Skip to content

spike: wait for image for specific commit #87

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
tommartensen wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

spike: wait for image for specific commit #87

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 23 additions & 16 deletions tasks/wait-for-image-task.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ spec:
- name: IMAGE
description: Image reference.
type: string
- name: DESIRED_GIT_REF
valueFrom:
fieldRef:
fieldPath: metadata.labels['pipelinesascode.tekton.dev/sha']
Comment on lines +11 to +14
Copy link
Contributor

@msugakov msugakov Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Note that scanner v2, collector and fact images will have a different commit than the one in the executing stackrox/stackrox pipeline. Therefore, we need an ability to turn off this check for those containers.
  2. I suggest adding a short description: here to say what the default thing does and how to turn it off.

results:
- name: IMAGE_DIGEST
description: Image digest in the format `sha256:abcdef0123`.
Expand All @@ -27,27 +31,30 @@ spec:

echo "Waiting for image $(params.IMAGE) to become available..."
while true; do
if skopeo inspect --raw "docker://$(params.IMAGE)"; then
raw_info="$(skopeo inspect \
--retry-times 10 \
--format '{{.Digest}} {{ index .Labels "vcs-ref" }} {{ index .Labels "source-location" }}' \
--no-tags \
"docker://$(params.IMAGE)")"
Comment on lines +34 to +38
Copy link
Contributor

@msugakov msugakov Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If skopeo inspect here exits with no-zero, it will interrupt the script due to set -euo pipefail.
Demo:

$ foo="$(/bin/false)"
$ echo $?
1

$ foo="$(/bin/true)"
$ echo $?
0

It's possible to assign in if:

#!/usr/bin/env bash

set -euo pipefail

if blah="pre-$(/bin/false)-post"; then
	echo "success"
else
	echo "failure"
fi

echo "blah:|$blah|"
$ ./a.sh
failure
blah:|pre--post|

Not the most elegant but can't offer anything better.
We need a sleep instruction here in case skopeo inspect exited with no-zero.


# Turning raw_info into an array for easier handling.
infos=( $raw_info )
if [[ "${#infos[@]}" -ne 3 ]]; then
>&2 echo "ERROR: Not all required information was found. Verify that the 'vcs-ref' and 'source-location' labels are set on the image $(params.IMAGE)."
exit 1
fi

if [[ "${infos[1]}" == "$(params.DESIRED_GIT_REF)" ]]; then
break
else
>&2 echo "ERROR: The Git reference of the image $(params.IMAGE) does not match the desired Git reference $(params.DESIRED_GIT_REF)."
Copy link
Contributor

@msugakov msugakov Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Subjective] Well, if it's an expected situation, calling it an error could be a bit of a stretch. Error is more for a situation we foresee but don't know how to handle. In this case, we do know how to handle: try wait more.
I suggest also reword to inform user why the script continues waiting.

Suggested change
>&2 echo "ERROR: The Git reference of the image $(params.IMAGE) does not match the desired Git reference $(params.DESIRED_GIT_REF)."
>&2 echo "WARNING: The found image $(params.IMAGE)${infos[0]} seems to be built for a different commit (${infos[1]}) than the one expected ($(params.DESIRED_GIT_REF)). This could happen for a tagged build when a git tag was moved and newly-triggered pipelines haven't finished yet. This task will keep waiting for the image with the matching tag to appear."

# Continue waiting
sleep 1m
fi
sleep 1m
done

echo "Image $(params.IMAGE) found."

raw_info="$(skopeo inspect \
--retry-times 10 \
--format '{{.Digest}} {{ index .Labels "vcs-ref" }} {{ index .Labels "source-location" }}' \
--no-tags \
"docker://$(params.IMAGE)")"

# Turning raw_info into an array for easier handling.
infos=( $raw_info )
if [[ "${#infos[@]}" -ne 3 ]]; then
>&2 echo "ERROR: Not all required information was found. Verify that the 'vcs-ref' and 'source-location' labels are set on the image $(params.IMAGE)."
exit 1
fi


# Output
echo -n "${infos[0]}" | tee "$(results.IMAGE_DIGEST.path)"
echo
Expand Down