From 26ce4f3617d984971843709eac3477851b4df584 Mon Sep 17 00:00:00 2001
From: CrazyMax <crazy-max@users.noreply.github.com>
Date: Tue, 20 Dec 2022 06:17:29 +0100
Subject: [PATCH] provenance: set mode max and builder-id for public repos by
 default

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
---
 .github/workflows/ci.yml |  4 +---
 src/context.ts           | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cdcb319..bc273ca 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -529,9 +529,7 @@ jobs:
           file: ./test/go/Dockerfile
           target: ${{ matrix.target }}
           outputs: ${{ matrix.output }}
-          attests: |
-            type=sbom
-            type=provenance,mode=max,builder-id=https://github.com/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}
+          sbom: true
           cache-from: type=gha,scope=attests-${{ matrix.target }}
           cache-to: type=gha,scope=attests-${{ matrix.target }},mode=max
       -
diff --git a/src/context.ts b/src/context.ts
index 25b7a91..0405a02 100644
--- a/src/context.ts
+++ b/src/context.ts
@@ -164,6 +164,10 @@ async function getBuildArgs(inputs: Inputs, defaultContext: string, context: str
   if (buildx.satisfies(buildxVersion, '>=0.10.0')) {
     if (inputs.provenance) {
       args.push('--provenance', inputs.provenance);
+    } else if (fromPayload('repository.private') !== false) {
+      args.push('--provenance', `mode=min,inline-only=true`);
+    } else {
+      args.push('--provenance', `mode=max,builder-id=${process.env.GITHUB_SERVER_URL || 'https://github.com'}/${github.context.repo.owner}/${github.context.repo.repo}/actions/runs/${github.context.runId}`);
     }
     if (inputs.sbom) {
       args.push('--sbom', inputs.sbom);
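Review bot: The final `else` branch makes `mode=max` the default whenever the payload reports `repository.private === false`, and max-mode provenance records build-argument values and other build details in the attestation that is published with the image. A workflow that still passes sensitive values through `build-args` would start publishing them after upgrading, without any change on its side. I would document the new default and the opt-out through the `provenance` input, and add a comment on the branch such as `// public repo: mode=max embeds build-arg values in the pushed attestation; pass secrets via build secrets, or set the provenance input to override`. The `!== false` test on the branch above fails closed (a missing payload field gets `mode=min`), which is the right direction and worth stating in a comment too. `getBuildArgs` starts and ends outside this hunk.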
@@ -264,3 +268,21 @@ export const asyncForEach = async (array, callback) => {
     await callback(array[index], index, array);
   }
 };
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function fromPayload(path: string): any {
+  return select(github.context.payload, path);
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function select(obj: any, path: string): any {
+  if (!obj) {
+    return undefined;
+  }
+  const i = path.indexOf('.');
+  if (i < 0) {
+    return obj[path];
+  }
+  const key = path.slice(0, i);
+  return select(obj[key], path.slice(i + 1));
+}
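Review bot: `fromPayload` and `select` have no doc comment, yet the provenance default depends on their contract that a missing or falsy intermediate value yields `undefined`, which the caller then treats as "private". I would state that on `fromPayload`, for example `/** Reads a dotted path from the event payload; returns undefined when any segment is absent, which callers must treat as the restrictive case. */`, so a later edit does not turn the caller's check into a truthiness test. Separately, the only caller in this patch compares the result with `!== false`, so `function fromPayload(path: string): unknown {` would work and remove one of the two `no-explicit-any` suppressions.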