From 9164091c054bba1ee56185d8a2bc5725f3d0d263 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 27 Nov 2025 15:36:56 +0100
Subject: [PATCH] build: don't set max provenance on private repos
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/build.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d06eab4..91d6ecf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -309,6 +309,8 @@ jobs:
 INPUT_BUILD-TARGET: ${{ inputs.build-target }}
 with:
 script: |
+ const { GitHub } = require('@docker/actions-toolkit/lib/github');
+
 const inpPlatform = core.getInput('platform');
 const platformPairSuffix = inpPlatform ? `-${inpPlatform.replace(/\//g, '-')}` : '';
 core.setOutput('platform-pair-suffix', platformPairSuffix);
@@ -365,6 +367,15 @@ jobs:
 inpBuildLabels.push(...inpMetaLabels);
 }
 core.setOutput('labels', inpBuildLabels.join('\n'));
+
+ if (GitHub.context.payload.repository?.private ?? false) {
+ // if this is a private repository, we set the default provenance
+ // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
+ core.setOutput('provenance', 'mode=min,inline-only=true,version=v1');
+ } else {
+ // for a public repository, we set max provenance mode
+ core.setOutput('provenance', 'mode=max,version=v1');
+ }
 - name: Login to registry
 if: ${{ inputs.push && inputs.output == 'image' }}
@@ -386,7 +397,7 @@ jobs:
 labels: ${{ steps.prepare.outputs.labels }}
 outputs: ${{ steps.prepare.outputs.output }}
 platforms: ${{ steps.prepare.outputs.platform }}
- provenance: mode=max,version=v1
+ provenance: ${{ steps.prepare.outputs.provenance }}
 pull: ${{ inputs.build-pull }}
 sbom: ${{ inputs.build-sbom }}
 secret-envs: GIT_AUTH_TOKEN=GIT_AUTH_TOKEN
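Review bot: The visibility check in the new `if` of the second hunk fails open: `GitHub.context.payload.repository?.private ?? false` treats a payload with no `repository` object, or one without the `private` field, as a public repository and emits `mode=max,version=v1`, which is exactly the setting this commit is trying to keep away from private repositories because max provenance embeds more of the build context in the published attestation. Inverting the fallback, `if (GitHub.context.payload.repository?.private ?? true) {`, keeps the reduced attestation whenever visibility cannot be confirmed from the payload, and the cost of being wrong in that direction is only a less detailed attestation on a public image. Whether every event this reusable workflow runs under carries `repository.private` is not visible here, and repositories with internal visibility may not report `private: true` either, so the assumption deserves a comment on the branch such as `// fail closed: treat unknown visibility as private`. The `prepare` step's script begins before this hunk and its earlier outputs are not shown.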