Bump in-toto dependency. #226

Merged
tekton-robot merged 1 commit into tektoncd:main from mattmoor:bump-in-toto
Sep 14, 2021
Conversation

@mattmoor (Member)
I noticed that there were some breaking changes in the in-toto version pulled in compared with the version in sigstore. This updates things to HEAD.

@tekton-robot tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Sep 14, 2021
@mattmoor (Member Author)

cc @priyawadhwa @dlorenc

@mattmoor (Member Author)

Hmm...

tekton-chains-controller-7f4d9cc466-4mrdl   0/1   CrashLoopBackOff   5     5m10s

@mattmoor (Member Author)

Hello old friend:

kubectl logs -n tekton-chains      tekton-chains-controller-5bcfbf8484-rmk46
/ko-app/controller flag redefined: log_dir
panic: /ko-app/controller flag redefined: log_dir

@mattmoor commented Sep 14, 2021 (Member Author)

Looks like chains is depending on the cli package, which pulls in glog (conflicts with K8s klog).

The two things I found that need to move out to make a depcheck_test pass for chains are:

  • cli.LoadECDSAPrivateKey
  • cli.DssePayloadType

I will look into splitting these out in the morning (unless someone beats me to it!)

EDIT: This is an example of the depcheck I added to sigstore when the cosigned webhook was hitting a similar problem: https://github.com/sigstore/cosign/blob/main/cmd/cosign/webhook/depcheck_test.go
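The depcheck idea in the comment above, as an added example that is not code from the Tekton Chains or sigstore repositories: a small Go test helper that walks a package import graph and reports the shortest import chain from a root package to a forbidden package (here github.com/golang/glog, which registers the same flags as klog and causes the "flag redefined" panic). The graph is parsed from `go list -deps -f '{{.ImportPath}} {{join .Imports " "}}'` style output; the sample output and the example.com package names are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ImportGraph maps a package import path to the packages it imports directly.
type ImportGraph map[string][]string

// ParseGoList parses lines of the form "<import path> <dep1> <dep2> ...",
// which is what `go list -deps -f '{{.ImportPath}} {{join .Imports " "}}'`
// prints (assumption: one package per line, fields separated by whitespace).
func ParseGoList(out string) ImportGraph {
	g := ImportGraph{}
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		g[fields[0]] = append(g[fields[0]], fields[1:]...)
	}
	return g
}

// ForbiddenPath does a breadth-first search from root and returns the shortest
// import chain that reaches any package in forbidden, so a failing test can
// say *why* the dependency is pulled in. It returns nil when none is reachable.
func ForbiddenPath(g ImportGraph, root string, forbidden ...string) []string {
	banned := make(map[string]bool, len(forbidden))
	for _, f := range forbidden {
		banned[f] = true
	}
	parent := map[string]string{root: ""} // child -> importer, "" marks the root
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if banned[cur] {
			// Walk the parent pointers back to the root to rebuild the chain.
			var chain []string
			for p := cur; p != ""; p = parent[p] {
				chain = append([]string{p}, chain...)
			}
			return chain
		}
		deps := append([]string(nil), g[cur]...)
		sort.Strings(deps) // deterministic traversal order
		for _, d := range deps {
			if _, seen := parent[d]; !seen {
				parent[d] = cur
				queue = append(queue, d)
			}
		}
	}
	return nil
}

// sampleGoList is constructed output mirroring the situation in the PR:
// the controller package imports a cli package that imports glog, while
// klog is imported directly. Package names under example.com are placeholders.
const sampleGoList = `example.com/chains/pkg/controller example.com/cli k8s.io/klog/v2
example.com/cli github.com/golang/glog
github.com/golang/glog flag
k8s.io/klog/v2 flag
flag
`

func main() {
	g := ParseGoList(sampleGoList)
	chain := ForbiddenPath(g, "example.com/chains/pkg/controller", "github.com/golang/glog")
	if chain != nil {
		fmt.Println("forbidden dependency reached via:", strings.Join(chain, " -> "))
	} else {
		fmt.Println("no forbidden dependency")
	}
}
```

In a real depcheck_test the graph would come from running `go list` against the package under test and the test would call t.Fatalf with the returned chain; reporting the chain rather than just the offending package is what tells a maintainer which package (here the cli package) needs to be split out.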

@mattmoor mattmoor force-pushed the bump-in-toto branch 3 times, most recently from efcb0bc to 623b760 Compare September 14, 2021 20:48
@mattmoor (Member Author)

Ok, I am optimistic that this will pass, but I had to tweak an e2e test to reflect a change pulled in via the updated deps.

{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://in-toto.io/Provenance/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.1",
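Review bot: the e2e assertion pins the predicateType to an exact string literal, and this hunk only swaps `"predicateType": "https://in-toto.io/Provenance/v0.1"` for `"predicateType": "https://slsa.dev/provenance/v0.1"`, so the same test will break again on the next in-toto bump. Consider comparing against the constant the in-toto library exports for the provenance predicate type (if it has one) or accepting both URIs, so the test tracks the dependency instead of a copied string.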

@mattmoor (Member Author)

@priyawadhwa LMK if this is expected, but this seems to be what the provenance type changed to in in-toto 🤷

Contributor

this is expected

@dlorenc commented Sep 14, 2021 (Contributor)

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 14, 2021
@dlorenc commented Sep 14, 2021 (Contributor)

/approve

@tekton-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlorenc


@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 14, 2021
@mattmoor (Member Author)

Merge conflict, fixing it now

@tekton-robot tekton-robot removed the lgtm Indicates that a PR is ready to be merged. label Sep 14, 2021
@mattmoor (Member Author)

Rebased on main and updated deps, but I'll need a fresh /lgtm

@priyawadhwa (Contributor)

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 14, 2021
@tekton-robot tekton-robot merged commit 7d1f010 into tektoncd:main Sep 14, 2021
@mattmoor mattmoor deleted the bump-in-toto branch September 14, 2021 22:16