Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add attestation to installer #17827

Merged
merged 11 commits into from
Aug 19, 2024
Merged

feat: add attestation to installer #17827

merged 11 commits into from
Aug 19, 2024

Conversation

SMillerDev
Copy link
Member

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

We have one more artifact that's compiled by us that we can add attestation for.

@SMillerDev
Copy link
Member Author

Actually, we do docker too. Not sure if that can have attestation?

@woodruffw
Copy link
Member

Actually, we do docker too. Not sure if that can have attestation?

Like a docker image? I believe those can have attestations as well (anything that's an OCI blob can), although I haven't played with that part of GH attestations as much.

Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @SMillerDev! IMO docs on brew.sh for verifying this would be nice, although arguably most users won't have gh to verify it with until after they install brew...

.github/workflows/docker.yml Outdated Show resolved Hide resolved
.github/workflows/pkg-installer.yml Outdated Show resolved Hide resolved
Co-authored-by: Patrick Linnane <patrick@linnane.io>
Copy link

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale No recent activity label Aug 14, 2024
@woodruffw woodruffw added in progress Maintainers are working on this and removed stale No recent activity labels Aug 14, 2024
@SMillerDev
Copy link
Member Author

I changed the docker attestation to only run on tags. It might be good to make it continue on errors.

@MikeMcQuaid
Copy link
Member

I changed the docker attestation to only run on tags.

I think it'd be good to always attest, partly because I'm not sure I understand why it would fail without and partly to ensure this PR passes before merging 😁

It might be good to make it continue on errors.

I'd rather we didn't add this functionality if we think it's likely to fail.

@SMillerDev
Copy link
Member Author

I think it'd be good to always attest, partly because I'm not sure I understand why it would fail without and partly to ensure this PR passes before merging 😁

It's an annoying docker thing. The attestation uses the package digest. But there is no package digest before it's uploaded somewhere. And we don't upload without a tag.

So there are two solutions to this:

  • We always upload the containers
  • We only do attestation on tags

I'd rather we didn't add this functionality if we think it's likely to fail.

Not particularly. I just have no way to test it.

@MikeMcQuaid
Copy link
Member

And we don't upload without a tag.

Do we (n)ever upload the master Docker image? I thought we did but maybe I'm wrong.

  • We only do attestation on tags

This seems reasonable, I'm just concerned (kinda like .pkg generation) it breaks on the tag and we don't notice.

At least if it's continue-on-error this would be mitigated so I'm 👍🏻 on that if you're 👍🏻 to keep an eye on next few tags.

@SMillerDev
Copy link
Member Author

Do we (n)ever upload the master Docker image? I thought we did but maybe I'm wrong.

We don't, it surprised me a bit too.

This seems reasonable, I'm just concerned (kinda like .pkg generation) it breaks on the tag and we don't notice.

Yeah, I share your concern there. I'm fine having a look on tags, or changing it to upload for protected branches too.

@MikeMcQuaid
Copy link
Member

Do we (n)ever upload the master Docker image? I thought we did but maybe I'm wrong.

We don't, it surprised me a bit too.

Just checked: we do. It's just in tests.yml, confusingly? Should probably move this to docker.yml instead.

@SMillerDev
Copy link
Member Author

Yeah, we can attest those to try and then expand it after.

Copy link
Member

@MikeMcQuaid MikeMcQuaid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, thanks! Some tiny naming tweaks then good to 🚢 and keep an eye on this.

.github/workflows/tests.yml Outdated Show resolved Hide resolved
.github/workflows/tests.yml Outdated Show resolved Hide resolved
Co-authored-by: Mike McQuaid <mike@mikemcquaid.com>
@SMillerDev SMillerDev merged commit 2a5eb02 into master Aug 19, 2024
29 checks passed
@SMillerDev SMillerDev deleted the SMillerDev-patch-1 branch August 19, 2024 15:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in progress Maintainers are working on this
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants