Smarter Chains: check taskrun level results for Subjects #866
Conversation
tekton-robot
added
the
size/L
Prior, we received slsa-related configs from configmap and passed them via separate arguments down to GenerateAttestation. Now, we pass them via context instead of separate args. Benefits: - make `GenerateAttestation` function interface cleaner which ends up receiving only 2 args: ctx and TektonObject. - be extensible to receive more slsa-related configs without having to change downstream functions' interface i.e. config option [`ObserveMode`](tektoncd#866 (comment)) which customizes how Chains observes inputs/outputs. Signed-off-by: Chuang Wang <[email protected]>
Prior, we received slsa-related configs from configmap and passed them via separate arguments down to GenerateAttestation. Now, we pass them via a struct as a whole instead of separate args. This will enable slsa formatters to be extensible to receive more slsa-related configs without having to change downstream functions' interface i.e. config option [`ObserveMode`](tektoncd#866 (comment)) which customizes how Chains observes inputs/outputs. Signed-off-by: Chuang Wang <[email protected]>
…#885) Prior, we received slsa-related configs from configmap and passed them via separate arguments down to GenerateAttestation. Now, we pass them via a struct as a whole instead of separate args. This will enable slsa formatters to be extensible to receive more slsa-related configs without having to change downstream functions' interface i.e. config option [`ObserveMode`](#866 (comment)) which customizes how Chains observes inputs/outputs. Signed-off-by: Chuang Wang <[email protected]>
|
The following is the coverage report on the affected files.
|
chuangw6
force-pushed
the
smarter-chains
branch
2 times, most recently
from
f6677c5
to
6df2fb5
Compare
|
The following is the coverage report on the affected files.
|
tekton-robot
added
the
do-not-merge/work-in-progress
chuangw6
force-pushed
the
smarter-chains
branch
2 times, most recently
from
c58bf20
to
c7cb7b6
Compare
tekton-robot
removed
the
do-not-merge/work-in-progress
|
The following is the coverage report on the affected files.
|
chuangw6
force-pushed
the
smarter-chains
branch
from
c7cb7b6
to
ccc2fb6
Compare
|
The following is the coverage report on the affected files.
|
| case *v1beta1.PipelineRun: | ||
| subjects = subjectsFromPipelineRun(ctx, obj, slsaconfig) | ||
| case *v1beta1.TaskRun: | ||
| subjects = subjectsFromTektonObject(ctx, obj) |
There was a problem hiding this comment.
Why not call it subjectsFromTaskRun? Tekton Object refers to both task and pipeline runs.
There was a problem hiding this comment.
subjectsFromPipelineRun also passes PipelineRunObject to subjectsFromTektonObject if pr mode is configured.
chuangw6
force-pushed
the
smarter-chains
branch
from
ccc2fb6
to
6e9ddf1
Compare
|
The following is the coverage report on the affected files.
|
chuangw6
force-pushed
the
smarter-chains
branch
from
6e9ddf1
to
70f0f98
Compare
|
The following is the coverage report on the affected files.
|
|
The following is the coverage report on the affected files.
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lcarva The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
chuangw6
force-pushed
the
smarter-chains
branch
2 times, most recently
from
dae980f
to
e690eac
Compare
|
The following is the coverage report on the affected files.
|
|
/lgtm |
1 similar comment
|
/lgtm |
|
The following is the coverage report on the affected files.
|
Step 1/2 of tektoncd#850 Prior, Chains only looks for pipeline results to understand what artifacts were generated in a pipeline. That means pipeline authors need to propagate child TaskRun results to pipeline level and name the pipeline results in type hinting way even though the pulled tasks already produce type hinting results. Now, we introduced a new configmap field `artifacts.pipelinerun.enable-deep-inspection` to allow Chains to inspect both pipeline results and child task results to understand what artifacts were generated throughout a pipeline. This way, pipeline authors no longer need to worry about the rules when writting a pipeline as long as they pull in right tasks that produce type hinting results. That said, users still have ability to propagate task results to pipeline level if the tasks they referenced do not produce type hinting results. Signed-off-by: Chuang Wang <[email protected]>
chuangw6
force-pushed
the
smarter-chains
branch
from
e690eac
to
4b8acd4
Compare
|
Sorry made a minor change (unit test name) |
|
The following is the coverage report on the affected files.
|
|
/lgtm |
|
The following is the coverage report on the affected files.
|
|
/kind feature |
tekton-robot
added
the
kind/feature
Changes
/kind feature
Step 1/2 of #850
Prior, Chains only looks for pipeline results to understand what
artifacts were generated in a pipeline. That means pipeline authors need
to propagate child TaskRun results to pipeline level and name the pipeline
results in type hinting way even though the pulled tasks already produce
type hinting results.
Now, we introduced a new configmap field
artifacts.pipelinerun.enable-deep-inspectionto allow Chains to inspect both pipeline results and child task results
to understand what artifacts were generated throughout a pipeline.
This way, pipeline authors no longer need to worry about the rules when
writting a pipeline as long as they pull in right tasks that produce type hinting results.
That said, users still have ability to propagate task results to pipeline
level if the tasks they referenced do not produce type hinting results.
Signed-off-by: Chuang Wang [email protected]
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes