refactor(ci): use common cicd library for build #75
Conversation
Victoremepunto
force-pushed
the
update-build-deploy
branch
from
e0d1c56 to
fcef463
Compare
| export CICD_BOOTSTRAP_REPO_ORG='RedHatInsights' | ||
| CICD_TOOLS_URL="https://raw.githubusercontent.com/${CICD_BOOTSTRAP_REPO_ORG}/cicd-tools/${CICD_BOOTSTRAP_REPO_BRANCH}/src/bootstrap.sh" | ||
| # shellcheck source=/dev/null | ||
| source <(curl -sSL "$CICD_TOOLS_URL") image_builder |
There was a problem hiding this comment.
@Victoremepunto is there something better than sourcing random code from github?
There was a problem hiding this comment.
Deferred to Security for feedback
There was a problem hiding this comment.
I was suggesting signed files or commits. Otherwise RHTAP might help.
There was a problem hiding this comment.
We can configure the project (I think it is already) to only allow verified (signed) git commits.
However that's only checked on Github's side (hence the ✔️ next to the commit). The client "doesn't have a way" to check the commit signature - not a "nice and simple" one anyways.
The "signed files" - same story, the client needs to verify the validity of the signature.
RHTAP will only provide tools via Docker images (won't load stuff dynamically) - which doesn't really work for Scripts.
BUT - it's true that RHTAP will fix the "build part" - once a service is onboarded, we shall not need any build script anymore.
question is - what we do in between ?
This uses the common CICD tools scripts for
build_deploy.shthis requires RedHatInsights/cicd-tools#22 to be merged(Merged)