Conversation
tasks/wait-for-image-task.yaml
Outdated
| raw_info="$(skopeo inspect \ | ||
| --retry-times 10 \ | ||
| --format '{{.Digest}} {{ index .Labels "vcs-ref" }} {{ index .Labels "source-location" }}' \ | ||
| --no-tags \ | ||
| "docker://$(params.IMAGE)")" |
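Review bot: the `--format` string uses `index .Labels "vcs-ref"` and `index .Labels "source-location"`, and a label that is absent renders as an empty field rather than an error, so `raw_info` can come back as `<digest>  ` with nothing to compare; whatever consumes `raw_info` should treat an empty vcs-ref as a mismatch (keep waiting, or fail with a message), never as a pass. Separately, `--retry-times 10` only retries inside the one `skopeo inspect` call, and any failure it does not recover from exits non-zero, which under `set -euo pipefail` terminates the script at this assignment instead of letting the task keep polling; wrap the substitution in an `if` so that outcome becomes a sleep-and-retry branch.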
If skopeo inspect here exits with non-zero, it will interrupt the script due to set -euo pipefail.
Demo:
$ foo="$(/bin/false)"
$ echo $?
1
$ foo="$(/bin/true)"
$ echo $?
0

It's possible to assign in if:

#!/usr/bin/env bash
set -euo pipefail
if blah="pre-$(/bin/false)-post"; then
  echo "success"
else
  echo "failure"
fi
echo "blah:|$blah|"

$ ./a.sh
failure
blah:|pre--post|

Not the most elegant but can't offer anything better.
We need a sleep instruction here in case skopeo inspect exited with non-zero.
Added an if ! raw_info=$(...); then sleep; continue in 4601f0b
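As an added example (not code from this PR or from the stackrox task), here is the pattern the thread settles on, written out as a complete poll loop: the command substitution is assigned inside `if !`, so a failing inspect takes the sleep-and-retry branch instead of tripping `set -e`, and the `<digest> <vcs-ref> <source-location>` line is split and compared against the desired commit. `fake_skopeo_inspect`, `wait_for_image`, `reset_stub` and every digest, commit and repository value are constructed stand-ins so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not the PR's code: a retry loop around a command substitution
# that survives `set -e`. A bare raw_info="$(cmd)" aborts the script when cmd
# fails; assigning inside `if !` turns the failure into a branch instead.
# The task uses `set -euo pipefail`; `-o pipefail` is left out here only so
# the example also runs under plain POSIX sh.
set -eu

# Constructed stand-in for
#   skopeo inspect --format '{{.Digest}} {{ index .Labels "vcs-ref" }} {{ index .Labels "source-location" }}'
# It fails the first FAIL_UNTIL calls (image not published yet), then prints
# one line in that format with made-up digest, commit and repository values.
# The attempt counter lives in a file because the stub is invoked inside a
# command substitution, i.e. in a subshell, where a plain variable would not
# persist between calls.
FAIL_UNTIL=${FAIL_UNTIL:-2}
ATTEMPT_FILE=$(mktemp)
trap 'rm -f "$ATTEMPT_FILE"' EXIT
reset_stub() { echo 0 > "$ATTEMPT_FILE"; }
reset_stub
fake_skopeo_inspect() {
  n=$(( $(cat "$ATTEMPT_FILE") + 1 ))
  echo "$n" > "$ATTEMPT_FILE"
  if [ "$n" -le "$FAIL_UNTIL" ]; then
    echo "fake skopeo: manifest unknown (attempt $n)" >&2
    return 1
  fi
  echo "sha256:0000deadbeef 0123abcd https://github.com/example/repo"
}

# wait_for_image <desired_git_ref> <max_tries> <sleep_seconds>
# Polls until the image is inspectable and its vcs-ref label equals the
# desired commit. Prints the digest and returns 0 on success; returns 1 once
# max_tries is exhausted so the caller (or the Tekton timeout) fails the run.
wait_for_image() {
  desired_ref=$1; max_tries=$2; delay=$3
  i=0
  while [ "$i" -lt "$max_tries" ]; do
    i=$((i + 1))
    # The assignment is the if-condition: a non-zero exit from the
    # substitution selects this branch instead of terminating the script.
    if ! raw_info=$(fake_skopeo_inspect); then
      echo "attempt $i: image not available yet, sleeping ${delay}s" >&2
      sleep "$delay"
      continue
    fi
    # Split "<digest> <vcs-ref> <source-location>". A missing label renders
    # as an empty field, which read leaves as an empty variable.
    read -r digest vcs_ref source_location <<EOF
$raw_info
EOF
    if [ -z "$vcs_ref" ]; then
      echo "attempt $i: $digest has no vcs-ref label, treating as mismatch" >&2
    elif [ "$vcs_ref" = "$desired_ref" ]; then
      echo "$digest"
      return 0
    else
      echo "attempt $i: $digest built from $vcs_ref, want $desired_ref" >&2
    fi
    sleep "$delay"
  done
  return 1
}

# Demo: the stub fails twice, then reports the expected commit.
wait_for_image 0123abcd 5 0
```

Run it with bash or sh; the two failed attempts go to stderr and the digest to stdout. The empty-vcs-ref branch is deliberately a mismatch: an image that cannot say which commit it was built from should keep the task waiting rather than be accepted.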
tasks/wait-for-image-task.yaml
Outdated
| - name: DESIRED_GIT_REF | ||
| valueFrom: | ||
| fieldRef: | ||
| fieldPath: metadata.labels['pipelinesascode.tekton.dev/sha'] |
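Review bot: `metadata.labels['pipelinesascode.tekton.dev/sha']` is only present on PipelineRuns created by Pipelines-as-Code; for a run started any other way the fieldRef resolves to an empty string, so `DESIRED_GIT_REF` is empty and the vcs-ref comparison fails on every attempt until the task timeout with no hint as to why. Fail fast with an explicit message when the value is empty, or make that the documented condition under which the check is skipped, rather than spending the whole timeout.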
- Note that scanner v2, collector and fact images will have a different commit than the one in the executing stackrox/stackrox pipeline. Therefore, we need an ability to turn off this check for those containers.
- I suggest adding a short description: here to say what the default thing does and how to turn it off.
Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>
e6d244d to 08dc186
| description: Image reference. | ||
| type: string | ||
| - name: ENABLE_GIT_REF_CHECK | ||
| description: Whether to check if the image was built for the same commit as the one specified in the `DESIRED_GIT_REF` parameter. |
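Review bot: the visible lines add a `description:` for ENABLE_GIT_REF_CHECK but no `type:` or `default:`; if the lines that follow do not supply a default, the parameter becomes required and every existing PipelineRun that references this task fails validation until it passes the flag, which contradicts the goal of updating the task without touching existing pipelines. Add `default: "true"` (and `type: string`) or state explicitly that callers must set it.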
[nit] DESIRED_GIT_REF is no longer the task's parameter, it's actually an implementation detail now. We need to say something different here.
For example:
| description: Whether to check if the image was built for the same commit as the one specified in the `DESIRED_GIT_REF` parameter. | |
| description: Whether to check if the image was built for the same commit as the one for which the pipeline executes. |
And when I write this and want to expand the thought further, I realize that (going back to (1) in #87 (comment)) we can auto-sense the value of ENABLE_GIT_REF_CHECK.
We will have this check enabled in pipelines in stackrox/stackrox for images built in stackrox/stackrox. If the pipeline executing in stackrox/stackrox waits for an image from stackrox/(collector|fact|scanner), we'd disable the check.
We have the info on the image about which repo it comes from; that's the vcs-ref label. We will have the info on which repo this task executes in. Therefore, we could compare those and do the git ref check when the repos match.
A bit magical but does not require changes to existing pipelines when updating the task.
It could be that in the future we'll need a way to disable the check in an override manner but I wouldn't build this now without a case.
WDYT?
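An added example (not from this PR or the stackrox repositories) of the auto-sensing proposed above: the image's source-location label is normalized and compared with the repository the pipeline executes for, and the vcs-ref comparison is applied only when the two match, so a stackrox/stackrox pipeline waiting on a collector or scanner image accepts it without a flag. `normalize_repo`, `should_check_git_ref`, `image_acceptable` and the sample label values are constructed; treating a missing source-location label as "check required" is this example's fail-closed choice, not something the thread decided.

```shell
#!/usr/bin/env bash
# Added example, not the PR's code: decide ENABLE_GIT_REF_CHECK from the
# image's labels instead of asking every pipeline to pass it.
set -eu

# Normalize a repository reference so that
#   https://github.com/org/repo.git, git@github.com:org/repo, GitHub.com/org/repo/
# all compare equal. Scheme, user@, trailing slash and .git are stripped and
# the result is lower-cased.
normalize_repo() {
  r=$1
  r=${r#*://}
  r=${r#*@}
  r=$(printf '%s' "$r" | tr ':' '/' | tr '[:upper:]' '[:lower:]')
  r=${r%/}
  r=${r%.git}
  printf '%s' "$r"
}

# should_check_git_ref <executing_repo_url> <image_source_location>
# Prints "true" when the image was built from the repo the pipeline runs for
# (so its vcs-ref must match the pipeline's commit) and "false" for images
# from another repo. An image with no source-location label cannot be
# attributed to any repo, so the check stays on: a missing label must not
# silently disable verification (fail-closed choice made for this example).
should_check_git_ref() {
  executing=$(normalize_repo "$1")
  source_loc=$(normalize_repo "${2:-}")
  if [ -z "$source_loc" ]; then
    echo true
  elif [ "$executing" = "$source_loc" ]; then
    echo true
  else
    echo false
  fi
}

# image_acceptable <executing_repo_url> <desired_git_ref> <raw_info>
# raw_info is the "<digest> <vcs-ref> <source-location>" line skopeo prints
# with the task's --format string. Returns 0 when the image may be used.
image_acceptable() {
  executing=$1; desired=$2
  read -r digest vcs_ref source_loc <<EOF
$3
EOF
  if [ "$(should_check_git_ref "$executing" "$source_loc")" = false ]; then
    echo "$digest: built from $source_loc, not this repo; git ref check skipped" >&2
    return 0
  fi
  if [ -n "$vcs_ref" ] && [ "$vcs_ref" = "$desired" ]; then
    echo "$digest: built from $desired as required" >&2
    return 0
  fi
  echo "$digest: vcs-ref '${vcs_ref}' does not match required $desired" >&2
  return 1
}

# Demo with constructed label values: same repo at the expected commit, and a
# scanner image from another repo at an unrelated commit.
image_acceptable https://github.com/stackrox/stackrox 0123abcd \
  "sha256:aaa 0123abcd git@github.com:stackrox/stackrox.git"
image_acceptable https://github.com/stackrox/stackrox 0123abcd \
  "sha256:bbb feedface https://github.com/stackrox/scanner"
```

The executing repository would come from the PipelineRun (a Pipelines-as-Code annotation or a task parameter) in the real task; here it is passed in as an argument. Because the comparison is on the normalized repository string, an image that merely claims to be from stackrox/stackrox still has to carry the matching vcs-ref, so the auto-sensing never weakens the check for same-repo images.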
Context: https://redhat-internal.slack.com/archives/C05TS9N0S7L/p1765875791688849
Proof of successful run: stackrox/stackrox@7da2815
In another commit in the same PR, I enabled the check for scanner v2 and as expected, the operator-bundle pipeline times out waiting for the correct image: stackrox/stackrox@866c4ee, https://konflux-ui.apps.stone-prd-rh01.pg1f.p1.openshiftapps.com/ns/rh-acs-tenant/applications/acs/pipelineruns/operator-bundle-on-push-288xv