Skip to content

Image signing#7280

Open
nccatoni wants to merge 11 commits into
mainfrom
nccatoni/image-sign
Open

Image signing#7280
nccatoni wants to merge 11 commits into
mainfrom
nccatoni/image-sign

Conversation

@nccatoni

@nccatoni nccatoni commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Motivation

Changes

Workflow

  1. ⚠️ Create your PR as draft ⚠️
  2. Work on you PR until the CI passes
  3. Mark it as ready for review
    • Test logic is modified? -> Get a review from RFC owner.
    • Framework is modified, or non obvious usage of it -> get a review from R&P team

🚀 Once your PR is reviewed and the CI green, you can merge it!

🛟 #apm-shared-testing 🛟

Reviewer checklist

  • Anything but tests/ or manifests/ is modified ? I have the approval from R&P team
  • A docker base image is modified?
    • the relevant build-XXX-image label is present
  • A scenario is added, removed or renamed?

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

CODEOWNERS have been resolved as:

utils/ci/gitlab/build_ci_image.py                                       @DataDog/system-tests-core
utils/ci/gitlab/docker/docker-bake.hcl                                  @DataDog/system-tests-core
utils/ci/gitlab/docker/image-builder.Dockerfile                         @DataDog/system-tests-core
.gitlab-ci.yml                                                          @DataDog/system-tests-core
utils/ci/gitlab/docker/system-tests.Dockerfile                          @DataDog/system-tests-core
utils/ci/gitlab/main.yml                                                @DataDog/system-tests-core
utils/ci/gitlab/docker/git.Dockerfile                                   @DataDog/system-tests-core

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Jul 8, 2026

Copy link
Copy Markdown

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 194c55a | Docs | Datadog PR Page | Give us feedback!

@nccatoni nccatoni changed the title Nccatoni/image sign Image signing Jul 8, 2026
@nccatoni nccatoni marked this pull request as ready for review July 8, 2026 15:30
@nccatoni nccatoni requested a review from a team as a code owner July 8, 2026 15:30

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f5e238cc72

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .gitlab-ci.yml Outdated

build_ci_image:
image: registry.ddbuild.io/images/docker:20.10.13-jammy
image: registry.ddbuild.io/system-tests/image-builder:6200a89c341d

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Use a stable bootstrap image for build_ci_image

When image-builder.Dockerfile changes, this job is configured to run inside registry.ddbuild.io/system-tests/image-builder:<hash of that same Dockerfile>, but the script below is also the only place that builds and pushes that tag. In a PR/main pipeline where the new tag has not already been pre-published, the runner has to pull this image before any script executes, so the job cannot start and cannot build/sign the image it needs. Use an already-existing bootstrap image or the previous image-builder tag, then build the new tag from there.

Useful? React with 👍 / 👎.

target "_common" {
context = "."
platforms = ["linux/amd64"]
provenance = false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Remove unsupported Bake provenance field

When build_ci_image actually has a missing target, it runs docker buildx bake against this file. Docker's Bake target schema supports attestation settings through target.attest and the buildx target definition has no provenance attribute, so this provenance = false entry is not valid target syntax and the bake file will fail to parse before any image is pushed or signed. Drop it or use a supported CLI/env setting for disabling provenance.

Useful? React with 👍 / 👎.

Comment thread .gitlab-ci.yml Outdated
Comment on lines +405 to +408
if docker manifest inspect "$image" > /dev/null 2>&1; then
echo "Image $image already exists, skipping build"
else
TARGETS="$TARGETS $name"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Sign existing images on reruns

If docker buildx bake --push succeeds but a later ddsign sign call fails or the job is cancelled, rerunning the job will hit this docker manifest inspect branch, remove the already-pushed image from TARGETS, and the signing loop below will never sign it. That lets a rerun pass with an unsigned image still published under the expected tag; track signing separately from image existence or sign existing digests before skipping.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant