From 10362f59ddb25f5d9265eddba0374fad7ad5a65d Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Mon, 7 Oct 2024 15:15:27 +0500
Subject: [PATCH 1/3] chore: add build attestation to docker images
---
 .github/workflows/docker-base.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/docker-base.yaml b/.github/workflows/docker-base.yaml
index 942d80cfa4679..258460ae54207 100644
--- a/.github/workflows/docker-base.yaml
+++ b/.github/workflows/docker-base.yaml
@@ -60,6 +60,7 @@ jobs:
 context: base-build-context
 file: scripts/Dockerfile.base
 platforms: linux/amd64,linux/arm64,linux/arm/v7
+ provenance: true
 pull: true
 no-cache: true
 push: ${{ github.event_name != 'pull_request' }}
From 3198fec9475fef313fc3986d93fccaed6935b11e Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Mon, 7 Oct 2024 10:48:19 +0000
Subject: [PATCH 2/3] Enable build provenance for Docker images
Adds `provenance: true` to the Docker build commands to ensure the provenance of Docker images is tracked, enhancing traceability and security compliance. This provides verifiable details of how and when an image was built.
---
 .github/workflows/release.yaml | 1 +
 scripts/build_docker.sh | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 0732d0bbfa125..9d7c73e09043b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -256,6 +256,7 @@ jobs:
 context: base-build-context
 file: scripts/Dockerfile.base
 platforms: linux/amd64,linux/arm64,linux/arm/v7
+ provenance: true
 pull: true
 no-cache: true
 push: true
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index 1bee954e9713c..e55a00fcf80fc 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
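Review bot: `provenance: true` neither pins the attestation's level of detail nor signs it, so what lands in the registry is a BuildKit-generated in-toto provenance document that a consumer can read but cannot authenticate; if the intent is a verifiable attestation, a signing step on the pushed digest (cosign, or actions/attest-build-provenance) is still needed. Unless build-push-action already picks the richer mode for this repository, which is worth confirming, `provenance: mode=max` records the full materials and build arguments and `sbom: true` is the natural companion; before enabling max mode, check that no build arg passed to this step carries a secret, since it would be recorded in the attestation. With three platforms listed, the attestation manifests are attached to the OCI index, which older registry UIs and tooling display as an extra `unknown/unknown` entry, so a short comment on the line, e.g. `# attach BuildKit provenance to the pushed index (shows as unknown/unknown in some registry UIs)`, will save questions later. The step's `with:` block begins above this hunk.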
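Review bot: The commit message promises "verifiable details", but this hunk only emits the attestation and nothing in the release job records how it is meant to be checked, so a maintainer has no documented way to confirm a published image actually carries provenance. Since this step pushes unconditionally (`push: true`, unlike the PR-gated push in docker-base.yaml), it is the one whose output release consumers will inspect; a comment such as `# provenance: attach a BuildKit SLSA provenance attestation; inspect with: docker buildx imagetools inspect <ref> --format '{{json .Provenance}}'` next to the new line gives them that recipe. If the same job has further build-push-action steps beyond this hunk, they presumably need the same input for consistency, but that cannot be seen from here. The enclosing step and job start outside the hunk.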
@@ -124,6 +124,7 @@ if [[ "$build_base" != "" ]]; then
 log "--- Building base Docker image for $arch ($build_base)"
 docker build \
 --platform "$arch" \
+ --provenance=true \
 --tag "$build_base" \
 --no-cache \
 -f Dockerfile.base \
@@ -141,6 +142,7 @@ docker build \
 --build-arg "BASE_IMAGE=$base_image" \
 --build-arg "CODER_VERSION=$version" \
 --no-cache \
+ --provenance=true \
 --tag "$image_tag" \
 -f Dockerfile \
 . 1>&2
From 5dfb5c463c0aa5a029ebbd5662174aaf0aba4e77 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Wed, 13 Nov 2024 10:31:07 +0500
Subject: [PATCH 3/3] Remove `--provenance=true` from docker builds
---
 scripts/build_docker.sh | 2 --
 1 file changed, 2 deletions(-)
diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
index e55a00fcf80fc..1bee954e9713c 100755
--- a/scripts/build_docker.sh
+++ b/scripts/build_docker.sh
@@ -124,7 +124,6 @@ if [[ "$build_base" != "" ]]; then
 log "--- Building base Docker image for $arch ($build_base)"
 docker build \
 --platform "$arch" \
- --provenance=true \
 --tag "$build_base" \
 --no-cache \
 -f Dockerfile.base \
@@ -142,7 +141,6 @@ docker build \
 --build-arg "BASE_IMAGE=$base_image" \
 --build-arg "CODER_VERSION=$version" \
 --no-cache \
- --provenance=true \
 --tag "$image_tag" \
 -f Dockerfile \
 . 1>&2
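Review bot: `--provenance=true` on a plain `docker build` depends on which builder backs the command; as far as I know the default `docker` driver cannot export attestations into the local image store unless the containerd image store is enabled, so this single-arch `--platform "$arch"` build is likely to fail outright or to produce an image with no attestation attached. Patch 3 in this series removes the flag again, which is consistent with that, but the removal leaves no record of why, so the next contributor will re-add it; a comment at this call site, e.g. `# NOTE: no --provenance here: attestations need a docker-container builder or the containerd image store; the GitHub workflows generate them instead`, would close that loop. If the script is meant to produce attested images as well, the change is to invoke `docker buildx build` against a docker-container builder and push (or load after enabling containerd) rather than to pass the flag to the default builder. The enclosing `if` block and the rest of the `docker build` argument list continue outside the hunk.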
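Review bot: The new flag is placed differently in the two invocations: the base-image build above puts `--provenance=true` right after `--platform`, while this one puts it after `--no-cache` and before `--tag`, which makes the two argument lists harder to diff by eye. Grouping it with `--no-cache` in both places, i.e. `--no-cache \` followed by `--provenance=true \` in each call, keeps the build-behaviour flags together and the tag/file flags at the end. The same builder caveat applies here as to the base-image call, and the start of this `docker build` invocation (including any `--platform`) is above the hunk.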