
Pin AL2023 BusyBox image via dependency inventory #2514

Merged: grcevski merged 1 commit into open-telemetry:main from MrAlias:bpf-verifier-pin-digest on Jun 26, 2026

Conversation

@MrAlias (Contributor) commented Jun 26, 2026

Motivation

  • Prevent a CI supply-chain integrity weakness by pinning the BusyBox image used to build the AL2023 verifier initramfs to an immutable digest, avoiding mutable tag retargeting that could allow a compromised image to falsify verifier results.
  • Keep the pinned BusyBox image visible to Renovate so future digest updates are handled by the normal Dockerfile dependency flow.

Description

  • Add busybox:musl to dependencies.Dockerfile as the busybox-musl stage, pinned to the digest for the busybox:musl tag.
  • Update internal/test/vm/lvh/al2023/run.sh to resolve the BusyBox image from dependencies.Dockerfile at runtime instead of hard-coding the reference in the script.
  • Preserve the existing --platform linux/amd64 selection and BusyBox copy behavior for the AL2023 verifier initramfs.

Testing

  • bash -n internal/test/vm/lvh/al2023/run.sh
  • awk '$1=="FROM" && $4=="busybox-musl" {print $2}' dependencies.Dockerfile
  • ./scripts/lint-dependency-policy.sh --all
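
The runtime resolution step the description above introduces, as an added example written for this page rather than code from the PR or the project: it extracts the busybox-musl stage's image reference from a dependencies.Dockerfile with the same awk pattern the testing section uses, and fails closed unless that reference carries a sha256 digest. The Dockerfile contents and the all-zero digest are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the PR's run.sh: resolve the busybox-musl stage's image
# reference from a dependencies.Dockerfile with the awk pattern the PR uses,
# then refuse to use it unless it carries an immutable sha256 digest.
# The Dockerfile contents below are constructed; the digest is an all-zero
# placeholder, not a real busybox digest.

# Print the image reference of the FROM line whose "AS" alias is $2.
resolve_stage_image() {
    # $1 = Dockerfile path, $2 = stage alias
    awk -v stage="$2" '$1=="FROM" && $4==stage {print $2}' "$1"
}

# Succeed only for references ending in a full sha256 digest; a bare tag can
# be retargeted later, which is the weakness the PR description describes.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Resolve and validate together: print the reference on success, fail closed
# (non-zero) so a caller such as run.sh never falls back to pulling a tag.
require_pinned_image() {
    ref=$(resolve_stage_image "$1" "$2")
    [ -n "$ref" ] || { echo "error: no stage '$2' in $1" >&2; return 1; }
    is_digest_pinned "$ref" || { echo "error: '$ref' is not digest-pinned" >&2; return 1; }
    printf '%s\n' "$ref"
}

# Constructed sample inventories: one pinned correctly, one tag-only.
PINNED_DF=$(mktemp)
TAG_ONLY_DF=$(mktemp)
trap 'rm -f "$PINNED_DF" "$TAG_ONLY_DF"' EXIT
cat > "$PINNED_DF" <<'EOF'
FROM example/other-image:1.0 AS other-stage
FROM busybox:musl@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS busybox-musl
EOF
cat > "$TAG_ONLY_DF" <<'EOF'
FROM busybox:musl AS busybox-musl
EOF

if [ "${1:-}" = "--demo" ]; then
    require_pinned_image "$PINNED_DF" busybox-musl    # prints the pinned reference
    require_pinned_image "$TAG_ONLY_DF" busybox-musl  # exits non-zero: tag only
fi
```

Run with `--demo` to see the pinned inventory accepted and the tag-only one rejected.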

@MrAlias MrAlias requested a review from a team as a code owner June 26, 2026 15:21
codecov bot commented Jun 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.01%. Comparing base (914ffa4) to head (053cf84).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2514      +/-   ##
==========================================
- Coverage   69.24%   69.01%   -0.24%     
==========================================
  Files         345      345              
  Lines       46747    46747              
==========================================
- Hits        32372    32261     -111     
- Misses      12330    12439     +109     
- Partials     2045     2047       +2     
Flag                           Coverage   Patch   Δ
integration-test               50.91%     ø       -0.02% ⬇️
integration-test-arm           27.10%     ø       -1.21% ⬇️
integration-test-vm-5.15-lts   28.03%     ø       +0.20% ⬆️
integration-test-vm-6.18-lts   27.02%     ø       -0.23% ⬇️
k8s-integration-test           35.77%     ø       +0.07% ⬆️
oats-test                      35.31%     ø       -0.05% ⬇️
unittests                      63.31%     ø       -0.01% ⬇️

Flags with carried forward coverage won't be shown.

@grcevski (Contributor) left a comment

LGTM!

@grcevski grcevski merged commit a69f4c1 into open-telemetry:main Jun 26, 2026
104 checks passed
@MrAlias MrAlias deleted the bpf-verifier-pin-digest branch June 26, 2026 18:56