867c02b4
+  checksum: ee9c2a21a70bd3f35c63f302af478e23f135c26deb77ea2e4eed29c62766a4b201fc7435651c0d56fa504c02d203107e3bdfda1dba18a3ee09338e1dfc3f2fe8
   languageName: node
   linkType: hard
 
@@ -1072,12 +1072,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@docker/actions-toolkit@npm:0.56.0":
+"@docker/actions-toolkit@npm:0.59.0":
-  version: 0.56.0
+  version: 0.59.0
-  resolution: "@docker/actions-toolkit@npm:0.56.0"
+  resolution: "@docker/actions-toolkit@npm:0.59.0"
   dependencies:
-    "@actions/artifact": ^2.2.2
+    "@actions/artifact": ^2.3.2
-    "@actions/cache": ^4.0.2
+    "@actions/cache": ^4.0.3
     "@actions/core": ^1.11.1
     "@actions/exec": ^1.1.1
     "@actions/github": ^6.0.0
@@ -1097,7 +1097,7 @@ __metadata:
     semver: ^7.7.1
     tar-stream: ^3.1.7
     tmp: ^0.2.3
-  checksum: 0f1b569f8bb206399f8c26e566c78e30e4a311bbd64486016e7fa1d35fbbb4c94d4f55afa6b711afa4b41c5835b40b038f48c3d1bfdfdc6f7c6680973e922d9e
+  checksum: 0956071aa04e04132b789d47ba57813c566115bea9fdedf3c648d0a0da8ce12350de9cd2a796ce1da7b64b995ae073bfe344b0f63c6f331a45e60195e15680a6
   languageName: node
   linkType: hard
 
@@ -3143,7 +3143,7 @@ __metadata:
   resolution: "docker-build-push@workspace:."
   dependencies:
     "@actions/core": ^1.11.1
-    "@docker/actions-toolkit": 0.56.0
+    "@docker/actions-toolkit": 0.59.0
     "@types/node": ^20.12.12
     "@typescript-eslint/eslint-plugin": ^7.9.0
     "@typescript-eslint/parser": ^7.9.0