invert behavior of docker prov for quicker CI docker smoke-test witho…

…ut push side-effect
crim-ca · Mar 8, 2025 · a894cd9 · a894cd9
1 parent c1ab4d3
commit a894cd9
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -158,6 +158,9 @@ jobs:
     needs: tests
     if: ${{ success() && (contains(github.ref, 'refs/tags') || github.ref == 'refs/heads/master') }}
     runs-on: ubuntu-latest
+    env:
+      # enabled provenance attestation during build/push (see Makefile for details)
+      DOCKER_PROV: "true"
     steps:
       - uses: actions/checkout@v2
         with:

diff --git a/Makefile b/Makefile
@@ -844,7 +844,10 @@ DOCKER_REPO ?= pavics/weaver
 #	employ the remote registry reference to provide the relevant traceability.
 
 # whether to enable Provenance and SBOM tracking of built images
-DOCKER_PROV ?= true
+#	Disable by default to ensure that any operation that needs a local docker (eg: 'docker-test' target)
+#	doesn't lead to an unintended push to the remote registry. This should be enabled explicitly only
+#	for tagged releases for which we explicitly want traceability.
+DOCKER_PROV ?= false
 ifeq ($(DOCKER_PROV),true)
   DOCKER_BUILDER_STEP := docker-builder
   DOCKER_BUILDER_NAME ?= docker-prov