Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hack: do not cache rootless stage on release #5302

Merged
merged 1 commit into from
Sep 6, 2024
Merged

hack: do not cache rootless stage on release #5302

merged 1 commit into from
Sep 6, 2024

Conversation

crazy-max
Copy link
Member

similar to #3543
fixes #5279

We got some false-positive reported in security tab when rootless image is analyzed by Docker Scout because alpine packages are cached. With this change we make sure this stage is not cached on release.

cc @cdupuis

@github-actions github-actions bot added area/project area/hack building buildkit itself labels Sep 5, 2024
@thaJeztah
Copy link
Member

thaJeztah commented Sep 5, 2024
edited
Loading

I was curious "why cache at all?" but recalled we had a discussion about that on the other PR; #3543 (review)

I'm not sure we need to disable cache for releases completely. The cache is already scoped. Having these separate codepaths makes it possible that the CI works fine, we tag a release and that release does not build at all.

Still curious though if we could somehow have a workflow where the build is run and tested, then if everything is successful, the images (and repo?) tagged and pushed without rebuilding,

But perhaps provenance won't allow such a workflow though (moby/moby#48391) 🤔

@crazy-max
hack: do not cache rootless stage on release
b0e8368 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max crazy-max force-pushed the dockerfile-rootless-cache branch from d908ae3 to b0e8368 Compare September 5, 2024 11:24
@crazy-max crazy-max changed the title hack: do not cache rootless base stage on release hack: do not cache rootless stage on release Sep 5, 2024
thompson-shaun
thompson-shaun previously approved these changes Sep 5, 2024
View reviewed changes
@thompson-shaun thompson-shaun dismissed their stale review September 5, 2024 18:05

Still reading 😌

@crazy-max crazy-max merged commit 436609d into moby:master Sep 6, 2024
92 checks passed
@crazy-max crazy-max deleted the dockerfile-rootless-cache branch September 6, 2024 10:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tonistiigi tonistiigi tonistiigi approved these changes

@thompson-shaun thompson-shaun thompson-shaun left review comments

Assignees
No one assigned
Labels
area/hack building buildkit itself
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Fix code scanning alert - CVE-2024-7264
4 participants
@crazy-max @thaJeztah @tonistiigi @thompson-shaun