November 8, 2021 Community Meeting

[gabemontero]

• Please add a topic in this thread and add a link to the Github issue associated with the topic.
• Please make sure you give folks enough time to review/discuss the topic offline on Github before coming into the meeting
• (optional) Paste the image of an animal

[gabemontero]

Allowing output images to be optional.

See discussion thread starting at shipwright-io/build#911 (comment)

[adambkaplan]

Moving to the 8th due to official holidays in Europe and India.

[SaschaSchwarze0]

Image signing using cosign. Do we want to use the traditional mode with a certificate that we create (and need to store as a secret). Or do we want to use the keyless mode as proposed in the pull requests. Issues with the latter:

1. It is experimental.
2. It uses the fulcio root ca which is in this state: fulcio is a work in progress. There's working code and a running instance and a plan, but you should not attempt to try to actually use it for anything.

   //
 _oo\
(__/ \  _  _
   \  \/ \/ \
   (         )\
    \_______/  \
     [[] [[]
     [[] [[]

[sbose78]

I would like to present my SHIP #41 on event driven Build executions.

[imjasonh]

State of moving images to ghcr.io and signing them:

• Move released images to ghcr.io build#913
  • build repo images are moved
  • sample base images moved, PRs in sample repos
  • blocked on moving source-bundle image, but it's not really urgent
• Sign released images build#907
  • nightly PR to sign them ready for approval: Sign nightly released images build#918
  • "real" release PR ready for approval after #918: Sign released images build#938

[adambkaplan]

Minutes:

• Output image being optional
  • Scenario came up with cosign.
  • Ideal is that Shipwright pushes container images to the container registry, build tool should output image to a location (i.e. as a tar file). Pushing optional makes the output image field also optional.
  • Predecessor OpenShift builds had this capability
  • Related issue - Remove image push steps from the build strategies build#165. However, the discussion of making image push optional should be done in a separate issue and require a SHIP.
• Signing releases
  • Keyless mode is considered experimental, but confidence in backing assets (fulcio, public rekor) is growing.
  • Current release signs the build controller container image. Other things could be signed.
  • Keyless mode uses ephemeral keys that are signed by GitHub Actions.
  • Concern that things like the fulcio root CA will go away -> signatures can't be verified.
  • Consensus - we can proceed with keyless mode for nightly releases.
• SHIP SHIP : Git event-driven build executions #41 - discussion and initial input.
• Moving images
  • Move released images to ghcr.io build#913 - in progress