-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update notary with attestation #15568
base: master
Are you sure you want to change the base?
Conversation
5d155e0
to
6ed0a4b
Compare
This comment has been minimized.
This comment has been minimized.
The Test PR GHA failure is complaining about not being able to find Who can restart the GHA to retry? |
@whalelines I think this is a problem of the tag existing but not being updated anymore (not supported).I do feel like upgrading to a supported version of Go goes beyond the scope of this change |
Is this |
@tianon it can be but this is mostly to prevent duplicate builds of the same thing |
I'm not sure that the build is heavy (or non-deterministic) enough for that to make much difference, right? 😅 (It feels like leaking an implementation detail of the new build system to users in a place that's already pretty consistently confusing: "which tag do I use?") |
I could rework the upstream to use one Dockerfile with conditions with templating |
Yeah, solving the "maintaining the same thing twice" problem sounds like a better fit for templating 🙇 ❤️ |
6ed0a4b
to
321ba0d
Compare
Diff for 321ba0d:diff --git a/_bashbrew-cat b/_bashbrew-cat
index c7e8026..7aacc96 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,7 +1,7 @@
Maintainers: Justin Cormack (@justincormack)
Architectures: amd64, arm32v6, arm64v8, i386, ppc64le, s390x
GitRepo: https://github.com/docker/notary-official-images.git
-GitCommit: 77b9b7833f8dd6be07104b214193788795a320ff
+GitCommit: 6f17ffbcfd207a1783f20b65ba85d9577c84214f
Builder: buildkit
Tags: server-0.7.0, server
diff --git a/notary_server/Dockerfile b/notary_server/Dockerfile
index 832912f..d325276 100644
--- a/notary_server/Dockerfile
+++ b/notary_server/Dockerfile
@@ -1,3 +1,9 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
FROM golang:1.19-alpine3.16 AS build
RUN apk add --no-cache git make
@@ -10,6 +16,8 @@ ENV GOFLAGS -mod=vendor
WORKDIR /go/src/$NOTARYPKG
RUN set -eux; \
git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
+# In case the version in file doens't match the tag (like in 0.7.0)
+ echo "${TAG//v/}" > NOTARY_VERSION; \
# https://github.com/notaryproject/notary/pull/1635
git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
git -c user.name=foo -c user.email=foo@example.com cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
@@ -17,10 +25,12 @@ RUN set -eux; \
go get github.com/dvsekhvalnov/jose2go@v0.0.0-20200901110807-248326c1351b; \
go mod vendor; \
# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
+# Make the version detectable by scanners
+ sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
/notary-server --version; \
- /notary-signer --version
+ /notary-signer --version;
FROM alpine:3.16
diff --git a/notary_signer/Dockerfile b/notary_signer/Dockerfile
index 15bab3f..7cd6f79 100644
--- a/notary_signer/Dockerfile
+++ b/notary_signer/Dockerfile
@@ -1,3 +1,9 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
FROM golang:1.19-alpine3.16 AS build
RUN apk add --no-cache git make
@@ -10,6 +16,8 @@ ENV GOFLAGS -mod=vendor
WORKDIR /go/src/$NOTARYPKG
RUN set -eux; \
git clone -b "$TAG" --depth 1 "https://$NOTARYPKG.git" .; \
+# In case the version in file doens't match the tag (like in 0.7.0)
+ echo "${TAG//v/}" > NOTARY_VERSION; \
# https://github.com/notaryproject/notary/pull/1635
git fetch --depth 2 origin efc35b02698644af16f6049c7b585697352451b8; \
git -c user.name=foo -c user.email=foo@example.com cherry-pick -x efc35b02698644af16f6049c7b585697352451b8; \
@@ -17,10 +25,12 @@ RUN set -eux; \
go get github.com/dvsekhvalnov/jose2go@v0.0.0-20200901110807-248326c1351b; \
go mod vendor; \
# TODO remove for the next release of Notary (which should include efc35b02698644af16f6049c7b585697352451b8 & ca095023296d2d710ad9c6dec019397d46bf8576)
+# Make the version detectable by scanners
+ sed -i -r -E 's|(version.NotaryVersion=\$\(NOTARY_VERSION\))|\1 -X $(NOTARY_PKG)/version.Version=$(NOTARY_VERSION)|' Makefile; \
make SKIPENVCHECK=1 PREFIX=. ./bin/static/notary-server ./bin/static/notary-signer; \
cp -vL ./bin/static/notary-server ./bin/static/notary-signer /; \
/notary-server --version; \
- /notary-signer --version
+ /notary-signer --version;
FROM alpine:3.16 Relevant Maintainers:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Should we wait to merge this until the signing code has been updated?
How can we get the Both of them are past end of life in their respective upstream releases: Go 1.19 on 06 Sep 2023 and Alpine 3.16 on 23 May 2024. The |
I've opened docker/notary-official-images#38, but it might be worth considering how we can stay on top of it better (perhaps we need to get more folks with merge access/maintainership on that packaging repository so it doesn't always end up on Jonny's plate?) |
(we should also update |
No description provided.