Handle building unsigned containers #240
Conversation
tnevrlka
commented
Feb 3, 2025
tnevrlka
commented
- source-container-build fails fatally if the containers are unsigned
- Users should still be able to build even if they are unsigned (EC checks will still fail though)
Was the intention of the story to skip unsigned base images, or to use them even if they're unsigned?
Will they? I'm not sure if there's an EC check for base image sources being included |
tnevrlka
force-pushed
the
handle-missing-signature
branch
2 times, most recently
from
7daa363 to
b0834e2
Compare
- source-container-build fails fatally if the containers are unsigned - Users should still be able to build even if they are unsigned (EC checks will still fail though) Signed-off-by: Tomáš Nevrlka <[email protected]> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
tnevrlka
force-pushed
the
handle-missing-signature
branch
from
b0834e2 to
18aa012
Compare
I checked how we currently set the I also checked https://github.com/enterprise-contract/ec-policies/ and https://github.com/release-engineering/rhtap-ec-policy for occurrences of This introduces two problems
Thinking about this more, maybe we could do something different than ignore the |
|
But TBH, I also wouldn't mind leaving things as they are and letting the source-build task fail on failure 😄 (using TEST_OUTPUT here feels like abusing it) IMO we should ask Ralph what his expectations were about the "graceful failure" |
|
The original idea in Konflux ADR 14. Let Pipelines Proceed was that we want users to get functionally testable builds out of their pipeline as frequently as possible, even in the face of other failures so that scanning or linting issues don't prevent them from at least making progress in validating the functional state of their product. They might be blocked from releasing, but at least they won't be blocked from testing or messing around with their artifact in a dev environment. How do you see that idea apply or not apply here? |
Unlike scanning and linting, source-container build failures will usually be intermittent. It doesn't seem right in general to let those proceed, since the solution will be a retry. And if we let the pipeline proceed, then the feedback loop won't be just to keep retrying the build but will also involve waiting for the release pipeline to succeed/fail. |
But maybe we can re-consider if we want to fail the source builds because of missing signatures. During the build step, buildah pulled the base images without complaining, so perhaps the source-build step shouldn't care about the missing signatures either. |
|
I think we can have a task parameter that would control if the task should fail or not on missing signature. I'd keep fail as the default behaviour, but if a user wants to proceed with the build and skip the source image build problem for now, they still can. |
|
Hi @ralphbean, what do you think about the proposed solutions? |
|
@chmeliik Would you be okay with the task parameter? |
Sounds okay. Just to clarify what it would do: IMO when set to ignore missing signatures, the source build task should download the parent image even if it's unsigned |
