Skip to content

feat(recipes): pin nodewright-customizations packages by digest#1037

Merged
mchmarny merged 7 commits into
mainfrom
feat/nodewright-containersha-1031
May 27, 2026
Merged

feat(recipes): pin nodewright-customizations packages by digest#1037
mchmarny merged 7 commits into
mainfrom
feat/nodewright-containersha-1031

Conversation

@ayuskauskas

Copy link
Copy Markdown
Contributor

Summary

Pin every Skyhook Package in nodewright-customizations by containerSHA: sha256:... and teach the BOM extractor to recognize that field as the OCI digest, removing the per-image digest-pin test exemptions for the three nodewright-packages refs.

Motivation / Context

The Skyhook Package CRD does not accept an @sha256:... digest inside its image: value, but it does carry an explicit containerSHA field for the same purpose. We were exempting these refs from the ADR-006 layer 2 digest-pin gate in recipes/manifest_images_test.go. Now that the CRD field is populated, the gate can enforce the pin directly.

Fixes: #1031
Related: #745

Type of Change

  • New feature (non-breaking change that adds functionality)

Component(s) Affected

  • Recipe engine / data (pkg/recipe)
  • Bundlers (pkg/bundler, pkg/component/*)
  • Docs/examples (docs/, examples/)

Implementation Notes

  • recipes/components/nodewright-customizations/manifests/tuning.yaml and tuning-gke.yaml: added containerSHA to every package entry (nvidia-setup-kernel, nvidia-tuned, nvidia-setup-full, and the GKE tuning package). Digests resolved via crane digest <ref>:
    • ghcr.io/nvidia/nodewright-packages/nvidia-setup:0.2.2sha256:76913a5d…
    • ghcr.io/nvidia/nodewright-packages/nvidia-tuned:0.3.0sha256:cc99c8c0…
    • ghcr.io/nvidia/nodewright-packages/nvidia-tuning-gke:0.1.2sha256:6671d49f…
  • pkg/bom/extract.go: walkForImages now also collects a sibling containerSHA scalar, and a new appendContainerSHA helper folds it onto the combined CRD-style ref as @<sha>. An in-line @digest in image continues to win — containerSHA never overwrites or double-appends. This keeps the change local to the extractor: callers (BOM, digest-pin test, PURL) consume the resulting @sha256:... without any special-casing.
  • recipes/manifest_images_test.go: removed the three nodewright-packages/* entries from imageDigestExemptions. skyhook-packages/shellscript:1.1.1 stays exempt — upstream does not currently surface a containerSHA for it.
  • docs/user/container-images.md: regenerated via make bom-docs; the three nodewright-packages refs now appear as :tag@sha256:....

Testing

go test -race ./pkg/bom/... ./pkg/bundler/... ./recipes/...
golangci-lint run -c .golangci.yaml ./pkg/bom/... ./recipes/...
make bom-docs

All green. Two new test cases were added in pkg/bom/extract_test.go:

  • Skyhook Package with containerSHA sibling folds in as digest — verifies the fold-in path.
  • inline @digest in image takes precedence over containerSHA sibling — guards the precedence rule so a stale containerSHA cannot silently overwrite an explicit in-line digest.

Coverage delta: pkg/bom: 89.7% → 90.0% (+0.3%).

The TestComponentManifestImagesAreDigestPinned log now lists only the four expected exemptions (three Mellanox NicClusterPolicy refs + shellscript) — the three nodewright-packages refs are accepted as digest-pinned.

Risk Assessment

  • Low — Isolated change, well-tested, easy to revert

Rollout notes: Pure supply-chain hardening. The image tags are unchanged, so resolved manifests deploy the same artifacts they did before — Skyhook now additionally validates the digest at install time. No migration needed.

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality
  • I updated docs if user-facing behavior changed
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

Adds containerSHA: sha256:<digest> to every Skyhook Package entry in
the nodewright-customizations manifests so the GPU node setup,
tuning, and GKE tuning containers are pulled by digest rather than
the mutable image tag.

Teach pkg/bom.ExtractImagesFromYAML to fold a sibling containerSHA
scalar onto the combined CRD-style image reference as @sha256:...,
so the digest is preserved in the BOM and the recipes/ digest-pin
test recognizes the ref as pinned without a per-image exemption.

Removes the three nodewright-packages entries from
recipes/manifest_images_test.go imageDigestExemptions; only
skyhook-packages/shellscript stays exempt (upstream does not surface
a containerSHA for it). docs/user/container-images.md regenerated
via make bom-docs.

Fixes #1031.
@github-actions

Copy link
Copy Markdown
Contributor

@coderabbitai

coderabbitai Bot commented May 26, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: d6ed0d56-7dc6-4759-af30-1f32d3e36d80

📥 Commits

Reviewing files that changed from the base of the PR and between f2367fc and e881b3e.

📒 Files selected for processing (2)
  • pkg/bom/extract.go
  • pkg/bom/extract_test.go

📝 Walkthrough

Walkthrough

This PR adds support for a CRD sibling field containerSHA in the BOM image extractor, validates and folds it into image references as an @sha256:... digest (preserving existing inline digests), propagates traversal errors, updates unit tests for valid and invalid SHA handling, adds containerSHA entries to nodewright-customizations tuning manifests (including GKE), narrows the manifest image-exemption list, and updates documentation to reflect the pinned digests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

area/tests

Suggested reviewers

  • mchmarny
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately captures the main change: pinning nodewright-customizations packages by digest using the containerSHA field.
Description check ✅ Passed The description clearly explains the changes, motivation, implementation details, testing, and risk assessment related to pinning Skyhook Package digests.
Linked Issues check ✅ Passed All PR objectives directly address issue #1031: containerSHA fields populated for nodewright-customizations, BOM extractor recognizes the field, test exemptions removed, and full coverage achieved.
Out of Scope Changes check ✅ Passed All changes are directly scoped to implementing containerSHA support and removing exemptions. No unrelated modifications detected.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/nodewright-containersha-1031

Comment @coderabbitai help to get the list of available commands and usage tips.

@mchmarny mchmarny enabled auto-merge (squash) May 26, 2026 19:49
@github-actions

github-actions Bot commented May 26, 2026

Copy link
Copy Markdown
Contributor

Coverage Report ✅

Metric Value
Coverage 77.0%
Threshold 75%
Status Pass
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-77.0%25-green)

Merging this branch will increase overall coverage

Impacted Packages Coverage Δ 🤖
github.com/NVIDIA/aicr/pkg/bom 90.26% (+0.58%) 👍

Coverage by file

Changed files (no unit tests)

Changed File Coverage Δ Total Covered Missed 🤖
github.com/NVIDIA/aicr/pkg/bom/extract.go 98.46% (+0.20%) 130 (+15) 128 (+15) 2 👍

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

mchmarny
mchmarny previously approved these changes May 26, 2026

@mchmarny mchmarny left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean supply-chain hardening change. The extractor logic for containerSHA matches the existing CRD-triplet pattern (image/repository/version sibling scalars), preserves precedence (inline @digest wins, empty is a no-op, otherwise append), and the two new test cases lock both branches in. Removing the three nodewright-packages exemptions from recipes/manifest_images_test.go and keeping just the shellscript carve-out is the right call.

CI: ClamAV, grype, and all completed Tier-1 matrix jobs are green; a handful of flux-oci variants are still running but the extractor change is unrelated to those code paths. CodeQL conclusion is "neutral" (skipped, normal here).

One non-blocking nit on appendContainerSHA — see inline.

Comment thread pkg/bom/extract.go Outdated
mchmarny and others added 2 commits May 26, 2026 13:11
Validate `containerSHA` against `^sha256:[a-f0-9]{64}$` inside
appendContainerSHA and return an error from ExtractImagesFromYAML
when a Skyhook Package carries a malformed digest. A typo,
truncation, or user value-override that lands in a containerSHA
field can no longer slip through to the BOM, PURL, or SBOM output —
extraction itself fails with the offending value in the message.

Propagate the error through walkForImages so every recursion path
surfaces it. Add three regression cases covering non-sha256 prefix,
short hex, and uppercase hex (the OCI digest grammar is lowercase).

Addresses Mark's nit on #1037.
@mchmarny mchmarny disabled auto-merge May 26, 2026 22:55
@mchmarny mchmarny enabled auto-merge (squash) May 27, 2026 00:11
@mchmarny mchmarny merged commit cce25f0 into main May 27, 2026
106 checks passed
@mchmarny mchmarny deleted the feat/nodewright-containersha-1031 branch May 27, 2026 00:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature]: Move nodewright-customizations to use sha for their container value

2 participants