diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c3760300..de6b6fcc 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -63,7 +63,7 @@ jobs: - . - e2e/wasm - e2e/smoke - - e2e/pull + - e2e/assertion bzlmodEnabled: [true, false] exclude: @@ -71,11 +71,11 @@ jobs: - os: macos-13 folder: e2e/wasm - os: macos-13 - folder: e2e/pull + folder: e2e/assertion - os: macos-13 bazelversion: 6.4.0 - # e2e/pull is bzlmod only but it has test for both cases. - - folder: e2e/pull + # e2e/assertion is bzlmod only but it has test for both cases. + - folder: e2e/assertion bzlmodEnabled: false # TODO: fix - folder: e2e/wasm diff --git a/e2e/platforms/.bazelignore b/e2e/assertion/.bazelignore similarity index 100% rename from e2e/platforms/.bazelignore rename to e2e/assertion/.bazelignore diff --git a/e2e/platforms/.bazelrc b/e2e/assertion/.bazelrc similarity index 100% rename from e2e/platforms/.bazelrc rename to e2e/assertion/.bazelrc diff --git a/e2e/assertion/BUILD.bazel b/e2e/assertion/BUILD.bazel new file mode 100644 index 00000000..0b91aa84 --- /dev/null +++ b/e2e/assertion/BUILD.bazel 
@@ -0,0 +1,65 @@
+load("@aspect_bazel_lib//lib:bats.bzl", "bats_test")
+
+[
+ bats_test(
+ name = "test_oci_pull_auth_%s" % name,
+ size = "large",
+ srcs = [
+ "oci_pull_auth_tests.bats",
+ ],
+ args = [
+ "--verbose-run",
+ "--timing",
+ "--trace",
+ ],
+ data = glob(["credential-helper/**"]) + [
+ "wksp",
+ "//registry:auth",
+ ],
+ env = {
+ "WKSP": "$(location :wksp)",
+ "REGISTRY": "$(rootpath //registry:auth)",
+ "BAZEL_FLAGS": flags,
+ },
+ tags = [
+ "exclusive",
+ "local",
+ "no-remote",
+ "no-remote-exec",
+ ],
+ )
+ for (name, flags) in [
+ ("bzlmod", "--noenable_bzlmod"),
+ ("nobzlmod", "--enable_bzlmod"),
+ ]
+]
+
+[
+ bats_test(
+ name = "test_oci_pull_%s" % name,
+ size = "large",
+ srcs = [
+ "oci_pull_tests.bats",
+ ],
+ args = [
+ "--verbose-run",
+ "--timing",
+ "--trace",
+ ],
+ data = [":wksp"],
+ env = {
+ "WKSP": "$(location :wksp)",
+ "BAZEL_FLAGS": flags,
+ },
+ tags = [
+ "exclusive",
+ "local",
+ "no-remote",
+ "no-remote-exec",
+ ],
+ )
+ for (name, flags) in [
+ ("bzlmod", "--noenable_bzlmod"),
+ ("nobzlmod", "--enable_bzlmod"),
+ ]
+]
diff --git a/e2e/pull/MODULE.bazel b/e2e/assertion/MODULE.bazel
similarity index 100%
rename from e2e/pull/MODULE.bazel
rename to e2e/assertion/MODULE.bazel
diff --git a/e2e/pull/credential-helper/docker-credential-evil b/e2e/assertion/credential-helper/docker-credential-evil
similarity index 100%
rename from e2e/pull/credential-helper/docker-credential-evil
rename to e2e/assertion/credential-helper/docker-credential-evil
diff --git a/e2e/pull/credential-helper/docker-credential-new b/e2e/assertion/credential-helper/docker-credential-new
similarity index 100%
rename from e2e/pull/credential-helper/docker-credential-new
rename to e2e/assertion/credential-helper/docker-credential-new
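Review bot: The target names and the flags are crossed in both comprehensions: `("bzlmod", "--noenable_bzlmod")` yields `test_oci_pull_auth_bzlmod` and `test_oci_pull_bzlmod` running with bzlmod disabled, while the `nobzlmod` variants run with `--enable_bzlmod`. The pairing is inherited from the deleted e2e/pull and e2e/platforms BUILD files, but this file is new and is the place to correct it: `("bzlmod", "--enable_bzlmod"),` and `("nobzlmod", "--noenable_bzlmod"),`. A failing credential test that reports the wrong mode sends whoever triages it to the wrong code path.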
diff --git a/e2e/pull/credential-helper/docker-credential-oci b/e2e/assertion/credential-helper/docker-credential-oci
similarity index 100%
rename from e2e/pull/credential-helper/docker-credential-oci
rename to e2e/assertion/credential-helper/docker-credential-oci
diff --git a/e2e/pull/test.bats b/e2e/assertion/oci_pull_auth_tests.bats
similarity index 100%
rename from e2e/pull/test.bats
rename to e2e/assertion/oci_pull_auth_tests.bats
diff --git a/e2e/platforms/test.bats b/e2e/assertion/oci_pull_tests.bats
similarity index 73%
rename from e2e/platforms/test.bats
rename to e2e/assertion/oci_pull_tests.bats
index c39ad254..059c686c 100644
--- a/e2e/platforms/test.bats
+++ b/e2e/assertion/oci_pull_tests.bats
@@ -46,3 +46,16 @@ setup() {
 run bazel build @distroless_base_single_arch_wrong_amd64_platforms_attr//... --platforms=//platforms:linux_arm64 $BAZEL_FLAGS
 assert_failure
 }
+
+
+@test "when oci_pull with a tag, it should print a warning" {
+ # Even if the target
+ run bazel build @distroless_base_with_tag//... --platforms=//platforms:linux_x86_64 $BAZEL_FLAGS
+ assert_output --partial 'WARNING: Fetching from distroless/cc-debian12@latest without an integrity hash, result will not be cached'
+ assert_output --partial 'For reproducible builds, a digest is recommended.'
+ assert_output --partial "Either set 'reproducible = False' to silence this warning"
+ assert_output --partial "or run the following command to change"
+ assert_output --partial "to use a digest:"
+ assert_output --partial "'remove tag' 'remove platforms'"
+ assert_output --partial 'add platforms "linux/amd64" "linux/arm64/v8" "linux/arm/v7" "linux/s390x" "linux/ppc64le"'
+}
diff --git a/e2e/pull/registry/BUILD.bazel b/e2e/assertion/registry/BUILD.bazel
similarity index 100%
rename from e2e/pull/registry/BUILD.bazel
rename to e2e/assertion/registry/BUILD.bazel
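Review bot: The last assertion in the new `@test` pins the platform list of a live, mutable upstream tag: the `add platforms "linux/amd64" ...` line can only come from whatever `gcr.io/distroless/cc-debian12:latest` publishes at run time, since the fixture in wksp/MODULE.bazel and wksp/WORKSPACE declares only `linux/amd64`. The test therefore needs public network access and will break when upstream adds or drops an architecture; serving a tagged image from the local test registry would presumably keep the expected output stable. The comment `# Even if the target` is an unfinished sentence and should be completed or removed. The test also never checks the exit status, so if the build is meant to succeed despite the warning, add `assert_success` after the `run` line.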
diff --git a/e2e/pull/registry/go.mod b/e2e/assertion/registry/go.mod
similarity index 100%
rename from e2e/pull/registry/go.mod
rename to e2e/assertion/registry/go.mod
diff --git a/e2e/pull/registry/go.sum b/e2e/assertion/registry/go.sum
similarity index 100%
rename from e2e/pull/registry/go.sum
rename to e2e/assertion/registry/go.sum
diff --git a/e2e/pull/registry/main.go b/e2e/assertion/registry/main.go
similarity index 100%
rename from e2e/pull/registry/main.go
rename to e2e/assertion/registry/main.go
diff --git a/e2e/platforms/wksp/.bazelrc b/e2e/assertion/wksp/.bazelrc
similarity index 50%
rename from e2e/platforms/wksp/.bazelrc
rename to e2e/assertion/wksp/.bazelrc
index eeeb84f2..2d7d41bd 100644
--- a/e2e/platforms/wksp/.bazelrc
+++ b/e2e/assertion/wksp/.bazelrc
@@ -1,2 +1,2 @@
-common --symlink_prefix=/
+
 common --repository_cache=
\ No newline at end of file
diff --git a/e2e/platforms/wksp/.bazelversion b/e2e/assertion/wksp/.bazelversion
similarity index 100%
rename from e2e/platforms/wksp/.bazelversion
rename to e2e/assertion/wksp/.bazelversion
diff --git a/e2e/pull/wksp/BUILD.bazel b/e2e/assertion/wksp/BUILD.bazel
similarity index 100%
rename from e2e/pull/wksp/BUILD.bazel
rename to e2e/assertion/wksp/BUILD.bazel
diff --git a/e2e/platforms/wksp/MODULE.bazel b/e2e/assertion/wksp/MODULE.bazel
similarity index 59%
rename from e2e/platforms/wksp/MODULE.bazel
rename to e2e/assertion/wksp/MODULE.bazel
index 4f9cab92..b8c6be45 100644
--- a/e2e/platforms/wksp/MODULE.bazel
+++ b/e2e/assertion/wksp/MODULE.bazel
@@ -1,7 +1,7 @@
 "Bazel dependencies"
-bazel_dep(name = "rules_oci", version = "0.0.0", dev_dependency = True)
-bazel_dep(name = "platforms", version = "0.0.7")
+bazel_dep(name = "rules_oci", version = "0.0.0")
+bazel_dep(name = "platforms", version = "0.0.8")
 local_path_override(
 module_name = "rules_oci",
@@ -9,13 +9,25 @@ local_path_override(
 )
 oci = use_extension("@rules_oci//oci:extensions.bzl", "oci")
-
+oci.pull(
+ name = "empty_image",
+ digest = "sha256:e40e202a677ddddeaaf4603df278a6da42130d750622f1b1130bdafe6876a6e0",
+ image = "http://localhost:1447/empty_image",
+)
+use_repo(oci, "empty_image")
+oci.pull(
+ name = "distroless_base_with_tag",
+ image = "gcr.io/distroless/cc-debian12",
+ platforms = [
+ "linux/amd64",
+ ],
+ tag = "latest",
+)
 oci.pull(
 name = "distroless_base_single_arch_no_platforms_attr",
 digest = "sha256:71b79745bb79377e88d936fd362bf505ad9f278f6a613233f0be2f10b96b1b21",
 image = "gcr.io/distroless/base",
 )
-
 oci.pull(
 name = "distroless_base_single_arch_correct_arm64_platforms_attr",
 digest = "sha256:71b79745bb79377e88d936fd362bf505ad9f278f6a613233f0be2f10b96b1b21",
@@ -24,7 +36,6 @@ oci.pull(
 "linux/arm64",
 ],
 )
-
 oci.pull(
 name = "distroless_base_single_arch_wrong_amd64_platforms_attr",
 digest = "sha256:71b79745bb79377e88d936fd362bf505ad9f278f6a613233f0be2f10b96b1b21",
@@ -33,9 +44,13 @@ oci.pull(
 "linux/amd64",
 ],
 )
-
-use_repo(oci,
- "distroless_base_single_arch_no_platforms_attr",
+use_repo(
+ oci,
 "distroless_base_single_arch_correct_arm64_platforms_attr",
+ "distroless_base_single_arch_correct_arm64_platforms_attr_linux_arm64",
+ "distroless_base_single_arch_no_platforms_attr",
 "distroless_base_single_arch_wrong_amd64_platforms_attr",
+ "distroless_base_single_arch_wrong_amd64_platforms_attr_linux_amd64",
+ "distroless_base_with_tag",
+ "distroless_base_with_tag_linux_amd64",
 )
diff --git a/e2e/platforms/wksp/WORKSPACE b/e2e/assertion/wksp/WORKSPACE
similarity index 75%
rename from e2e/platforms/wksp/WORKSPACE
rename to e2e/assertion/wksp/WORKSPACE
index f5f0f3cf..4fdc788b 100644
--- a/e2e/platforms/wksp/WORKSPACE
+++ b/e2e/assertion/wksp/WORKSPACE
@@ -13,6 +13,12 @@ oci_register_toolchains(name = "oci")
 load("@rules_oci//oci:pull.bzl", "oci_pull")
+oci_pull(
+ name = "empty_image",
+ digest = "sha256:e40e202a677ddddeaaf4603df278a6da42130d750622f1b1130bdafe6876a6e0",
+ image = "http://localhost:1447/empty_image",
+)
+
 oci_pull(
 name = "distroless_base_single_arch_no_platforms_attr",
 digest = "sha256:71b79745bb79377e88d936fd362bf505ad9f278f6a613233f0be2f10b96b1b21",
@@ -36,3 +42,12 @@ oci_pull(
 "linux/amd64",
 ],
 )
+
+oci_pull(
+ name = "distroless_base_with_tag",
+ image = "gcr.io/distroless/cc-debian12",
+ platforms = [
+ "linux/amd64",
+ ],
+ tag = "latest",
+)
diff --git a/e2e/platforms/wksp/WORKSPACE.bzlmod b/e2e/assertion/wksp/WORKSPACE.bzlmod
similarity index 100%
rename from e2e/platforms/wksp/WORKSPACE.bzlmod
rename to e2e/assertion/wksp/WORKSPACE.bzlmod
diff --git a/e2e/platforms/wksp/platforms/BUILD.bazel b/e2e/assertion/wksp/platforms/BUILD.bazel
similarity index 100%
rename from e2e/platforms/wksp/platforms/BUILD.bazel
rename to e2e/assertion/wksp/platforms/BUILD.bazel
diff --git a/e2e/platforms/BUILD.bazel b/e2e/platforms/BUILD.bazel
deleted file mode 100644
index db16d7a7..00000000
--- a/e2e/platforms/BUILD.bazel
+++ /dev/null
@@ -1,31 +0,0 @@
-load("@aspect_bazel_lib//lib:bats.bzl", "bats_test")
-
-[
- bats_test(
- name = "test_%s" % name,
- size = "large",
- srcs = [
- "test.bats",
- ],
- env = {
- "WKSP": "$(location :wksp)",
- "BAZEL_FLAGS": flags
- },
- args = [
- "--verbose-run",
- "--timing",
- "--trace"
- ],
- data = [":wksp"],
- tags = [
- "local",
- "exclusive",
- "no-remote",
- "no-remote-exec"
- ]
- )
- for (name, flags) in [
- ("bzlmod", "--noenable_bzlmod"),
- ("nobzlmod", "--enable_bzlmod")
- ]
-]
diff --git a/e2e/platforms/MODULE.bazel b/e2e/platforms/MODULE.bazel
deleted file mode 100644
index 20b19a9f..00000000
--- a/e2e/platforms/MODULE.bazel
+++ /dev/null
@@ -1,3 +0,0 @@
-"Bazel dependencies"
-
-bazel_dep(name = "aspect_bazel_lib", version = "2.7.2")
diff --git a/e2e/platforms/WORKSPACE.bazel b/e2e/platforms/WORKSPACE.bazel
deleted file mode 100644
index e69de29b..00000000
diff --git a/e2e/platforms/wksp/BUILD.bazel b/e2e/platforms/wksp/BUILD.bazel
deleted file mode 100644
index e69de29b..00000000
diff --git a/e2e/pull/.bazelignore b/e2e/pull/.bazelignore
deleted file mode 100644
index 81642cb7..00000000
--- a/e2e/pull/.bazelignore
+++ /dev/null
@@ -1 +0,0 @@
-wksp
\ No newline at end of file
diff --git a/e2e/pull/.bazelrc b/e2e/pull/.bazelrc
deleted file mode 100644
index e69de29b..00000000
diff --git a/e2e/pull/BUILD.bazel b/e2e/pull/BUILD.bazel
deleted file mode 100644
index b48766b7..00000000
--- a/e2e/pull/BUILD.bazel
+++ /dev/null
@@ -1,32 +0,0 @@
-load("@aspect_bazel_lib//lib:bats.bzl", "bats_test")
-
-[
- bats_test(
- name = "test_%s" % name,
- size = "large",
- srcs = [
- "test.bats",
- ],
- env = {
- "WKSP": "$(location :wksp)",
- "REGISTRY": "$(rootpath //registry:auth)",
- "BAZEL_FLAGS": flags
- },
- args = [
- "--verbose-run",
- "--timing",
- "--trace"
- ],
- data = glob(["credential-helper/**"]) + ["wksp", "//registry:auth"],
- tags = [
- "local",
- "exclusive",
- "no-remote",
- "no-remote-exec"
- ]
- )
- for (name, flags) in [
- ("bzlmod", "--noenable_bzlmod"),
- ("nobzlmod", "--enable_bzlmod")
- ]
-]
diff --git a/e2e/pull/WORKSPACE.bazel b/e2e/pull/WORKSPACE.bazel
deleted file mode 100644
index e69de29b..00000000
diff --git a/e2e/pull/wksp/.bazelrc b/e2e/pull/wksp/.bazelrc
deleted file mode 100644
index 2e41cb72..00000000
--- a/e2e/pull/wksp/.bazelrc
+++ /dev/null
@@ -1,2 +0,0 @@
-common --noexperimental_convenience_symlinks
-common --repository_cache=
\ No newline at end of file
diff --git a/e2e/pull/wksp/.bazelversion b/e2e/pull/wksp/.bazelversion
deleted file mode 100644
index 4ac4fded..00000000
--- a/e2e/pull/wksp/.bazelversion
+++ /dev/null
@@ -1 +0,0 @@
-6.2.0
\ No newline at end of file
diff --git a/e2e/pull/wksp/MODULE.bazel b/e2e/pull/wksp/MODULE.bazel
deleted file mode 100644
index cc1cb644..00000000
--- a/e2e/pull/wksp/MODULE.bazel
+++ /dev/null
@@ -1,17 +0,0 @@
-"Bazel dependencies"
-
-bazel_dep(name = "rules_oci", version = "0.0.0")
-bazel_dep(name = "platforms", version = "0.0.7")
-
-local_path_override(
- module_name = "rules_oci",
- path = "../../..",
-)
-
-oci = use_extension("@rules_oci//oci:extensions.bzl", "oci")
-oci.pull(
- name = "empty_image",
- digest = "sha256:e40e202a677ddddeaaf4603df278a6da42130d750622f1b1130bdafe6876a6e0",
- image = "http://localhost:1447/empty_image",
-)
-use_repo(oci, "empty_image")
diff --git a/e2e/pull/wksp/WORKSPACE b/e2e/pull/wksp/WORKSPACE
deleted file mode 100644
index e3dc7354..00000000
--- a/e2e/pull/wksp/WORKSPACE
+++ /dev/null
@@ -1,20 +0,0 @@
-local_repository(
- name = "rules_oci",
- path = "../../../",
-)
-
-load("@rules_oci//oci:dependencies.bzl", "rules_oci_dependencies")
-
-rules_oci_dependencies()
-
-load("@rules_oci//oci:repositories.bzl", "oci_register_toolchains")
-
-oci_register_toolchains(name = "oci")
-
-load("@rules_oci//oci:pull.bzl", "oci_pull")
-
-oci_pull(
- name = "empty_image",
- digest = "sha256:e40e202a677ddddeaaf4603df278a6da42130d750622f1b1130bdafe6876a6e0",
- image = "http://localhost:1447/empty_image",
-)
diff --git a/e2e/wasm/MODULE.bazel b/e2e/wasm/MODULE.bazel
new file mode 100644
index 00000000..56b6b266
--- /dev/null
+++ b/e2e/wasm/MODULE.bazel
@@ -0,0 +1,12 @@
+bazel_dep(name = "rules_oci", version = "0.0.0")
+bazel_dep(name = "aspect_bazel_lib", version = "2.7.2")
+bazel_dep(name = "bazel_skylib", version = "1.5.0")
+bazel_dep(name = "platforms", version = "0.0.8")
+bazel_dep(name = "rules_rust", version = "0.45.1")
+bazel_dep(name = "rules_pkg", version = "0.10.1")
+bazel_dep(name = "hermetic_cc_toolchain", version = "3.1.0")
+
+local_path_override(
+ module_name = "rules_oci",
+ path = "../..",
+)
diff --git a/e2e/pull/wksp/WORKSPACE.bzlmod b/e2e/wasm/WORKSPACE.bzlmod
similarity index 100%
rename from e2e/pull/wksp/WORKSPACE.bzlmod
rename to e2e/wasm/WORKSPACE.bzlmod
diff --git a/oci/private/authn.bzl b/oci/private/authn.bzl
index 8a2f5317..88ae6c89 100644
--- a/oci/private/authn.bzl
+++ b/oci/private/authn.bzl
@@ -4,7 +4,6 @@ load("@aspect_bazel_lib//lib:base64.bzl", "base64")
 load("@aspect_bazel_lib//lib:repo_utils.bzl", "repo_utils")
 load(":util.bzl", "util")
-
 # Unfortunately bazel downloader doesn't let us sniff the WWW-Authenticate header, therefore we need to
 # keep a map of known registries that require us to acquire a temporary token for authentication.
 _WWW_AUTH = {
@@ -101,7 +100,7 @@ def _get_auth_file_path(rctx):
 return None
-def _fetch_auth_via_creds_helper(rctx, raw_host, helper_name):
+def _fetch_auth_via_creds_helper(rctx, raw_host, helper_name, allow_fail = False):
 if rctx.os.name.startswith("windows"):
 executable = "{}.bat".format(helper_name)
 rctx.file(
@@ -120,7 +119,10 @@ exec "docker-credential-{}" get <<< "$1"
 """.format(helper_name),
 )
 result = rctx.execute([rctx.path(executable), raw_host])
 if result.return_code:
- fail("credential helper failed: \nSTDOUT:\n{}\nSTDERR:\n{}".format(result.stdout, result.stderr))
+ if not allow_fail:
+ fail("credential helper failed: \nSTDOUT:\n{}\nSTDERR:\n{}".format(result.stdout, result.stderr))
+ else:
+ return {}
 response = json.decode(result.stdout)
@@ -183,7 +185,7 @@ def _get_auth(rctx, state, registry):
 # look for generic credentials-store all lookups for host-specific auth fails
 if "credsStore" in config and len(pattern.keys()) == 0:
- pattern = _fetch_auth_via_creds_helper(rctx, registry, config["credsStore"])
+ pattern = _fetch_auth_via_creds_helper(rctx, registry, config["credsStore"], allow_fail = True)
 # cache the result so that we don't do this again unnecessarily.
 state["auth"][registry] = pattern
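Review bot: The new `else: return {}` branch in `_fetch_auth_via_creds_helper` discards a failing credential helper's exit status and stderr without any message, and the `credsStore` call site in `_get_auth` (the `@@ -183,7` hunk) then caches that empty result in `state["auth"][registry]`. A helper that is missing, broken or misnamed in the Docker config therefore degrades to an unauthenticated fetch, and the user sees only a later registry error with no hint that credentials were dropped. Keep the fallback but report it in the `else:` branch, for example `print("WARNING: credential helper '{}' failed for {}, continuing without credentials: {}".format(helper_name, raw_host, result.stderr))`, logging stderr only because stdout is where a helper returns secrets. The `allow_fail` parameter also deserves a short comment saying it is intended for the generic `credsStore` lookup. Both function bodies continue outside these hunks.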
@@ -232,7 +234,7 @@ def _get_token(rctx, state, registry, repository):
 state["token"][url] = pattern
 return pattern
-NO_CONFIG_FOUND_ERROR="""\
+NO_CONFIG_FOUND_ERROR = """\
 Could not find the `$HOME/.docker/config.json` and `$XDG_RUNTIME_DIR/containers/auth.json` file
 Running one of `podman login`, `docker login`, `crane login` may help.
@@ -242,7 +244,6 @@ def _explain(state):
 if not state["config"]:
 return NO_CONFIG_FOUND_ERROR
 return None
-
 def _new_auth(rctx, config_path = None):
 if not config_path:
@@ -257,15 +258,15 @@ def _new_auth(rctx, config_path = None):
 }
 return struct(
 get_token = lambda reg, repo: _get_token(rctx, state, reg, repo),
- explain = lambda: _explain(state)
+ explain = lambda: _explain(state),
 )
 authn = struct(
- new = _new_auth,
+ new = _new_auth,
 ENVIRON = [
 "DOCKER_CONFIG",
 "REGISTRY_AUTH_FILE",
 "XDG_RUNTIME_DIR",
 "HOME",
- ]
-)
\ No newline at end of file
+ ],
+)