libcnb-test: Pass --trust-extra-buildpacks when running pack build
#854
Assignees
Labels
Comments
This was referenced Aug 27, 2024
edmorley
changed the title
--trust-additional-buiildpacks when running pack build--trust-extra-buildpacks when running pack build
|
I've updated libcnb+setup-pack for all affected repos: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As part of the security related fixes in Pack CLI v0.35.0, trusted builders are now now downgraded to untrusted if any additional buildpacks are added beyond the buildpacks that are part of the builder:
buildpacks/pack#2221
Since
libcnb-testtests the buildpack in question via--buildpacks, this means as of Pack CLI v0.35.0 the build is run as untrusted, and so the log output contains the prefixes naming the stage of the build (such as[builder]):buildpacks/pack#2228
This then breaks test cases where multi-line log output is asserted against, such as:
https://github.com/heroku/buildpacks-procfile/blob/798f602616353c15d6068e4b8ab29d164fe8a1cf/tests/integration_test.rs#L23-L26
Initially Pack CLI didn't have a way to say "no really, please still trust the builder", however, a new
--trust-extra-buildpacksargument topack buildwas added in Pack CLI v 0.35.1:buildpacks/pack#2230
We should update
libcnb-testto pass this arg (alongside the existing--trust-builderarg it already passes), so that builds are run in trusted mode, to (a) improve performance, (b) mean the log output doesn't contain the stage name prefixes (so matches how the output used to be previously).Since older Pack versions don't support
--trust-extra-buildpacksthis will be a breaking change (it's not worth the complexity or performance hit of runningpack --versionprior to every integration test to decide whether to pass the arg or not). However, downstream buildpack repos can update the Pack GitHub Action at the same time as libcnb to work around this.The text was updated successfully, but these errors were encountered: