6031 Disable image provenance in Docker images for lambdas

patchwork01 · patchwork01 · commit 70206901ee82 · 2025-11-13T13:28:01.000Z
diff --git a/java/clients/src/main/java/sleeper/clients/deploy/container/UploadDockerImages.java b/java/clients/src/main/java/sleeper/clients/deploy/container/UploadDockerImages.java
@@ -100,7 +100,13 @@ private void buildAndPushImage(String tag, StackDockerImage image) throws IOExce
         if (image.isMultiplatform()) {
             commandRunner.runOrThrow("docker", "buildx", "build", "--platform", "linux/amd64,linux/arm64", "-t", tag, "--push", dockerfileDirectory.toString());
         } else {
-            commandRunner.runOrThrow("docker", "build", "-t", tag, dockerfileDirectory.toString());
+            if (image.getLambdaJar().isPresent()) {
+                // At time of writing AWS Lambda does not support images with provenance enabled.
+                // See https://docs.aws.amazon.com/lambda/latest/dg/java-image.html
+                commandRunner.runOrThrow("docker", "build", "--provenance=false", "-t", tag, dockerfileDirectory.toString());
+            } else {
+                commandRunner.runOrThrow("docker", "build", "-t", tag, dockerfileDirectory.toString());
+            }
             commandRunner.runOrThrow("docker", "push", tag);
         }
     }
diff --git a/java/clients/src/test/java/sleeper/clients/deploy/container/DockerImagesTestBase.java b/java/clients/src/test/java/sleeper/clients/deploy/container/DockerImagesTestBase.java
@@ -105,7 +105,7 @@ protected CommandPipeline buildImageCommand(String tag, String dockerDirectory)
     }
 
     protected CommandPipeline buildLambdaImageCommand(String tag, String dockerDirectory) {
-        return pipeline(command("docker", "build", "-t", tag, dockerDirectory));
+        return pipeline(command("docker", "build", "--provenance=false", "-t", tag, dockerDirectory));
     }
 
     protected CommandPipeline pullImageCommand(String tag) {

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ protected CommandPipeline buildImageCommand(String tag, String dockerDirectory)`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`protected CommandPipeline buildLambdaImageCommand(String tag, String dockerDirectory) {`
`108`		`- return pipeline(command("docker", "build", "-t", tag, dockerDirectory));`
	`108`	`+ return pipeline(command("docker", "build", "--provenance=false", "-t", tag, dockerDirectory));`
`109`	`109`	`}`
`110`	`110`
`111`	`111`	`protected CommandPipeline pullImageCommand(String tag) {`