Ignore tag when matching trusted builders #2266
Conversation
github-actions
bot
added
the
type/enhancement
modulo11
force-pushed
the
match-trusted-builders
branch
2 times, most recently
from
eebc93a
to
a8f525c
Compare
Signed-off-by: Johannes Dillmann <[email protected]>
modulo11
force-pushed
the
match-trusted-builders
branch
from
a8f525c
to
cb8f978
Compare
There was a problem hiding this comment.
Thank you for the contribution @modulo11 - the implementation looks solid.
I do want to circulate this a bit more to ensure that folks are on board with it - I've added it to the agenda for the next working group. There are two things to note:
- We'll auto trust deprecated images (e.g., heroku/builder:22) in this case, but we do that already (because heroku/builder:22 is on the trusted list though it's not suggested)
- We could end up auto-trusting "dev" images, which worries me a little. Folks might not be placing the same care into the creation of those images compared to ones that get promoted to production. But that seems more of a risk for bugs vs malicious content.
|
@natalieparellano any updates from the working group meeting? |
I missed it 🙀 - @jabrown85 do you recall if this was discussed? |
|
Ah yeah - we did discuss this one the other day. The consensus of the those in the Working Group was that we like the idea of being able to trust a repo. E.g. |
|
Awesome - thank you @jabrown85! @modulo11 would you be able to update the implementation to reflect that? |
Summary
With this change, the tag part of a trusted builder is ignored. Trusting a builder
my/registry/builderat the moment does not also trustmy/registry/builder:latest, which should be the same image. Following up on a Slack discussion, it might be more intuitive for users to trust an image regardless of any tag.I took the opportunity to extract trusted/known builder handling into a common location.
Documentation