fix: verify shasum for finch dependencies #969

@austinvazquez austinvazquez commented Jun 5, 2024

Issue #, if available:
Finch dependencies must be verified against known good shasum at pull time.

Description of changes:
This change refactors Finch to use the dependency mechanism in finch-core for pulling and verifying core dependencies such as the OS image and Lima bundle for macOS and the rootfs archive for Windows platforms.

As a side effect of this change, dependency updates are now 1-to-1 with finch-core updates. This is a simplification of the current mechanism, which duplicated the effort for updates.

Testing done:
Ran make on macOS.

  • I've reviewed the guidance in CONTRIBUTING.md

License Acceptance

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
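
As an added illustration (not code from this PR or from finch-core), the sketch below shows a fail-closed check of pulled artifacts against pinned digests, where a failed check deletes the file so later build steps cannot consume it. It assumes SHA-256 and a `<digest>  <filename>` manifest format; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: fail-closed digest verification for pulled build dependencies.
# sha256_of, verify_artifact, verify_manifest and the manifest layout are
# hypothetical; SHA-256 is an assumption (the PR only says "shasum").
# The pinned digests must live in the repository, not next to the download.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | awk '{print $1}'
  else
    shasum -a 256 < "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE EXPECTED_HEX
# Returns 0 only when FILE exists and its digest equals a well-formed pin.
# Any other outcome (mismatch, missing file, empty or malformed pin)
# removes FILE and returns 1.
verify_artifact() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=""
  case "$expected" in *[!0-9a-f]*) expected="" ;; esac
  if [ "${#expected}" -eq 64 ] && [ -f "$file" ]; then
    actual=$(sha256_of "$file")
  fi
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "verification failed for $file; removing it" >&2
    rm -f -- "$file"
    return 1
  fi
  return 0
}

# verify_manifest MANIFEST DIR
# MANIFEST lines look like "<sha256-hex>  <filename>". Every entry is checked
# so all failures are reported; the result is non-zero if any entry failed.
verify_manifest() {
  local manifest="$1" dir="$2" digest name rc=0
  while read -r digest name; do
    [ -n "$digest" ] || continue
    verify_artifact "$dir/$name" "$digest" || rc=1
  done < "$manifest"
  return "$rc"
}
```
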

@austinvazquez austinvazquez changed the title Verify shasum for finch dependencies fix: verify shasum for finch dependencies Jun 5, 2024
@austinvazquez austinvazquez force-pushed the verify-shasum-for-finch-dependencies branch 3 times, most recently from 6fd0211 to 6ac74d6 Compare June 5, 2024 22:37
austinvazquez added a commit that referenced this pull request Jun 21, 2024
Issue #, if available:
Split from #969 

*Description of changes:*
This change fixes SOCI installation to verify pull artifacts match
hardcoded hashchecks.

*Testing done:*
Updated unit tests to check for new hashcheck.

- [x] I've reviewed the guidance in CONTRIBUTING.md


#### License Acceptance

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Signed-off-by: Austin Vazquez <macedonv@amazon.com>
@austinvazquez austinvazquez force-pushed the verify-shasum-for-finch-dependencies branch from 6ac74d6 to 533cb36 Compare June 24, 2024 23:51
@austinvazquez austinvazquez force-pushed the verify-shasum-for-finch-dependencies branch 6 times, most recently from 364a557 to 90d648c Compare June 26, 2024 16:48
@austinvazquez austinvazquez marked this pull request as ready for review June 26, 2024 18:07
@austinvazquez austinvazquez requested a review from a team as a code owner June 26, 2024 18:07
This change refactors the build system to use finch-core's dependency
mechanism for installing and verifying the base OS image, rootfs
archive, and Lima bundle needed for macOS and Windows platforms.

Signed-off-by: Austin Vazquez <macedonv@amazon.com>
@austinvazquez austinvazquez force-pushed the verify-shasum-for-finch-dependencies branch from 90d648c to 96f6cf5 Compare June 27, 2024 17:18
@austinvazquez austinvazquez merged commit 9d85f25 into runfinch:main Jun 27, 2024
22 checks passed
@austinvazquez austinvazquez deleted the verify-shasum-for-finch-dependencies branch June 27, 2024 22:01
austinvazquez pushed a commit that referenced this pull request Jul 1, 2024
Issue #, if available:

*Description of changes:*
Recently in #969, the Makefile was
refactored significantly, and the mechanism that was used to override
the installation directory was removed ([used
here](https://github.com/runfinch/finch/blob/main/.github/workflows/build-pkg.yaml#L57)).
This just adds that mechanism back. There could be a better way to do
this, but for now just reverting back to how it was done before the
recent change.

*Testing done:*
Tested locally. The `_output/os/finch.yaml` file correctly used
`/Applications/Finch/`, which was the path I overwrote, as a prefix


- [x] I've reviewed the guidance in CONTRIBUTING.md


#### License Acceptance

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
austinvazquez pushed a commit that referenced this pull request Jul 2, 2024
🤖 I have created a release *beep* *boop*
---


## [1.2.1](v1.2.0...v1.2.1)
(2024-07-02)


### Build System or External Dependencies

* **deps:** Bump github.com/aws/aws-sdk-go-v2 from 1.27.0 to 1.27.1
([#963](#963))
([4c2dc12](4c2dc12))
* **deps:** Bump github.com/aws/aws-sdk-go-v2 from 1.27.1 to 1.27.2
([#974](#974))
([54aa67c](54aa67c))
* **deps:** bump github.com/aws/aws-sdk-go-v2 from 1.27.2 to 1.30.0
([#991](#991))
([bbcb8e7](bbcb8e7))
* **deps:** Bump github.com/docker/cli from 26.1.3+incompatible to
26.1.4+incompatible
([#973](#973))
([f774e2d](f774e2d))
* **deps:** bump github.com/docker/cli from 26.1.4+incompatible to
27.0.2+incompatible
([#999](#999))
([0244698](0244698))
* **deps:** bump github.com/docker/cli from 27.0.2+incompatible to
27.0.3+incompatible
([#1005](#1005))
([c801e69](c801e69))
* **deps:** Bump github.com/docker/docker from 26.1.3+incompatible to
26.1.4+incompatible
([#972](#972))
([05b9c05](05b9c05))
* **deps:** bump github.com/docker/docker from 26.1.4+incompatible to
27.0.1+incompatible
([#996](#996))
([1f68260](1f68260))
* **deps:** bump github.com/docker/docker from 27.0.1+incompatible to
27.0.2+incompatible
([#1001](#1001))
([50a639b](50a639b))
* **deps:** bump github.com/docker/docker from 27.0.2+incompatible to
27.0.3+incompatible
([#1006](#1006))
([537abad](537abad))
* **deps:** bump github.com/spf13/cobra from 1.8.0 to 1.8.1
([#983](#983))
([7b2bed6](7b2bed6))
* **deps:** bump golang.org/x/image from 0.12.0 to 0.18.0
([#998](#998))
([398658e](398658e))
* **deps:** Bump golang.org/x/text from 0.15.0 to 0.16.0
([#964](#964))
([8a3973a](8a3973a))
* **deps:** Bump golang.org/x/tools from 0.21.0 to 0.22.0
([#967](#967))
([3921b00](3921b00))
* **deps:** bump k8s.io/apimachinery from 0.30.1 to 0.30.2
([#981](#981))
([c8ebf20](c8ebf20))
* **deps:** Bump submodules and dependencies
([#1008](#1008))
([6134a5a](6134a5a))
* **deps:** Bump submodules and dependencies
([#949](#949))
([b5ee424](b5ee424))


### Bug Fixes

* add SOCI snapshotter hash check
([#985](#985))
([563f346](563f346))
* Allow to use the COMPOSE_FILE variable in finch compose
([#994](#994))
([17d4bc8](17d4bc8))
* Enable `finch support-bundle generate` to execute on Windows whe…
([#976](#976))
([9c1caf0](9c1caf0))
* update snapshotters reference
([#986](#986))
([06b9027](06b9027))
* verify shasum for finch dependencies
([#969](#969))
([9d85f25](9d85f25))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>