build: put provenance in metadata under experimental env

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
docker · Feb 28, 2024 · eb6347c · eb6347c
1 parent 8ba3acd
commit eb6347c
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 14 deletions.
diff --git a/build/build.go b/build/build.go
@@ -816,7 +816,7 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 						rr.ExporterResponse[k] = string(v)
 					}
 					rr.ExporterResponse["buildx.build.ref"] = buildRef
-					if node.Driver.HistoryAPISupported(ctx) {
+					if confutil.IsExperimental() && node.Driver.HistoryAPISupported(ctx) {
 						if err := setRecordProvenance(ctx, c, rr, so.Ref, pw); err != nil {
 							return err
 						}

diff --git a/commands/build.go b/commands/build.go
@@ -338,7 +338,7 @@ func runBuild(ctx context.Context, dockerCli command.Cli, options buildOptions)
 	done := timeBuildCommand(mp, attributes)
 	var resp *client.SolveResponse
 	var retErr error
-	if isExperimental() {
+	if confutil.IsExperimental() {
 		resp, retErr = runControllerBuild(ctx, dockerCli, opts, options, printer)
 	} else {
 		resp, retErr = runBasicBuild(ctx, dockerCli, opts, options, printer)
@@ -589,7 +589,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 
 	flags.StringArrayVar(&options.platforms, "platform", platformsDefault, "Set target platform for build")
 
-	if isExperimental() {
+	if confutil.IsExperimental() {
 		flags.StringVar(&options.printFunc, "print", "", "Print result of information request (e.g., outline, targets)")
 		cobrautil.MarkFlagsExperimental(flags, "print")
 	}
@@ -617,7 +617,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 	flags.StringVar(&options.sbom, "sbom", "", `Shorthand for "--attest=type=sbom"`)
 	flags.StringVar(&options.provenance, "provenance", "", `Shorthand for "--attest=type=provenance"`)
 
-	if isExperimental() {
+	if confutil.IsExperimental() {
 		// TODO: move this to debug command if needed
 		flags.StringVar(&options.Root, "root", "", "Specify root directory of server to connect")
 		flags.BoolVar(&options.Detach, "detach", false, "Detach buildx server (supported only on linux)")
@@ -762,14 +762,6 @@ func (w *wrapped) Unwrap() error {
 	return w.err
 }
 
-func isExperimental() bool {
-	if v, ok := os.LookupEnv("BUILDX_EXPERIMENTAL"); ok {
-		vv, _ := strconv.ParseBool(v)
-		return vv
-	}
-	return false
-}
-
 func updateLastActivity(dockerCli command.Cli, ng *store.NodeGroup) error {
 	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {

diff --git a/commands/root.go b/commands/root.go
@@ -7,6 +7,7 @@ import (
 	imagetoolscmd "github.com/docker/buildx/commands/imagetools"
 	"github.com/docker/buildx/controller/remote"
 	"github.com/docker/buildx/util/cobrautil/completion"
+	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/logutil"
 	"github.com/docker/cli-docs-tool/annotation"
 	"github.com/docker/cli/cli"
@@ -63,7 +64,7 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		"using default config store",
 	))
 
-	if !isExperimental() {
+	if confutil.IsExperimental() {
 		cmd.SetHelpTemplate(cmd.HelpTemplate() + "\nExperimental commands and flags are hidden. Set BUILDX_EXPERIMENTAL=1 to show them.\n")
 	}
 
@@ -96,7 +97,7 @@ func addCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		duCmd(dockerCli, opts),
 		imagetoolscmd.RootCmd(dockerCli, imagetoolscmd.RootOptions{Builder: &opts.builder}),
 	)
-	if isExperimental() {
+	if confutil.IsExperimental() {
 		cmd.AddCommand(debugcmd.RootCmd(dockerCli,
 			newDebuggableBuild(dockerCli, opts),
 		))

diff --git a/docs/reference/buildx_build.md b/docs/reference/buildx_build.md
@@ -327,6 +327,7 @@ $ cat metadata.json
 
 ```json
 {
+  "buildx.build.provenance": {},
   "buildx.build.ref": "mybuilder/mybuilder0/0fjb6ubs52xx3vygf6fgdl611",
   "containerimage.config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
   "containerimage.descriptor": {
@@ -342,6 +343,13 @@ $ cat metadata.json
 }
 ```
 
+> **Note**
+>
+> Build record [provenance](https://docs.docker.com/build/attestations/slsa-provenance/#provenance-attestation-example)
+> (`buildx.build.provenance`) is not included by default. Set the
+> `BUILDX_EXPERIMENTAL=1` environment variable to include provenance in the
+> metadata file.
+
 ### <a name="no-cache-filter"></a> Ignore build cache for specific stages (--no-cache-filter)
 
 The `--no-cache-filter` lets you specify one or more stages of a multi-stage