@glours glours commented May 20, 2025

When building an image, by default attestations are generated and modify the image ID, which triggers a container recreation on the up and run commands even if there aren't any changes to the image content itself

What I did

  • Added the provenance attribute to the build options, which is set to true only when the build command is used
  • Removed attestation if the build is coming from the inner loop process or if the user sets none mode from the build command line

Related issue


@glours glours requested a review from a team as a code owner May 20, 2025 14:05
@glours glours requested review from crazy-max and ndeloof May 20, 2025 14:05
@glours glours self-assigned this May 20, 2025
@glours glours force-pushed the fix-build-recreate-containers branch from e6a82a0 to ac7dc8b Compare May 20, 2025 14:23

@crazy-max crazy-max left a comment

From a build tool standpoint, the provenance flag is a shorthand that can either be a bool (to enable/disable) or provenance attributes (atm only the mode attribute exists): https://docs.docker.com/build/metadata/attestations/slsa-provenance/#create-provenance-attestations

By default provenance flag is empty: https://github.com/docker/buildx/blob/ea2b7020a4645bff395eb49e4e87ef08ba24eb93/commands/build.go#L648

And it defaults to min: https://github.com/docker/buildx/blob/ea2b7020a4645bff395eb49e4e87ef08ba24eb93/build/opt.go#L153

If compose wants to use this shorthand then I think it should have the same behavior as build provenance flag.

So to summarize provenance field should be bool/string type:

  • --provenance=true: enable provenance
  • --provenance=false: disable provenance
  • --provenance=mode=xxx: set mode (xxx can be min or max)

And defaults to empty so build.Build handles the default behavior.


In the case of your fix to disable provenance in the inner loop you would just need to set Attests["provenance"] = nil to disable provenance.


Maybe it would be better to handle that first to fix the issue and implement the provenance field in another PR as it might need more thought?
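
The flag semantics summarized in the review comment above, as an added example that is not part of this PR and is not compose or buildx code. The helper name `resolveProvenance`, the `innerLoop` parameter and the `type=provenance,...` value encoding are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// resolveProvenance is a hypothetical helper, not compose or buildx code.
// Result map: key absent = builder picks its default; key present with nil
// value = provenance disabled; key present with string = attributes to apply.
// The "type=provenance,..." value encoding is an assumption for illustration.
func resolveProvenance(flag string, innerLoop bool) (map[string]*string, error) {
	attests := map[string]*string{}
	set := func(v string) { attests["provenance"] = &v }
	flag = strings.TrimSpace(flag)
	switch {
	case innerLoop:
		// Builds triggered by up/run: no attestation, so the image ID
		// only changes when the image content changes.
		attests["provenance"] = nil
	case flag == "":
		// Empty: leave the key out and let the builder decide.
	case strings.HasPrefix(flag, "mode="):
		mode := strings.TrimPrefix(flag, "mode=")
		if mode != "min" && mode != "max" {
			return nil, fmt.Errorf("invalid provenance mode %q", mode)
		}
		set("type=provenance,mode=" + mode)
	default:
		enabled, err := strconv.ParseBool(flag)
		if err != nil {
			return nil, fmt.Errorf("invalid provenance value %q", flag)
		}
		if enabled {
			set("type=provenance")
		} else {
			attests["provenance"] = nil
		}
	}
	return attests, nil
}

func main() {
	for _, f := range []string{"", "true", "false", "mode=max"} {
		a, _ := resolveProvenance(f, false)
		v, present := a["provenance"]
		fmt.Printf("%-10q present=%v disabled=%v\n", f, present, present && v == nil)
	}
}
```

The distinction between an absent key and a nil value is what lets an empty flag defer to the builder's default while `false` and inner-loop builds turn provenance off explicitly.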

…r loop

when building an image, by default attestations are generated and modify the image ID, which triggers a container recreation on up, run command even if there aren't any changes to the image content itself

Signed-off-by: Guillaume Lours <[email protected]>
@glours glours force-pushed the fix-build-recreate-containers branch 2 times, most recently from e3605e9 to e3c481b Compare May 20, 2025 15:17
@glours glours force-pushed the fix-build-recreate-containers branch from e3c481b to 0225aed Compare May 20, 2025 15:37
@glours glours requested review from crazy-max and ndeloof May 20, 2025 15:48
@glours glours merged commit 7e198ee into docker:main May 20, 2025
26 checks passed
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request May 26, 2025
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker/compose](https://github.com/docker/compose) | patch | `v2.36.1` -> `v2.36.2` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>docker/compose (docker/compose)</summary>

### [`v2.36.2`](https://github.com/docker/compose/releases/tag/v2.36.2)

[Compare Source](docker/compose@v2.36.1...v2.36.2)

#### What's Changed

##### 🐛 Fixes

-   Run ContainerStart sequentially by [@ndeloof](https://github.com/ndeloof) in docker/compose#12851
-   Only use attestation when building image outside the development inner loop by [@glours](https://github.com/glours) in docker/compose#12853
-   Report error (re)creating container by [@ndeloof](https://github.com/ndeloof) in docker/compose#12859
-   Fix `up --build` with additional_context dependency by [@ndeloof](https://github.com/ndeloof) in docker/compose#12863

##### 🔧  Internal

-   Add example provider implementation by [@ndeloof](https://github.com/ndeloof) in docker/compose#12848
-   Add `up --build` e2e test by [@ndeloof](https://github.com/ndeloof) in docker/compose#12864

##### ⚙️ Dependencies

-   Build(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 by [@dependabot](https://github.com/dependabot) in docker/compose#12857
-   Bump compose-go to v2.6.4 by [@glours](https://github.com/glours) in docker/compose#12867
-   Bump buildkit v0.22.0 and buildx v0.24.0 by [@glours](https://github.com/glours) in docker/compose#12868

**Full Changelog**: docker/compose@v2.36.1...v2.36.2

</details>

@glours glours deleted the fix-build-recreate-containers branch June 30, 2025 21:26