Image signing#7280
Conversation
|
|
🎉 All green!🧪 All tests passed 🔗 Commit SHA: 194c55a | Docs | Datadog PR Page | Give us feedback! |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f5e238cc72
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| build_ci_image: | ||
| image: registry.ddbuild.io/images/docker:20.10.13-jammy | ||
| image: registry.ddbuild.io/system-tests/image-builder:6200a89c341d |
There was a problem hiding this comment.
Use a stable bootstrap image for build_ci_image
When image-builder.Dockerfile changes, this job is configured to run inside registry.ddbuild.io/system-tests/image-builder:<hash of that same Dockerfile>, but the script below is also the only place that builds and pushes that tag. In a PR/main pipeline where the new tag has not already been pre-published, the runner has to pull this image before any script executes, so the job cannot start and cannot build/sign the image it needs. Use an already-existing bootstrap image or the previous image-builder tag, then build the new tag from there.
Useful? React with 👍 / 👎.
| target "_common" { | ||
| context = "." | ||
| platforms = ["linux/amd64"] | ||
| provenance = false |
There was a problem hiding this comment.
Remove unsupported Bake provenance field
When build_ci_image actually has a missing target, it runs docker buildx bake against this file. Docker's Bake target schema supports attestation settings through target.attest and the buildx target definition has no provenance attribute, so this provenance = false entry is not valid target syntax and the bake file will fail to parse before any image is pushed or signed. Drop it or use a supported CLI/env setting for disabling provenance.
Useful? React with 👍 / 👎.
| if docker manifest inspect "$image" > /dev/null 2>&1; then | ||
| echo "Image $image already exists, skipping build" | ||
| else | ||
| TARGETS="$TARGETS $name" |
There was a problem hiding this comment.
Sign existing images on reruns
If docker buildx bake --push succeeds but a later ddsign sign call fails or the job is cancelled, rerunning the job will hit this docker manifest inspect branch, remove the already-pushed image from TARGETS, and the signing loop below will never sign it. That lets a rerun pass with an unsigned image still published under the expected tag; track signing separately from image existence or sign existing digests before skipping.
Useful? React with 👍 / 👎.
Motivation
Changes
Workflow
🚀 Once your PR is reviewed and the CI green, you can merge it!
🛟 #apm-shared-testing 🛟
Reviewer checklist
tests/ormanifests/is modified ? I have the approval from R&P teambuild-XXX-imagelabel is present