ci: drop buildkit provenance attestations
The buildkit internal provenance v0.2 attestations are non-reproducible
(by design), but are added to the manifest index. As a result, the digest of the
container tag (which tags the index manifest) is not reproducible.

As we now have the better external (and signed) provenance v1
attestations that describe the whole GitHub Actions execution and point to
the index manifest, we now use those exclusively. This is a more standard
approach to attesting builds using a Sigstore bundle (which uses the OCI
registry v2 referrer mechanism).

With this patch, the digest of our tagged containers should finally be
reproducible across all (identical) kas forks.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
fmoessbauer authored and jan-kiszka committed May 16, 2024
1 parent 16e0446 commit 64e1daf
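The commit message argues that the in-band BuildKit attestation manifest is what makes the tag digest differ between otherwise identical builds. The script below, added here as an illustration and not part of kas or of this commit, makes that mechanism checkable: it finds BuildKit attestation descriptors in an OCI image index (BuildKit marks them with the `vnd.docker.reference.type: attestation-manifest` annotation, a `vnd.docker.reference.digest` pointing at the image manifest they cover, and an `unknown/unknown` platform), strips them, and compares the digests two builds would resolve to with and without them. Python is used instead of a `jq` one-liner so it runs offline; the two sample indexes, all digests and sizes in it are constructed, and `canonical()` re-serialises the samples only because they never left this process.

```python
"""Find BuildKit in-band attestation manifests in an OCI image index and show
how they change the digest a tag resolves to.

Added example, not kas project code. Sample indexes are constructed to look
like what buildx pushes with `provenance: mode=max`; digests are made up.
For a real image, hash the raw bytes from
`docker buildx imagetools inspect --raw <image>:<tag>` instead of re-serialising.
"""
import hashlib
import json

# Annotations BuildKit puts on attestation descriptors inside an image index.
REF_TYPE = "vnd.docker.reference.type"
REF_DIGEST = "vnd.docker.reference.digest"
ATTESTATION = "attestation-manifest"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"


def blob_digest(raw: bytes) -> str:
    """Registry digest of a manifest or index: sha256 over the exact stored bytes."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def canonical(obj: dict) -> bytes:
    """Deterministic serialisation for the constructed samples only. A registry
    hashes the bytes as pushed, so never re-serialise an index you fetched."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def attestation_manifests(index: dict) -> list[dict]:
    """Descriptors carrying BuildKit attestations (provenance, SBOM)."""
    return [
        d for d in index.get("manifests", [])
        if d.get("annotations", {}).get(REF_TYPE) == ATTESTATION
    ]


def strip_attestations(index: dict) -> dict:
    """The index as it would look with in-band attestations disabled."""
    atts = attestation_manifests(index)
    return {**index, "manifests": [d for d in index.get("manifests", []) if d not in atts]}


def dangling_attestations(index: dict) -> list[str]:
    """Attestation descriptors whose subject digest is not an image manifest here."""
    subjects = {d["digest"] for d in strip_attestations(index)["manifests"]}
    return [
        d["digest"] for d in attestation_manifests(index)
        if d.get("annotations", {}).get(REF_DIGEST) not in subjects
    ]


def sample_index(attestation_digest: str) -> dict:
    """Constructed index: one reproducible linux/amd64 image manifest plus one
    attestation manifest. Only the attestation digest varies between builds."""
    image = {
        "mediaType": OCI_MANIFEST,
        "digest": "sha256:" + "11" * 32,  # made up; identical across builds
        "size": 1234,
        "platform": {"architecture": "amd64", "os": "linux"},
    }
    attestation = {
        "mediaType": OCI_MANIFEST,
        "digest": attestation_digest,  # made up; differs per build
        "size": 567,
        "platform": {"architecture": "unknown", "os": "unknown"},
        "annotations": {REF_TYPE: ATTESTATION, REF_DIGEST: image["digest"]},
    }
    return {"schemaVersion": 2, "mediaType": OCI_INDEX, "manifests": [image, attestation]}


def compare_builds(index_a: dict, index_b: dict) -> dict:
    """Digests a tag would resolve to for two builds, with and without attestations."""
    return {
        "with_attestations": (blob_digest(canonical(index_a)), blob_digest(canonical(index_b))),
        "without_attestations": (
            blob_digest(canonical(strip_attestations(index_a))),
            blob_digest(canonical(strip_attestations(index_b))),
        ),
    }


if __name__ == "__main__":
    # Two builds of the same source: the layers match, but provenance content
    # (timestamps, run identifiers) differs, so the attestation digests differ.
    build1 = sample_index("sha256:" + "aa" * 32)
    build2 = sample_index("sha256:" + "bb" * 32)
    print("attestation descriptors:", len(attestation_manifests(build1)),
          "dangling:", dangling_attestations(build1))
    for label, (d1, d2) in compare_builds(build1, build2).items():
        print(f"{label}: {'same' if d1 == d2 else 'differ'} ({d1[:19]}... vs {d2[:19]}...)")
```

`dangling_attestations()` is the extra check worth keeping around: an attestation descriptor whose `vnd.docker.reference.digest` does not match any image manifest in the same index is an attestation nothing will ever verify against, which is exactly the failure mode a consumer should treat as "no provenance".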
Showing 3 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/master.yml
Expand Up @@ -48,7 +48,7 @@ jobs:
build-args: |
SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
DEBIAN_TAG=${{ env.DEBIAN_TAG }}
provenance: mode=max,reproducible=true
provenance: false
outputs: type=registry,rewrite-timestamp=true
tags: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
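Review bot: `provenance: false` needs a YAML comment on that line, because read on its own it looks like build provenance was switched off rather than moved out of band; one line such as `# in-band buildkit provenance disabled: non-reproducible, changes the index digest; signed provenance v1 is attached via referrers` would save the next reader a trip to this commit. Note also that the dropped `reproducible=true` only governed the attestation content, so `SOURCE_DATE_EPOCH` in `build-args` and `rewrite-timestamp=true` in `outputs` are now the only reproducibility controls in this step and must not be removed independently. Finally, with no attestation manifest to wrap, a single-platform buildx push may resolve the tag to a plain image manifest rather than an index; verify that and make sure downstream tooling that expected an index copes.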
2 changes: 1 addition & 1 deletion .github/workflows/next.yml
Expand Up @@ -109,7 +109,7 @@ jobs:
build-args: |
SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
DEBIAN_TAG=${{ env.DEBIAN_TAG }}
provenance: mode=max,reproducible=true
provenance: false
outputs: type=registry,rewrite-timestamp=true
tags: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}:next
annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
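Review bot: this is the same `provenance` / `outputs` / `build-args` block as in master.yml and release.yml, edited by hand in three places; consider hoisting the build step into a reusable workflow or composite action so the provenance setting and `rewrite-timestamp=true` cannot drift between the `:next`, master and release images, since any drift would silently break the cross-fork digest equality this commit is after.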
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -38,7 +38,7 @@ jobs:
build-args: |
SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
DEBIAN_TAG=${{ env.DEBIAN_TAG }}
provenance: mode=max,reproducible=true
provenance: false
outputs: type=registry,rewrite-timestamp=true
tags: |
ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
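Review bot: nothing in this hunk shows which digest the signed provenance v1 attestation is bound to now that the in-band attestation is gone; this step should expose its result (docker/build-push-action provides an `outputs.digest` output) and the attestation step should take that digest as its subject, otherwise the bundle stored as a referrer will not match what the release tag resolves to. Since re-pushing the unsuffixed `ghcr.io/${{ github.repository }}/<image>` tag with this change moves it to a new digest, the release notes should say so for anyone who pinned or verified against the pre-patch digest.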
