Add --reproducible flag to flux push artifact
#4769
Conversation
frekw
force-pushed
the
feat/reproducible-push
branch
from
a5740fb to
e10aa34
Compare
cmd/flux/push_artifact.go
Outdated
| @@ -202,6 +204,12 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error { | |||
| Annotations: annotations, | |||
| } | |||
|
|
|||
| if pushArtifactArgs.reproducible { | |||
| zeroTime := time.Unix(0, 0) | |||
| meta.Revision = "" | |||
There was a problem hiding this comment.
This is not Ok, a reproducible build is for a Git SHA.
There was a problem hiding this comment.
But if we annotate the artifact with the git SHA then the image digest (i.e the sha256:9328ca7d5a003880b9a31140436cf43bead8fa289fba55103e661e5aaf9ad1f3) will always differ regardless of it the contents differ or not. This is only for circumstances where you need the digest to be exactly the same for the same contents, akin to https://github.com/GoogleContainerTools/kaniko?tab=readme-ov-file#flag---reproducible
There was a problem hiding this comment.
This is not Ok, a reproducible build is for a Git SHA.
That's not true, a reproducible build is for an image digest, commit SHAs are completely unrelated.
There was a problem hiding this comment.
We could remove the meta.Revision = "" it we allow passing in an empty revision if reproducible is set;
diff --git a/cmd/flux/push_artifact.go b/cmd/flux/push_artifact.go
index d98361af..7a5063fe 100644
--- a/cmd/flux/push_artifact.go
+++ b/cmd/flux/push_artifact.go
@@ -151,7 +151,7 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
return fmt.Errorf("--source is required")
}
- if pushArtifactArgs.revision == "" {
+ if pushArtifactArgs.revision == "" && !pushArtifactArgs.reproducible {
return fmt.Errorf("--revision is required")
}There was a problem hiding this comment.
I'd say that reproducible should be just that, reproducible by default, what would the default behavior end up being here? As in would it be a bit unpredictable?
There was a problem hiding this comment.
Not having a revision goes against what I think Flux OCI should be, IMO every object managed by Flux should allow tracing back to its Git origin. If you don't care about this, then feel free to set the revision to some static value.
There was a problem hiding this comment.
@stefanprodan fair enough, pushed an update that only changes meta.Created 👍
frekw
force-pushed
the
feat/reproducible-push
branch
3 times, most recently
from
55720ba to
ea12aa7
Compare
stefanprodan
changed the title
--reprodicuble flag to flux push artifact--reproducible flag to flux push artifact
|
There is a typo in the commit message, please fix it to |
frekw
force-pushed
the
feat/reproducible-push
branch
from
ea12aa7 to
ba9e335
Compare
|
Whoops, sorry, typo should be fixed now! 🙏 |
|
Can you please squash and rebase with upstream main. |
This makes the pushed artifact have the exact same hash if the contents are the same. E.g ``` flux push artifact oci://repo/image:tag1 --source deploy --revision="test" --path=deploy --reproducible flux push artifact oci://repo/image:tag2 --source deploy --revision="test" --path=deploy --reproducible ``` will both result in the same sha hash, tagged with `tag1` and `tag2`. This is useful when producing flux artifacts in a monorepo setup where you don't want to unnecessarily push new artifacts unless something has actually changed. Signed-off-by: frekw <fredrik@warnsberg.se>
frekw
force-pushed
the
feat/reproducible-push
branch
from
704afb6 to
26109ee
Compare
|
Of course! |
This makes the pushed artifact have the exact same hash if the contents are the same.
E.g
will both result in the same sha hash, tagged with
tag1andtag2.This is useful when producing flux artifacts in a monorepo setup where you don't want to unnecessarily push new artifacts unless something has actually changed.