controller: handle attestation options across api

We can perform all attestation processing, handling how the sbom and provenance arguments interact on the client, while applying defaults on the server. Additionally, this allows us to start pulling fields out of CommonOpts. Signed-off-by: Justin Chadwell <me@jedevc.com>
2025-07-09 21:17:09 +08:00 · 2023-02-15 14:24:09 +00:00
parent 0b8f0264b0
commit c2e11196dd
9 changed files with 274 additions and 204 deletions
--- a/commands/bake.go
+++ b/commands/bake.go
@ -24,9 +24,11 @@ import (
 )

 type bakeOptions struct {
-	files     []string
-	overrides []string
-	printOnly bool
+	files      []string
+	overrides  []string
+	printOnly  bool
+	sbom       string
+	provenance string
 	controllerapi.CommonOptions
 }

@ -76,11 +78,11 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions, cFlags com
 	if cFlags.pull != nil {
 		overrides = append(overrides, fmt.Sprintf("*.pull=%t", *cFlags.pull))
 	}
-	if in.SBOM != "" {
-		overrides = append(overrides, fmt.Sprintf("*.attest=%s", buildflags.CanonicalizeAttest("sbom", in.SBOM)))
+	if in.sbom != "" {
+		overrides = append(overrides, fmt.Sprintf("*.attest=%s", buildflags.CanonicalizeAttest("sbom", in.sbom)))
 	}
-	if in.Provenance != "" {
-		overrides = append(overrides, fmt.Sprintf("*.attest=%s", buildflags.CanonicalizeAttest("provenance", in.Provenance)))
+	if in.provenance != "" {
+		overrides = append(overrides, fmt.Sprintf("*.attest=%s", buildflags.CanonicalizeAttest("provenance", in.provenance)))
 	}
 	contextPathHash, _ := os.Getwd()

@ -220,8 +222,8 @@ func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	flags.BoolVar(&options.ExportLoad, "load", false, `Shorthand for "--set=*.output=type=docker"`)
 	flags.BoolVar(&options.printOnly, "print", false, "Print the options without building")
 	flags.BoolVar(&options.ExportPush, "push", false, `Shorthand for "--set=*.output=type=registry"`)
-	flags.StringVar(&options.SBOM, "sbom", "", `Shorthand for "--set=*.attest=type=sbom"`)
-	flags.StringVar(&options.Provenance, "provenance", "", `Shorthand for "--set=*.attest=type=provenance"`)
+	flags.StringVar(&options.sbom, "sbom", "", `Shorthand for "--set=*.attest=type=sbom"`)
+	flags.StringVar(&options.provenance, "provenance", "", `Shorthand for "--set=*.attest=type=provenance"`)
 	flags.StringArrayVar(&options.overrides, "set", nil, `Override target value (e.g., "targetpattern.key=value")`)

 	commonBuildFlags(&cFlags, flags)
--- a/commands/build.go
+++ b/commands/build.go
@ -42,7 +42,6 @@ import (

 type buildOptions struct {
 	allow          []string
-	attests        []string
 	buildArgs      []string
 	cacheFrom      []string
 	cacheTo        []string
@ -67,6 +66,10 @@ type buildOptions struct {

 	invoke string

+	attests    []string
+	sbom       string
+	provenance string
+
 	progress string
 	quiet    bool

@ -78,7 +81,6 @@ func (o *buildOptions) toControllerOptions() (controllerapi.BuildOptions, error)
 	var err error
 	opts := controllerapi.BuildOptions{
 		Allow:          o.allow,
-		Attests:        o.attests,
 		BuildArgs:      listToMap(o.buildArgs, true),
 		CgroupParent:   o.cgroupParent,
 		ContextPath:    o.contextPath,
@ -96,6 +98,18 @@ func (o *buildOptions) toControllerOptions() (controllerapi.BuildOptions, error)
 		Opts:           &o.CommonOptions,
 	}

+	inAttests := append([]string{}, o.attests...)
+	if o.provenance != "" {
+		inAttests = append(inAttests, buildflags.CanonicalizeAttest("provenance", o.provenance))
+	}
+	if o.sbom != "" {
+		inAttests = append(inAttests, buildflags.CanonicalizeAttest("sbom", o.sbom))
+	}
+	opts.Attests, err = buildflags.ParseAttests(inAttests)
+	if err != nil {
+		return controllerapi.BuildOptions{}, err
+	}
+
 	opts.NamedContexts, err = buildflags.ParseContextNames(o.contexts)
 	if err != nil {
 		return controllerapi.BuildOptions{}, err
@ -285,8 +299,8 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	flags.Var(options.ulimits, "ulimit", "Ulimit options")

 	flags.StringArrayVar(&options.attests, "attest", []string{}, `Attestation parameters (format: "type=sbom,generator=image")`)
-	flags.StringVar(&options.SBOM, "sbom", "", `Shorthand for "--attest=type=sbom"`)
-	flags.StringVar(&options.Provenance, "provenance", "", `Shortand for "--attest=type=provenance"`)
+	flags.StringVar(&options.sbom, "sbom", "", `Shorthand for "--attest=type=sbom"`)
+	flags.StringVar(&options.provenance, "provenance", "", `Shortand for "--attest=type=provenance"`)

 	if isExperimental() {
 		flags.StringVar(&options.invoke, "invoke", "", "Invoke a command after the build [experimental]")