Allow skipping provenance #113

Merged
merged 2 commits into from
Jan 27, 2023

ErikSchierboom
Member

This PR allows the caller to pass provenance: false to skip generating the provenance attestation.
This fixes an issue we had where our AWS lambda Docker images could not be published.

See https://stackoverflow.com/questions/65608802/cant-deploy-container-image-to-lambda-function, docker/buildx#1509 (comment), docker/build-push-action#764

Member

@ee7 ee7 left a comment

LGTM.

To others: it looks like the problem is due to the docker/build-push-action bump from 3.2.0 to 3.3.0 (which isn't present yet in main in this repo):

Buildx v0.10 enables support for a minimal SLSA Provenance attestation, which requires support for OCI-compliant multi-platform images. This may introduce issues with registry and runtime support (e.g. https://www.github.com/docker/buildx/issues/1533). You can optionally disable the default provenance attestation functionality using provenance: false.

Do we need to do this anywhere else?

https://github.com/search?q=org%3Aexercism+docker%2Fbuild-push-action&type=code

@ErikSchierboom
Member Author

I don't think we need to. There is nothing inherently wrong with provenance, it's just that Amazon ECR deploys fail for our lambdas, which apparently don't handle provenance well (we're just running Docker for the track tooling so should be fine).

@ErikSchierboom ErikSchierboom merged commit a3f8316 into main Jan 27, 2023
@ErikSchierboom ErikSchierboom deleted the build-platform-image branch January 27, 2023 10:33
@ErikSchierboom
Member Author

Status: it seems to all work!

Lines of code counter: https://github.com/exercism/lines-of-code-counter/actions/runs/4023666857
Snippet generator: https://github.com/exercism/snippet-extractor/actions/runs/4023666356
Prolog track test runner redeploy: https://github.com/exercism/prolog-test-runner/actions/runs/4023668956 (and still functional)

mdesouky added a commit to uptick/actions that referenced this pull request Jul 26, 2023
When trying to use the docker image built by the pipeline for lambda, it fails with this error: The image manifest or layer media type for the source image 305686791668.dkr.ecr.ap-southeast-2.amazonaws.com/auto-scheduler:main-e3745b8 is not supported.

This always happens on the main branch for some reason, as it was not encountered with the test tag, but nevertheless here is the issue on GitHub:
docker/buildx#1509 (comment)
exercism/github-actions#113
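
A check for the symptom discussed in this thread, as an added example (not code from this PR or from exercism/github-actions): it classifies a raw manifest, such as the output of `docker buildx imagetools inspect --raw`, and reports whether the tag points at an index carrying a buildx attestation manifest rather than at a single image. The sample manifests and digests are constructed, and the `single_image` rule assumes the consumer accepts only single-image manifests.

```python
import json

# Media types of a single-image manifest versus a multi-entry index.
SINGLE = {"application/vnd.docker.distribution.manifest.v2+json",
          "application/vnd.oci.image.manifest.v1+json"}
INDEX = {"application/vnd.docker.distribution.manifest.list.v2+json",
         "application/vnd.oci.image.index.v1+json"}
ATTESTATION = "attestation-manifest"  # buildx marks provenance entries with this value

def classify(raw: str) -> dict:
    """Classify a raw manifest document pulled from a registry."""
    doc = json.loads(raw)
    media_type = doc.get("mediaType", "")
    entries = doc.get("manifests", [])
    # An OCI index may omit mediaType; a "manifests" array still marks it as an index.
    is_index = media_type in INDEX or bool(entries)
    attestations = [
        e["digest"] for e in entries
        if e.get("annotations", {}).get("vnd.docker.reference.type") == ATTESTATION
    ]
    return {
        "media_type": media_type,
        "is_index": is_index,
        "attestations": attestations,
        "platform_images": len(entries) - len(attestations),
        # Assumption: the consumer accepts only single-image manifests.
        "single_image": not is_index and media_type in SINGLE,
    }

# Constructed samples: placeholder digests, not values from any real registry.
IMG, ATT = "sha256:" + "a" * 64, "sha256:" + "b" * 64
WITH_PROVENANCE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": IMG,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": ATT,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": ATTESTATION,
                         "vnd.docker.reference.digest": IMG}},
    ],
})
WITHOUT_PROVENANCE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"digest": IMG}, "layers": [],
})

if __name__ == "__main__":
    for name, raw in (("with", WITH_PROVENANCE), ("without", WITHOUT_PROVENANCE)):
        print(name, classify(raw))
```

Running this against a tag before and after setting provenance: false shows whether the pushed artifact changed from an index to a single-image manifest.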