sources: verify git refs with checksum #1059
Open
cpuguy83 wants to merge 2 commits into
Pull request overview
This PR adds git source checksum support so tag/branch refs can be fetched while verifying they resolve to an expected commit, and updates docs/schema/tests around that behavior.
Changes:
- Adds `SourceGit.Checksum`, validation, build-arg substitution, LLB `GitChecksum` wiring, and doc output.
- Adds unit/integration coverage for checksum attributes and preserving tag metadata with `keepGitDir`.
- Updates JSON schema and website docs with checksum/tag-pinning guidance.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| source_git.go | Adds checksum field handling for git sources. |
| source_test.go | Extends git source LLB assertions for checksum and keepGitDir. |
| load_test.go | Adds checksum validation and substitution test cases. |
| test/source_test.go | Adds integration test for checksum with tag metadata preservation. |
| docs/spec.schema.json | Updates generated schema for git checksum and field descriptions. |
| website/docs/spec.md | Updates sources example to show tag plus checksum usage. |
| website/docs/sources.md | Documents git refs and checksum behavior. |
5cb7e3d to 00f2ab3
00f2ab3 to 8254914
8254914 to 9210be9
9210be9 to 81f0d10
81f0d10 to 0792097
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Add an optional git source checksum that is passed to BuildKit so tags and branches can be fetched by ref while ensuring they resolve to the expected commit. This preserves .git tag metadata when keepGitDir is enabled, which lets tools derive version information from tags without giving up source pinning. If a tag or branch moves away from the expected commit, checksum verification fails the build.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
0792097 to a0562b1
Summary
- `checksum` field that verifies a fetched ref resolves to the expected commit.
- `keepGitDir: true` keeps useful git metadata for build tooling.
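The check described in the commit message and summary (a tag or branch must resolve to the pinned commit, or the build fails), as an added Go example that is not code from this PR, Dalec, or BuildKit. It reads constructed `git ls-remote`-style output; `sampleRefs`, `resolveRef`, `verifyRef` and `errMoved` are hypothetical names, and comparing the pin against the peeled commit of an annotated tag with 40-character SHA-1 ids is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed `git ls-remote`-style sample (not real data); v1.0.0 is annotated, so "^{}" is its commit.
const sampleRefs = "1111111111111111111111111111111111111111\trefs/heads/main\n" +
	"2222222222222222222222222222222222222222\trefs/tags/v1.0.0\n" +
	"3333333333333333333333333333333333333333\trefs/tags/v1.0.0^{}\n" +
	"4444444444444444444444444444444444444444\trefs/tags/v1.1.0\n"

var errMoved = errors.New("ref does not resolve to the expected commit")

// resolveRef returns the commit that tag or branch `name` points at,
// preferring the peeled ("^{}") entry over the tag object of an annotated tag.
func resolveRef(lsRemote, name string) (string, error) {
	refs := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(lsRemote), "\n") {
		if sha, ref, ok := strings.Cut(line, "\t"); ok {
			refs[ref] = sha
		}
	}
	for _, ref := range []string{"refs/tags/" + name + "^{}", "refs/tags/" + name, "refs/heads/" + name} {
		if sha, ok := refs[ref]; ok {
			return sha, nil
		}
	}
	return "", fmt.Errorf("ref %q not found", name)
}

// verifyRef fails closed: the pin must be a full commit id (assumed SHA-1) and match exactly.
func verifyRef(lsRemote, name, want string) error {
	if len(want) != 40 {
		return fmt.Errorf("pin %q is not a full 40-character commit id", want)
	}
	got, err := resolveRef(lsRemote, name)
	if err != nil {
		return err
	}
	if !strings.EqualFold(got, want) {
		return fmt.Errorf("%w: %s is at %s, pinned to %s", errMoved, name, got, want)
	}
	return nil
}

func main() { fmt.Println(verifyRef(sampleRefs, "v1.0.0", "3333333333333333333333333333333333333333")) }
```

Rejecting abbreviated pins keeps the comparison exact, and a pin that matches only the annotated tag object is reported as a mismatch because the tag object id is not the commit id.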