Merge pull request #321 from depot/revert-320-fix/bake-sboms-s3-cache

goller · web-flow · commit fb93b7263e8a · 2025-03-05T12:14:18.000-06:00
Revert "fix: add SBOM and S3 caching secrets"
diff --git a/go.mod b/go.mod
@@ -7,7 +7,6 @@ require (
 	buf.build/gen/go/depot/api/protocolbuffers/go v1.32.0-20240221184445-e8316610338f.1
 	connectrpc.com/connect v1.15.0
 	github.com/adrg/xdg v0.4.0
-	github.com/aws/aws-sdk-go-v2/config v1.15.5
 	github.com/briandowns/spinner v1.18.1
 	github.com/charmbracelet/bubbles v0.16.1
 	github.com/charmbracelet/bubbletea v0.24.2
@@ -65,6 +64,7 @@ require (
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.16.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.15.5 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.12.0 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.4 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.10 // indirect
diff --git a/pkg/buildx/bake/buildflags/cache.go b/pkg/buildx/bake/buildflags/cache.go
@@ -1,15 +1,11 @@
 package buildflags
 
 import (
-	"context"
 	"encoding/csv"
 	"encoding/json"
 	"maps"
-	"os"
-	"strconv"
 	"strings"
 
-	awsconfig "github.com/aws/aws-sdk-go-v2/config"
 	"github.com/moby/buildkit/client"
 	"github.com/pkg/errors"
 	"github.com/zclconf/go-cty/cty"
@@ -187,9 +183,6 @@ func CreateCaches(entries []*CacheOptionsEntry) []client.CacheOptionsEntry {
 		return nil
 	}
 	for _, entry := range entries {
-		addGithubToken(entry)
-		addAwsCredentials(entry)
-
 		out := client.CacheOptionsEntry{
 			Type:  entry.Type,
 			Attrs: map[string]string{},
@@ -201,67 +194,3 @@ func CreateCaches(entries []*CacheOptionsEntry) []client.CacheOptionsEntry {
 	}
 	return outs
 }
-
-func addGithubToken(ci *CacheOptionsEntry) {
-	if ci.Type != "gha" {
-		return
-	}
-	version, ok := ci.Attrs["version"]
-	if !ok {
-		// https://github.com/actions/toolkit/blob/2b08dc18f261b9fdd978b70279b85cbef81af8bc/packages/cache/src/internal/config.ts#L19
-		if v, ok := os.LookupEnv("ACTIONS_CACHE_SERVICE_V2"); ok {
-			if b, err := strconv.ParseBool(v); err == nil && b {
-				version = "2"
-			}
-		}
-	}
-	if _, ok := ci.Attrs["token"]; !ok {
-		if v, ok := os.LookupEnv("ACTIONS_RUNTIME_TOKEN"); ok {
-			ci.Attrs["token"] = v
-		}
-	}
-	if _, ok := ci.Attrs["url_v2"]; !ok && version == "2" {
-		// https://github.com/actions/toolkit/blob/2b08dc18f261b9fdd978b70279b85cbef81af8bc/packages/cache/src/internal/config.ts#L34-L35
-		if v, ok := os.LookupEnv("ACTIONS_RESULTS_URL"); ok {
-			ci.Attrs["url_v2"] = v
-		}
-	}
-	if _, ok := ci.Attrs["url"]; !ok {
-		// https://github.com/actions/toolkit/blob/2b08dc18f261b9fdd978b70279b85cbef81af8bc/packages/cache/src/internal/config.ts#L28-L33
-		if v, ok := os.LookupEnv("ACTIONS_CACHE_URL"); ok {
-			ci.Attrs["url"] = v
-		} else if v, ok := os.LookupEnv("ACTIONS_RESULTS_URL"); ok {
-			ci.Attrs["url"] = v
-		}
-	}
-}
-
-func addAwsCredentials(ci *CacheOptionsEntry) {
-	if ci.Type != "s3" {
-		return
-	}
-	_, okAccessKeyID := ci.Attrs["access_key_id"]
-	_, okSecretAccessKey := ci.Attrs["secret_access_key"]
-	// If the user provides access_key_id, secret_access_key, do not override the session token.
-	if okAccessKeyID && okSecretAccessKey {
-		return
-	}
-	ctx := context.TODO()
-	awsConfig, err := awsconfig.LoadDefaultConfig(ctx)
-	if err != nil {
-		return
-	}
-	credentials, err := awsConfig.Credentials.Retrieve(ctx)
-	if err != nil {
-		return
-	}
-	if !okAccessKeyID && credentials.AccessKeyID != "" {
-		ci.Attrs["access_key_id"] = credentials.AccessKeyID
-	}
-	if !okSecretAccessKey && credentials.SecretAccessKey != "" {
-		ci.Attrs["secret_access_key"] = credentials.SecretAccessKey
-	}
-	if _, ok := ci.Attrs["session_token"]; !ok && credentials.SessionToken != "" {
-		ci.Attrs["session_token"] = credentials.SessionToken
-	}
-}
diff --git a/pkg/buildx/build/build.go b/pkg/buildx/build/build.go
@@ -401,7 +401,7 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Op
 	supportsAttestations := true
 	if len(attests) > 0 {
 		for k, v := range attests {
-			so.FrontendAttrs["attest:"+k] = v
+			so.FrontendAttrs[k] = v
 		}
 	}
 	if _, ok := opt.Attests["attest:provenance"]; !ok && supportsAttestations {
diff --git a/pkg/helpers/gha.go b/pkg/helpers/gha.go
@@ -7,13 +7,11 @@ import "os"
 func FixGitHubActionsCacheEnv() {
 	original := os.Getenv("UPSTREAM_ACTIONS_CACHE_URL")
 
-	if original != "" {
-		os.Setenv("ACTIONS_CACHE_URL", original)
+	if original == "" {
+		original = os.Getenv("GACTIONSCACHE_URL")
 	}
 
-	original = os.Getenv("UPSTREAM_ACTIONS_RESULTS_URL")
-
 	if original != "" {
-		os.Setenv("ACTIONS_RESULTS_URL", original)
+		os.Setenv("ACTIONS_CACHE_URL", original)
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -401,7 +401,7 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Op`
`401`	`401`	`supportsAttestations := true`
`402`	`402`	`if len(attests) > 0 {`
`403`	`403`	`for k, v := range attests {`
`404`		`- so.FrontendAttrs["attest:"+k] = v`
	`404`	`+ so.FrontendAttrs[k] = v`
`405`	`405`	`}`
`406`	`406`	`}`
`407`	`407`	`if _, ok := opt.Attests["attest:provenance"]; !ok && supportsAttestations {`
Original file line number	Diff line number	Diff line change
`@@ -7,13 +7,11 @@ import "os"`
`7`	`7`	`func FixGitHubActionsCacheEnv() {`
`8`	`8`	`original := os.Getenv("UPSTREAM_ACTIONS_CACHE_URL")`
`9`	`9`
`10`		`- if original != "" {`
`11`		`- os.Setenv("ACTIONS_CACHE_URL", original)`
	`10`	`+ if original == "" {`
	`11`	`+ original = os.Getenv("GACTIONSCACHE_URL")`
`12`	`12`	`}`
`13`	`13`
`14`		`- original = os.Getenv("UPSTREAM_ACTIONS_RESULTS_URL")`
`15`		`-`
`16`	`14`	`if original != "" {`
`17`		`- os.Setenv("ACTIONS_RESULTS_URL", original)`
	`15`	`+ os.Setenv("ACTIONS_CACHE_URL", original)`
`18`	`16`	`}`
`19`	`17`	`}`