workflows: simplify build image CI #3031
base: main
Conversation
403e90a to effc224
Since the Image CI Build is the most sensitive of our workflows since it runs in the context of pull_request_target, let's make it simple as nobody currently properly maintains the signing and the BOM. I don't think anybody expects the CI builds to be fully shipped with BOM and signing anyway. Signed-off-by: Mahe Tardy <[email protected]>
5c61f49 to 059348e
Follow security best practices for this sensitive pull_request_target workflow and simplify it for easy maintenance. Signed-off-by: Mahe Tardy <[email protected]>
059348e to 7cdcad7
cc @piergiorgioladisa if you want to take a look at this simplification. I believe it's not fixing any actual security issue, but this would make the workflow more resilient for future evolution given the sensitivity since it's running in the context of
Really great job in simplifying and securing the workflow. I can't see any issue, so everything looks good to me
LGTM, thanks!
run: | | ||
cosign sign -y quay.io/${{ github.repository_owner }}/${{ matrix.name }}-ci@${{ steps.docker_build_ci_main.outputs.digest }} | ||
|
||
- name: Generate SBOM |
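Review bot: Removing the `cosign sign -y quay.io/...@${{ steps.docker_build_ci_main.outputs.digest }}` step together with the `Generate SBOM` step means the `-ci` images pushed by this workflow are no longer signed and carry no SBOM, so anything that verifies CI image signatures or assumes parity with release images will stop matching without an obvious error; since the commit message accepts this trade-off, consider adding a short comment at the push step stating that CI images are intentionally unsigned and SBOM-less, so that a future contributor does not re-introduce signing under `pull_request_target` without the same level of review.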
A counter argument for removing this might be that we will get a chance to notice 'SBOM' breaking before an actual release. I don't mind that, and we can always try to do -rc prereleases to catch such issues.
Yep, that's true.
However, one of my arguments would be that maybe we should remove it everywhere since nobody's maintaining it, and if somebody actually needs it, maybe we should dedicate time and effort.