| env: | ||
| PR_NUMBER: ${{ github.event.inputs.pr_number }} | ||
| run: | | ||
| python3 - <<'PYEOF' |
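Review bot: PR_NUMBER on the `env:` line is taken directly from the `pr_number` workflow input, and nothing in the lines shown checks its shape before the inline Python runs. Passing it through `env` rather than interpolating `${{ ... }}` into the script body is the right pattern, and the quoted `'PYEOF'` delimiter keeps the shell from expanding the heredoc. I would still reject any value that is not all digits as the first statement of the script, so a malformed input fails early instead of flowing into whatever the script builds from it.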
❔ question: About this step, what motivated you to switch from bash to python as you had a working version in bash previously?
🎯 suggestion: It might be easier to run a script that is versioned in the repository rather than adding it inline into yml? 🤷 And as they are similar scripts in the update-mirror-digests workflow, you can reuse it there too
> ❔ question: About this step, what motivated you to switch from bash to python as you had a working version in bash previously?

No good reason - I started with trying to bring the bash over, but found it easier to format and test out python with Claude... I think I ended up over-engineering with python though, so will switch back to bash!

> 🎯 suggestion: It might be easier to run a script that is versioned in the repository rather than adding it inline into yml? 🤷 And as they are similar scripts in the update-mirror-digests workflow, you can reuse it there too

Hmm that could make the workflows more readable too 🤔
> so will switch back to bash!

> make the workflows more readable

Yeah, think about what could be the simplest bricks to be reused by the workflows.
Ideally, if we could run them outside the workflow (when needed or to test them) like you did for the pin system test script, that would be ideal.
About python or bash, whatever. Just pick one that works well for the task and that will be easy to maintain by the team :)
In 8e3e105, I split the logic into 3 scripts:

- The create-test-mirror-pr.yml workflow calls create-test-mirror-entries.sh which either adds test image entries or updates the existing test image digests in DataDog/images.
- The update-mirror-digests.yml workflow calls update-ci-image-digests.sh which updates the existing ci-* image digests.
- Both workflows source get-image-digests.sh which uses crane to get the latest digests for all CI variants in ghcr.io, given the prefix ci- or PRNUM_merge-.

The scripts were successful locally!
PerfectSlayer left a comment
That looks good. Thanks for continuing to refine the developer experience around testing!
Description
dd-trace-java CI now requires images to be signed. Images can be signed by first mirroring them into registry.ddbuild.io. This PR adds support for this new process with:

- docker-tag workflow. It automatically opens a PR in DataDog/images with updated ci-* image digests.
- dd-trace-java-docker-build PR being tested. It automatically opens a PR in DataDog/images with new or updated image digests that correspond to PR_NUMBER.

Testing
Both workflows use scripts to update the DataDog/images repo and get latest image digests. These scripts were tested successfully locally by calling them from a cloned copy of DataDog/images. The workflows need to land on master before being test-able.

See comments in #141 for workflow testing.

Follow-ups

- DataDog/images PR-approver bot.
- DataDog/images trust policy also needs to be refined to only master after testing (ref).