@scop scop commented Apr 20, 2025

Closes #3793

Caveat: untested, but I suppose this could work.

Check List


e.g. https://github.com/pkdindustries/soulshack

https://github.com/pkdindustries/soulshack/blob/f625a32a1dd503edc0980eb081a2eae249cab578/.github/workflows/go.yml#L94

github_artifact_attestations:
  signer_workflow: pkdindustries/soulshack/.github/workflows/go.yml
  predicate_type: https://in-toto.io/attestation/release/v0.1

@suzuki-shunsuke
Member

Thank you always!

I think you need to add a field to

type GitHubArtifactAttestations struct {
	Enabled *bool `json:"enabled,omitempty"`
	// https://github.com/aquaproj/aqua/issues/3581
	SignerWorkflow2 string `yaml:"signer_workflow,omitempty" json:"signer_workflow,omitempty"`
	// Deprecated: We'll remove signer-workflow at aqua v3.
	SignerWorkflow3 string `yaml:"signer-workflow,omitempty" json:"signer-workflow,omitempty"`
}

@suzuki-shunsuke
Member

suzuki-shunsuke commented Apr 20, 2025

https://github.com/aquaproj/aqua/actions/runs/14557538836/job/40836506577?pr=3794

Hmm. Maybe this doesn't work well in case of pull requests from fork repositories.

/usr/bin/git fetch --depth=1 origin feat/gh-attestation-predicate-type
fatal: couldn't find remote ref feat/gh-attestation-predicate-type
Error: The process '/usr/bin/git' failed with exit code 128

I'll take a look.

Comment on lines +263 to +265
"predicate_type": {
"type": "string"
},
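
Review bot: the new "predicate_type" property at +263 to +265 carries only "type": "string", with no "description", so anyone editing a registry against this schema gets no hint that the value is expected to be an attestation predicate type URI such as https://in-toto.io/attestation/release/v0.1 from the PR description. Consider adding a description, and if this schema file is generated rather than hand-edited, add it at the source the generator reads so it survives regeneration.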
Member

Do you update this manually?
If so, you can update the JSON Schema with the cmdx js command.
cmdx js updates the JSON Schema according to the Go code.

Member

And CI (autofix.ci) updates JSON Schema automatically, though there is something wrong now.

#3794 (comment)

Contributor Author

Yes, I did update the schema manually. Thanks for the tips, I'll try to remember them for the future.

@scop
Contributor Author

scop commented Apr 20, 2025

I think you need to add a field to

type GitHubArtifactAttestations struct {
	Enabled *bool `json:"enabled,omitempty"`
	// https://github.com/aquaproj/aqua/issues/3581
	SignerWorkflow2 string `yaml:"signer_workflow,omitempty" json:"signer_workflow,omitempty"`
	// Deprecated: We'll remove signer-workflow at aqua v3.
	SignerWorkflow3 string `yaml:"signer-workflow,omitempty" json:"signer-workflow,omitempty"`
}

Oh, for sure 🤦. Done (still untested) in b967432

@suzuki-shunsuke suzuki-shunsuke added the enhancement New feature or request label Apr 20, 2025
@suzuki-shunsuke
Member

I confirmed it works well.
I added a test case. ddb57ba

@suzuki-shunsuke suzuki-shunsuke added this to the v2.49.1 milestone Apr 20, 2025
@suzuki-shunsuke suzuki-shunsuke merged commit a3e7356 into aquaproj:main Apr 20, 2025
20 checks passed
@github-project-automation github-project-automation bot moved this to Done in main Apr 20, 2025
@scop scop deleted the feat/gh-attestation-predicate-type branch April 20, 2025 12:32
Labels
enhancement New feature or request security

Successfully merging this pull request may close these issues.

GH attestation support for non-default predicate types