Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Move the plugin installation properties from sign to setup action #55

Open
FeynmanZhou opened this issue Jan 30, 2024 · 2 comments
Open
Labels
question Further information is requested

Comments

@FeynmanZhou
Copy link
Member

FeynmanZhou commented Jan 30, 2024

The sign action requires users to input notation plugin installation properties. As a user, I would expect the plugin installation can be configured and completed in the setup action.

It would be much efficient and flexible if users sign a image multiple times using a Notation Sign action, without specifying the plugin installation each time.

In addition, if users have multiple plugins, they just need to specify which plugin to use in signing, without installing the plugin per running sign action.

Is it possible to move the plugin installation properties from sign action to setup action as follows?

Notation Setup

- name: setup Notation CLI
  uses: notaryproject/notation-action/setup@v1
  with:
    version: <version_of_official_Notation_CLI_release>
    url: <url_of_customized_Notation_CLI>
    checksum: <SHA256_of_the_customized_Notation_CLI>
    plugin_name: <notation_signing_plugin_name>
    plugin_url: <plugin_download_url>
    plugin_checksum: <SHA256_of_the_signing_plugin>

Notation Sign

- name: sign releasd artifact with signing plugin
  uses: notaryproject/notation-action/sign@v1
  with:
    plugin: <which_plugin_to_use>
    key_id: <key_identifier_to_sign>
    target_artifact_reference: <target_artifact_reference_in_remote_registry>
    signature_format: <signature_envelope_format>
    plugin_config: <list_of_plugin_defined_configs>
    allow_referrers_api: <boolean_flag_for_referrers_api>
@Two-Hearts
Copy link
Contributor

Two-Hearts commented Jan 30, 2024

An open discussion with my thoughts:
The current design is extensible. Because the verify action is not supporting verification through a plugin at the moment. If one day we want to support it, then a user can setup a Notation CLI, use plugin 1 for sign and use plugin 2 for verify. (given plugin 1 only has signing capability and plugin 2 only has verification capability).
(@FeynmanZhou, JFYI, the current design does check if plugin already exists. If yes, it won't install it again. so we are not installing the plugin per running.)

The proposed design moves plugin installation to setup, which is not as flexible as the current design? Because, now the user needs to provide both plugin 1 and plugin 2 to setup action. In addition, they also need to tell Notation GHA which plugin should be used for sign and verify accordingly.

@FeynmanZhou @shizhMSFT Any thoughts/comments/suggestions on this one?

@cmaclaughlin
Copy link

cmaclaughlin commented Mar 22, 2024

The current design is flexible and if/when verify plugins are supported, it would indeed be complicated to move all plugin config on setup and configure multiple at that time.

However, the current setup is inviting human error. For instance, if an image, SBOM and vulnerability scan result are all being signed in a single job, I have to include all required plugin information 3 times. When I go to upgrade the plugin version, I'll have multiple places to update the URL and checksum. Missing one property could result in an error, e.g. a conflict between version and checksum. What happens if a job refers to 2 versions of the same plugin with the same name -- is the determination that the plugin exists checking by name or by name & version?

Maybe the solution is to have a "setup-plugin" action? This could be done once per plugin in the job/workflow, regardless of how often said plugin is used. Yes, the name will still have to be provided with every sign and verify, but this will ensure the same version of the plugin is used and reduces the chance of user-introduced errors or confusion.

@FeynmanZhou FeynmanZhou added the question Further information is requested label Jun 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

3 participants