@jlebon jlebon commented Sep 11, 2025

We want to store all the signatures in the same location rather than
stream-specific. But ideally we still want the staging location for
signing to be stream-specific so that we can safely garbage collect
stale files there without worrying about stepping on concurrent runs.

Just pick up the stream from the metadata and use that to build the
staging location.

See also coreos/fedora-coreos-pipeline#1218.

Create a new variable for the staging location instead of pushing the
staging path on the prefix, only to then peel it off later to get back
to its original value.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates the OCI signing process to use a stream-specific staging location in S3. This is a valuable change that enhances safety by isolating concurrent signing runs for different streams, preventing them from interfering with each other. The implementation correctly determines the stream from build metadata and applies it to the staging path, while keeping the final signature destination unchanged, as described. The code is clear and the changes are consistent with the stated goal. I have one minor suggestion to improve the robustness of how the stream name is parsed.

@dustymabe dustymabe left a comment

LGTM

@jlebon jlebon merged commit 8932119 into coreos:main Sep 11, 2025
5 of 6 checks passed
@jlebon jlebon deleted the pr/sigs-staging branch September 11, 2025 18:39
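
The layout the pull request description argues for (one shared signature location, a per-stream staging location that can be garbage collected safely), sketched as an added example that is not the project's code. The prefix names, the `stream` metadata key, the stream-name pattern and the one-day age threshold are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed layout (not taken from the PR): final signatures share one prefix,
# staging files sit under a prefix that includes the stream name.
SIGS_PREFIX = "sigs/"               # hypothetical shared destination
STAGING_ROOT = "staging/oci-sign"   # hypothetical staging root
_STREAM_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")  # assumed naming rule

def staging_prefix(meta: dict) -> str:
    """Build the stream-specific staging prefix from build metadata."""
    stream = meta.get("stream")  # hypothetical metadata key
    if not isinstance(stream, str) or not _STREAM_RE.fullmatch(stream):
        # Reject empty names, '/' and '..' so a malformed value cannot
        # point staging (and later garbage collection) at another prefix.
        raise ValueError(f"unusable stream name: {stream!r}")
    # The trailing slash keeps 'stable' from matching 'stable-next/...'.
    return f"{STAGING_ROOT}/{stream}/"

def stale_staging_keys(objects, meta, now, max_age=timedelta(days=1)):
    """Return the keys GC may delete for this stream.

    objects is an iterable of (key, last_modified) pairs, e.g. from a
    bucket listing. Only keys under this stream's staging prefix and
    older than max_age are eligible; other streams' staging files and
    the shared signature location are never returned.
    """
    prefix = staging_prefix(meta)
    return sorted(
        key for key, mtime in objects
        if key.startswith(prefix) and now - mtime > max_age
    )

# Constructed sample listing, for illustration only.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    ("staging/oci-sign/stable/a.sig", NOW - timedelta(days=3)),
    ("staging/oci-sign/stable/b.sig", NOW - timedelta(hours=1)),
    ("staging/oci-sign/stable-next/c.sig", NOW - timedelta(days=3)),
    ("staging/oci-sign/testing/d.sig", NOW - timedelta(days=3)),
    (SIGS_PREFIX + "e.sig", NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    print(stale_staging_keys(SAMPLE_OBJECTS, {"stream": "stable"}, NOW))
```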