Skip to content

feat: generate checksum cosign config #3649

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 15, 2025
Merged

feat: generate checksum cosign config #3649

merged 1 commit into from
Mar 15, 2025

Conversation

scop
Copy link
Contributor

@scop scop commented Mar 14, 2025
edited
Loading

This adds support for generating cosign configs for checksum files in gr.

Lightly tested, may have bugs. But a happy path exists: aquaproj/aqua-registry#33234

Check List

@scop scop mentioned this pull request Mar 14, 2025
Closed
53 tasks
scop
scop commented Mar 14, 2025
View reviewed changes
pkg/controller/generate-registry/group.go
Comment on lines -251 to +254
pkgInfo := &registry.PackageInfo{}
pkgInfo := &registry.PackageInfo{
RepoOwner: pkgInfo.RepoOwner,
RepoName: pkgInfo.RepoName,
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This and carrying the pkgInfo around is not too nice at all, but I needed some way to get the repo owner and name down to patchRelease. Figured I'd start simple, this appears to work at least for some cases.

scop
scop commented Mar 14, 2025
View reviewed changes
pkg/controller/generate-registry/generate.go
Comment on lines +319 to +321
`^https://github\.com/%s/%s/\.github/workflows/.+\.ya?ml@refs/tags/`,
regexp.QuoteMeta(pkgInfo.RepoOwner),
regexp.QuoteMeta(pkgInfo.RepoName),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This won't be correct for everything (if the identity is from another project), but I thought it would be ok to do it this way and leave it for humans to fix where necessary.

scop
scop commented Mar 14, 2025
View reviewed changes
pkg/controller/generate-registry/generate.go
Opts: []string{
"--certificate-identity-regexp",
fmt.Sprintf(
`^https://github\.com/%s/%s/\.github/workflows/.+\.ya?ml@refs/tags/`,
Copy link
Contributor Author

@scop scop Mar 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left {{.Version}} out from here, mostly because I feel simply having the version replaced here literally by templating would not be a good thing to do as the version could contain regex metacharacters -- and in fact it in the vast majority of cases does: the period is one (a regexp . matches a literal . so it would kind of work, but be hacky).

We could go with this though, on a second look I think I'd actually like this better. Thoughts?

Suggested change
`^https://github\.com/%s/%s/\.github/workflows/.+\.ya?ml@refs/tags/`,
`^https://github\.com/%s/%s/\.github/workflows/.+\.ya?ml@refs/tags/\Q{{.Version}}\E$`,

@scop scop mentioned this pull request Mar 14, 2025
Merged
5 tasks
@suzuki-shunsuke suzuki-shunsuke added the enhancement New feature or request label Mar 15, 2025
@suzuki-shunsuke
Copy link
Member

Thank you for your contribution!

@suzuki-shunsuke suzuki-shunsuke added this to the v2.45.2 milestone Mar 15, 2025
@suzuki-shunsuke
Copy link
Member

Great work.
Honestly, I'm not sure if this works well actually unless we try it out.
If there are any problems, we can fix them.

suzuki-shunsuke
suzuki-shunsuke reviewed Mar 15, 2025
View reviewed changes
pkg/controller/generate-registry/generate.go
Comment on lines +320 to +321
regexp.QuoteMeta(pkgInfo.RepoOwner),
regexp.QuoteMeta(pkgInfo.RepoName),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
regexp.QuoteMeta(pkgInfo.RepoOwner),
regexp.QuoteMeta(pkgInfo.RepoName),
pkgInfo.RepoOwner,
pkgInfo.RepoName,

In my understanding, regular expression metacharacters aren't available in GitHub repository owners and names.
So we don't need to use regexp.QuoteMeta here.
But there is no problem even if it is used.

@suzuki-shunsuke suzuki-shunsuke merged commit 5e805c4 into aquaproj:main Mar 15, 2025
15 checks passed
@github-project-automation github-project-automation bot moved this to Done in main Mar 15, 2025
@scop scop deleted the feat/gr-checksum-cosign branch March 16, 2025 08:34
scop added a commit to scop/aqua that referenced this pull request Mar 16, 2025
@scop
feat(cosign): include version in generated cert id regexp
fcd575d 
For tighter matching.

Refs aquaproj#3649 (comment)
@scop scop mentioned this pull request Mar 16, 2025
Merged
6 tasks
suzuki-shunsuke pushed a commit that referenced this pull request Mar 16, 2025
@scop
feat(cosign): include version in generated cert id regexp (#3663)
08d5adf 
For tighter matching.

Refs #3649 (comment)
@suzuki-shunsuke
Copy link
Member

🎉 https://github.com/aquaproj/aqua/releases/tag/v2.46.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@suzuki-shunsuke suzuki-shunsuke suzuki-shunsuke left review comments

Assignees
No one assigned
Labels
command:generate-registry cosign enhancement New feature or request
Projects
None yet
Milestone
v2.46.0
Development

Successfully merging this pull request may close these issues.
2 participants
@scop @suzuki-shunsuke