Merge pull request #61 from LaurentGoderre/provenance-builder

Specify the builder id for provenance
docker-library · Oct 11, 2024 · e22b5e2 · e22b5e2
2 parents 2084a63 + 8937e38
commit e22b5e2
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/.test/meta-commands/out.sh b/.test/meta-commands/out.sh
@@ -5,7 +5,7 @@
 # <build>
 SOURCE_DATE_EPOCH=1700741054 \
 	docker buildx build --progress=plain \
-	--provenance=mode=max \
+	--provenance=mode=max,builder-id='https://github.com/docker-library' \
 	--output '"type=oci","dest=temp.tar"' \
 	--annotation 'org.opencontainers.image.source=https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/cli' \
 	--annotation 'org.opencontainers.image.revision=6d541d27b5dd12639e5a33a675ebca04d3837d74' \

diff --git a/doi.jq b/doi.jq
@@ -151,6 +151,12 @@ def _sbom_subset:
 	]
 ;
 
+# https://github.com/docker-library/meta-scripts/pull/61 (for lack of better documentation for setting this in buildkit)
+# https://slsa.dev/provenance/v0.2#builder.id
+def buildkit_provenance_builder_id:
+	"https://github.com/docker-library"
+;
+
 # input: "build" object (with "buildId" top level key)
 # output: boolean
 def build_should_sbom:

diff --git a/meta.jq b/meta.jq
@@ -141,7 +141,7 @@ def build_command:
 					@sh "SOURCE_DATE_EPOCH=\(.source.entry.SOURCE_DATE_EPOCH)",
 					# TODO EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=<(jq ...)
 					"docker buildx build --progress=plain",
-					"--provenance=mode=max",
+					@sh "--provenance=mode=max,builder-id=\(buildkit_provenance_builder_id)",
 					if build_should_sbom then
 						"--sbom=generator=\"$BASHBREW_BUILDKIT_SBOM_GENERATOR\""
 					else empty end,