fix: docker build omits attestations

cdklabs · Feb 7, 2025 · c804188 · c804188
1 parent 9775c79
commit c804188
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 18 deletions.
diff --git a/lib/private/docker.ts b/lib/private/docker.ts
@@ -129,6 +129,9 @@ export class Docker {
     await this.execute(buildCommand, {
       cwd: options.directory,
       subprocessOutputDestination: this.subprocessOutputDestination,
+      env: {
+        BUILDX_NO_DEFAULT_ATTESTATIONS: '1', // Docker Build adds provenance attestations by default that confuse cdk-assets
+      },
     });
   }
 

diff --git a/test/private/docker.test.ts b/test/private/docker.test.ts
@@ -6,26 +6,25 @@ type ShellExecuteMock = jest.SpyInstance<
   Parameters<Docker['execute']>
 >;
 
-describe('Docker', () => {
-  describe('exists', () => {
-    let docker: Docker;
-
-    const makeShellExecuteMock = (fn: (params: string[]) => void): ShellExecuteMock =>
-      jest
-        .spyOn<{ execute: Docker['execute'] }, 'execute'>(Docker.prototype as any, 'execute')
-        .mockImplementation(
-          async (params: string[], _options?: Omit<ShellOptions, 'shellEventPublisher'>) =>
-            fn(params)
-        );
-
-    afterEach(() => {
-      jest.restoreAllMocks();
-    });
+let docker: Docker;
 
-    beforeEach(() => {
-      docker = new Docker(() => {}, 'ignore');
-    });
+const makeShellExecuteMock = (fn: (params: string[]) => void): ShellExecuteMock =>
+  jest
+    .spyOn<{ execute: Docker['execute'] }, 'execute'>(Docker.prototype as any, 'execute')
+    .mockImplementation(
+      async (params: string[], _options?: Omit<ShellOptions, 'shellEventPublisher'>) => fn(params)
+    );
 
+afterEach(() => {
+  jest.restoreAllMocks();
+});
+
+beforeEach(() => {
+  docker = new Docker(() => {}, 'ignore');
+});
+
+describe('Docker', () => {
+  describe('exists', () => {
     test('returns true when image inspect command does not throw', async () => {
       const spy = makeShellExecuteMock(() => undefined);
 
@@ -95,4 +94,25 @@ describe('Docker', () => {
       expect(imageExists).toBe(false);
     });
   });
+
+  describe('build', () => {
+    test('includes BUILDX_NO_DEFAULT_ATTESTATIONS env variable in commands', async () => {
+      const spy = makeShellExecuteMock(() => undefined);
+
+      await docker.build({
+        directory: 'foo',
+        tag: 'bar',
+      });
+
+      // Verify the options passed to build
+      expect(spy).toHaveBeenCalledWith(
+        expect.any(Array),
+        expect.objectContaining({
+          env: expect.objectContaining({
+            BUILDX_NO_DEFAULT_ATTESTATIONS: '1',
+          }),
+        })
+      );
+    });
+  });
 });