workflows: simplify build image CI #3031
Conversation
mtardy
force-pushed
the
pr/mtardy/build-image-ci-rewrite
branch
3 times, most recently
from
403e90a
to
effc224
Compare
Since the Image CI Build is the most sensitive of our workflows since it runs in the context of pull_request_target, let's make it simple as nobody currently properly maintains the signing and the BOM. I don't think anybody expect the CI builds to be fully shipped with BOM and signing anyway. Signed-off-by: Mahe Tardy <[email protected]>
mtardy
force-pushed
the
pr/mtardy/build-image-ci-rewrite
branch
2 times, most recently
from
5c61f49
to
059348e
Compare
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Follow security best practices for this sensitive pull_request_target workflow and simplify it for easy maintenance. Signed-off-by: Mahe Tardy <[email protected]>
mtardy
force-pushed
the
pr/mtardy/build-image-ci-rewrite
branch
from
059348e
to
7cdcad7
Compare
|
cc @piergiorgioladisa if you want to take a look at this simplification. I believe it's not fixing any actual security issue, but this would make the workflow more resilient for future evolution given the sensitivity since it's running in the context of |
really great job in simplifying and securing the workflow. I can't see any issue, so everything looks good to me |
| run: | | ||
| cosign sign -y quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }} | ||
|
|
||
| - name: Generate SBOM |
There was a problem hiding this comment.
A counter argument for removing this might be that we will get a chance to notice 'SBOM' breaking before an actual release. I don't mind that, and we can always try to do -rc prereleases to catch such issues.
There was a problem hiding this comment.
However one of my arguments would be that maybe we should remove it everywhere since nobody's maintaining it, and if somebody actually needsit, maybe we should dedicate time and effort.
Follow security best practices for this sensitive pull_request_target workflow and simplify it for easy maintenance.