-
Notifications
You must be signed in to change notification settings - Fork 143
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds new Github actions identity issuer #559
Conversation
Codecov Report
@@ Coverage Diff @@
## main #559 +/- ##
==========================================
+ Coverage 36.84% 40.81% +3.96%
==========================================
Files 19 22 +3
Lines 1441 1563 +122
==========================================
+ Hits 531 638 +107
- Misses 851 861 +10
- Partials 59 64 +5
Continue to review full report at Codecov.
|
271157f
to
ba3cf26
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something to consider - By only adding files without refactoring the underlying code, it's hard to confirm that no business logic is changing. I definitely prefer smaller PRs though. Maybe in the PR description, pointing to the places in the code where the logic originated?
I'm a little nervous about breaking something subtly, and we don't have great test coverage besides the large API test file so it's hard to verify that nothing has changed.
|
||
// Parse claims on authenticated token | ||
var claims struct { | ||
JobWorkflowRef string `json:"job_workflow_ref"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: I think the rest of the code base uses '
, any reason to switch to `?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All the struct tags us ` I believe so you don't need to escape the ". I'm guessing you mean my ` usage for strings instead of " elsewhere? Its just a habit of mine to use them if I'm not using escape characters but I can change that to be in keeping with the rest of the code base
I'm wondering if, once you've added all of the base structs/functions/etc, it would be better to try and make these changes piecemeal, where you change the portion of the code that's affected at the same time as making these improvements. I would greatly prefer refactors (still concise) are done in one PR, rather than just having PRs with only additions or mostly only removals. |
The problem I see is that I'd have to put something like branch by abstraction in place in front of the old implementation to cut over the issuer implementations one by one. This is probably my lack of imagination but I can't think of an easy way to get that branch by abstraction bit in place. Can you think of a strategy that would be easy to implement? I agree this is somewhat scary because we're replacing a lot of poorly tested code, but perhaps we can integration test heavily in staging to alleviate some of those fears of regression? |
I can certainly point out in each PR the bits of code that will eventually be removed because of them if that helps out. I've also been trying add really thorough test coverage for everything I've written to improve our confidence in the refactor. |
Issuer implements the new identity issuer abstraction Signed-off-by: Nathan Smith <nathan@chainguard.dev>
With refactoring, I prefer one refactor at a time. This refactor involves moving functions, adding an abstraction layer, adding tests, moving constants, etc. These changes in this PR can be composed slightly different with more intermediate steps - it might take a few more PRs, but it'd give reviewers more confidence that no business logic is changing. I have a good understanding of how everything will be structured at the end from your design doc, so I don't mind a few more intermediate steps. I'd just prefer avoiding anything breaking while we move logic around, and as a reviewer, I can quickly approve PRs that are moving code since that code was previously reviewed. For example, would you consider doing the following:
There's a lot of helpful refactoring tips here. |
🤔 Yup ok I think I can do this better |
Summary
Implements the new issuer abstraction for github actions OIDC issuer.
Thoughts / questions for reviewers:
Ticket Link
Relates to #275
Release Note