Introduce new attestation exporter options#3403
Closed
jedevc wants to merge 5 commits intomoby:masterfrom
Closed
Conversation
jedevc
force-pushed
the
exporter-attestations-options
branch
from
de22d35 to
2aa3f8a
Compare
tonistiigi
reviewed
Dec 14, 2022
Member
tonistiigi
left a comment
tonistiigi
left a comment
There was a problem hiding this comment.
I'm not convinced we should remove inline-only. I think this is the correct way for client to ask for expected behavior without knowing too much about the internals. I don't mind a way to skip attestation on exporter level as well if there is a use case.
jedevc
force-pushed
the
exporter-attestations-options
branch
from
2aa3f8a to
fe28241
Compare
Member
Author
|
Removed inline-only in #3420 - we shouldn't block the rest of the changes on that. |
tonistiigi
reviewed
Dec 20, 2022
| } | ||
|
|
||
| for _, att := range attestations { | ||
| target, ok := att.Metadata[result.AttestationReasonKey] |
Member
There was a problem hiding this comment.
Not from this PR but I don't understand why this is called a "reason". It is attestation type. So why can't we just use the already existing predicate type field?
Signed-off-by: Justin Chadwell <me@jedevc.com>
This allows one implementation for all the opts parsing, similar to how we do today for the ImageCommitOpts. Additionally, we rename attestation-prefix to attestations-prefix (pluralized) to prepare for the new attestations option. Signed-off-by: Justin Chadwell <me@jedevc.com>
This option looks like a mistake added in 45fc3ed. These options aren't ever used, so we don't need to parse them, we can just silently discard them. Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Justin Chadwell <me@jedevc.com>
Instead of just the boolean true/false values, we allow the attestation option for exporters to contain an arbitrary list of "attestation reasons". Only attestations that have a reason matching the list will actually be output. This allows clients to completely detach the concepts of "what attestations to generate" and "what attestations to output". Signed-off-by: Justin Chadwell <me@jedevc.com>
jedevc
force-pushed
the
exporter-attestations-options
branch
from
fe28241 to
2488167
Compare
4 tasks
ycpss91255
added a commit
to ycpss91255-docker/template
that referenced
this pull request
Apr 24, 2026
`ARG TARGETARCH=amd64` (with a default) silently shadows BuildKit's per-platform auto-inject (moby/buildkit#3403). Consequence: every multi-arch build of this Dockerfile — including every `:vX.Y.Z` and `:latest` pushed to GHCR by release-test-tools.yaml since v0.9.10 — ran its `case` branch with TARGETARCH=amd64 *regardless of target platform*. The arm64 variant therefore shipped x86_64 shellcheck and hadolint binaries; downstream CI on arm64 runners fails at `shellcheck: Exec format error` the first time it consumes test-tools on arm64 (caught by ros1_bridge PR #27 enabling the arm64 matrix). Fix: drop the default. `ARG TARGETARCH` (bare declaration) lets BuildKit auto-inject take effect. Outside BuildKit, pass `--build-arg TARGETARCH=<arch>` explicitly — the `case` default branch already fails loud on empty TARGETARCH so nobody silently ships the wrong binaries. Regression test in template_spec.bats asserts the ARG has no default, plus the existing bare-declaration test continues to guarantee consumption is still wired. 674 → 675. Re-release plan: tag v0.10.0-rc2 after merge. release-test-tools.yaml re-runs on tag push and reissues ghcr.io/.../test-tools:v0.10.0-rc2 + :latest with correct per-arch binaries. Downstream repos on the broken v0.9.13 / v0.10.0-rc1 tags stay broken on arm64 until they bump @tag.
ycpss91255
added a commit
to ycpss91255-docker/ros1_bridge
that referenced
this pull request
Apr 24, 2026
v0.9.13's release-test-tools.yaml shipped a multi-arch ghcr.io/ycpss91255-docker/test-tools:v0.9.13 with x86_64 shellcheck / hadolint binaries in BOTH manifest variants — the `ARG TARGETARCH=amd64` default in template/dockerfile/Dockerfile.test-tools shadowed BuildKit's per-platform auto-inject (moby/buildkit#3403), so every multi-arch run fell back to amd64. This branch enabled the arm64 matrix but kept pointing at @v0.9.13, so the arm64 shard blew up at `shellcheck: Exec format error` on first run. Template v0.10.0-rc2 (#126 / #127) drops the ARG default. The rc2 GHCR image's arm64 variant contains real aarch64 binaries (verified via `docker cp` + `file`). Bumping build-worker.yaml + release- worker.yaml @tag so this PR's arm64 shard picks up the correct image.
ycpss91255
added a commit
to ycpss91255-docker/ros1_bridge
that referenced
this pull request
Apr 24, 2026
* ci: enable arm64 in build matrix (linux/amd64,linux/arm64) PR #23 rebuilt devel from a multi-arch base for Jetson support, but main.yaml never opted in to the template's arm64 build matrix — the build-worker.yaml input defaults to linux/amd64 only. As a result, every PR since #23 has only verified amd64 in CI; arm64 has been validated manually via rsync-to-Jetson. Pass platforms: linux/amd64,linux/arm64 to build-worker.yaml so CI runs both architectures in parallel (template v0.9.11 added the ubuntu-24.04-arm runner support). * ci: bump template @tag to v0.10.0-rc2 for arm64 test-tools fix v0.9.13's release-test-tools.yaml shipped a multi-arch ghcr.io/ycpss91255-docker/test-tools:v0.9.13 with x86_64 shellcheck / hadolint binaries in BOTH manifest variants — the `ARG TARGETARCH=amd64` default in template/dockerfile/Dockerfile.test-tools shadowed BuildKit's per-platform auto-inject (moby/buildkit#3403), so every multi-arch run fell back to amd64. This branch enabled the arm64 matrix but kept pointing at @v0.9.13, so the arm64 shard blew up at `shellcheck: Exec format error` on first run. Template v0.10.0-rc2 (#126 / #127) drops the ARG default. The rc2 GHCR image's arm64 variant contains real aarch64 binaries (verified via `docker cp` + `file`). Bumping build-worker.yaml + release- worker.yaml @tag so this PR's arm64 shard picks up the correct image.
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
These replace the
inline-onlyattestation fields introduce in #3342.Instead, we can now specify
attestations=<true/false/filter-list>per exporter, to enable specific attestation per exporter - the default in buildkit is set totrue. The possible values are:true: output all provided attestations from the solverfalse: output none of the provided attestations from the solverreason,[reasons]: a csv list of reasons, outputs only the attestations that were generated for one of those specified reasons, using the metadata field. e.g.--output type=...,attestations=provenancewill only include provenance attestations in the output for that exporter, even if other attestations (like SBOMs) were generated in the solver.We also update the
attestation-prefixoption to beattestation[s]-prefix- to be more aligned with the newattestationsflag.Additionally, we have a few smaller minor refactoring commits around the exporter: