sigstore / cosign-gatekeeper-provider

🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures
Apache License 2.0
75 stars 23 forks

Change `go` base image in `Dockerfile` #27

Closed mathieu-benoit closed 1 year ago

mathieu-benoit commented 1 year ago

As per the discussion in there: https://github.com/sigstore/cosign-gatekeeper-provider/pull/24#pullrequestreview-1284605329.

Instead of using go:1.20 as the base image in the Dockerfile, the proposal is to use cgr.dev/chainguard/go.

If there is an agreement with that, let's have a dedicated PR opened for that.

Additionally, some questions top of mind with that:

  1. Why rekor or fulcio are using golang:1.20 and not
  2. Based on 1., do we want to have this current project not doing like the other projects?
  3. In the Dockerfile, the base image is in an ARG, which will prevent dependabot (#21) from applying any update of this base image, do we also want to change that?
  4. In the other projects, sha is used for the go:1.20 image, not here, should we do that here too?
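
Added example, not part of the thread or the project's code: a small audit that resolves `ARG`-supplied base images in a Dockerfile and reports whether each `FROM` is pinned by sha256 digest, the two properties questions 3 and 4 ask about. The ARG names, the sample Dockerfile and the all-zero digest are constructed placeholders.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
VAR = re.compile(r"\$\{?(\w+)\}?")  # $NAME or ${NAME}; ${NAME:-default} is not handled

def audit_base_images(dockerfile_text):
    """Return one finding per external FROM: resolved image, ARG use, digest pin."""
    global_args, stages, findings, seen_from = {}, set(), [], False
    for raw in dockerfile_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].upper()
        if keyword == "ARG" and not seen_from and len(parts) > 1:
            # Only ARGs declared before the first FROM can be used in FROM lines.
            name, _, default = parts[1].partition("=")
            global_args[name] = default.strip("\"'")
        elif keyword == "FROM":
            seen_from = True
            tokens = [t for t in parts[1:] if not t.startswith("--")]  # drop --platform=...
            if not tokens:
                continue
            ref = tokens[0]
            is_stage = ref in stages or ref == "scratch"
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            if is_stage:
                continue  # refers to an earlier build stage, not a registry image
            image = VAR.sub(lambda m: global_args.get(m.group(1), ""), ref)
            findings.append({"from": ref, "image": image,
                             "via_arg": bool(VAR.search(ref)),
                             "pinned": bool(DIGEST.search(image))})
    return findings

FAKE_DIGEST = "sha256:" + "0" * 64  # constructed placeholder, not a real image digest
# Constructed sample Dockerfile; BUILDER_IMAGE and BASE_IMAGE are hypothetical ARG names.
SAMPLE = f"""\
ARG BUILDER_IMAGE="golang:1.20"
ARG BASE_IMAGE=cgr.dev/chainguard/go@{FAKE_DIGEST}
FROM ${{BUILDER_IMAGE}} AS builder
RUN go build -o /out/provider .
FROM golang:1.20 AS tools
FROM $BASE_IMAGE
COPY --from=builder /out/provider /provider
FROM builder AS debug
"""

if __name__ == "__main__":
    for finding in audit_base_images(SAMPLE):
        print(finding)
```

A finding with `via_arg` true and `pinned` false marks a base image that is both indirected through an `ARG` and mutable by tag.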

Dentrax commented 1 year ago

Hey @cpanato 👋 Do you have any ideas on this?

Why rekor or fulcio are using golang:1.20 and not cgr.dev/chainguard/go? Are there any tracking issue or plan for this?

cpanato commented 1 year ago

I can take a look at that and propose a PR

cpanato commented 1 year ago

using ko to build and not a dockerfile, introduced in this pr #32

closing this issue