only use attestation when building image outside the development inner loop

when building a image, by default attestation are generated and modify the image ID which trigger a container recreation on up, run command even if there isn't any changes on the image content itself Signed-off-by: Guillaume Lours <705411+glours@users.noreply.github.com>
2025-05-20 16:00:33 +02:00 · 2025-05-20 16:00:33 +02:00 · 0566431c64
parent 4f6cc2a330
commit 0566431c64
5 changed files with 50 additions and 24 deletions
--- a/cmd/compose/build.go
+++ b/cmd/compose/build.go
@ -35,17 +35,18 @@ import (

 type buildOptions struct {
 	*ProjectOptions
-	quiet   bool
-	pull    bool
-	push    bool
-	args    []string
-	noCache bool
-	memory  cliopts.MemBytes
-	ssh     string
-	builder string
-	deps    bool
-	print   bool
-	check   bool
+	quiet      bool
+	pull       bool
+	push       bool
+	args       []string
+	noCache    bool
+	memory     cliopts.MemBytes
+	ssh        string
+	builder    string
+	deps       bool
+	print      bool
+	check      bool
+	provenance string
 }

 func (opts buildOptions) toAPIBuildOptions(services []string) (api.BuildOptions, error) {
@ -69,20 +70,27 @@ func (opts buildOptions) toAPIBuildOptions(services []string) (api.BuildOptions,
 	if uiMode == ui.ModeJSON {
 		uiMode = "rawjson"
 	}
+	var provenance *string
+	// empty when set by up, run or create functions and "none" when set by the user from the build command
+	if opts.provenance != "" && opts.provenance != "none" {
+		provenance = &opts.provenance
+	}
+
 	return api.BuildOptions{
-		Pull:     opts.pull,
-		Push:     opts.push,
-		Progress: uiMode,
-		Args:     types.NewMappingWithEquals(opts.args),
-		NoCache:  opts.noCache,
-		Quiet:    opts.quiet,
-		Services: services,
-		Deps:     opts.deps,
-		Memory:   int64(opts.memory),
-		Print:    opts.print,
-		Check:    opts.check,
-		SSHs:     SSHKeys,
-		Builder:  builderName,
+		Pull:       opts.pull,
+		Push:       opts.push,
+		Progress:   uiMode,
+		Args:       types.NewMappingWithEquals(opts.args),
+		NoCache:    opts.noCache,
+		Quiet:      opts.quiet,
+		Services:   services,
+		Deps:       opts.deps,
+		Memory:     int64(opts.memory),
+		Print:      opts.print,
+		Check:      opts.check,
+		SSHs:       SSHKeys,
+		Builder:    builderName,
+		Provenance: provenance,
 	}, nil
 }

@ -123,6 +131,7 @@ func buildCommand(p *ProjectOptions, dockerCli command.Cli, backend api.Service)
 	flags.StringVar(&opts.ssh, "ssh", "", "Set SSH authentications used when building service images. (use 'default' for using your default SSH Agent)")
 	flags.StringVar(&opts.builder, "builder", "", "Set builder to use")
 	flags.BoolVar(&opts.deps, "with-dependencies", false, "Also build dependencies (transitively)")
+	flags.StringVar(&opts.provenance, "provenance", "min", "Set provenance mode (none|min|max)")

 	flags.Bool("parallel", true, "Build images in parallel. DEPRECATED")
 	flags.MarkHidden("parallel") //nolint:errcheck
--- a/docs/reference/compose_build.md
+++ b/docs/reference/compose_build.md
@ -22,6 +22,7 @@ run `docker compose build` to rebuild it.
 | `-m`, `--memory`      | `bytes`       | `0`     | Set memory limit for the build container. Not supported by BuildKit.                                        |
 | `--no-cache`          | `bool`        |         | Do not use cache when building the image                                                                    |
 | `--print`             | `bool`        |         | Print equivalent bake file                                                                                  |
+| `--provenance`        | `string`      | `max`   | Set provenance mode (none\|min\|max)                                                                        |
 | `--pull`              | `bool`        |         | Always attempt to pull a newer version of the image                                                         |
 | `--push`              | `bool`        |         | Push service images                                                                                         |
 | `-q`, `--quiet`       | `bool`        |         | Don't print anything to STDOUT                                                                              |
--- a/docs/reference/docker_compose_build.yaml
+++ b/docs/reference/docker_compose_build.yaml
@ -126,6 +126,16 @@ options:
      experimentalcli: false
      kubernetes: false
      swarm: false
+    - option: provenance
+      value_type: string
+      default_value: max
+      description: Set provenance mode (none|min|max)
+      deprecated: false
+      hidden: false
+      experimental: false
+      experimentalcli: false
+      kubernetes: false
+      swarm: false
    - option: pull
      value_type: bool
      default_value: "false"
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@ -159,6 +159,8 @@ type BuildOptions struct {
 	Print bool
 	// Check let builder validate build configuration
 	Check bool
+	// Provenance
+	Provenance *string
 }

 // Apply mutates project according to build options
--- a/pkg/compose/build.go
+++ b/pkg/compose/build.go
@ -481,6 +481,9 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 		return build.Options{}, err
 	}

+	attests := map[string]*string{}
+	attests["provenance"] = options.Provenance
+
 	return build.Options{
 		Inputs: build.Inputs{
 			ContextPath:      service.Build.Context,
@ -504,6 +507,7 @@ func (s *composeService) toBuildOptions(project *types.Project, service types.Se
 		Session:      sessionConfig,
 		Allow:        allow,
 		SourcePolicy: sp,
+		Attests:      attests,
 	}, nil
 }