[buildpacks] Support trusted builders

Signed-off-by: David Gageot <[email protected]>

docs/content/en/schemas/v2beta5.json

@@ -528,13 +528,20 @@
           "type": "string",
           "description": "overrides the stack's default run image.",
           "x-intellij-html-description": "overrides the stack's default run image."
+        },
+        "trustBuilder": {
+          "type": "boolean",
+          "description": "indicates that the builder should be trusted.",
+          "x-intellij-html-description": "indicates that the builder should be trusted.",
+          "default": "false"
         }
       },
       "preferredOrder": [
         "builder",
         "runImage",
         "env",
         "buildpacks",
+        "trustBuilder",
         "dependencies"
       ],
       "additionalProperties": false,

pkg/skaffold/build/buildpacks/build_test.go

@@ -65,16 +65,17 @@ func TestBuild(t *testing.T) {
 		},
 		{
 			description: "success with buildpacks",
-			artifact:    withBuildpacks([]string{"my/buildpack", "my/otherBuildpack"}, buildpacksArtifact("my/otherBuilder", "my/otherRun")),
+			artifact:    withTrustedBuilder(withBuildpacks([]string{"my/buildpack", "my/otherBuildpack"}, buildpacksArtifact("my/otherBuilder", "my/otherRun"))),
 			tag:         "img:tag",
 			api:         &testutil.FakeAPIClient{},
 			expectedOptions: &pack.BuildOptions{
-				AppPath:    ".",
-				Builder:    "my/otherBuilder",
-				RunImage:   "my/otherRun",
-				Buildpacks: []string{"my/buildpack", "my/otherBuildpack"},
-				Env:        map[string]string{},
-				Image:      "img:latest",
+				AppPath:      ".",
+				Builder:      "my/otherBuilder",
+				RunImage:     "my/otherRun",
+				Buildpacks:   []string{"my/buildpack", "my/otherBuildpack"},
+				TrustBuilder: true,
+				Env:          map[string]string{},
+				Image:        "img:latest",
 			},
 		},
 		{
@@ -257,6 +258,10 @@ func withSync(sync *latest.Sync, artifact *latest.Artifact) *latest.Artifact {
 	return artifact
 }
 
+func withTrustedBuilder(artifact *latest.Artifact) *latest.Artifact {
+	artifact.BuildpackArtifact.TrustBuilder = true
+	return artifact
+}
 func withBuildpacks(buildpacks []string, artifact *latest.Artifact) *latest.Artifact {
 	artifact.BuildpackArtifact.Buildpacks = buildpacks
 	return artifact

pkg/skaffold/build/buildpacks/lifecycle.go

@@ -95,13 +95,14 @@ func (b *Builder) build(ctx context.Context, out io.Writer, a *latest.Artifact,
 	alreadyPulled := images.AreAlreadyPulled(artifact.Builder, artifact.RunImage)
 
 	if err := runPackBuildFunc(ctx, out, b.localDocker, pack.BuildOptions{
-		AppPath:    workspace,
-		Builder:    artifact.Builder,
-		RunImage:   artifact.RunImage,
-		Buildpacks: buildpacks,
-		Env:        env,
-		Image:      latest,
-		NoPull:     alreadyPulled,
+		AppPath:      workspace,
+		Builder:      artifact.Builder,
+		RunImage:     artifact.RunImage,
+		Buildpacks:   buildpacks,
+		Env:          env,
+		Image:        latest,
+		NoPull:       alreadyPulled,
+		TrustBuilder: artifact.TrustBuilder,
 		// TODO(dgageot): Support project.toml include/exclude.
 		// FileFilter: func(string) bool { return true },
 	}); err != nil {

pkg/skaffold/schema/latest/config.go

@@ -750,6 +750,9 @@ type BuildpackArtifact struct {
 	// Order matters.
 	Buildpacks []string `yaml:"buildpacks,omitempty"`
 
+	// TrustBuilder indicates that the builder should be trusted.
+	TrustBuilder bool `yaml:"trustBuilder,omitempty"`
+
 	// Dependencies are the file dependencies that skaffold should watch for both rebuilding and file syncing for this artifact.
 	Dependencies *BuildpackDependencies `yaml:"dependencies,omitempty"`
 }