This repository was archived by the owner on Mar 3, 2025. It is now read-only.

fix: docker build attestations break cdk-assets (400 Bad Request) (backport #342) #347

Merged
merged 5 commits into from
Feb 11, 2025

Conversation

aws-cdk-automation
Collaborator

Backport

This will backport the following commits from main to v2-main:

Questions?

Please refer to the Backport tool documentation

There are various issues in cdk that can be traced back to attestations
in docker:

aws/aws-cdk#30258
aws/aws-cdk#31549
aws/aws-cdk#33264

cdk-assets cannot work with docker containerd because it will attempt to
upload multiple files to the same hash in ECR, and our ECR repository is
immutable (by requirement). docker recently changed their default to
turn on containerd, which causes this issue to skyrocket.

The hotfix here is to add an environment variable when calling `docker`
so that the attestation file is not added to the manifest. We can later
look into adding support for including
[provenance](https://docs.docker.com/build/metadata/attestations/slsa-provenance/)
attestations if there is need for it.

I've chosen to fix this via environment variable instead of as a command
option `--provenance=false` because we must keep docker replacements in
mind, and at least finch [does
not](https://runfinch.com/docs/cli-reference/finch_build/) have a
`provenance` property at the moment.

In addition to this unit test that shows the env variable exists when
`docker build` is called, I have also ensured that this solves the issue
in my local setup + symlinked `cdk-assets`.

(cherry picked from commit 8bdea13)

# Conflicts:
#	lib/private/docker.ts
#	test/private/docker.test.ts
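Added example, not code from cdk-assets or this PR: it shows the two halves of the problem the description above talks about. First, the build invocation is assembled with an extra environment variable rather than a `--provenance=false` flag, so drop-in replacements such as finch still receive a command line they accept. Second, an OCI image index is inspected for the attestation manifests that buildx adds by default, which is the extra entry that leads to a second upload against an immutable ECR repository. Assumptions: the PR page does not name the variable it sets; `BUILDX_NO_DEFAULT_ATTESTATIONS=1` is the documented buildx switch that disables default attestations and is used here. The `BuildOptions` type, the function names and the image index are all constructed for this example.

```typescript
// Added example (not cdk-assets code). Assumes BUILDX_NO_DEFAULT_ATTESTATIONS=1 is the
// buildx variable that turns off default provenance/SBOM attestations; the PR page itself
// does not name the variable it sets.

export interface BuildOptions {
  directory: string;            // build context
  tag: string;                  // image reference to tag, e.g. an ECR repository URI
  file?: string;                // optional Dockerfile path
  buildArgs?: Record<string, string>;
}

export interface BuildInvocation {
  executable: string;
  args: string[];
  env: Record<string, string | undefined>;
}

/** Environment for the docker child process: the caller's env plus the attestation switch. */
export function dockerBuildEnv(
  base: Record<string, string | undefined>,
): Record<string, string | undefined> {
  return { ...base, BUILDX_NO_DEFAULT_ATTESTATIONS: '1' };
}

/** Argument vector for `docker build`. Deliberately no `--provenance`, which finch does not accept. */
export function dockerBuildArgs(opts: BuildOptions): string[] {
  const args = ['build', '--tag', opts.tag];
  if (opts.file) {
    args.push('--file', opts.file);
  }
  for (const [key, value] of Object.entries(opts.buildArgs ?? {})) {
    args.push('--build-arg', `${key}=${value}`);
  }
  args.push(opts.directory);
  return args;
}

/** Everything a spawn() call needs; `executable` may be docker, finch or any other replacement. */
export function buildInvocation(
  executable: string,
  opts: BuildOptions,
  baseEnv: Record<string, string | undefined>,
): BuildInvocation {
  return { executable, args: dockerBuildArgs(opts), env: dockerBuildEnv(baseEnv) };
}

// OCI image index as buildx emits it when attestations are enabled: the attestation manifest
// is annotated with vnd.docker.reference.type and points at the image manifest it describes.
export interface IndexManifest {
  mediaType: string;
  digest: string;
  size: number;
  platform?: { architecture: string; os: string };
  annotations?: Record<string, string>;
}

export interface ImageIndex {
  schemaVersion: number;
  mediaType: string;
  manifests: IndexManifest[];
}

/** Digests of the image manifests that have an attestation manifest attached to them. */
export function attestedImages(index: ImageIndex): string[] {
  return index.manifests
    .filter((m) => m.annotations?.['vnd.docker.reference.type'] === 'attestation-manifest')
    .map((m) => m.annotations?.['vnd.docker.reference.digest'] ?? '')
    .filter((digest) => digest !== '');
}

/** True when the index holds exactly one image and no attestation entries: one manifest, one upload. */
export function isPlainSingleImage(index: ImageIndex): boolean {
  return index.manifests.length === 1 && attestedImages(index).length === 0;
}

// Constructed sample: a single linux/amd64 image built with attestations left on. The second
// entry is the attestation manifest (platform unknown/unknown, reference annotations set).
export const SAMPLE_INDEX: ImageIndex = {
  schemaVersion: 2,
  mediaType: 'application/vnd.oci.image.index.v1+json',
  manifests: [
    {
      mediaType: 'application/vnd.oci.image.manifest.v1+json',
      digest: 'sha256:aaaa',
      size: 1234,
      platform: { architecture: 'amd64', os: 'linux' },
    },
    {
      mediaType: 'application/vnd.oci.image.manifest.v1+json',
      digest: 'sha256:bbbb',
      size: 567,
      platform: { architecture: 'unknown', os: 'unknown' },
      annotations: {
        'vnd.docker.reference.digest': 'sha256:aaaa',
        'vnd.docker.reference.type': 'attestation-manifest',
      },
    },
  ],
};
```

`buildInvocation('finch', opts, process.env)` produces the same argument vector as for `docker`, only the environment differs; if the executable ignores the variable, the worst case is the old behaviour rather than a rejected flag. After a push, pulling the image index and checking `isPlainSingleImage` is a quick way to confirm that no attestation manifest went along with the image.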
@kaizencc kaizencc closed this Feb 11, 2025
auto-merge was automatically disabled February 11, 2025 16:17

Pull request was closed

@kaizencc kaizencc reopened this Feb 11, 2025
@aws-cdk-automation aws-cdk-automation added this pull request to the merge queue Feb 11, 2025
Merged via the queue into v2-main with commit 884e8a0 Feb 11, 2025
12 checks passed
@aws-cdk-automation aws-cdk-automation deleted the backport/v2-main-pr-342 branch February 11, 2025 16:20