
Script to extract prefetch dependencies artifacts #2219

Draft: wants to merge 1 commit into main

Conversation

simonbaird (Member)
I'm experimenting here, but it's motivated by the idea from this slack thread:

https://redhat-internal.slack.com/archives/C031J4KBFME/p1734017813281479


codecov bot commented Dec 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 71.19%. Comparing base (9110d5f) to head (e15f9c8).
Report is 10 commits behind head on main.


@@           Coverage Diff           @@
##             main    #2219   +/-   ##
=======================================
  Coverage   71.19%   71.19%           
=======================================
  Files          88       88           
  Lines        7520     7520           
=======================================
  Hits         5354     5354           
  Misses       2166     2166           
Flag Coverage Δ
generative 71.19% <ø> (ø)
integration 71.19% <ø> (ø)
unit 71.19% <ø> (ø)

Flags with carried forward coverage won't be shown.

@zregvart (Member)

I don't want shell scripts to become load-bearing; I want to promote using EC with OPA to perform this.

Given ta.rego as:

```rego
package ta

# The image reference arrives as a JSON string on stdin (see the invocation
# below); sprintf turns the raw input term into a plain string.
img_ref := sprintf("%v", [input])

# Options for ec.sigstore.verify_attestation. The keyless (certificate) fields
# are left empty because the attestation is checked against a pinned public
# key, and Rekor transparency-log lookups are skipped.
opts := {
  "certificate_identity": "",
  "certificate_identity_regexp": "",
  "certificate_oidc_issuer": "",
  "certificate_oidc_issuer_regexp": "",
  "rekor_url": "",
  "ignore_rekor": true,
  "public_key": `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA
naYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==
-----END PUBLIC KEY-----`
}

# Verify the attestation signature before any of its contents are used.
verified := ec.sigstore.verify_attestation(img_ref, opts)

# Set of "oci:..." references produced by the prefetch-dependencies task.
prefetch_artifacts contains ref if {
  some attestation in verified.attestations
  some task in attestation.statement.predicate.buildConfig.tasks

  # Only trust results that come from the prefetch-dependencies task bundle.
  some param in task.ref.params
  param.name == "bundle"
  startswith(param.value, "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta")

  # Its *_ARTIFACT results carry the oci: references we are after.
  some result in task.results
  endswith(result.name, "_ARTIFACT")
  startswith(result.value, "oci:")
  ref := result.value
}
```

When EC CLI is invoked as:

```shell
$ echo '"quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v04/cli-v04@sha256:267765750250ee46facd9adf1b6f4ec0f954a09d182070d600232582cb17d1e7"' | ec opa eval --v1-compatible --data ta.rego --stdin-input --format raw 'data.ta.prefetch_artifacts'
["oci:quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v04/cli-v04@sha256:02809288a41e5ace82431cc01b6ef2c60ed957f31cd10079752170d24a428c84","oci:quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v04/cli-v04@sha256:4dc5c91379ace13a368681fb6cc77d40f2b1849928b826a0e41f04f883f72b69"]
```

Not only is it much safer than shell scripts, it also performs signature validation of the attestation.
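To make the data shape the Rego rule walks and the checks it applies visible without an EC CLI or a signed image at hand, here is the same selection logic in plain Python, run over a constructed statement. This is an added example, not code from this PR, from ec-cli, or from either commenter. `SAMPLE_STATEMENT`, the `quay.io/example/...` references, the digests and the helper names (`bundle_repo`, `task_bundle`, `prefetch_artifacts`, `prefetch_artifacts_from_verified`) are all assumptions made for the example; the only thing taken from the page is the task-bundle repository and the `_ARTIFACT` / `oci:` conventions. It deliberately leaves out what the Rego version gets for free: signature verification happens in `ec.sigstore.verify_attestation` before the rule ever sees `verified.attestations`, so this code must only ever be fed an already-verified statement. It goes one step beyond the rule in one respect, noted in the code: the bundle repository is matched exactly after stripping tag and digest, rather than by string prefix.

```python
"""Extract prefetch-dependencies artifacts from a Tekton Chains SLSA v0.2
provenance statement, mirroring the Rego rule above in plain Python.

Added example, not code from this PR or from ec-cli. SAMPLE_STATEMENT is a
constructed, trimmed-down statement following the buildConfig.tasks layout
the Rego rule walks; real provenance carries many more fields. Signature
verification is assumed to have already happened (the Rego rule delegates
it to ec.sigstore.verify_attestation); this code only does the selection,
so it must only ever be fed a statement that has been verified.
"""
import json

# Repository of the task whose *_ARTIFACT results are trusted (from the Rego rule).
PREFETCH_TASK_REPO = (
    "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta"
)

# Constructed sample. The second task is a decoy: it also emits an "oci:"
# result whose name ends in _ARTIFACT, but it does not come from the
# prefetch bundle and so must be ignored.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"buildConfig": {"tasks": [
        {
            "name": "prefetch-dependencies",
            "ref": {"resolver": "bundles", "params": [
                {"name": "name", "value": "prefetch-dependencies-oci-ta"},
                {"name": "bundle",
                 "value": PREFETCH_TASK_REPO + ":0.1@sha256:" + "11" * 32},
                {"name": "kind", "value": "task"},
            ]},
            "results": [
                {"name": "SOURCE_ARTIFACT",
                 "value": "oci:quay.io/example/repo@sha256:" + "aa" * 32},
                {"name": "CACHI2_ARTIFACT",
                 "value": "oci:quay.io/example/repo@sha256:" + "bb" * 32},
                # constructed: an unset *_ARTIFACT result, dropped by the oci: check
                {"name": "EMPTY_ARTIFACT", "value": ""},
            ],
        },
        {
            "name": "build-container",
            "ref": {"resolver": "bundles", "params": [
                {"name": "bundle",
                 "value": "quay.io/example/tasks/not-prefetch:0.1@sha256:" + "22" * 32},
            ]},
            "results": [
                {"name": "IMAGE_ARTIFACT",  # constructed decoy
                 "value": "oci:quay.io/example/repo@sha256:" + "cc" * 32},
            ],
        },
    ]}},
}


def bundle_repo(ref):
    """Reduce an OCI reference repo[:tag][@digest] to its repository path."""
    repo = ref.split("@", 1)[0]            # drop the @sha256:... digest
    head, _, tail = repo.rpartition("/")   # only the last component can carry a tag
    tail = tail.split(":", 1)[0]           # a ':' before the last '/' is a registry port
    return f"{head}/{tail}" if head else tail


def task_bundle(task):
    """Value of the 'bundle' resolver param, or None for inline/unbundled tasks."""
    for param in task.get("ref", {}).get("params", []):
        if param.get("name") == "bundle":
            return param.get("value")
    return None


def prefetch_artifacts(statement, task_repo=PREFETCH_TASK_REPO):
    """Return the sorted set of oci: artifact refs emitted by the prefetch task.

    The bundle repository is matched exactly (tag and digest stripped) rather
    than by string prefix, so a differently named repository that merely
    starts with the same text is not accepted.
    """
    found = set()   # the Rego `contains` rule likewise yields a set
    for task in statement["predicate"]["buildConfig"]["tasks"]:
        bundle = task_bundle(task)
        if bundle is None or bundle_repo(bundle) != task_repo:
            continue
        for result in task.get("results", []):
            name, value = result.get("name", ""), result.get("value", "")
            if name.endswith("_ARTIFACT") and value.startswith("oci:"):
                found.add(value)
    return sorted(found)


def prefetch_artifacts_from_verified(verified, task_repo=PREFETCH_TASK_REPO):
    """Outer loop of the Rego rule: verified.attestations[].statement."""
    found = set()
    for attestation in verified.get("attestations", []):
        found.update(prefetch_artifacts(attestation["statement"], task_repo))
    return sorted(found)


if __name__ == "__main__":
    # Same output shape as the Rego query: a JSON array of oci: references.
    print(json.dumps(prefetch_artifacts(SAMPLE_STATEMENT)))
```

Run as a script it prints the two `oci:` references from the constructed prefetch task and nothing from the decoy task; `prefetch_artifacts_from_verified` takes the `{"attestations": [{"statement": ...}]}` shape the Rego rule iterates, so the same function can be pointed at the verified object once signature checking has been done elsewhere.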
