chore(deps): Bump docker/build-push-action from 3.3.0 to 4.0.0 #3066

Merged


dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Feb 6, 2023

Bumps docker/build-push-action from 3.3.0 to 4.0.0.

Release notes

Sourced from docker/build-push-action's releases.

v4.0.0

Note

Buildx v0.10 enables support for a minimal SLSA Provenance attestation, which requires support for OCI-compliant multi-platform images. This may introduce issues with registry and runtime support (e.g. Google Cloud Run and AWS Lambda). You can optionally disable the default provenance attestation functionality using provenance: false.

Full Changelog: docker/build-push-action@v3.3.1...v4.0.0

v3.3.1

Full Changelog: docker/build-push-action@v3.3.0...v3.3.1

Commits
  • 3b5e802 Merge pull request #784 from crazy-max/enable-provenance
  • 02d3266 update generated content
  • f403daf revert disable provenance by default if not set
  • 1104d47 Merge pull request #781 from crazy-max/disable-provenance
  • 838bf90 update generated content
  • 337a09d disable provenance by default if not set
  • See full diff in compare view


@dependabot dependabot bot added area/ci kind/update Update an existing feature, configuration file or the documentation priority/low labels Feb 6, 2023
@dependabot dependabot bot requested a review from a team February 6, 2023 12:00
@georglauterbach georglauterbach added this to the v12.0.0 milestone Feb 6, 2023
@georglauterbach
Member

Please check if this might be breaking anything :) I found nothing yet that would break our CI, but I could be missing something. I added the label meta/needs-triage - we can remove this when done double-checking.

@georglauterbach georglauterbach added the meta/needs triage This issue / PR needs checks and verification from maintainers label Feb 6, 2023
@polarathene
Member

It just appears to be about the "SLSA Provenance attestation" support being enabled by default into images when possible. Breaking change as some registries may not be compatible from what I could make of the Changelog. I think our registries are unaffected though 👍

polarathene previously approved these changes Feb 6, 2023
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.3.0 to 4.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v3.3.0...v4.0.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/github_actions/docker/build-push-action-4.0.0 branch from c534f8b to d8a8ef9 Compare February 6, 2023 22:50
georglauterbach previously approved these changes Feb 6, 2023
@casperklein
Member

casperklein commented Feb 6, 2023

I ran into problems with the new default of --provenance=true, same problem as here.

Building my images with --provenance=false fixed it for now. We could build with provenance=false to restore the old behaviour. This could prevent other issues we are not aware of yet. I am also fine to give it a try as it is.

@georglauterbach
Copy link
Member

Building my images with --provenance=false fixed it for now. We could build with provenance=true to restore the old behaviour.

Did you mean 'provenance=false'?

This could prevent other issues we are not aware of yet. I am also fine to give it a try as it is.

Agreed, but we should check first whether we can build with provenance=true. @casperklein can you check that in the fork of yours?

@casperklein
Member

That was a typo. I've edited my post.

The build was successful in both cases for me. My problem was related to using the image afterwards. Some docker cli commands are not yet ready to handle images with added provenance.
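
Added example, not part of the thread or of the action's code: with provenance enabled, Buildx pushes an image index even for a single-platform build, and the attestation sits in it as an extra `unknown/unknown` entry, which is what tooling expecting a plain manifest trips over. The Python sketch below separates runnable images from attestation manifests in such an index; the sample JSON and its digests are constructed, and the annotation keys are those of BuildKit's attestation storage format.

```python
import json

# Constructed sample: the index of a single-platform build pushed with
# provenance enabled. Digests are shortened placeholders, not real values.
SAMPLE_INDEX = json.loads("""
{"schemaVersion": 2,
 "mediaType": "application/vnd.oci.image.index.v1+json",
 "manifests": [
  {"mediaType": "application/vnd.oci.image.manifest.v1+json",
   "digest": "sha256:aaaa", "size": 1234,
   "platform": {"architecture": "amd64", "os": "linux"}},
  {"mediaType": "application/vnd.oci.image.manifest.v1+json",
   "digest": "sha256:bbbb", "size": 566,
   "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                   "vnd.docker.reference.digest": "sha256:aaaa"},
   "platform": {"architecture": "unknown", "os": "unknown"}}
 ]}
""")

INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}

def classify(manifest):
    """Split an index into runnable images and attestation manifests."""
    if manifest.get("mediaType") not in INDEX_TYPES:
        # A plain image manifest, as a single-platform build without
        # attestations produces: nothing to split.
        return {"is_index": False, "images": [], "attestations": {}}
    images, attestations = [], {}
    for entry in manifest.get("manifests", []):
        ann = entry.get("annotations") or {}
        if ann.get("vnd.docker.reference.type") == "attestation-manifest":
            # Map attested image digest -> attestation manifest digest.
            attestations[ann.get("vnd.docker.reference.digest")] = entry["digest"]
        else:
            p = entry.get("platform") or {}
            images.append((entry["digest"], f'{p.get("os")}/{p.get("architecture")}'))
    return {"is_index": True, "images": images, "attestations": attestations}

def unattested(result):
    """Image digests in the index that have no attestation manifest."""
    return [d for d, _ in result["images"] if d not in result["attestations"]]

if __name__ == "__main__":
    r = classify(SAMPLE_INDEX)
    print(r, unattested(r))
```
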

@polarathene
Member

Some docker cli commands are not yet ready to handle images with added provenance.

Is that running with BuildKit 0.10 or newer? Docker Engine still ships BuildKit 0.8 IIRC (couple years old), unlike buildx. DOCKER_BUILDKIT=1 uses that Docker Engine bundled version, not the buildx one. That was something I found when troubleshooting some frustrating issues with COPY --link support.

The CLI has recently got improved support for manifest. Once Docker Engine 23.0 is released, I think the situation will be improved. Might take a while for broader availability.


We don't have any demand for the feature, so I'm fine opting out.

@georglauterbach
Member

Then let's opt out :D @casperklein could you please adjust the PR accordingly? :)

@polarathene
Member

  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

I assume we still want the bot to raise new PRs when minor releases are made? But until comfortable going ahead with it, we'll have to keep closing the PRs. Better than ignoring and forgetting about it though? 😅

@georglauterbach
Member

  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

I assume we still want the bot to raise new PRs when minor releases are made? But until comfortable going ahead with it, we'll have to keep closing the PRs. Better than ignoring and forgetting about it though? 😅

I'd go ahead with the new version but opt out of the new feature - this way we can later opt-in and don't have to worry about always closing PRs @dependabot raises. So adjust the changes here and then merge it IMO.

@polarathene
Member

I'd go ahead with the new version but opt out of the new feature

Oh right.. long day 😅

@casperklein
Member

Some docker cli commands are not yet ready to handle images with added provenance.

Is that running with BuildKit 0.10 or newer?

I checked the buildkit version, it's 0.10.6

Details
Client: Docker Engine - Community
 Version:           23.0.0
 API version:       1.42
 Go version:        go1.19.5
 Git commit:        e92dd87
 Built:             Wed Feb  1 17:43:17 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.0
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.5
  Git commit:       d7573ab
  Built:            Wed Feb  1 17:43:17 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.16
  GitCommit:        31aa4358a36870b21a992d3ad2bef29e1d693bec
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

@casperklein casperklein merged commit 9e9f802 into master Feb 7, 2023
@casperklein casperklein deleted the dependabot/github_actions/docker/build-push-action-4.0.0 branch February 7, 2023 23:07
@polarathene
Member

I checked the buildkit version, it's 0.10.6

Oh awesome, they released 23.0 this month 🎉

Labels
area/ci kind/update Update an existing feature, configuration file or the documentation meta/needs triage This issue / PR needs checks and verification from maintainers priority/medium