.github: Pin docker buildx version to v0.9.1 #23206
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
joestringer
added
the
release-note/misc
maintainer-s-little-helper
bot
added
dont-merge/needs-release-note-label
|
From @aanm:
|
|
Failed with buildx v0.10.0: https://github.com/cilium/cilium/actions/runs/3963537803/jobs/6791477015 Looks like attestation landed in the image despite turning it off: EDIT: We can see in the workflow file from the same run that provenance should be disabled: https://github.com/cilium/cilium/actions/runs/3963537803/workflow |
|
build-images-ci is using
So I guess the changes in this PR are ignored by CI. |
joestringer
force-pushed
the
pr/joe/buildx-provenance
branch
from
12251ba
to
0d6ebe1
Compare
joestringer
added
the
dont-merge/preview-only
|
Latest failure: https://github.com/cilium/cilium/actions/runs/3963649065/jobs/6791721533 Again, the workflow file shows that provenance should be disabled, but it's not: 🤷 either I'm messing up the configuration, or the provenance feature cannot be disabled by the upstream plugin. I'm going to try switching to an approach where we just pin the docker buildx version to an older version. |
Somewhere between the combination of GitHub action
docker/build-push-action v3.3.0 and Docker buildx version v0.10.0,
provenance attestation was transparently added into the build process
for new images. Unfortunately, since we already have SBOM generation
steps in our workflows, this would break the workflows. The existing
workflows would attempt to pull the images with provenance and then
generate an SBOM from that existing attestation. This would lead to a
message like the following in CI image builds:
level=fatal msg="generating doc: creating SPDX document: generating
SPDX package from image ref quay.io/cilium/docker-plugin-ci:XXX:
generating image package"
I tried disabling provenance in the docker/build-push-action, but
apparently it just ignored such requests and pushed the attestation into
the image anyway. So, this commit attempts to revert buildx back to
v0.9.1 to prevent it from generating those artifacts.
This is a quick-and-dirty hack to stabilize CI for the short term, then
we can figure out over time how to properly resolve the conflict between
these systems.
Signed-off-by: Joe Stringer <joe@cilium.io>
joestringer
force-pushed
the
pr/joe/buildx-provenance
branch
from
0d6ebe1
to
2076586
Compare
joestringer
changed the title
joestringer
removed
the
dont-merge/preview-only
|
Looks like that did the trick, the CI action pulled docker buildx v0.9.1: https://github.com/cilium/cilium/actions/runs/3963731211/jobs/6791899664 |
christarazi
approved these changes
Jan 20, 2023
joestringer
added
needs-backport/1.11
needs-backport/1.13
sayboras
approved these changes
Jan 20, 2023
There was a problem hiding this comment.
Docker buildx is just bumped to v0.10.0 today actions/runner-images#6941, so that probably explains mixed versions as part of transition.
aanm
approved these changes
Jan 20, 2023
|
Pinning did not seem to fix the issue. We are removing SBOM in #23204 until we find a better fix. Should we revert this? |
|
This isn't working because we set |
joestringer
removed
needs-backport/1.11
needs-backport/1.13
|
Dropping backport labels in favour of #23220 . |
joestringer
added
release-note/ci
This was referenced Jan 20, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Somewhere between the combination of GitHub action
docker/build-push-action v3.3.0 and Docker buildx version v0.10.0,
provenance attestation was transparently added into the build process
for new images. Unfortunately, since we already have SBOM generation
steps in our workflows, this would break the workflows. The existing
workflows would attempt to pull the images with provenance and then
generate an SBOM from that existing attestation. This would lead to a
message like the following in CI image builds:
I tried disabling provenance in the docker/build-push-action, but
apparently it just ignored such requests and pushed the attestation into
the image anyway. So, this commit attempts to revert buildx back to
v0.9.1 to prevent it from generating those artifacts.
This is a quick-and-dirty hack to stabilize CI for the short term, then
we can figure out over time how to properly resolve the conflict between
these systems.