Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make sure images stored in registry mirrors are signed #4262

Merged
merged 1 commit into from
Sep 28, 2021
Merged

Make sure images stored in registry mirrors are signed #4262

merged 1 commit into from
Sep 28, 2021

Conversation

priyawadhwa
Copy link

Changes

We were't previously signing these images because we weren't storing them in the IMAGES result when releaseAsLatest=true.

Since releaseAsLatest=true by default for releases, these images were never getting signed.

This change includes mirror images in the result, so they should be picked up by Chains and signed from now on.

Ref tektoncd/chains#241

/kind misc

cc @pritidesai

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Docs included if any changes are user facing
  • Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Release notes block below has been filled in or deleted (only if no user facing changes)

Release Notes

NONE

@tekton-robot tekton-robot added kind/misc Categorizes issue or PR as a miscellaneuous one. release-note-none Denotes a PR that doesnt merit a release note. labels Sep 27, 2021
@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Sep 27, 2021
pritidesai
pritidesai reviewed Sep 28, 2021
View reviewed changes
tekton/publish.yaml Outdated Show resolved Hide resolved
Make sure images stored in registry mirrors are signed
1add3de 
We were't previously signing these images because we weren't storing them in the `IMAGES` result when releaseAsLatest=true.

Since releaseAsLatest=true by default for releases, these images were never getting signed.

This change includes mirror images in the result, so they should be picked up by Chains and signed from now on.
@priyawadhwa
Copy link
Author

/test pull-tekton-pipeline-alpha-integration-tests

@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 28, 2021
@pritidesai
Copy link
Member

thanks @priyawadhwa

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 28, 2021
@pritidesai
Copy link
Member

/test pull-tekton-pipeline-alpha-integration-tests

@pritidesai
Copy link
Member

I don't think this is a legit failure:

        >>> Container step-curl:
        2021/09/28 18:44:59 Error executing command: fork/exec /tekton/scripts/script-0-79bnt: permission denied
    build_logs.go:37: build logs 
        >>> Container step-curl:
        + curl google.com
          % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                         Dload  Upload   Total   Spent    Left  Speed
        
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   219  100   219    0     0   6127      0 --:--:-- --:--:-- --:--:--  6257
        <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
        <TITLE>301 Moved</TITLE></HEAD><BODY>
        <H1>301 Moved</H1>
        The document has moved
        <A HREF="http://www.google.com/">here</A>.
        </BODY></HTML>
    build_logs.go:35: Could not get logs for pod not-hermetic-run-as-root-pod-qxl6c: pods "not-hermetic-run-as-root-pod-qxl6c" not found
    build_logs.go:37: build logs

Two hermetic alpha tests are failing for the other PRs as well (PR #4251). Any ideas?

@priyawadhwa
Copy link
Author

Two hermetic alpha tests are failing for the other PRs as well (PR #4251). Any ideas?

I wasn't able to reproduce this locally, the test must be flaky. I'm still not sure why, but it did pass in the most recent run of #4265.

I might try rerunning one more time to see what happens.

@priyawadhwa
Copy link
Author

/test pull-tekton-pipeline-alpha-integration-tests

@tekton-robot tekton-robot merged commit 6b6c672 into tektoncd:main Sep 28, 2021
@priyawadhwa priyawadhwa deleted the sign-everything branch September 28, 2021 23:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pritidesai pritidesai pritidesai left review comments

@vdemeester vdemeester vdemeester approved these changes

@dibyom dibyom Awaiting requested review from dibyom

Assignees

@pritidesai pritidesai

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/misc Categorizes issue or PR as a miscellaneuous one. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesnt merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@priyawadhwa @tekton-robot @pritidesai @vdemeester