Merge pull request #972 from kohkimakimoto/dev-provenance-flag

Add provenance option

Author: djmb

lib/kamal/commands/builder/base.rb

@@ -6,7 +6,7 @@ class BuilderError < StandardError; end
   delegate :argumentize, to: Kamal::Utils
   delegate \
     :args, :secrets, :dockerfile, :target, :arches, :local_arches, :remote_arches, :remote,
-    :cache_from, :cache_to, :ssh, :driver, :docker_driver?,
+    :cache_from, :cache_to, :ssh, :provenance, :driver, :docker_driver?,
     to: :builder_config
 
   def clean
@@ -37,7 +37,7 @@ def inspect_builder
   end
 
   def build_options
-    [ *build_tags, *build_cache, *build_labels, *build_args, *build_secrets, *build_dockerfile, *build_target, *build_ssh ]
+    [ *build_tags, *build_cache, *build_labels, *build_args, *build_secrets, *build_dockerfile, *build_target, *build_ssh, *builder_provenance ]
   end
 
   def build_context
@@ -97,6 +97,10 @@ def build_ssh
       argumentize "--ssh", ssh if ssh.present?
     end
 
+    def builder_provenance
+      argumentize "--provenance", provenance unless provenance.nil?
+    end
+
     def builder_config
       config.builder
     end

lib/kamal/configuration/builder.rb

@@ -111,6 +111,10 @@ def ssh
     builder_config["ssh"]
   end
 
+  def provenance
+    builder_config["provenance"]
+  end
+
   def git_clone?
     Kamal::Git.used? && builder_config["context"].nil?
   end

lib/kamal/configuration/docs/builder.yml

@@ -102,3 +102,9 @@ builder:
   #
   # The build driver to use, defaults to `docker-container`:
   driver: docker
+
+  # Provenance
+  #
+  # It is used to configure provenance attestations for the build result.
+  # The value can also be a boolean to enable or disable provenance attestations.
+  provenance: mode=max

test/commands/builder_test.rb

@@ -144,6 +144,20 @@ class CommandsBuilderTest < ActiveSupport::TestCase
       builder.push.join(" ")
   end
 
+  test "push with provenance" do
+    builder = new_builder_command(builder: { "provenance" => "mode=max" })
+    assert_equal \
+      "docker buildx build --push --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --provenance mode=max .",
+      builder.push.join(" ")
+  end
+
+  test "push with provenance false" do
+    builder = new_builder_command(builder: { "provenance" => false })
+    assert_equal \
+      "docker buildx build --push --platform linux/amd64 --builder kamal-local-docker-container -t dhh/app:123 -t dhh/app:latest --label service=\"app\" --file Dockerfile --provenance false .",
+      builder.push.join(" ")
+  end
+
   test "mirror count" do
     command = new_builder_command
     assert_equal "docker info --format '{{index .RegistryConfig.Mirrors 0}}'", command.first_mirror.join(" ")

test/configuration/builder_test.rb

@@ -134,6 +134,16 @@ class ConfigurationBuilderTest < ActiveSupport::TestCase
     assert_equal "default=$SSH_AUTH_SOCK", config.builder.ssh
   end
 
+  test "provenance" do
+    assert_nil config.builder.provenance
+  end
+
+  test "setting provenance" do
+    @deploy[:builder]["provenance"] = "mode=max"
+
+    assert_equal "mode=max", config.builder.provenance
+  end
+
   test "local disabled but no remote set" do
     @deploy[:builder]["local"] = false