From 4b8b2973db354586585489bc3eaeaaee425374b0 Mon Sep 17 00:00:00 2001 From: technowhizz <7688823+technowhizz@users.noreply.github.com> Date: Tue, 5 Sep 2023 16:57:13 +0100 Subject: [PATCH 1/4] Add flag to disable provenance Adds a flag to disable build attestations/provenance. This causes issues on some clouds and so is defaulted to `false`. Whether or not it is enabled can be changed with the github_buildx_enable_provenance variable. Co-authored-by: Will Szumski --- roles/github/README.md | 4 +++- roles/github/defaults/main.yml | 2 ++ roles/github/templates/build-kayobe-docker-image.yml.j2 | 3 +++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/roles/github/README.md b/roles/github/README.md index 0f85c6e..d6d3ef2 100644 --- a/roles/github/README.md +++ b/roles/github/README.md @@ -40,7 +40,7 @@ The following variables can be used to make small adjustments to the composition `github_image_name`: name of the kayobe image defaults to `kayobe`. -`github_image_tag`: tag used to select kayobe image defaults to `latest` +`github_image_tag`: tag used to select kayobe image defaults to `latest` `github_registry_username`: username used to authenticate with the docker registry. @@ -63,6 +63,8 @@ github_buildx_inline_config: | If you wish to make more impactful changes such as which workflows are built and what they contain then see the list of dictionaries called `workflows` in `defaults/main.yml` +`github_buildx_enable_provenance`: whether or not to enable build attestations/provenence. This causes issues on some clouds and so is defaulted to `false`. + `github_workflows:` is a list of dictionaries that contains each of the workflows described above. A given list element is made up of the following: - `name`: the name which the workflow shall refer to itself as within GitHub workflows user interface. diff --git a/roles/github/defaults/main.yml b/roles/github/defaults/main.yml index 04457d6..97549a3 100644 --- a/roles/github/defaults/main.yml 
+++ b/roles/github/defaults/main.yml @@ -25,6 +25,8 @@ github_buildx_inline_config: "" github_timeout: 360 +github_buildx_enable_provenance: false + github_kayobe_limit_input: | kayobeLimit: description: | diff --git a/roles/github/templates/build-kayobe-docker-image.yml.j2 b/roles/github/templates/build-kayobe-docker-image.yml.j2 index 4f12780..da11114 100644 --- a/roles/github/templates/build-kayobe-docker-image.yml.j2 +++ b/roles/github/templates/build-kayobe-docker-image.yml.j2 @@ -57,6 +57,9 @@ jobs: tags: | %% github_registry_url %%/%% github_image_name %%:latest %% github_registry_url %%/%% github_image_name %%:${{ github.sha }} +<% if not github_buildx_enable_provenance %> + provenance: false +<% endif %> <% if github_final_hook | length >= 1 +%> %% github_final_hook | indent(width=6, first=false) -%% <% endif %> From 796a27592e732b4470a7b6025e299cec04470253 Mon Sep 17 00:00:00 2001 From: Dawud <7688823+technowhizz@users.noreply.github.com> Date: Wed, 6 Sep 2023 14:12:46 +0100 Subject: [PATCH 2/4] Update roles/github/README.md Co-authored-by: Jack Hodgkiss --- roles/github/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/github/README.md b/roles/github/README.md index d6d3ef2..fc14d20 100644 --- a/roles/github/README.md +++ b/roles/github/README.md 
@@ -63,7 +63,7 @@ github_buildx_inline_config: | If you wish to make more impactful changes such as which workflows are built and what they contain then see the list of dictionaries called `workflows` in `defaults/main.yml` -`github_buildx_enable_provenance`: whether or not to enable build attestations/provenence. This causes issues on some clouds and so is defaulted to `false`. +`github_buildx_enable_provenance`: whether or not to enable build attestations/provenence. This has been [noted](https://github.com/docker/build-push-action/releases/tag/v4.1.1) to cause issues with docker registries such as Pulp. Default to false. `github_workflows:` is a list of dictionaries that contains each of the workflows described above. A given list element is made up of the following: From bff6590d00859ddcaa8c209c70cac9181b58d879 Mon Sep 17 00:00:00 2001 From: Dawud <7688823+technowhizz@users.noreply.github.com> Date: Wed, 6 Sep 2023 14:12:52 +0100 Subject: [PATCH 3/4] Update roles/github/defaults/main.yml Co-authored-by: Jack Hodgkiss --- roles/github/defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/github/defaults/main.yml b/roles/github/defaults/main.yml index 97549a3..c676dfb 100644 --- a/roles/github/defaults/main.yml +++ b/roles/github/defaults/main.yml @@ -23,10 +23,9 @@ github_final_hook: "" github_buildx_inline_config: "" -github_timeout: 360 - github_buildx_enable_provenance: false +github_timeout: 360 github_kayobe_limit_input: | kayobeLimit: description: | From e6654e4c8d959da8db8abbee853f650b07fcc392 Mon Sep 17 00:00:00 2001 From: Dawud <7688823+technowhizz@users.noreply.github.com> Date: Wed, 6 Sep 2023 14:19:56 +0100 Subject: [PATCH 4/4] Update roles/github/defaults/main.yml Co-authored-by: Jack Hodgkiss --- roles/github/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/github/defaults/main.yml b/roles/github/defaults/main.yml index c676dfb..6fc99ba 100644 --- a/roles/github/defaults/main.yml 
+++ b/roles/github/defaults/main.yml @@ -26,6 +26,7 @@ github_buildx_inline_config: "" github_buildx_enable_provenance: false github_timeout: 360 + github_kayobe_limit_input: | kayobeLimit: description: |
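Review bot: In the `roles/github/templates/build-kayobe-docker-image.yml.j2` hunk of PATCH 1/4, the guard `<% if not github_buildx_enable_provenance %>` tests raw truthiness, so a value that reaches the template as a string (for example `-e github_buildx_enable_provenance=false`) is truthy and `provenance: false` is not emitted, which is the opposite of what the operator asked for. Cast it explicitly with `<% if not github_buildx_enable_provenance | bool %>`. It is also worth a short comment in the template that when the variable is true nothing is written and the action's own default applies, since the flag name reads as if it forces provenance on.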
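Review bot: In the `roles/github/README.md` hunks (PATCH 1/4 at `@@ -63,6 +63,8 @@`, reworded in PATCH 2/4), the new `github_buildx_enable_provenance` entry sits after the sentence that introduces the `workflows` list and before `github_workflows:`, so it separates that lead-in from the thing it introduces; move it up with the other single-value variables, next to `github_buildx_inline_config`. "provenence" is misspelled in both versions of the line, and "Default to false." in PATCH 2/4 should read "Defaults to `false`." to match the other entries. Since the default turns build attestations off, the entry should also say that images built with the default carry no provenance attestation and that deployments whose registry accepts it should set the variable to `true`.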
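Review bot: The `roles/github/defaults/main.yml` hunks in PATCH 3/4 and PATCH 4/4 only reorder `github_timeout: 360` and adjust blank lines around the variable added in PATCH 1/4, so they should be squashed into that commit rather than kept as separate "Update roles/github/defaults/main.yml" commits. Going by the hunks, the end result leaves `github_buildx_enable_provenance: false` directly above `github_timeout: 360` with no blank line between them, while the neighbouring defaults are blank-line separated; keep one blank line there, and place the new variable directly under `github_buildx_inline_config: ""` so the two buildx settings stay together.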