-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Accept an array of arguments when building the provenance #2519
Conversation
This aligns the invocation of the provenance script with the provenance file it produces
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LG but is there any way of testing it with the transparent release repo? Or do we postpone that anyways?
scripts/build_provenance
Outdated
# build arguments. | ||
shift | ||
|
||
eval "./scripts/docker_run ${@}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm surprised this works with the the quotes, does eval do its own splitting / parsing? Or maybe docker_run does
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bash arg handling is very confusing, but: In docker_run
we use $*
when invoking the docker CLI. Afaik $*
effectively means args a delineated by whitespace. Hence passing as args as a joined string doesn't make difference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An upside of the code I wrote in this for formatting bash args into a toml string is that it doubles as a handy tool for investigating bash arg handling :p
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
docker_run concats args into a single string by default. That string is passed to fix_docker_user_and_run
, which executes that string using su --session-command
. I think thats where the splitting happens?
@tiziano88 RE linking it with the repo, it's planned, not postponed. Here's my planned timeline:
Step 3) does two things which are pretty nice: It verifies that our SLSA files can be parsed by transparent release, B) It adds a continuous check that our builds stay reproducible. This is since the Kokoro CI action will fail if the build yields a different hash inside of GitHub actions and inside of Kokoro. (Not quite "same hash on three systems in a row", but close). 😇 cc @rbehjati on this too. |
Reproducibility Index:
Reproducibility Index diff: |
Just to clarify: Do you mean that the Kokoro CI action could verify all the provenances? This is what I understand from your point B on "It adds a continuous check...". |
@rbehjati It would be possible, yeah. Note that provenances are only generated for commits in main, so basically it would run for each commit in main to verify the provenances. We can tweak that if it's too much of a load, but it might not be much heavier than the Actions we already run. |
I think that would be an interesting check :) |
I'd be inclined towards running it right away like other actions. We can consider changing that approach in case of problems. It uses a different service, so I think that there would be no impact on the speed / availability of GitHub runners executing our PR CI actions. |
This aligns the invocation of the provenance script with the provenance file, which stores build arguments as an array.
Previously the build_provenance script accepted exactly two arguments 1) exactly one build arg, 2) the output path.
Now it accepts 1) the output path, followed by one or multiple build args.