fix: Disable attestations and SBOMs for Heroku's container registry (#3350)

jabrown85 · web-flow · commit cc64191097b8 · 2025-08-13T09:15:35.000-07:00
* Disable attestations and SBOMs for Heroku's container registry

- disable attestations and SBOMs if the docker version is &gt;= 24.0.0
- enforcing amd64 images coming from non-amd64 machines (aarch64)
- enforce amd64 on push in addition to build

Signed-off-by: Jesse Brown &lt;jabrown85@gmail.com&gt;

* fixup! Disable attestations and SBOMs for Heroku's container registry

Signed-off-by: Jesse Brown &lt;jabrown85@gmail.com&gt;

---------

Signed-off-by: Jesse Brown &lt;jabrown85@gmail.com&gt;
diff --git a/packages/cli/src/commands/container/push.ts b/packages/cli/src/commands/container/push.ts
@@ -113,7 +113,7 @@ export default class Push extends Command {
           hux.styledHeader(`Pushing ${job.name} (${job.dockerfile})`)
         }
 
-        await DockerHelper.pushImage(job.resource)
+        await DockerHelper.pushImage(job.resource, this.config.arch)
       }
 
       const plural = jobs.length !== 1
diff --git a/packages/cli/src/lib/container/docker_helper.ts b/packages/cli/src/lib/container/docker_helper.ts
@@ -182,7 +182,14 @@ export const buildImage = async function ({dockerfile, resource, buildArgs, path
   const args = ['build', '-f', dockerfile, '-t', resource]
   // Older Docker versions don't allow for this flag, but we are
   // adding it here when necessary to allow for pushing a docker build from m1/m2 Macs.
-  if (arch === 'arm64') args.push('--platform', 'linux/amd64')
+  if (arch === 'arm64' || arch === 'aarch64') args.push('--platform', 'linux/amd64')
+
+  // newer docker versions support attestations and software bill of materials, so we want to disable them to save time/space
+  // Heroku's container registry doesn't support pushing them right now
+  if (await version() >= [24, 0, 0]) {
+    args.push('--provenance', 'false')
+    args.push('--sbom', 'false')
+  }
 
   for (const element of buildArgs) {
     if (element.length > 0) {
@@ -195,9 +202,14 @@ export const buildImage = async function ({dockerfile, resource, buildArgs, path
   return cmd('docker', args)
 }
 
-export const pushImage = async function (resource: string) {
+export const pushImage = async function (resource: string, arch: string) {
   const args = ['push', resource]
 
+  // Older Docker versions don't allow for this flag, but we are
+  // adding it here when necessary to allow for pushing a docker build from m1/m2 Macs.
+  // Heroku's container registry doesn't support pushing multi-arch images so we need to push the expected arch
+  if (arch === 'arm64' || arch === 'aarch64') args.push('--platform', 'linux/amd64')
+
   return cmd('docker', args)
 }
 
diff --git a/packages/cli/test/unit/lib/container/docker_helper.unit.test.ts b/packages/cli/test/unit/lib/container/docker_helper.unit.test.ts
@@ -208,17 +208,43 @@ describe('DockerHelper', function () {
     })
 
     it('successfully pushes image to DockerHelper cmd', async function () {
+      const argsArray = ['push', 'registry.heroku.com/testapp/web', '--platform', 'linux/amd64']
       const eventStub = sandbox.stub(childProcess, 'spawn').callsFake(eventMock)
 
-      await DockerHelper.pushImage('registry.heroku.com/testapp/web')
+      await DockerHelper.pushImage('registry.heroku.com/testapp/web', 'arm64')
+      const options = eventStub.getCall(0).args[2]
+      expect(eventStub.calledWith('docker', argsArray, options)).to.equal(true)
+    })
 
-      expect(eventStub.calledOnce).to.equal(true)
+    it('includes the platform flag when the arch is aarch64', async function () {
+      const argsArray = ['push', 'registry.heroku.com/testapp/web', '--platform', 'linux/amd64']
+      const eventStub = sandbox.stub(childProcess, 'spawn').callsFake(eventMock)
+
+      await DockerHelper.pushImage('registry.heroku.com/testapp/web', 'aarch64')
+      const options = eventStub.getCall(0).args[2]
+      expect(eventStub.calledWith('docker', argsArray, options)).to.equal(true)
+    })
+
+    it('does not include the platform flag when the arch is not arm64', async function () {
+      const argsArray = ['push', 'registry.heroku.com/testapp/web']
+      const eventStub = sandbox.stub(childProcess, 'spawn').callsFake(eventMock)
+
+      await DockerHelper.pushImage('registry.heroku.com/testapp/web', 'amd64')
+      const options = eventStub.getCall(0).args[2]
+      expect(eventStub.calledWith('docker', argsArray, options)).to.equal(true)
     })
   })
 
   describe('.buildImage', function () {
     const sandbox = sinon.createSandbox()
 
+    let versionStub: sinon.SinonStub
+
+    beforeEach(function () {
+      versionStub = sandbox.stub(DockerHelper, 'version')
+      versionStub.resolves([23, 99, 99])
+    })
+
     afterEach(function () {
       return sandbox.restore()
     })
@@ -241,7 +267,56 @@ describe('DockerHelper', function () {
         buildArgs: [],
       })
       const options = eventStub.getCall(0).args[2]
-      console.log(eventStub.getCall(0).args)
+      expect(eventStub.calledWith('docker', argsArray, options)).to.equal(true)
+    })
+
+    it('includes the provenance and sbom flags when docker version is >= 24.0.0', async function () {
+      versionStub.resolves([24, 0, 0])
+
+      const argsArray = [
+        'build',
+        '-f',
+        'dockerfile',
+        '-t',
+        'registry.heroku.com/test-app/web',
+        '--platform',
+        'linux/amd64',
+        '--provenance',
+        'false',
+        '--sbom',
+        'false',
+        '.',
+      ]
+      const eventStub = sandbox.stub(childProcess, 'spawn').callsFake(eventMock)
+
+      await DockerHelper.buildImage({
+        dockerfile: 'dockerfile',
+        resource: 'registry.heroku.com/test-app/web',
+        buildArgs: [],
+        arch: 'arm64',
+      })
+      const options = eventStub.getCall(0).args[2]
+      expect(eventStub.calledWith('docker', argsArray, options)).to.equal(true)
+    })
+
+    it('does not include the platform flag when the arch is not arm64', async function () {
+      const argsArray = [
+        'build',
+        '-f',
+        'dockerfile',
+        '-t',
+        'registry.heroku.com/test-app/web',
+        '.',
+      ]
+
+      const eventStub = sandbox.stub(childProcess, 'spawn').callsFake(eventMock)
+
+      await DockerHelper.buildImage({
+        dockerfile: 'dockerfile',
+        resource: 'registry.heroku.com/test-app/web',
+        buildArgs: [],
+      })
+      const options = eventStub.getCall(0).args[2]
       expect(eventStub.calledWith('docker', argsArray, options)).to.equal(true)
     })
 
@@ -267,5 +342,28 @@ describe('DockerHelper', function () {
       const options = eventStub.getCall(0).args[2]
       expect(eventStub.calledWith('docker', argsArray, options)).to.equal(true)
     })
+
+    it('includes the platform flag when arch is aarch64', async function () {
+      const argsArray = [
+        'build',
+        '-f',
+        'dockerfile',
+        '-t',
+        'registry.heroku.com/test-app/web',
+        '--platform',
+        'linux/amd64',
+        '.',
+      ]
+      const eventStub = sandbox.stub(childProcess, 'spawn').callsFake(eventMock)
+
+      await DockerHelper.buildImage({
+        dockerfile: 'dockerfile',
+        resource: 'registry.heroku.com/test-app/web',
+        buildArgs: [],
+        arch: 'aarch64',
+      })
+      const options = eventStub.getCall(0).args[2]
+      expect(eventStub.calledWith('docker', argsArray, options)).to.equal(true)
+    })
   })
 })

Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,7 @@ export default class Push extends Command {`
`113`	`113`	hux.styledHeader(`Pushing ${job.name} (${job.dockerfile})`)
`114`	`114`	`}`
`115`	`115`
`116`		`- await DockerHelper.pushImage(job.resource)`
	`116`	`+ await DockerHelper.pushImage(job.resource, this.config.arch)`
`117`	`117`	`}`
`118`	`118`
`119`	`119`	`const plural = jobs.length !== 1`