Makefile: Add update-embedded-root rule #1301
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This uses the "plumbing" command to ensure the newest root has been downloaded and verified. Then it copies the newest TUF root and the trusted_root.json into the sources. The benefit here is that one does not need to manually find the cache directories when an update should be done. This hard codes XDG_DATA_HOME and XDG_CACHE_HOME for simplicity. We could later add a workflow that runs this on cron and files an issue if the sources changed as a result. Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Creates a new issue once a week if * the embedded TUF root (or trusted_root.json) differs from the current one served by root-signing * and there is no open issue with same label already This does add a new CI-dependency (github-script) but I believe the currently used actions do not provide the capabilities needed here. The "embedded-root-update" label likely needs to be created by a maintainer manually. Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
361859f to
3bfc067
Compare
woodruffw
reviewed
Feb 14, 2025
Comment on lines
+34
to
+36
| - if: failure() | ||
| name: Create an issue if embedded root is not up-to-date | ||
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 |
There was a problem hiding this comment.
We're also using peter-evans/create-issue-from-file for this in the staging-tests.yml workflow, although I like this approach better, especially since it avoids duplicate issue filing!
This was referenced Feb 21, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
make update-embedded-rootruleI'm not sure if the workflow is really needed but I decided to include it. I think automatically making a PR might be a bad idea (since there are no test suite tests for this we'd be trusting CI 100% and that doesn't sound right in this case).
Makefile rule uses the "plumbing" command to ensure the newest root has been downloaded and verified. Then it copies the newest TUF root and the trusted_root.json into the sources. The benefit here is that one does not need to manually find the cache directories when an update should be done.
Makefile rule hard codes XDG_DATA_HOME and XDG_CACHE_HOME for simplicity.
The workflow adds a new CI-dependency (github-script) but I believe the currently used actions do not provide the capabilities needed here.
I've created the "embedded-root-update" label manually in this project already so this should just work.