ci: pin slsa-github-generator to commit SHA #7363

oindrilakha12-ui wants to merge 3 commits into karmada-io:master from
Conversation
Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.
Welcome @oindrilakha12-ui! It looks like this is your first PR to karmada-io/karmada 🎉
Pull request overview
This PR pins the slsa-framework/slsa-github-generator GitHub Action to a specific commit SHA (f7dd8c54c2067bafc12ca7a55595d5ee9b75204a, corresponding to v2.1.0) instead of using the tag reference, improving supply chain security by ensuring action integrity.
Changes:
- Updated 4 workflow jobs (cli-provenance, crds-provenance, charts-provenance, and sbom-provenance) to reference the slsa-github-generator action using a commit SHA instead of the v2.1.0 tag
| @@ -71,7 +71,7 @@ jobs: | |||
| id-token: write # Needed for provenance signing and ID | |||
| contents: write # Needed for release uploads | |||
| # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |||
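Review bot: The "# Must be referenced by a tag" context line kept in this hunk (and in the sibling hunks at -113, -152 and -195) now contradicts the SHA reference it sits above; replace it with a comment that records which tag the pinned SHA corresponds to, for example "# slsa-github-generator v2.1.0, pinned by commit SHA", so that a future bump updates the tag annotation together with the SHA in all four jobs rather than leaving them to drift. Since the linked README section is the one that states the tag requirement, it is also worth stating in the PR where the generator documents that a SHA reference is accepted at v2.1.0.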
The PR description states "The comments stating it 'Must be referenced by a tag' have been removed accordingly," but this comment is still present in the code at line 73 and other locations (115, 154, 197). Since the reference has been changed from a tag to a commit SHA, this comment is now misleading and should either be removed or updated to reflect the current implementation.
| @@ -113,7 +113,7 @@ jobs: | |||
| id-token: write # Needed for provenance signing and ID | |||
| contents: write # Needed for release uploads | |||
| # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |||
The comment "Must be referenced by a tag" is now outdated since the action is being pinned to a commit SHA. This comment should be removed or updated to reflect the change.
| @@ -152,7 +152,7 @@ jobs: | |||
| id-token: write # Needed for provenance signing and ID | |||
| contents: write # Needed for release uploads | |||
| # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |||
The comment "Must be referenced by a tag" is now outdated since the action is being pinned to a commit SHA. This comment should be removed or updated to reflect the change.
| @@ -195,7 +195,7 @@ jobs: | |||
| id-token: write # Needed for provenance signing and ID | |||
| contents: write # Needed for release uploads | |||
| # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |||
The comment "Must be referenced by a tag" is now outdated since the action is being pinned to a commit SHA. This comment should be removed or updated to reflect the change.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
## master #7363 +/- ##
=======================================
Coverage 42.03% 42.04%
=======================================
Files 874 874
Lines 53551 53544 -7
=======================================
+ Hits 22511 22512 +1
+ Misses 29349 29344 -5
+ Partials 1691 1688 -3
Signed-off-by: Oindrila Khan <oindrilakha12@gmail.com>
39f1dfd to e7694da
…tion

The previous fix changed the condition from:

condition.LastTransitionTime.After(lastTransitionTime)

to:

!condition.LastTransitionTime.Time.Before(lastTransitionTime.Truncate(time.Second))

This introduced a regression: when WaitKarmadaReady is called with the current LastTransitionTime (from GetLastTransitionTime) of an already-Ready instance, the >= comparison (from !Before) would return true immediately without waiting for the operator to complete a new reconciliation cycle.

Fix: require the new LastTransitionTime to be strictly in the next second or later by checking:

!condition.LastTransitionTime.Time.Before(lastTransitionTime.Truncate(time.Second).Add(time.Second))

This ensures that WaitKarmadaReady always waits for a genuinely new Ready=True condition that was set by the operator AFTER the spec update, while also handling the sub-second precision issue with time.Now().
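The commit message above compares three readiness predicates. The following is an added example, not code from the commit or from karmada, that evaluates all three on constructed timestamps so the regression and the fix can be seen side by side. It assumes a plain time.Time stands in for the second-precision metav1.Time stored on the Ready condition, and that lastSeen is the value WaitKarmadaReady was called with (possibly carrying sub-second precision from time.Now()).

```go
package main

import (
	"fmt"
	"time"
)

// originalCheck is the comparison before the first fix: strict After.
// It misses a genuinely new condition whose stored (second-precision) time
// falls in the same second as a sub-second lastSeen taken from time.Now().
func originalCheck(condTime, lastSeen time.Time) bool {
	return condTime.After(lastSeen)
}

// regressedCheck is the first fix: >= against a second-truncated baseline.
// When lastSeen is the current condition time of an already-Ready instance,
// this is true immediately, so no new reconciliation is awaited.
func regressedCheck(condTime, lastSeen time.Time) bool {
	return !condTime.Before(lastSeen.Truncate(time.Second))
}

// fixedCheck requires the new transition to land in the next whole second
// or later, so an unchanged condition is never accepted.
func fixedCheck(condTime, lastSeen time.Time) bool {
	return !condTime.Before(lastSeen.Truncate(time.Second).Add(time.Second))
}

// Evaluate returns the verdict of each predicate for one (condTime, lastSeen) pair.
func Evaluate(condTime, lastSeen time.Time) (original, regressed, fixed bool) {
	return originalCheck(condTime, lastSeen), regressedCheck(condTime, lastSeen), fixedCheck(condTime, lastSeen)
}

func main() {
	// Constructed reference instant; the scenarios are relative to it.
	base := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	cases := []struct {
		name               string
		condTime, lastSeen time.Time
	}{
		{"already Ready, caller passes the current condition time", base, base},
		{"condition stored in same second as a sub-second lastSeen", base, base.Add(500 * time.Millisecond)},
		{"operator set a new condition in the next second", base.Add(time.Second), base.Add(500 * time.Millisecond)},
	}
	for _, c := range cases {
		o, r, f := Evaluate(c.condTime, c.lastSeen)
		fmt.Printf("%-60s original=%-5v regressed=%-5v fixed=%v\n", c.name, o, r, f)
	}
}
```

The first case is the regression the commit describes: only the regressed predicate returns true, so the caller would proceed without waiting. The third case is what the fix accepts: a condition whose stored time is at least one whole second past the truncated lastSeen.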
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
This PR updates the slsa-framework/slsa-github-generator GitHub Action in the release workflow to be pinned to a specific commit SHA (f7dd8c54c2067bafc12ca7a55595d5ee9b75204a, which corresponds to the v2.1.0 tag) instead of referencing it by a tag. This helps enhance supply chain security by ensuring the action's integrity, and resolves the tracking issue for SHA pinning support in slsa-github-generator.

Which issue(s) this PR fixes:
Fixes #7337

Special notes for your reviewer:
The pinned SHA f7dd8c54c2067bafc12ca7a55595d5ee9b75204a is verified to be the commit for the v2.1.0 tag of slsa-framework/slsa-github-generator. The comments stating it "Must be referenced by a tag" have been removed accordingly.

Does this PR introduce a user-facing change?:
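The point of this PR is that a tag such as v2.1.0 is a mutable reference (the upstream repository can move it), while a 40-hex commit SHA is not. The following is an added example, not part of this PR or of karmada, of the check a reviewer can run over a workflow file to find uses: references that are still mutable, and to flag SHA pins that lack the "# vX.Y.Z" annotation that keeps the human-readable version next to the SHA. The embedded workflow excerpt is constructed for the example; its job names and the generator workflow path are illustrative, and the all-zero SHA on actions/checkout is a placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding describes one uses: reference in a workflow file.
type Finding struct {
	Line    int
	Action  string // owner/repo or owner/repo/path, or a local/docker target
	Ref     string // text after the '@', empty if absent
	Comment string // trailing "# ..." annotation, if any
	Status  string // "sha-annotated", "sha", "mutable", "local", "docker"
}

var (
	// Matches "uses: <target>" as a job or step key, with an optional trailing comment.
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(.*))?$`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// AuditUses classifies every uses: reference in the workflow text.
func AuditUses(workflow string) []Finding {
	var out []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		f := Finding{Line: i + 1, Comment: strings.TrimSpace(m[2])}
		target := strings.Trim(m[1], `"'`)
		switch {
		case strings.HasPrefix(target, "./"):
			f.Action, f.Status = target, "local" // lives in this repo, pinned by the checkout itself
		case strings.HasPrefix(target, "docker://"):
			f.Action, f.Status = target, "docker" // image tags are mutable unless a digest is used
		default:
			at := strings.LastIndex(target, "@")
			if at < 0 {
				f.Action, f.Status = target, "mutable" // no ref resolves to the default branch
				break
			}
			f.Action, f.Ref = target[:at], target[at+1:]
			switch {
			case shaRe.MatchString(f.Ref) && f.Comment != "":
				f.Status = "sha-annotated"
			case shaRe.MatchString(f.Ref):
				f.Status = "sha"
			default:
				f.Status = "mutable" // tag or branch: upstream can move it
			}
		}
		out = append(out, f)
	}
	return out
}

// Mutable returns the findings whose reference can change after the fact.
func Mutable(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.Status == "mutable" {
			out = append(out, f)
		}
	}
	return out
}

// Constructed sample workflow excerpt (not karmada's release workflow).
const sampleWorkflow = `jobs:
  cli-provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
  crds-provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local-helper
`

func main() {
	for _, f := range AuditUses(sampleWorkflow) {
		fmt.Printf("line %2d %-14s %s@%s %s\n", f.Line, f.Status, f.Action, f.Ref, f.Comment)
	}
	fmt.Printf("mutable references: %d\n", len(Mutable(AuditUses(sampleWorkflow))))
}
```

Running it reports the tag-pinned crds-provenance job as the one mutable reference and the annotation-less checkout pin as "sha", which is exactly the drift the reviewer comments above are about: a SHA with no version comment is harder to audit and to bump consistently across the four jobs.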