fix: chain of trust should influence cache digest

bhearsum · ahal · commit 18ffe2affea0 · 2024-06-11T10:44:08.000-04:00
Chain of trust being enabled or disabled influences the outcome of a task. Specifically, it controls whether or not chain of trust artifacts will be present on the task. Without this impacting the cache digest, cached tasks will continue to be cached when chain of trust is enabled on them, and if there is a chain of trust verifier downstream, this will cause verification issues.

BREAKING CHANGE: worker.chain-of-trust now influences cache digests
diff --git a/src/taskgraph/transforms/cached_tasks.py b/src/taskgraph/transforms/cached_tasks.py
@@ -77,7 +77,14 @@ def cache_task(config, tasks):
                         task["label"], p
                     )
                 )
+
         digest_data = cache["digest-data"] + sorted(dependency_digests)
+
+        # Chain of trust affects task artifacts therefore it should influence
+        # cache digest.
+        if task.get("worker", {}).get("chain-of-trust"):
+            digest_data.append(str(task["worker"]["chain-of-trust"]))
+
         add_optimization(
             config,
             task,
diff --git a/test/test_transforms_cached_tasks.py b/test/test_transforms_cached_tasks.py
@@ -91,6 +91,19 @@ def assert_cache_with_non_cached_dependency(e):
     handle_exception(e, exc=Exception)
 
 
+def assert_chain_of_trust_influences_digest(tasks):
+    assert len(tasks) == 3
+    # The first two tasks are chain-of-trust unspecified, and chain-of-trust: False
+    # which should result in the same digest.
+    digest_0 = tasks[0]["attributes"]["cached_task"]["digest"]
+    digest_1 = tasks[1]["attributes"]["cached_task"]["digest"]
+    assert digest_0 == digest_1
+
+    # The third task is chain-of-trust: True, and should have a different digest
+    digest_2 = tasks[2]["attributes"]["cached_task"]["digest"]
+    assert digest_0 != digest_2
+
+
 @pytest.mark.parametrize(
     "tasks, kind_config, deps",
     (
@@ -177,6 +190,45 @@ def assert_cache_with_non_cached_dependency(e):
             {"dep": make_task("dep")},
             id="cache_with_non_cached_dependency",
         ),
+        pytest.param(
+            # tasks
+            [
+                {
+                    "cache": {
+                        "type": "cached-task.v2",
+                        "name": "cache-foo",
+                        "digest-data": ["abc"],
+                    },
+                    # no explicit chain of trust configuration; should be the
+                    # same as when it is set to False
+                },
+                {
+                    "cache": {
+                        "type": "cached-task.v2",
+                        "name": "cache-foo",
+                        "digest-data": ["abc"],
+                    },
+                    "worker": {
+                        "chain-of-trust": False,
+                    },
+                },
+                {
+                    "cache": {
+                        "type": "cached-task.v2",
+                        "name": "cache-foo",
+                        "digest-data": ["abc"],
+                    },
+                    "worker": {
+                        "chain-of-trust": True
+                    },
+                },
+            ],
+            # kind config
+            {},
+            # kind deps
+            {},
+            id="chain_of_trust_influences_digest",
+        ),
     ),
 )
 def test_transforms(
