-
Notifications
You must be signed in to change notification settings - Fork 130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Smarter Chains: check taskrun level results for Subjects #866
Conversation
Prior, we received slsa-related configs from configmap and passed them via separate arguments down to GenerateAttestation. Now, we pass them via context instead of separate args. Benefits: - make `GenerateAttestation` function interface cleaner which ends up receiving only 2 args: ctx and TektonObject. - be extensible to receive more slsa-related configs without having to change downstream functions' interface i.e. config option [`ObserveMode`](tektoncd#866 (comment)) which customizes how Chains observes inputs/outputs. Signed-off-by: Chuang Wang <[email protected]>
Prior, we received slsa-related configs from configmap and passed them via separate arguments down to GenerateAttestation. Now, we pass them via a struct as a whole instead of separate args. This will enable slsa formatters to be extensible to receive more slsa-related configs without having to change downstream functions' interface i.e. config option [`ObserveMode`](tektoncd#866 (comment)) which customizes how Chains observes inputs/outputs. Signed-off-by: Chuang Wang <[email protected]>
…#885) Prior, we received slsa-related configs from configmap and passed them via separate arguments down to GenerateAttestation. Now, we pass them via a struct as a whole instead of separate args. This will enable slsa formatters to be extensible to receive more slsa-related configs without having to change downstream functions' interface i.e. config option [`ObserveMode`](#866 (comment)) which customizes how Chains observes inputs/outputs. Signed-off-by: Chuang Wang <[email protected]>
The following is the coverage report on the affected files.
|
f6677c5
to
6df2fb5
Compare
The following is the coverage report on the affected files.
|
c58bf20
to
c7cb7b6
Compare
The following is the coverage report on the affected files.
|
c7cb7b6
to
ccc2fb6
Compare
The following is the coverage report on the affected files.
|
case *v1beta1.PipelineRun: | ||
subjects = subjectsFromPipelineRun(ctx, obj, slsaconfig) | ||
case *v1beta1.TaskRun: | ||
subjects = subjectsFromTektonObject(ctx, obj) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not call it subjectsFromTaskRun
? Tekton Object
refers to both task and pipeline runs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
subjectsFromPipelineRun also passes PipelineRunObject to subjectsFromTektonObject if pr
mode is configured.
ccc2fb6
to
6e9ddf1
Compare
The following is the coverage report on the affected files.
|
6e9ddf1
to
70f0f98
Compare
The following is the coverage report on the affected files.
|
The following is the coverage report on the affected files.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lcarva The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
dae980f
to
e690eac
Compare
The following is the coverage report on the affected files.
|
/lgtm |
1 similar comment
/lgtm |
The following is the coverage report on the affected files.
|
Step 1/2 of tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to propagate child TaskRun results to pipeline level and name the pipeline results in type hinting way even though the pulled tasks already produce type hinting results. Now, we introduced a new configmap field `artifacts.pipelinerun.enable-deep-inspection` to allow Chains to inspect both pipeline results and child task results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. That said, users still have ability to propagate task results to pipeline level if the tasks they referenced do not produce type hinting results. Signed-off-by: Chuang Wang <[email protected]>
e690eac
to
4b8acd4
Compare
Sorry made a minor change (unit test name) |
The following is the coverage report on the affected files.
|
/lgtm |
The following is the coverage report on the affected files.
|
/kind feature |
Changes
/kind feature
Step 1/2 of #850
Prior, Chains only looks for pipeline results to understand what
artifacts were generated in a pipeline. That means pipeline authors need
to propagate child TaskRun results to pipeline level and name the pipeline
results in type hinting way even though the pulled tasks already produce
type hinting results.
Now, we introduced a new configmap field
artifacts.pipelinerun.enable-deep-inspection
to allow Chains to inspect both pipeline results and child task results
to understand what artifacts were generated throughout a pipeline.
This way, pipeline authors no longer need to worry about the rules when
writting a pipeline as long as they pull in right tasks that produce type hinting results.
That said, users still have ability to propagate task results to pipeline
level if the tasks they referenced do not produce type hinting results.
Signed-off-by: Chuang Wang [email protected]
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes