bake: don't set max provenance on private repos

crazy-max · crazy-max · commit 9c4ab1292bc8 · 2025-11-27T15:29:55.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
@@ -363,6 +363,7 @@ jobs:
           script: |
             const os = require('os');
             const { Bake } = require('@docker/actions-toolkit/lib/buildx/bake');
+            const { GitHub } = require('@docker/actions-toolkit/lib/github');
             const { Util } = require('@docker/actions-toolkit/lib/util');
             
             const inpPlatform = core.getInput('platform');
@@ -456,7 +457,15 @@ jobs:
             
             let bakeOverrides = [...inpBakeSet, outputOverride];
             await core.group(`Set bake overrides`, async () => {
-              bakeOverrides.push('*.attest=type=provenance,mode=max,version=v1', '*.tags=');
+              bakeOverrides.push('*.tags=');
+              if (GitHub.context.payload.repository?.private ?? false) {
+                // if this is a private repository, we set the default provenance
+                // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
+                bakeOverrides.push('*.attest=type=provenance,mode=min,inline-only=true,version=v1');
+              } else {
+                // for a public repository, we set max provenance mode
+                bakeOverrides.push('*.attest=type=provenance,mode=max,version=v1');
+              }
               if (inpPlatform) {
                 bakeOverrides.push(`*.platform=${inpPlatform}`);
               }
@@ -532,7 +541,8 @@ jobs:
         with:
           script: |
             // FIXME: remove once https://github.com/docker/github-builder-experimental/issues/30 is resolved
-            await new Promise(resolve => setTimeout(resolve, 3000));
+            await new Promise(resolve => setTimeout(resolve, 2000));
+            
             const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore');
             
             const inpImageNames = core.getMultilineInput('image-names');
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -424,7 +424,8 @@ jobs:
         with:
           script: |
             // FIXME: remove once https://github.com/docker/github-builder-experimental/issues/30 is resolved
-            await new Promise(resolve => setTimeout(resolve, 3000));
+            await new Promise(resolve => setTimeout(resolve, 2000));
+            
             const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore');
             
             const inpImageNames = core.getMultilineInput('image-names');
