build: rego source policies #23782
Conversation
✅ Deploy Preview for docsdocker ready!
> ```
>
> When using Sigstore signatures, additional fields are available under
> `input.image.signature` (singular) with details about the signing workflow.
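Review bot: the "(singular)" aside on `input.image.signature` contrasts it with a plural field that this excerpt never names, and the thread below says these fields were written up before they could be tested; either name the plural counterpart or drop the aside, and list only the fields verified against a real Sigstore-signed image, so readers do not write policies against keys that do not exist.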
?
Uuh I reckon this was a result of me starting to preemptively doc some fields before I was able to test. Then Claude went and mangled things.
> }
> ```
>
> #### `input.git.commitChecksum`
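Review bot: the `commitChecksum` heading should say what the value is a checksum of, in what format, and whether a policy can rely on it always being set; since the thread notes that `isAnnotatedTag` exists and that `fullUrl` and `isSha256` exist but are not yet documented, a one-line "also available, not yet documented" list would stop readers from assuming this reference is complete.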
There is also checksum isAnnotatedTag.
Adding these and a couple other fields I noticed were missing. Not adding fullUrl and isSha256 just yet - I noticed they exist but I'm not really able to test those.
Signed-off-by: David Karlsson <[email protected]>
> $ docker buildx policy test --filename app.Dockerfile .
> ```
>
> This loads `app.Dockerfile.rego` and runs `*_test.rego` files against it.
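Review bot: the sentence after the command states the `app.Dockerfile` to `app.Dockerfile.rego` pairing only by example; say explicitly whether the policy file is always found by appending `.rego` to the `--filename` value, and which directory the `*_test.rego` glob is resolved against (the `.` context argument or the policy file's directory), since readers need to know where test files must live to be picked up.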
Same as above. What is the expected outcome? A short sentence might help wrap up what to expect
Left some minor comments @dvdksn. Looks great overall!
> > like `allow if { input.image; print(...) }` only prints for image inputs,
> > not for Git repos, HTTP downloads, or local files.
>
> ## Common issues
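Review bot: the debugging tip ends on the caveat that a `print` placed after `input.image` in the rule body only fires for image inputs, then moves straight to "## Common issues" without showing the variant that prints for every input kind; add that counterpart (a rule whose body does not begin with a source-specific key) so readers can see the difference rather than infer it.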
What do we think about separating debugging reference from troubleshooting? It doesn't have to be for the release, but maybe for future work. I think while the two types of info are similar, debugging reads as things a user can do to find an unknown issue whereas troubleshooting are topics that we know are common missteps.
I also might include specific error codes of some kind, or specific error message a user might encounter related to these topics if we have that info readily available. Not a blocker just an idea!
akristen
left a comment
These are really informative docs w/ a lot of good details. Some copy-level things beyond the general suggestions I left in the PR:

- Our style guide suggests we use dash construction sparingly. I might get a list of all the times you use a dash and rework those sentences to use colons, semicolons, commas, whatever you want.
- Do we always capitalize git? I didn't see anything in our style guide on guidance and I could be wrong... might be handy for me to know, lol.

Overall the one thing I might add to the introduction is more frontloaded context about WHO WHAT WHEN re: creating build policies. Is it something we recommend for larger enterprise orgs? Individual devs? What is the purpose of including these in production or dev: is it better security and compliance, or are there other benefits?
Signed-off-by: David Karlsson <[email protected]>
usha-mandya
left a comment
LGTM
Description
Buildx support for rego policies for validating build inputs (local, http, git, image).
Preview: https://deploy-preview-23782--docsdocker.netlify.app/build/policies/
Related issues or tickets