chore: add provenance file handling into run_macaron.sh #698
Thanks. LGTM.
@@ -439,6 +443,16 @@ if [[ -n "${arg_prov_exp:-}" ]]; then | |||
fi | |||
fi | |||
|
|||
# Determine the provenance expectation path to be mounted into ${MACARON_WORKSPACE}/prov_files/${pf_name} where pf_name is a file name. |
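Review bot: the added comment line still says "provenance expectation path", wording that looks carried over from the `arg_prov_exp` branch named in the hunk header, while the destination it describes is `${MACARON_WORKSPACE}/prov_files/${pf_name}`. Call it the provenance file here, and state how `pf_name` is obtained from the path given (for example, that it is the base name only), since that value decides where the file lands under the workspace.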
# Determine the provenance expectation path to be mounted into ${MACARON_WORKSPACE}/prov_files/${pf_name} where pf_name is a file name. | |
# Mount the provenance file into ${MACARON_WORKSPACE}/prov_files/${pf_name} where pf_name is a file name. |
Fixed in bf2f407
Not a comment for this PR in particular, but a general comment: We should probably rethink where the expected result files should be stored. To me, it makes more sense to store all expected files for a particular test case in the same directory instead of scattering them through multiple different directories, making it hard to understand which expected file belongs to which test.
I will remove the
08ed216 to fc998db
@behnazh-w @nathanwn I have updated the integration test case:
For the
This combination will be handled inside this block macaron/src/macaron/slsa_analyzer/analyzer.py Lines 702 to 708 in e214326
However, its logic doesn't extract the commit hash from provenance, which leaves macaron/src/macaron/slsa_analyzer/analyzer.py Lines 819 to 825 in e214326
which will fail because the target repository doesn't have any release on GitHub (see https://github.com/behnazh-w/example-maven-app/releases).
Please let me know what you think.
I think the proposed fix is the correct behaviour, but I think that commit should be separated into its own PR and merged prior to finishing this one (since it isn't really related to this change, more a continuation of #708 that happens to be a prerequisite for this one).
In your fix, if I understand it right, the user-provided digest takes precedence over the commit in the provenance. macaron/src/macaron/slsa_analyzer/analyzer.py Lines 725 to 729 in 82e241b
I agree with Nick that this should be in another PR. Do open it and I can approve it for you.
Thanks everyone! I will bring the fix commit to a different pull request shortly.
This is True, the digest provided from the user takes precedence.
Yes this is True. I meant to put it there originally as a "default" case because mypy doesn't recognize that we have covered all possible cases.
I now remember why the last
82e241b to f3449a1
…d integration test case to integration_tests_docker.sh
Closes #697