Use a non-alpha tagged defaultBaseImage image for ko builds #6456
Comments
Hey, thanks for raising this. Sorry I didn't see this earlier. I'm not sure why the Secondly, there's currently no need for an agreement between Chainguard and Tekton to pull any available tag of If you can identify a date that this last worked for you, you can pin to I'll look into when |
It looks like the change was made some time in early Feb:
This happens because These Alpine-based Chainguard Images are a bit of a weird bird, since they depend on Alpine's packages and release schedules. This is a good example of where we don't have as much control/visibility as we'd like, and where changes outside our control can cause confusion downstream. I'm sorry about that. |
Thanks @imjasonh -- The pre-amble in the README here -- https://github.com/chainguard-images/images/tree/main/images/static -- led me to think we could only use "latest". |
That's helpful to know. The intention of that wasn't to indicate that older tags aren't available for Since |
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing. |
Stale issues rot after 30d of inactivity. /lifecycle rotten Send feedback to tektoncd/plumbing. |
Rotten issues close after 30d of inactivity. /close Send feedback to tektoncd/plumbing. |
@tekton-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/reopen @imjasonh @afrittoli @pritidesai -- sorry to flag but really need help here |
@skaegi: Reopened this issue. In response to this:
/remove-lifecycle rotten -- more housekeeping -- we really need this addressed. |
/lifecycle frozen |
Yes, what is triggering the problem is the contents of ... but I think even if clair had support we would still get flagged because of using an alpha release...
Just to be clear, as this is our base image you get the same result when using -- |
Using
The last five releases of
Checking the alpine version for each of them:
I see that the switch to edge happened in September:
We should pin Tekton builds to |
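The two checks this thread revolves around, whether the base image reference floats on "latest" and whether the image's /etc/alpine-release names a pre-release snapshot, can be sketched as follows. This is an added example, not code from Tekton or Chainguard; the function names are hypothetical, the contents of /etc/alpine-release are assumed to have been extracted from the image already, and the tag and digest in the samples are constructed placeholders.

```python
import re

# /etc/alpine-release holds e.g. "3.18.0" (stable) or "3.18_alpha20230208" (edge snapshot).
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(alpha|beta|rc)(\d*))?$")
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def classify_alpine_release(text):
    """Return (major, minor, channel); channel is 'stable' or the pre-release label."""
    m = RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised alpine-release contents: {text!r}")
    major, minor, _patch, pre, _stamp = m.groups()
    return int(major), int(minor), pre or "stable"


def pin_level(image_ref):
    """Classify an image reference as 'digest', 'tag', 'floating' or 'invalid'."""
    name, at, digest = image_ref.partition("@")
    if at:
        return "digest" if DIGEST_RE.fullmatch(digest) else "invalid"
    # A ':' before the last '/' is a registry port, not a tag.
    _, colon, tag = name.rsplit("/", 1)[-1].partition(":")
    return "tag" if colon and tag and tag != "latest" else "floating"


def audit(image_ref, release_text):
    """List the findings a base-image review would raise for this pair."""
    findings = []
    if pin_level(image_ref) in ("floating", "invalid"):
        findings.append("base image is not pinned to a fixed tag or digest")
    major, minor, channel = classify_alpine_release(release_text)
    if channel != "stable":
        findings.append(f"Alpine {major}.{minor} {channel} snapshot, not a stable release")
    return findings


if __name__ == "__main__":
    # Constructed samples: version strings from this thread, placeholder tag and digest.
    samples = [
        ("cgr.dev/chainguard/static", "3.18_alpha20230208\n"),
        ("cgr.dev/chainguard/static:latest", "3.19_alpha20230901\n"),
        ("cgr.dev/chainguard/static:EXAMPLE-TAG", "3.18.0\n"),
        ("cgr.dev/chainguard/static@sha256:" + "0" * 64, "3.18.0\n"),
    ]
    for ref, release in samples:
        print(ref, "->", audit(ref, release) or "ok")
```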
The "latest" tag in the distroless image we use as base image is based on an alpha release of Alpine 3.19_alpha20230901. Pin the image instead to the latest available version that is based on Alpine 3.18.0 instead. Fixes: tektoncd#6456 Signed-off-by: Andrea Frittoli <[email protected]>
This is required too for a full fix #7366 |
As of yesterday, the default base is Wolfi-based, so this shouldn't be an issue. |
Tekton is currently using cgr.dev/chainguard/static as our defaultBaseImage. This recently has caused us problems as apparently in the 0.46 Tekton release the /etc/alpine-release is set to 3.18_alpha20230208 which is leading our security team to think this image contains alpha packages.
We are in a really awkward situation here as we cannot even rebuild easily as apparently the tags are not available outside of an agreement with Chainguard so without deep thought can only rebuild with "latest".
My ask here is...