From 64e1daf76b0ea31a9e1de5f2e5c99661ae570889 Mon Sep 17 00:00:00 2001
From: Felix Moessbauer
Date: Thu, 16 May 2024 00:06:03 +0200
Subject: [PATCH] ci: drop buildkit provenance attestations

The buildkit internal provenance v0.2 attestations are non-reproducible (by design), but added to the manifest index. By that, the digest of the container tag (that tags the index manifest) is not reproducible.

As we now have the better external (and signed) provenance v1 attestations that describe the whole github action execution and point to the index manifest, we now solely use that. This is a more standard approach to attest builds using a sigstore bundle (that uses the OCI registry v2 referrer mechanism).

With this patch, the digest of our tagged containers should finally be reproducible across all (identical) kas forks.

Signed-off-by: Felix Moessbauer
Signed-off-by: Jan Kiszka
---
 .github/workflows/master.yml | 2 +-
 .github/workflows/next.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 797ec44e..206de997 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -48,7 +48,7 @@ jobs:
 build-args: |
 SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
 DEBIAN_TAG=${{ env.DEBIAN_TAG }}
- provenance: mode=max,reproducible=true
+ provenance: false
 outputs: type=registry,rewrite-timestamp=true
 tags: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
 annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
diff --git a/.github/workflows/next.yml b/.github/workflows/next.yml
index 7d4f2d54..b3064417 100644
--- a/.github/workflows/next.yml
+++ b/.github/workflows/next.yml
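Review bot: The reason for `provenance: false` is not recorded in the workflow, and the previous `mode=max,reproducible=true` looks deliberate enough that a future maintainer may restore it and silently break the digest reproducibility this commit is after. A one-line comment above the key would prevent that: `# buildkit's in-index provenance is non-reproducible by design; build attestation comes from the separate signed SLSA provenance step`. The build step this hunk belongs to starts and ends outside the hunk, and the external attestation step is not visible here, so adjust the comment to name that step as it appears in this file.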
@@ -109,7 +109,7 @@ jobs:
 build-args: |
 SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
 DEBIAN_TAG=${{ env.DEBIAN_TAG }}
- provenance: mode=max,reproducible=true
+ provenance: false
 outputs: type=registry,rewrite-timestamp=true
 tags: ghcr.io/${{ github.repository }}/${{ matrix.image-name }}:next
 annotations: ${{ env.DOCKER_METADATA_OUTPUT_ANNOTATIONS }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 36115fec..97164e3f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,7 +38,7 @@ jobs:
 build-args: |
 SOURCE_DATE_EPOCH=${{ env.SOURCE_DATE_EPOCH }}
 DEBIAN_TAG=${{ env.DEBIAN_TAG }}
- provenance: mode=max,reproducible=true
+ provenance: false
 outputs: type=registry,rewrite-timestamp=true
 tags: |
 ghcr.io/${{ github.repository }}/${{ matrix.image-name }}
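Review bot: `provenance: false` removes the only attestation buildkit itself produced, so a `:next` image whose external attestation step is skipped or fails is pushed with no provenance at all, whereas the old `mode=max` value at least embedded one. The step that creates the signed provenance v1 bundle is not in this hunk; confirm it is a hard dependency of this job (fails the workflow rather than running with `continue-on-error`) and that it attests the digest emitted by this build step rather than re-resolving the tag, since `:next` is a moving tag. If both already hold, a comment next to `provenance: false` naming that step, e.g. `# provenance is attested by the <attest step id> step below, not by buildkit`, would document the dependency. The enclosing build step continues outside the hunk.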
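Review bot: Disabling buildkit provenance may change the shape of the pushed artifact, not only its digest: as far as I recall from the docker/build-push-action and buildx documentation, a single-platform build is wrapped in an OCI image index only when attestations are attached, so after this change consumers that resolved the release image as an index (or tooling that walks the index to find the image manifest) may instead receive a bare image manifest. That is inferred from the action's documented behaviour and not visible in the hunk; verify on one test push that the manifest media type is what the signing step and downstream digest consumers expect, and record the outcome in a comment such as `# provenance disabled: single-platform images are pushed as a plain manifest, not an index`. The build step and the `tags:` block scalar continue past the end of the hunk, so I cannot see whether a platform matrix makes this moot.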