fix(EC-972): Add support for attaching trusted artifacts #138
2f1c523 to bc463b0
Not sure why we need this, attaching artifacts to a build could have been its own (separate) thing
@@ -1,32 +1,20 @@ | |||
FROM scratch AS files |
Could have been a separate commit/PR
I will plan to move it to its own commit. I made this change to make debugging faster as I didn't have to reinstall all dependencies every time I modified the scripts.
oras attach "${oras_opts[@]}" --no-tty --registry-config <(select-oci-auth.sh ${repo}) --artifact-type "${oci_artifact_type}" \ | ||
--distribution-spec v1.1-referrers-api "${store}" "${attached_artifacts[@]}" | ||
oras attach "${oras_opts[@]}" --no-tty --registry-config <(select-oci-auth.sh ${repo}) --artifact-type "${oci_artifact_type}" \ | ||
--distribution-spec v1.1-referrers-tag "${store}" "${attached_artifacts[@]}" |
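Review bot: `${repo}` is unquoted inside the process substitution `<(select-oci-auth.sh ${repo})` on both `oras attach` lines, so a repository value containing whitespace or glob characters is split or expanded before `select-oci-auth.sh` receives it, and the credentials selected may not be the ones intended; write it as `"${repo}"`. The two invocations are also identical apart from `--distribution-spec`, so if both are kept, the shared arguments should live in one array to stop the two calls drifting apart.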
No need to force both options, ORAS will pick the best one available
oras attach "${oras_opts[@]}" --no-tty --registry-config <(select-oci-auth.sh ${repo}) --artifact-type "${oci_artifact_type}" \ | |
--distribution-spec v1.1-referrers-api "${store}" "${attached_artifacts[@]}" | |
oras attach "${oras_opts[@]}" --no-tty --registry-config <(select-oci-auth.sh ${repo}) --artifact-type "${oci_artifact_type}" \ | |
--distribution-spec v1.1-referrers-tag "${store}" "${attached_artifacts[@]}" | |
oras attach "${oras_opts[@]}" --no-tty --registry-config <(select-oci-auth.sh ${repo}) --artifact-type "${oci_artifact_type}" "${store}" "${attached_artifacts[@]}" |
If trusted artifacts are generated after an image has been built, we can use oras to attach the artifacts instead of just pushing them to the same registry location and tag where the image will eventually be pushed. Signed-off-by: arewm <[email protected]>
The model is the same, we are pushing related files to the registry and recording the digest in results. The difference is just the mechanism of the push -- if we have an artifact, we don't have to rely on the (potentially fragile) tag-based association. We can instead rely on the referrers API. A future change can add retrieving attached artifacts, but since that is not an immediate requirement, I didn't pursue that in the current PR.
We should strive to have simple tools that do one thing well, this change doesn't have a use case in maintaining the trust between Tasks which is the focus of this repository. It seems to me that it is convenient to put this functionality here -- not necessary. I think this should be part of a different tool, one that focuses on image attachments.
Closing as I implemented this functionality in
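The difference between tag-based association and a referrers-style attachment discussed in this thread, as an added example that is not code from this PR or from ORAS. It builds an OCI v1.1 manifest whose `subject` pins the image by digest and derives the `v1.1-referrers-tag` fallback tag; the image bytes, blob contents, artifact type and function names are all constructed or hypothetical.

```python
import hashlib
import json

MANIFEST_TYPE = "application/vnd.oci.image.manifest.v1+json"


def descriptor(media_type, blob):
    """OCI content descriptor: the digest pins the exact bytes."""
    return {"mediaType": media_type,
            "digest": "sha256:" + hashlib.sha256(blob).hexdigest(),
            "size": len(blob)}


# OCI v1.1 "empty" config descriptor, i.e. the two bytes b"{}".
EMPTY_CONFIG = descriptor("application/vnd.oci.empty.v1+json", b"{}")


def attach_manifest(subject_bytes, artifact_type, blob, blob_type):
    """Manifest that refers to its subject by digest, not by a mutable tag."""
    return {
        "schemaVersion": 2,
        "mediaType": MANIFEST_TYPE,
        "artifactType": artifact_type,
        "config": EMPTY_CONFIG,
        "layers": [descriptor(blob_type, blob)],
        "subject": descriptor(MANIFEST_TYPE, subject_bytes),
    }


def fallback_tag(subject_digest):
    """Referrers tag schema, used when a registry lacks the referrers API."""
    alg, _, hexdigest = subject_digest.partition(":")
    return f"{alg}-{hexdigest}"[:128]


def referrers_of(manifests, subject_digest, artifact_type):
    """Keep only manifests bound to this subject digest and artifact type."""
    return [m for m in manifests
            if m.get("subject", {}).get("digest") == subject_digest
            and m.get("artifactType") == artifact_type]


# Constructed sample data: two builds of an image, one attached artifact.
image_v1 = json.dumps({"schemaVersion": 2, "build": 1}).encode()
image_v2 = json.dumps({"schemaVersion": 2, "build": 2}).encode()
ARTIFACT_TYPE = "application/vnd.example.trusted-artifact"  # hypothetical
attached = attach_manifest(image_v1, ARTIFACT_TYPE, b"source.tar.gz bytes",
                           "application/octet-stream")
V1 = descriptor(MANIFEST_TYPE, image_v1)["digest"]
V2 = descriptor(MANIFEST_TYPE, image_v2)["digest"]
```

If the tag is later moved to the second build, `referrers_of` returns nothing for `V2`: the attachment stays bound to the digest it was created for, which is the property a tag-based association lacks.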