Add user field to artifact events and download and delete events #172
Conversation
a08792a to 0d575b0
I don't really see why there would need to be an artifact.pulled CDEvent defined. What use case would it serve in a CI/CD context?
My $0.02 for what it's worth @e-backmark-ericsson . . . Artifact pulled (or quarantined as I prefer because an "existing" but "un-useable" artifact helps to ensure that said "bad artifact" is not accidentally re-proxied/re-deployed) should initiate downstream actions that impact deployments (future or existing) for software and services which identify said artifact within their SBOMs. An upstream deployment/release system could monitor for this event and "mark" said software/service un-useable. Reasons for this could be a high severity security finding such as RCE, a legal (licensing or patent) finding, the artifact becoming un-supported (internally or externally), or any other policy that a company might need to implement within this space, such as not using old major versions of a dependency. While not "best practices" from a pure CD point of view, automated roll-backs are performed based on some of these events in live systems today. Events in this space enable automation to be created that helps streamline processes that use this model today. Additionally, a quarantine event could trigger automated dependency update pipelines (such as those that might be done via Dependabot, Update-CLI or as otherwise suggested in #39). That would again streamline the process for companies that need to roll-forward as fast as they can.
Heh, I might want to be notified if a certain artifact is downloaded.
Definitely something an auditor would want to know; security/legal, info sec, regulatory auditor to name a few. Beyond that, having a notification that tells me a bogus artifact (replacement entry for an `artifact.quarantined` object) has been downloaded. Publishing this as an event enables actions such as developer team notifications and initiation of automated dependency pipelines (as mentioned above).
Ref: #144, #143
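The two comments above describe an event consumer: one that records who downloaded an artifact for audit purposes, and one that reacts to a deletion or quarantine by marking every deployed service whose SBOM references that artifact as unusable. The following is an added example of such a consumer written for this discussion; it is not code from the cdevents project or from this PR. The event JSON follows the CDEvents context/subject layout, but the exact type strings, the version suffix, the placement of the `user` field under `subject.content`, the `artifact.quarantined` type (which the thread only proposes), the sample events and the SBOM index are all assumptions constructed for the illustration.

```python
import json

# Constructed sample events for this example (not spec test data). They follow
# the CDEvents context/subject layout; the exact type strings, the version
# suffix and the `artifact.quarantined` type are assumptions made here.
SAMPLE_EVENTS = [
    json.dumps({
        "context": {"id": "evt-1", "source": "/registry/example",
                    "type": "dev.cdevents.artifact.downloaded.0.1.0",
                    "timestamp": "2023-05-01T10:00:00Z"},
        "subject": {"id": "pkg:maven/org.example/lib@1.2.3", "type": "artifact",
                    "content": {"user": "alice"}},
    }),
    json.dumps({
        "context": {"id": "evt-2", "source": "/registry/example",
                    "type": "dev.cdevents.artifact.deleted.0.1.0",
                    "timestamp": "2023-05-01T10:05:00Z"},
        "subject": {"id": "pkg:npm/left-pad@1.0.0", "type": "artifact",
                    "content": {"user": "ci-bot"}},
    }),
    json.dumps({  # hypothetical quarantine event with no user recorded
        "context": {"id": "evt-3", "source": "/policy/example",
                    "type": "dev.cdevents.artifact.quarantined.0.1.0",
                    "timestamp": "2023-05-01T10:10:00Z"},
        "subject": {"id": "pkg:maven/org.example/lib@1.2.3", "type": "artifact",
                    "content": {}},
    }),
]

# Constructed SBOM index: deployed service -> set of artifact purls it contains.
SBOM_INDEX = {
    "checkout-service": {"pkg:maven/org.example/lib@1.2.3", "pkg:npm/left-pad@1.0.0"},
    "search-service": {"pkg:maven/org.example/lib@1.2.3"},
    "billing-service": {"pkg:maven/org.example/other@2.0.0"},
}


def parse_artifact_event(raw):
    """Return the fields the handlers need, or None for non-artifact subjects."""
    evt = json.loads(raw)
    ctx, subj = evt["context"], evt["subject"]
    if subj.get("type") != "artifact":
        return None
    # Assumed type layout: dev.cdevents.<subject>.<predicate>.<version>
    predicate = ctx["type"].split(".")[3]
    return {
        "event": ctx["id"],
        "predicate": predicate,
        "artifact": subj["id"],
        "user": subj.get("content", {}).get("user"),
    }


def affected_services(artifact, sbom_index):
    """Services whose SBOM lists the artifact, sorted for stable output."""
    return sorted(svc for svc, purls in sbom_index.items() if artifact in purls)


def route(raw, sbom_index):
    """Map one event to the follow-up actions the comments describe."""
    ev = parse_artifact_event(raw)
    if ev is None:
        return []
    actions = []
    if ev["user"] is None:
        # Edge case: an event without an actor cannot be attributed in an audit trail.
        actions.append({"action": "flag_missing_user", "event": ev["event"]})
    if ev["predicate"] == "downloaded":
        actions.append({"action": "audit_download", "event": ev["event"],
                        "user": ev["user"] or "unknown", "artifact": ev["artifact"]})
    elif ev["predicate"] in ("deleted", "quarantined"):
        for svc in affected_services(ev["artifact"], sbom_index):
            actions.append({"action": "mark_unusable", "service": svc,
                            "artifact": ev["artifact"], "reason": ev["predicate"]})
    return actions


def process(raw_events, sbom_index):
    """Route a batch of events and return every resulting action in order."""
    return [action for raw in raw_events for action in route(raw, sbom_index)]


if __name__ == "__main__":
    for action in process(SAMPLE_EVENTS, SBOM_INDEX):
        print(action)
```

Running the module prints five actions: one audit record for the download by `alice`, one `mark_unusable` for the deleted `left-pad` package, and, for the quarantined library, a `flag_missing_user` entry followed by `mark_unusable` for both services that list it. Returning actions rather than performing them keeps the routing decision testable and separates it from whatever notification or deployment tooling a given organisation plugs in.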
0d575b0 to 2a61b77
Thanks. I renamed "pulled" to "downloaded". I will follow up on the idea of "quarantined" in a separate PR
@e-backmark-ericsson @xibz ready for review
9d7cf1d to 360dfa6
Cleaned up some wrong references, left over when moving test events, added testing events to spec.md too.
Partially-fixes: cdevents#143
Signed-off-by: Andrea Frittoli <andrea.frittoli@gmail.com>
360dfa6 to bb61766
Signed-off-by: Andrea Frittoli <andrea.frittoli@gmail.com>
Changes
Cleaned up some wrong references, left over when moving test events, added both testing and artifact events to spec.md too. Add the `user` field to the artifact push event and introduce the artifact pulled and deleted events, both with a `user` field too.
Partially-fixes: #143
Submitter Checklist
As the author of this PR, please check off the items in this checklist: