edmorley
commented
2 months ago This affects:
- https://github.com/heroku/libcnb.rs/pull/851
- https://github.com/heroku/buildpacks-procfile/pull/239
- https://github.com/heroku/buildpacks-nodejs/pull/911
- https://github.com/heroku/buildpacks-jvm/pull/717
- https://github.com/heroku/buildpacks-python/pull/250
- https://github.com/heroku/buildpacks-dotnet/pull/120
As part of the security related fixes in Pack CLI v0.35.0, trusted builders are now now downgraded to untrusted if any additional buildpacks are added beyond the buildpacks that are part of the builder: https://github.com/buildpacks/pack/issues/2221
Since
libcnb-testtests the buildpack in question via--buildpacks, this means as of Pack CLI v0.35.0 the build is run as untrusted, and so the log output contains the prefixes naming the stage of the build (such as[builder]): https://github.com/buildpacks/pack/issues/2228This then breaks test cases where multi-line log output is asserted against, such as: https://github.com/heroku/buildpacks-procfile/blob/798f602616353c15d6068e4b8ab29d164fe8a1cf/tests/integration_test.rs#L23-L26
Initially Pack CLI didn't have a way to say "no really, please still trust the builder", however, a new
--trust-extra-buildpacksargument topack buildwas added in Pack CLI v 0.35.1: https://github.com/buildpacks/pack/pull/2230We should update
libcnb-testto pass this arg (alongside the existing--trust-builderarg it already passes), so that builds are run in trusted mode, to (a) improve performance, (b) mean the log output doesn't contain the stage name prefixes (so matches how the output used to be previously).Since older Pack versions don't support
--trust-extra-buildpacksthis will be a breaking change (it's not worth the complexity or performance hit of runningpack --versionprior to every integration test to decide whether to pass the arg or not). However, downstream buildpack repos can update the Pack GitHub Action at the same time as libcnb to work around this.