Add .apko.lock.json to APK control section #802
base: main
Conversation
This generates the locked apko config for the guest container image that is used to build the APK and writes it as .apko.lock.json in the APK's control section. We could alternatively stick this in the (or another) SBOM, but that has triggered false positives with security scanners in the past.

Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
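The pin-and-lock step the description refers to, written out as an added stand-alone Go example. This is not melange's or apko's code: `Contents` and `ImageConfiguration` are simplified hypothetical stand-ins for the apko types the PR mutates, and the repositories, keys and package versions in `main` are constructed placeholders. It goes a little beyond the PR in two ways that matter for a lock file: it sorts the pins so the output is byte-stable, and it copies the slices it appends to so the caller's configuration is not mutated. `VerifyLock` is the check a consumer of the control-section file would run to reject anything that is not an exact `name=version` pin.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Contents and ImageConfiguration are simplified, hypothetical stand-ins for the
// apko types the PR mutates (ic.Contents.Packages, ic.Archs, ic.Contents.Repositories,
// ic.Contents.Keyring). They are not apko's real types.
type Contents struct {
	Repositories []string `json:"repositories,omitempty"`
	Keyring      []string `json:"keyring,omitempty"`
	Packages     []string `json:"packages"`
}

type ImageConfiguration struct {
	Contents Contents `json:"contents"`
	Archs    []string `json:"archs"`
}

// ResolvedPackage is the part of a resolved package needed to pin it.
type ResolvedPackage struct {
	Name    string
	Version string
}

// Lock turns a resolved package set into exact name=version pins, restricts the
// configuration to the one architecture being built, and appends the extra
// repositories and keys the build used. It appends to fresh copies so the
// caller's configuration is never mutated through a shared backing array.
func Lock(ic ImageConfiguration, pkgs []ResolvedPackage, arch string, extraRepos, extraKeys []string) (ImageConfiguration, error) {
	resolved := make([]string, 0, len(pkgs))
	for _, p := range pkgs {
		if p.Name == "" || p.Version == "" {
			return ImageConfiguration{}, fmt.Errorf("resolved package %q has an empty name or version", p.Name)
		}
		resolved = append(resolved, fmt.Sprintf("%s=%s", p.Name, p.Version))
	}
	sort.Strings(resolved) // deterministic order so the lock file is byte-stable across builds
	ic.Contents.Packages = resolved
	ic.Archs = []string{arch}
	ic.Contents.Repositories = append(append([]string(nil), ic.Contents.Repositories...), extraRepos...)
	ic.Contents.Keyring = append(append([]string(nil), ic.Contents.Keyring...), extraKeys...)
	return ic, nil
}

// MarshalLock renders the locked configuration as indented JSON.
func MarshalLock(ic ImageConfiguration) ([]byte, error) {
	return json.MarshalIndent(ic, "", "  ")
}

// VerifyLock is the check a consumer of .apko.lock.json would run: exactly one
// architecture, and every package an exact name=version pin with no apk range
// operators (<, >, ~) hiding in it.
func VerifyLock(data []byte) (ImageConfiguration, error) {
	var ic ImageConfiguration
	if err := json.Unmarshal(data, &ic); err != nil {
		return ic, fmt.Errorf("parsing lock: %w", err)
	}
	if len(ic.Archs) != 1 {
		return ic, fmt.Errorf("lock must name exactly one arch, got %d", len(ic.Archs))
	}
	for _, p := range ic.Contents.Packages {
		name, ver, ok := strings.Cut(p, "=")
		if !ok || name == "" || ver == "" || strings.ContainsAny(p, "<>~") {
			return ic, fmt.Errorf("package %q is not an exact name=version pin", p)
		}
	}
	return ic, nil
}

func main() {
	// Constructed sample input; the URLs and versions are placeholders, not real artefacts.
	ic := ImageConfiguration{Contents: Contents{
		Repositories: []string{"https://packages.example.invalid/os"},
		Keyring:      []string{"https://packages.example.invalid/os/signing.rsa.pub"},
		Packages:     []string{"busybox", "ca-certificates-bundle"},
	}}
	pkgs := []ResolvedPackage{
		{Name: "ca-certificates-bundle", Version: "20230506-r0"},
		{Name: "busybox", Version: "1.36.1-r0"},
	}
	locked, err := Lock(ic, pkgs, "x86_64", []string{"./packages"}, []string{"./melange.rsa.pub"})
	if err != nil {
		panic(err)
	}
	out, err := MarshalLock(locked)
	if err != nil {
		panic(err)
	}
	if _, err := VerifyLock(out); err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The round trip in `main` is the property a lock file should have: what the builder writes, a consumer can parse and confirm is fully pinned before trusting it as a description of the guest image.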
ic := bc.ImageConfiguration() | ||
pkgs, _, err := bc.BuildPackageList(ctx) | ||
if err != nil { | ||
return fmt.Errorf("resolving package versions: %w", err) | ||
} | ||
resolved := make([]string, 0, len(pkgs)) | ||
for _, pkg := range pkgs { | ||
resolved = append(resolved, fmt.Sprintf("%s=%s", pkg.Name, pkg.Version)) | ||
} | ||
ic.Contents.Packages = resolved | ||
ic.Archs = []apko_types.Architecture{b.Arch} | ||
ic.Contents.Repositories = append(ic.Contents.Repositories, b.ExtraRepos...) | ||
ic.Contents.Keyring = append(ic.Contents.Keyring, b.ExtraKeys...) |
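Review bot: the second return value of `bc.BuildPackageList(ctx)` is discarded with `_` on the `pkgs, _, err := bc.BuildPackageList(ctx)` line; if it carries anything a lock should record, or a condition the build should fail on, dropping it silently means a lock can be written for a package set apko itself would have flagged. Two related points on the same hunk: confirm that `bc.ImageConfiguration()` returns a copy, because the `ic.Contents.Repositories = append(...)` and `ic.Contents.Keyring = append(...)` lines otherwise append into slices that may share a backing array with the live build configuration, leaking the extra repos and keys into the build; and note that `name=version` pins alone do not say which repository a package came from, so any repository in the list offering that name and version satisfies the lock equally. If the file is meant to make the guest image reproducible, recording the package checksum or origin repository next to the pin would close that gap.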
This seems fine for now, but can I request that we hoist the resolution / locking logic into a shared place so that this and tf-apko and anywhere else we do this don't diverge? It'd actually also make a great apko sub-command to produce the resolved config (I know we have show-packages, but I'm thinking something focused around this logic specifically).
if err != nil { | ||
return nil, fmt.Errorf("unable to marshal apko config: %w", err) | ||
} | ||
if err := fsys.WriteFile(".apko.lock.json", locked, 0644); err != nil { |
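Review bot: the error branch for the `fsys.WriteFile(".apko.lock.json", locked, 0644)` line is not shown in this hunk; it should name the file and wrap the error the same way the preceding `if err != nil` block does with "unable to marshal apko config: %w", so a failed write is distinguishable from a failed marshal. The placement itself is sound: the control section is what the APK signature covers, so once a consumer verifies the package it can trust the lock without a separate attestation, which is a stronger position than the SBOM alternative the description mentions. The 0644 mode is fine for a control file, but the marshalled bytes should come from a deterministically ordered package list so the file is byte-identical across rebuilds of the same inputs.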
(I know this is a bike-shed, but...) WDYT about .LOCK.apko.json or .BUILDLOCK.apko.json 🤔

My thinking is that we use .apko.yaml elsewhere to indicate things are the apko dialect of YAML. Here it's JSON, but similar idea. The "build" qualifier is so it's clearer what it's the locked apko configuration of.