
gha cache breaks provenance

Open jkreileder opened this issue 1 year ago • 2 comments

The gha cache seems to break provenance. At least as far as the Docker Scout service is concerned.

Noticed while playing around with the build-push-action and the attests, sbom, and provenance settings. No matter what I did, the Docker Scout scan always showed 2 failing checks for the images, while builds from macOS with the same options passed all checks:


In the end it turned out that removing

          cache-from: type=gha
          cache-to: type=gha,mode=max

fixed the problem. (Clearing the gha cache only fixes the problem for the next build, but it breaks again on further builds with the same attestation options.)

If this is indeed the expected behavior, it should at least be documented.

(Tested with v0.11.2 and v0.12.0)

jkreileder avatar Dec 19 '23 19:12 jkreileder

cc @cdupuis who reported a similar case internally.

Based on internal discussion, this is likely coming from some case where the image layers record goes missing from the provenance attestation for a cached build.

We would need a reproducer, hopefully with --cache-to type=local or --cache-to type=registry, as the exact gha state is very hard to control/reset/inspect, showing how the provenance attestation loses some data.

tonistiigi avatar Dec 22 '23 22:12 tonistiigi
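An added check (not code from the issue or from BuildKit) for the kind of evidence requested above: given the provenance statement of an uncached build and of a cached build, it lists the image's manifest layers that the provenance no longer records. It assumes the per-step layer records live under the BuildKit metadata extension key `layers` (as emitted by mode=max provenance); all digests and statements below are constructed placeholders.

```python
import json
from typing import Iterable, List, Set

BUILDKIT_META = "https://mobyproject.org/buildkit@v1#metadata"


def from_imagetools_json(text: str) -> dict:
    """Parse `docker buildx imagetools inspect --format '{{json .Provenance}}'` output.
    Assumption: single-platform output is {"SLSA": <in-toto statement>}; a bare
    statement is accepted as-is."""
    doc = json.loads(text)
    return doc.get("SLSA", doc)


def provenance_layer_digests(statement: dict) -> Set[str]:
    """Collect every layer digest recorded under metadata.<BUILDKIT_META>.layers,
    assumed layout: {step_id: [[{digest, size, ...}, ...], ...]} (one list per platform)."""
    meta = statement.get("predicate", {}).get("metadata", {})
    layers = meta.get(BUILDKIT_META, {}).get("layers", {})
    return {desc["digest"] for step in layers.values() for platform in step for desc in platform}


def missing_layer_records(statement: dict, manifest_layers: Iterable[str]) -> List[str]:
    """Manifest layer digests that the provenance does not account for (empty when complete)."""
    recorded = provenance_layer_digests(statement)
    return [d for d in manifest_layers if d not in recorded]


# Constructed sample data: placeholder digests, not real image content.
MANIFEST_LAYERS = ["sha256:" + "a" * 64, "sha256:" + "b" * 64]


def _statement(layers: dict) -> dict:
    return {"_type": "https://in-toto.io/Statement/v0.1",
            "predicateType": "https://slsa.dev/provenance/v0.2",
            "predicate": {"buildType": "https://mobyproject.org/buildkit@v1",
                          "metadata": {BUILDKIT_META: {"layers": layers}}}}


# Uncached build: both steps' layers are recorded; cached build: the COPY step's record is gone.
FULL_BUILD = _statement({"step0:0": [[{"digest": MANIFEST_LAYERS[0], "size": 3}]],
                         "step1:0": [[{"digest": MANIFEST_LAYERS[1], "size": 4}]]})
CACHED_BUILD = _statement({"step0:0": [[{"digest": MANIFEST_LAYERS[0], "size": 3}]]})

if __name__ == "__main__":
    for name, st in (("uncached", FULL_BUILD), ("cached", CACHED_BUILD)):
        print(name, "missing layer records:", missing_layer_records(st, MANIFEST_LAYERS))
```

Feed it the real statements from two builds (one with --cache-to/--cache-from type=local, one without) and the layer list from `docker buildx imagetools inspect --raw`; a non-empty result for only the cached build is the data loss the request asks to demonstrate.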

No test case yet. But I'm not sure if this bug is even valid. The problem might be with the Scout service.

Even this short example gives me only 5/6, with the supply chain attestation check failing, although sbom and provenance are there.

$ docker builder version
github.com/docker/buildx v0.12.0-desktop.2 c5a13b51c1ae9358eb691e9a21c955590e26d0a0
$ cat Dockerfile
# syntax = docker/dockerfile:1.6.0
ARG BUILDKIT_SBOM_SCAN_CONTEXT=true
FROM alpine:3.18
COPY --link foo.txt .
CMD ["cat", "foo.txt"]
$ cat foo.txt
Hello, world!
Hello, world!
Hello, world!
Hello, world!
$ docker buildx build -t jkreileder/test:helloworld-3 --sbom true --provenance true --pull --push .

Not sure where to report this. The feedback link only leads me to a protected Google form. You probably have better connections there anyway.

jkreileder avatar Dec 23 '23 22:12 jkreileder