Merge pull request #43 from infosiftr/defense-in-depth

yosifkit · web-flow · commit 468ffc568749 · 2024-05-06T15:49:35.000-07:00
Add more "defense in depth" to collecting manifests for deploy
diff --git a/deploy.jq b/deploy.jq
@@ -8,7 +8,12 @@ def tagged_manifests(builds_selector; tags_extractor):
 			$i
 			| tags_extractor
 			| ..|strings # no matter what "tags_extractor" gives us, this will flatten us to a stream of strings
-		] += $i.build.resolved.manifests
+		] += [
+			# as an extra protection against cross-architecture "bleeding" ("riscv64" infra pushing "amd64" images, for example), filter the list of manifests to those whose architecture matches the architecture it is supposed to be for
+			# to be explicitly clear, this filtering is *also* done as part of our "builds.json" generation, so this is an added layer of best-effort protection that will be especially important to preserve and/or replicate if/when we solve the "not built yet so include the previous contents of the tag" portion of the problem at this layer instead of in the currently-separate put-shared process
+			$i.build.resolved.manifests[]
+			| select(.annotations["com.docker.official-images.bashbrew.arch"] // "" == $i.build.arch) # this assumes "registry.SynthesizeIndex" created this list of manifests (because it sets this annotation), but it would be reasonable for us to reimplement that conversion of "OCI platform object" to "bashbrew architecture" in pure jq if it was prudent or necessary to do so
+		]
 	)
 ;
 def arch_tagged_manifests($arch):

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,12 @@ def tagged_manifests(builds_selector; tags_extractor):`
`8`	`8`	`$i`
`9`	`9`	`\| tags_extractor`
`10`	`10`	`\| ..\|strings # no matter what "tags_extractor" gives us, this will flatten us to a stream of strings`
`11`		`- ] += $i.build.resolved.manifests`
	`11`	`+ ] += [`
	`12`	`+ # as an extra protection against cross-architecture "bleeding" ("riscv64" infra pushing "amd64" images, for example), filter the list of manifests to those whose architecture matches the architecture it is supposed to be for`
	`13`	`+ # to be explicitly clear, this filtering is also done as part of our "builds.json" generation, so this is an added layer of best-effort protection that will be especially important to preserve and/or replicate if/when we solve the "not built yet so include the previous contents of the tag" portion of the problem at this layer instead of in the currently-separate put-shared process`
	`14`	`+ $i.build.resolved.manifests[]`
	`15`	`+ \| select(.annotations["com.docker.official-images.bashbrew.arch"] // "" == $i.build.arch) # this assumes "registry.SynthesizeIndex" created this list of manifests (because it sets this annotation), but it would be reasonable for us to reimplement that conversion of "OCI platform object" to "bashbrew architecture" in pure jq if it was prudent or necessary to do so`
	`16`	`+ ]`
`12`	`17`	`)`
`13`	`18`	`;`
`14`	`19`	`def arch_tagged_manifests($arch):`