From 8937e387657e085215cd6aea5a7bf98906300655 Mon Sep 17 00:00:00 2001
From: Laurent Goderre
Date: Thu, 27 Jun 2024 11:49:03 -0400
Subject: [PATCH] Specify the builder id for provenance

---
 .test/meta-commands/out.sh | 2 +-
 doi.jq | 6 ++++++
 meta.jq | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.test/meta-commands/out.sh b/.test/meta-commands/out.sh
index 01d63cd..fe3bc8d 100644
--- a/.test/meta-commands/out.sh
+++ b/.test/meta-commands/out.sh
@@ -5,7 +5,7 @@ # SOURCE_DATE_EPOCH=1700741054 \
 	docker buildx build --progress=plain \
-		--provenance=mode=max \
+		--provenance=mode=max,builder-id='https://github.com/docker-library' \
 		--output '"type=oci","dest=temp.tar"' \
 		--annotation 'org.opencontainers.image.source=https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/cli' \
 		--annotation 'org.opencontainers.image.revision=6d541d27b5dd12639e5a33a675ebca04d3837d74' \
diff --git a/doi.jq b/doi.jq
index 2a5a888..067a01c 100644
--- a/doi.jq
+++ b/doi.jq
@@ -157,6 +157,12 @@ def _sbom_subset:
 	]
 ;
 
+# https://github.com/docker-library/meta-scripts/pull/61 (for lack of better documentation for setting this in buildkit)
+# https://slsa.dev/provenance/v0.2#builder.id
+def buildkit_provenance_builder_id:
+	"https://github.com/docker-library"
+;
+
 # input: "build" object (with "buildId" top level key)
 # output: boolean
 def build_should_sbom:
diff --git a/meta.jq b/meta.jq
index 78367cd..3cfe969 100644
--- a/meta.jq
+++ b/meta.jq
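Review bot: The comment above buildkit_provenance_builder_id says where the knob comes from but not what the value means to a consumer of the provenance: builder.id is set here by the build invocation itself, so it identifies the docker-library pipeline by convention rather than being asserted by an independently trusted builder. A sentence recording that would keep downstream verifiers from treating it as a trust anchor on its own, e.g. `# NOTE: this id is self-declared on the buildx command line; verifiers should check the attestation's signature/origin, not builder.id alone`. It is also one fixed URI for every build, which presumably is intended; stating that explicitly avoids later confusion about whether it should vary per builder.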
@@ -139,7 +139,7 @@ def build_command:
 	@sh "SOURCE_DATE_EPOCH=\(.source.entry.SOURCE_DATE_EPOCH)",
 	# TODO EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=<(jq ...)
 	"docker buildx build --progress=plain",
-	"--provenance=mode=max",
+	@sh "--provenance=mode=max,builder-id=\(buildkit_provenance_builder_id)",
 	if build_should_sbom then
 		# see "bashbrew remote arches docker/scout-sbom-indexer:1" (we need the SBOM scanner to be runnable on the host architecture)
 		# bashbrew remote arches --json docker/scout-sbom-indexer:1 | jq '.arches | keys_unsorted' -c
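Review bot: `@sh` only shell-quotes the interpolated builder id (matching the fixture's `builder-id='https://github.com/docker-library'`), but `--provenance` is an attribute list that buildx splits on commas, so a value containing `,` or `"` would also need CSV quoting, which `@sh` does not add. The current constant is safe; a comment next to the new line such as `# builder-id is inserted via @sh for shell quoting only; the value must stay free of ',' because --provenance is parsed as a CSV attr list` would record the constraint for whoever next edits buildkit_provenance_builder_id. The same line appears in the .test/meta-commands/out.sh fixture hunk. build_command starts and continues outside this hunk.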