chainguard-dev / digestabot Goto Github PK

Hi! Thanks for making this project; it looks extremely useful!

Could you add a license to this project? It would help me leverage it for professional projects.

At the moment, all relevant files in a repo are checked and a single PR is created updating all instances.

This works well for small projects, but is untenable for large repos (e.g. monorepos). We need a way to control the granularity of checks and PRs. For example, a configuration option to limit checks to certain directories or full control over the "find" command.

It would be great to add an optional extra step to verify provenance.

This could work by using cosign and taking issuer and identity arguments. (I'm not sure if issuer/identity regexps would also need to be supported). If these arguments are present and a new image is found, it should be verified with cosign. It's not clear what should happen after the failed verification; either open the PR and make the failure clear or don't open and log the error somehow?

Error
Failed to retrive digest info for 'cgr.dev/chainguard/node-lts:latest-dev
2024/01/02 00:13:18 HEAD request failed, falling back on GET: Get "https://'cgr.dev/v2/": dial tcp: lookup 'cgr.dev: no such host
Error: Get "https://'cgr.dev/v2/": dial tcp: lookup 'cgr.dev: no such host

These are in cloudbuild files and the image name is in single quotes as recommended by google. I believe that's why this is failing.

Also the word retrieve is spelt incorrectly above.

Really like the idea of this bot

#12