-
Notifications
You must be signed in to change notification settings - Fork 286
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Golang API users do not get proper trusted builder behavior #1254
Comments
I believe that this is by design. At least in it's initial implementation. IIRC, there was a discussion about delegating the fact of whether a builder should be trusted to the platform that may be using the pack client. I can see an improvement where we can have both. We can have a |
@aemengo, thanks for the response. Does it make sense to add the check (the one you mentioned) in |
/cc @jromero, do you think it would be wise to move the check? 😅 |
Yes. In general I agree that it should be moved. I think the only requirement that I would ask for is that it could be replaced. Basically the two supported use cases should be:
I hope that makes sense. |
Does this imply that, even if I have one of the trusted builders and the user chooses to NOT trust the builder, the builder shouldn't be trusted? But then how would we differentiate between the 2 cases, by default the |
/cc @jromero, it'd be great if you can clear this up! |
@jimil749 one way to achieve this is to replace TrustBuilder option from being a boolean to being a function that returns a boolean. The default function could look at the config you just mentioned (along with any existing logic in the cmd package) but the user of the library can the provide a very different function with their own logic as to whether a builder should be trusted. It's a lot like providing a |
Having a func makes sense @jromero! Just a final question, since we have the |
@jimil749 ugh, import cycles. 🤢 Yes, do what you must. LOL. We can discuss it further as part of the PR if we can somehow improve it. It's typically easier to discuss once we have something to look at. |
Alright! 👍 |
Summary
Using the pack golang API does not have the same behavior as the pack CLI regarding trusted builders. In particular, trusted builders are not automatically detected as trusted. The ramification is that the creator workflow does not run, when it should.
Reproduction
Example
Expected behavior
In the above example,
heroku/buildpacks:18
is a trusted builder and the creator workflow would run using the CLI. But sinceopts.TrustBuilder
defaults tofalse
here, the same code path does not run. In the following output, the lifecycle gets downloaded when it shouldn't beEnvironment
pack info
v0.20.0
The text was updated successfully, but these errors were encountered: