The buildkit internal provenance v0.2 attestations are non-reproducible
(by design), but are added to the manifest index. Because of that, the digest of
the container tag (that tags the index manifest) is not reproducible.
As we now have the better external (and signed) provenance v1
attestations that describe the whole GitHub Actions execution and point to
the index manifest, we now solely use those. This is a more standard
approach to attesting builds using a sigstore bundle (which uses the OCI
registry v2 referrer mechanism).
With this patch, the digest of our tagged containers should finally be
reproducible across all (identical) kas forks.
Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
.github/workflows/master.yml | 2 +-
.github/workflows/next.yml | 2 +-
.github/workflows/release.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 797ec44ef..206de997e 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -48,7 +48,7 @@ jobs:
build-args: |
SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
DEBIAN_TAG=${{ env.DEBIAN_TAG }}
- provenance: mode=max,reproducible=true
+ provenance: false
outputs: type=registry,rewrite-timestamp=true
tags:
ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
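Review bot: the hunk removes the only in-workflow reference to build provenance, but nothing in the surrounding context records why `provenance: false` is set, so a later maintainer tidying the workflow is likely to re-enable it and silently break the digest reproducibility this patch is meant to deliver. Suggest a one-line YAML comment above the key, e.g. `# disabled on purpose: buildkit's v0.2 attestation is non-reproducible and would change the index digest; provenance comes from the signed external v1 attestation`, so the rationale in the commit message survives in the file itself.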
diff --git a/.github/workflows/next.yml b/.github/workflows/next.yml
index 7d4f2d544..b30644171 100644
--- a/.github/workflows/next.yml
+++ b/.github/workflows/next.yml
@@ -109,7 +109,7 @@ jobs:
build-args: |
SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
DEBIAN_TAG=${{ env.DEBIAN_TAG }}
- provenance: mode=max,reproducible=true
+ provenance: false
outputs: type=registry,rewrite-timestamp=true
tags:
ghcr.io/${{ github.repository }}/${{ matrix.image-name }}:next
annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
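Review bot: setting the key to the explicit value `false` (rather than dropping the `provenance:` line entirely) is the right choice here, and worth calling out in review: docker/build-push-action attaches a minimal provenance attestation by default when no `provenance` input is given, which would still land in the index and keep the `:next` tag digest non-reproducible. Since this hunk leaves `outputs: type=registry,rewrite-timestamp=true` and the `SOURCE_DATE_EPOCH` build-arg in place, the remaining reproducibility inputs are unchanged; please confirm the `:next` workflow also carries the external signed provenance step referenced in the commit message, as it is outside the shown context.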
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 36115fecf..97164e3f9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,7 +38,7 @@ jobs:
build-args: |
SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
DEBIAN_TAG=${{ env.DEBIAN_TAG }}
- provenance: mode=max,reproducible=true
+ provenance: false
outputs: type=registry,rewrite-timestamp=true
tags: |
ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
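Review bot: with the in-image attestation gone, the only binding between the release tag's index digest and its provenance is the external v1 attestation that "points to the index manifest" per the commit message; that step is not visible in this hunk, so the reviewer should verify that the release workflow resolves the pushed index digest (not the tag) when producing the sigstore bundle, otherwise a later re-push under the same tag would detach the attestation from what consumers pull. Also note that cross-fork digest equality additionally depends on every fork supplying the identical `SOURCE_DATE_EPOCH` and `DEBIAN_TAG` values shown in the context lines; documenting that in the release workflow would make the reproducibility claim checkable.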
--
2.39.2