From 59fcbcb09231b8f9abd27ad75a010bbc392e223e Mon Sep 17 00:00:00 2001
From: Hiroshi Hayakawa
Date: Mon, 10 Jun 2024 14:00:06 +0900
Subject: [PATCH 1/3] Update references to lifecycle image to use fully qualified image name.

Signed-off-by: Hiroshi Hayakawa
---
 internal/config/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/config/config.go b/internal/config/config.go
index de370ef727..0f6a9fb1a9 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -128,4 +128,4 @@ func GetRegistry(cfg Config, registryName string) (Registry, error) {
 return Registry{}, errors.Errorf("registry %s is not defined in your config file", style.Symbol(registryName))
 }
-const DefaultLifecycleImageRepo = "buildpacksio/lifecycle"
+const DefaultLifecycleImageRepo = "docker.io/buildpacksio/lifecycle"
From e8a0c7f10eed9bd384fb6c5c5e08f9d12b8ccf95 Mon Sep 17 00:00:00 2001
From: Hiroshi Hayakawa
Date: Mon, 10 Jun 2024 14:20:09 +0900
Subject: [PATCH 2/3] Update image references in internal documents and ci settings to use fully qualified names.

Signed-off-by: Hiroshi Hayakawa
---
 .github/workflows/check-latest-release.yml | 4 ++--
 .github/workflows/delivery-docker.yml | 5 +++--
 DEVELOPMENT.md | 24 +++++++++++-----------
 3 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/check-latest-release.yml b/.github/workflows/check-latest-release.yml
index 542e03a2e9..d2fa7575bd 100644
--- a/.github/workflows/check-latest-release.yml
+++ b/.github/workflows/check-latest-release.yml
@@ -72,7 +72,7 @@ jobs:
 id: scan-image
 uses: anchore/scan-action@v3
 with:
- image: buildpacksio/pack:${{ steps.read-go.outputs.latest-release-version }}
+ image: docker.io/buildpacksio/pack:${{ steps.read-go.outputs.latest-release-version }}
 - name: Create issue if needed
 if: failure() && steps.scan-image.outcome == 'failure'
 env:
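Review bot: `DefaultLifecycleImageRepo` in internal/config/config.go now carries the registry host, yet the exported constant has no doc comment saying so, and a caller that compares it with `RepositoryStr()` by plain string equality stops matching (patch 3/3 repairs exactly that in `isForbiddenTag`). I would add `// DefaultLifecycleImageRepo is the fully qualified repository (registry host included) of the default lifecycle image; parse it with name.ParseReference before comparing it with another reference.` above the declaration. Other uses of the constant are outside these hunks, so each one that concatenates or compares it as a string is worth checking.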
@@ -91,7 +91,7 @@ jobs:
 search_output=$(gh issue list --search "$title" --label "$label")
 GITHUB_WORKFLOW_URL=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
- body="Latest buildpacksio/pack v${{ steps.read-go.outputs.latest-release-version }} triggered CVE(s) from Grype. For further details, see: $GITHUB_WORKFLOW_URL"
+ body="Latest docker.io/buildpacksio/pack v${{ steps.read-go.outputs.latest-release-version }} triggered CVE(s) from Grype. For further details, see: $GITHUB_WORKFLOW_URL"
 if [ -z "${search_output// }" ]
 then
diff --git a/.github/workflows/delivery-docker.yml b/.github/workflows/delivery-docker.yml
index 61c0650bd3..6a3594603f 100644
--- a/.github/workflows/delivery-docker.yml
+++ b/.github/workflows/delivery-docker.yml
@@ -17,7 +17,8 @@ on:
 env:
 IMG_NAME: 'pack'
- USERNAME: 'buildpacksio'
+ USER_NAME: 'buildpacksio'
+ REGISTRY_NAME: 'docker.io'
 jobs:
 deliver-docker:
@@ -52,7 +53,7 @@ jobs:
 with:
 ref: v${{ steps.version.outputs.result }}
 - name: Determine App Name
- run: 'echo "IMG_NAME=${{ env.USERNAME }}/${{ env.IMG_NAME }}" >> $GITHUB_ENV'
+ run: 'echo "IMG_NAME=${{ env.REGISTRY_NAME }}/${{ env.USER_NAME }}/${{ env.IMG_NAME }}" >> $GITHUB_ENV'
 - name: Login to Dockerhub
 uses: docker/login-action@v3
 with:
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 9bdd4c7a19..aca19787d3 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
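Review bot: The `body=` line in check-latest-release.yml expands `${{ steps.read-go.outputs.latest-release-version }}` inside the shell script, so the value is pasted into the script text before the shell parses it. Passing it through the step's `env:` block (for example `LATEST_VERSION: ${{ steps.read-go.outputs.latest-release-version }}`, a name chosen here) and writing `v${LATEST_VERSION}` in the string keeps it as data. How the read-go step derives the value is outside the hunk, so this is hardening rather than a confirmed injection path. The enclosing `run:` block starts and ends outside the hunk.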
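Review bot: Renaming `USERNAME` to `USER_NAME` in delivery-docker.yml leaves any remaining `${{ env.USERNAME }}` reference expanding to an empty string without an error, and only the `Determine App Name` step is visibly updated. The `with:` block of `Login to Dockerhub` and the later steps are outside the hunk, so they should be checked for the old name. `IMG_NAME` also now starts with `docker.io/`, so any later step that builds tags or URLs from it needs the same look.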
@@ -104,15 +104,15 @@ make prepare-for-pr
 ### Acceptance Tests
 Some options users can provide to our acceptance tests are:
-| ENV_VAR | Description | Default |
-|--------------|------------------------------------------------------------------------|---------|
-| ACCEPTANCE_SUITE_CONFIG | A set of configurations for how to run the acceptance tests, describing the version of `pack` used for testing, the version of `pack` used to create the builders used in the test, and the version of `lifecycle` binaries used to test with Github | `[{"pack": "current", "pack_create_builder": "current", "lifecycle": "default"}]'` |
-| COMPILE_PACK_WITH_VERSION | Tell `pack` what version to consider itself | `dev` |
-| GITHUB_TOKEN | A Github Token, used when downloading `pack` and `lifecycle` releases from Github during the test setup | "" |
-| LIFECYCLE_IMAGE | Image reference to be used in untrusted builder workflows | buildpacksio/lifecycle: |
-| LIFECYCLE_PATH | Path to a `.tgz` file filled with a set of `lifecycle` binaries | The Github release for the default version of lifecycle in `pack` |
-| PACK_PATH | Path to a `pack` executable.
| A compiled version of the current branch |
-| PREVIOUS_LIFECYCLE_IMAGE | Image reference to be used in untrusted builder workflows, used to test compatibility of `pack` with the n-1 version of the `lifecycle` | buildpacksio/lifecycle:, buildpacksio/lifecycle: |
-| PREVIOUS_LIFECYCLE_PATH | Path to a `.tgz` file filled with a set of `lifecycle` binaries, used to test compatibility of `pack` with the n-1 version of the `lifecycle` | The Github release for n-1 release of `lifecycle` |
-| PREVIOUS_PACK_FIXTURES_PATH | Path to a set of fixtures, used to override the most up-to-date fixtures, in case of changed functionality | `acceptance/testdata/pack_previous_fixtures_overrides` |
-| PREVIOUS_PACK_PATH | Path to a `pack` executable, used to test compatibility with n-1 version of `pack` | The most recent release from `pack`'s Github release |
+| ENV_VAR | Description | Default |
+|--------------|------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
+| ACCEPTANCE_SUITE_CONFIG | A set of configurations for how to run the acceptance tests, describing the version of `pack` used for testing, the version of `pack` used to create the builders used in the test, and the version of `lifecycle` binaries used to test with Github | `[{"pack": "current", "pack_create_builder": "current", "lifecycle": "default"}]'` |
+| COMPILE_PACK_WITH_VERSION | Tell `pack` what version to consider itself | `dev` |
+| GITHUB_TOKEN | A Github Token, used when downloading `pack` and `lifecycle` releases from Github during the test setup | "" |
+| LIFECYCLE_IMAGE | Image reference to be used in untrusted builder workflows | docker.io/buildpacksio/lifecycle: |
+| LIFECYCLE_PATH | Path to a `.tgz` file filled with a set of `lifecycle` binaries | The Github release for the default version of lifecycle in `pack` |
+| PACK_PATH | Path to a `pack` executable.
| A compiled version of the current branch |
+| PREVIOUS_LIFECYCLE_IMAGE | Image reference to be used in untrusted builder workflows, used to test compatibility of `pack` with the n-1 version of the `lifecycle` | docker.io/buildpacksio/lifecycle:, buildpacksio/lifecycle: |
+| PREVIOUS_LIFECYCLE_PATH | Path to a `.tgz` file filled with a set of `lifecycle` binaries, used to test compatibility of `pack` with the n-1 version of the `lifecycle` | The Github release for n-1 release of `lifecycle` |
+| PREVIOUS_PACK_FIXTURES_PATH | Path to a set of fixtures, used to override the most up-to-date fixtures, in case of changed functionality | `acceptance/testdata/pack_previous_fixtures_overrides` |
+| PREVIOUS_PACK_PATH | Path to a `pack` executable, used to test compatibility with n-1 version of `pack` | The most recent release from `pack`'s Github release |
From 280cd56e7e8314be5db373fbd3d39cf13aec6ed9 Mon Sep 17 00:00:00 2001
From: Juan Bustamante
Date: Wed, 13 Nov 2024 08:19:45 -0500
Subject: [PATCH 3/3] Fixing lifecycle validation to use fully qualified names

Signed-off-by: Juan Bustamante
---
 internal/commands/build.go | 7 ++++++-
 internal/commands/build_test.go | 7 +++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/internal/commands/build.go b/internal/commands/build.go
index 1d34c2ccca..5a3b7ed508 100644
--- a/internal/commands/build.go
+++ b/internal/commands/build.go
@@ -436,7 +436,12 @@ func isForbiddenTag(cfg config.Config, input, lifecycle, builder string) error {
 }
 }
- if inputImage.Context().RepositoryStr() == config.DefaultLifecycleImageRepo {
+ defaultLifecycleImageRef, err := name.ParseReference(config.DefaultLifecycleImageRepo)
+ if err != nil {
+ return errors.Wrapf(err, "parsing default lifecycle image %s", config.DefaultLifecycleImageRepo)
+ }
+
+ if inputImage.Context().RepositoryStr() == defaultLifecycleImageRef.Context().RepositoryStr() {
 return fmt.Errorf("name must not match default lifecycle image name")
 }
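Review bot: The guard in `isForbiddenTag` compares only `Context().RepositoryStr()` on both sides, which drops the registry host, so the `docker.io/` part of the default plays no role and an image named `buildpacksio/lifecycle` on any other registry is refused as well. That errs on the side of refusing, but if it is intended it deserves a comment such as `// compare repository paths only: the registry host is ignored on purpose`. If an exact match is wanted, compare `Context().Name()` on both references instead, after confirming how the name package normalises Docker Hub hosts. The added test in build_test.go covers only the `docker.io/` form, so a case with a different registry host would pin whichever behaviour is chosen. The function starts and ends outside the hunk.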
diff --git a/internal/commands/build_test.go b/internal/commands/build_test.go
index 1d4f4b5296..7137dfcb5c 100644
--- a/internal/commands/build_test.go
+++ b/internal/commands/build_test.go
@@ -164,6 +164,13 @@ func testBuildCommand(t *testing.T, when spec.G, it spec.S) {
 h.AssertNotNil(t, command.Execute())
 h.AssertContains(t, outBuf.String(), "name must not match default lifecycle image name")
 })
+ it("refuses to build when using fully qualified name", func() {
+ logger.WantVerbose(true)
+ command.SetArgs([]string{"docker.io/buildpacksio/lifecycle:test", "--builder", "test", "--trust-builder"})
+ h.AssertNotNil(t, command.Execute())
+ h.AssertContains(t, outBuf.String(), "name must not match default lifecycle image name")
+ })
 })
 when("the builder is not trusted", func() {