Support cachi2 config passing in prefetch-dependencies #1169
The cachi2 config doesn't contain any options that would compromise SBOM accuracy, right? Maybe the goproxy_url, since that would allow the user to make cachi2 download through a private proxy. But I think the purl spec doesn't account for that anyway :-/

From PURL spec you wouldn't really know. As for the options, I'd imagine the idea to be that options can only modify the behaviour without deliberately causing a regressive behaviour on the output, IOW I can imagine existence of options improving the quality of the SBOM, not decreasing it, especially as a side effect.

So what does all this mean for the goproxy_url option?

What it probably means is that cachi2 will either have to abuse the Zooming out slightly, should the

Not a blocker as long as it's tracked. Removing the option could be a good start 🙂

Okay, I can 'sed' it out for now.

I meant removing it from cachi2 until it's needed / until cachi2 can report it. But yeah, trying to avoid usage of it until it can be removed from cachi2 is probably a good idea.

Oh, then I misunderstood. That would break backwards compatibility though, in general we don't know whether any option is in active use anywhere (like yeah, nobody is likely using this one, but still...), so disabling it in the tekton task seems like a more practical workaround that can be replaced with a proper solution at any time.

Yeah, that's fine. I'll just mention that the sed command will have to be pretty gnarly if we want it robust (one could e.g. use YAML multiline strings to try and avoid detection, pass the file formatted as JSON, ...). Maybe we just shouldn't bother with it and accept that it's an inherent shortcoming in the current version of cachi2
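
Why the sed approach discussed above is fragile, as an added example that is not part of the original thread or the project's code: a line-based filter misses `goproxy_url` when the same config is written as JSON, while parsing first and deleting the key handles both forms. It assumes PyYAML is installed; `some_timeout_option` and the URL are constructed placeholders.

```python
import re
import yaml  # PyYAML, assumed to be installed

BLOCKED_KEYS = {"goproxy_url"}  # the option discussed in the thread

# Constructed sample configs. "some_timeout_option" is a placeholder key,
# not a documented cachi2 option; the URL is a placeholder too.
PLAIN = "goproxy_url: https://proxy.example.test\nsome_timeout_option: 600\n"
AS_JSON = '{"goproxy_url": "https://proxy.example.test", "some_timeout_option": 600}\n'


def line_filter(text):
    """sed-style filter: drop every line that starts with the blocked key."""
    pattern = re.compile(r"^\s*goproxy_url\s*:")
    return "".join(
        line for line in text.splitlines(keepends=True) if not pattern.match(line)
    )


def parse_filter(text):
    """Parse the document, drop blocked top-level keys, re-serialize as YAML."""
    data = yaml.safe_load(text)
    if data is None:
        data = {}
    if not isinstance(data, dict):
        raise ValueError("config must be a YAML mapping")
    kept = {k: v for k, v in data.items() if k not in BLOCKED_KEYS}
    return yaml.safe_dump(kept)


def keys_of(text):
    """Top-level keys a YAML parser sees in the given text."""
    data = yaml.safe_load(text)
    return set(data) if isinstance(data, dict) else set()


def survives(text):
    """True if a blocked key is still present once the text is parsed."""
    return bool(BLOCKED_KEYS & keys_of(text))


if __name__ == "__main__":
    for name, cfg in (("plain YAML", PLAIN), ("JSON-formatted", AS_JSON)):
        print(name, "| line filter leaves key:", survives(line_filter(cfg)),
              "| parse filter leaves key:", survives(parse_filter(cfg)))
```
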

Hmm, is
That way we're relying on
EDIT: and see if

yq would make this very easy, yeah: But it is not installed in the prefetch env (the cachi2 container)
There is a konflux-ci/yq container though:
To make use of it, you would have to:

7cba0d3 to 226b65b
@acmiel thanks for the guidance, I tried adjusting the task as advised.
1d42045 to 81965b5
ca4addd to e046b0c
/ok-to-test
Some behaviour configuring options are (rightfully) not exposed via CLI options, e.g. setting a timeout on HTTP requests which may be useful for users to set on slower connections and large artifact downloads where the default backend timeouts are simply not long enough. Allow consumers to pass a configuration YAML file to cachi2 to tweak supported behavioural traits.

Signed-off-by: Erik Skultety <[email protected]>
e046b0c to 17a20ee
LGTM 👍
Allow consumers to pass a cachi2 config to the tool in the prefetch task.
Before you complete this pull request ...
Look for any open pull requests in the repository with the title "e2e-tests update" and
see if there are recent e2e-tests updates that will be applicable to your change.