Skip to content

feat(bundler): enable --attest and --data for argocd-helm (#573)#627

Merged
lockwobr merged 2 commits into
mainfrom
feat/attestation-dynamic
Apr 21, 2026
Merged

feat(bundler): enable --attest and --data for argocd-helm (#573)#627
lockwobr merged 2 commits into
mainfrom
feat/attestation-dynamic

Conversation

@lockwobr

Copy link
Copy Markdown
Contributor

Summary

  • Adds DataFiles field to argocd.Generator and argocdhelm.Generator
  • Extracts deployer.ResolveDataFilePaths and checksum.WriteChecksums so all three deployers share one SafeJoin + checksum-finalize path
  • Simplifies buildDeployer: single upfront debug log, direct returns
  • Deletes obsolete rejection tests; adds DataFiles coverage for argocd and argocd-helm plus unit tests for the new shared helpers
  • Add some missing docs around dynamic and api server, which just merged.

Attestation binds the shipped bundle (defaults, stubs, data files); it does not bind install-time values supplied via helm --set or Argo Application parameters. Policy enforcement of install-time values is out of scope and belongs to admission control or sync hooks.

Closes #573

Motivation / Context

PR #527 introduced the argocd-helm deployer with explicit rejection guards for --attest and --data (pending follow-up). The post-#575 refactor made the wiring straightforward: copyDataFiles and attestBundle already run in Make()/runDeployer for all deployers, so the guards were the only thing blocking parity. Separately, #575's review surfaced that the argocd deployer has never included its --data files in checksums.txt — bundle integrity claims were incomplete for that deployer.

Related: #527, #575

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring (no functional changes)
  • Build/CI/tooling

Component(s) Affected

  • CLI (cmd/aicr, pkg/cli)
  • API server (cmd/aicrd, pkg/api, pkg/server)
  • Recipe engine / data (pkg/recipe)
  • Bundlers (pkg/bundler, pkg/component/*)
  • Collectors / snapshotter (pkg/collector, pkg/snapshotter)
  • Validator (pkg/validator)
  • Core libraries (pkg/errors, pkg/k8s)
  • Docs/examples (docs/, examples/)
  • Other: ____________

Implementation Notes

Testing

# Commands run (prefer `make qualify` for non-trivial changes)
make qualify

Risk Assessment

  • Low — Isolated change, well-tested, easy to revert
  • Medium — Touches multiple components or has broader impact
  • High — Breaking change, affects critical paths, or complex rollout

Rollout notes:

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality
  • I updated docs if user-facing behavior changed
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S) — GPG signing info

@github-actions

Copy link
Copy Markdown
Contributor

@lockwobr lockwobr force-pushed the feat/attestation-dynamic branch from 7a50d9c to fccc330 Compare April 21, 2026 00:04
@coderabbitai

coderabbitai Bot commented Apr 21, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Documents new POST /v1/bundle query parameters dynamic and repo, and adds argocd-helm to the documented deployer options. Removes pre-flight rejection of --attest and --data for the argocd-helm path and propagates external data via a new exported DataFiles []string field on generator types. Introduces WriteChecksums to centralize checksum file creation and bookkeeping and adds Output.AddDataFiles to include external data files in bundle outputs. Updates deployer generators to call these helpers, adds tests for checksum and data-file behaviors, and deletes tests that expected argocd-helm rejections.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested reviewers

  • ayuskauskas
  • ArangoGutierrez
  • yuanchen8911
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the primary change: enabling attestation and data file support for the argocd-helm deployer, which is the main objective of the PR.
Description check ✅ Passed The description comprehensively explains the changes, including the motivation, implementation strategy, and testing performed. It directly relates to the changeset across all modified files.
Linked Issues check ✅ Passed The PR successfully addresses all primary objectives from issue #573: removes --attest and --data rejection guards, adds DataFiles support to argocd-helm and argocd generators, implements checksum inclusion for data files, and includes test coverage for the new functionality.
Out of Scope Changes check ✅ Passed All changes are directly aligned with issue #573 objectives: DataFiles support, shared checksum handling, documentation updates on attestation scope, and removal of obsolete rejection tests. No unrelated changes detected.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/attestation-dynamic

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

github-actions Bot commented Apr 21, 2026

Copy link
Copy Markdown
Contributor

Coverage Report ✅

Metric Value
Coverage 74.5%
Threshold 70%
Status Pass
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-74.5%25-green)

Merging this branch changes the coverage (2 decrease, 4 increase)

Impacted Packages Coverage Δ 🤖
github.com/NVIDIA/aicr/pkg/bundler 60.69% (-2.54%) 👎
github.com/NVIDIA/aicr/pkg/bundler/checksum 85.90% (+0.82%) 👍
github.com/NVIDIA/aicr/pkg/bundler/deployer 92.94% (+1.16%) 👍
github.com/NVIDIA/aicr/pkg/bundler/deployer/argocd 87.14% (+0.66%) 👍
github.com/NVIDIA/aicr/pkg/bundler/deployer/argocdhelm 72.15% (+2.57%) 👍
github.com/NVIDIA/aicr/pkg/bundler/deployer/helm 87.57% (-0.52%) 👎

Coverage by file

Changed files (no unit tests)

Changed File Coverage Δ Total Covered Missed 🤖
github.com/NVIDIA/aicr/pkg/bundler/bundler.go 56.33% (-3.45%) 371 (-7) 209 (-17) 162 (+10) 👎
github.com/NVIDIA/aicr/pkg/bundler/checksum/checksum.go 85.90% (+0.82%) 78 (+11) 67 (+10) 11 (+1) 👍
github.com/NVIDIA/aicr/pkg/bundler/deployer/argocd/argocd.go 87.14% (+0.66%) 70 (-4) 61 (-3) 9 (-1) 👍
github.com/NVIDIA/aicr/pkg/bundler/deployer/argocdhelm/argocdhelm.go 72.15% (+2.57%) 237 (-3) 171 (+4) 66 (-7) 👍
github.com/NVIDIA/aicr/pkg/bundler/deployer/deployer.go 100.00% (+100.00%) 12 (+12) 12 (+12) 0 🌟
github.com/NVIDIA/aicr/pkg/bundler/deployer/helm/helm.go 87.57% (-0.52%) 185 (-8) 162 (-8) 23 👎

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/user/api-reference.md`:
- Around line 336-337: The docs currently state that the `repo` parameter is
used with `deployer=argocd` only, but `pkg/bundler/bundler.go` forwards
`RepoURL` to both `argocd.Generator` and `argocdhelm.Generator`, so update the
API reference entry for `repo` to indicate it is required/used for both `argocd`
and `argocd-helm` deployers (mention `RepoURL`, `argocd.Generator`, and
`argocdhelm.Generator` to guide readers); change the description on the `repo`
row to clearly list both deployer values (`argocd`, `argocd-helm`) so users of
`argocd-helm` know `repo` is honored.

In `@docs/user/cli-reference.md`:
- Line 1253: The sentence uses "embedded `--data` files" which is inaccurate;
update the text in the Attestation paragraph to replace "embedded `--data`
files." with wording that clarifies `--data` files are external inputs copied
into the bundle (for example: "external `--data` files copied into the bundle.")
so the sentence reads that attestation binds the shipped bundle — defaults,
dynamic-value stubs, and any external `--data` files copied into the bundle;
ensure the new wording does not imply `--data` files are embedded assets and
keeps the rest of the sentence unchanged.

In `@pkg/bundler/checksum/checksum.go`:
- Around line 97-99: The call to GenerateChecksums currently wraps any error as
errors.ErrCodeInternal which can overwrite the original pkg/errors code;
instead, propagate GenerateChecksums' error as-is (do not re-wrap) so existing
structured codes (e.g., context-cancel/unavailable) are preserved—replace the
errors.Wrap return in the GenerateChecksums error branch with a direct return of
the err (or, if you must inspect codes, check the error's code via the package's
accessor and only wrap when it lacks a code), referencing the GenerateChecksums
call and the current errors.Wrap(..., errors.ErrCodeInternal, ...) usage.

In `@pkg/bundler/deployer/argocd/argocd.go`:
- Around line 239-245: The code appends dataPaths (from
deployer.ResolveDataFilePaths(outputDir, g.DataFiles)) to output.Files but does
not add their sizes to output.TotalSize; update the code after output.Files =
append(output.Files, dataPaths...) to iterate the appended dataPaths (or sum
sizes from dataPaths) and add each file's size to output.TotalSize so TotalSize
reflects the included DataFiles (use the existing dataPaths variable and
output.TotalSize field to perform the accumulation).

In `@pkg/bundler/deployer/argocdhelm/argocdhelm.go`:
- Around line 192-198: The data file paths returned by
deployer.ResolveDataFilePaths are appended to output.Files but their sizes are
never added to output.TotalSize; update the block that handles dataPaths (where
dataPaths, err := deployer.ResolveDataFilePaths(outputDir, g.DataFiles) is
called) to stat each path, add its file size to output.TotalSize, and
handle/stat error returns appropriately before appending to output.Files (i.e.,
for each path use os.Stat(path) -> fi.Size() and accumulate into
output.TotalSize, returning the error if stat fails).

In `@pkg/bundler/deployer/helm/helm.go`:
- Around line 160-164: The data files returned by deployer.ResolveDataFilePaths
(called with outputDir and g.DataFiles) are appended to output.Files but their
sizes are not added to output.TotalSize; update the block after output.Files =
append(output.Files, dataPaths...) to iterate the returned dataPaths, stat each
file to get its size (or use the project utility that computes file size), sum
those sizes and add the total to output.TotalSize so the reported bundle size
includes --data files.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: fadd2ede-0fc5-4400-8159-f31a36fb8b3b

📥 Commits

Reviewing files that changed from the base of the PR and between f1212ad and fccc330.

📒 Files selected for processing (14)
  • docs/contributor/api-server.md
  • docs/user/api-reference.md
  • docs/user/cli-reference.md
  • pkg/bundler/bundler.go
  • pkg/bundler/bundler_test.go
  • pkg/bundler/checksum/checksum.go
  • pkg/bundler/checksum/checksum_test.go
  • pkg/bundler/deployer/argocd/argocd.go
  • pkg/bundler/deployer/argocd/argocd_test.go
  • pkg/bundler/deployer/argocdhelm/argocdhelm.go
  • pkg/bundler/deployer/argocdhelm/argocdhelm_test.go
  • pkg/bundler/deployer/helm/helm.go
  • pkg/bundler/deployer/helpers.go
  • pkg/bundler/deployer/helpers_test.go
💤 Files with no reviewable changes (1)
  • pkg/bundler/bundler_test.go

Comment thread docs/user/api-reference.md Outdated
Comment thread docs/user/cli-reference.md Outdated
Comment thread pkg/bundler/checksum/checksum.go
Comment thread pkg/bundler/deployer/argocd/argocd.go
Comment thread pkg/bundler/deployer/argocdhelm/argocdhelm.go
Comment thread pkg/bundler/deployer/helm/helm.go Outdated
@lockwobr lockwobr force-pushed the feat/attestation-dynamic branch from fccc330 to 93aae4f Compare April 21, 2026 00:26

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/bundler/deployer/argocdhelm/argocdhelm.go (1)

198-200: 🧹 Nitpick | 🔵 Trivial

Avoid double-wrapping the already-structured error from finalizeOutput.

checksum.WriteChecksums returns errors with proper ErrCodeInternal codes. Wrapping again at line 199 duplicates the code and adds unnecessary nesting. The other deployers (argocd.go, helm.go) return the error from WriteChecksums as-is.

Proposed fix
 	// Generate checksums and finalize output
 	if err := g.finalizeOutput(ctx, output, outputDir, start); err != nil {
-		return nil, errors.Wrap(errors.ErrCodeInternal, "failed to finalize output", err)
+		return nil, err
 	}

Based on learnings: "if an error was already created/wrapped with pkg/errors ... and includes the correct structured error code, then returning it should use the bare form return nil, err."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/bundler/deployer/argocdhelm/argocdhelm.go` around lines 198 - 200, The
call in finalizeOutput handling currently double-wraps structured errors
(errors.Wrap(...)) after g.finalizeOutput(ctx, output, outputDir, start);
instead of preserving the original error code; change the return to propagate
the original error directly (i.e., return nil, err) when g.finalizeOutput
returns a non-nil error so checksum.WriteChecksums/Finalize errors keep their
existing ErrCodeInternal and avoid extra nesting; mirror the behavior used in
argocd.go and helm.go.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/bundler/checksum/checksum.go`:
- Around line 96-107: WriteChecksums currently dereferences the pointer
parameter output (output.Files / output.TotalSize) and panics when nil; add a
nil-check at the start of WriteChecksums and return a proper error instead of
panicking. Concretely, in function WriteChecksums validate that output != nil
before calling GenerateChecksums or touching output.Files/TotalSize, and if nil
return a wrapped error (consistent with the package’s error style) so callers
get a normal error path; keep the rest of the flow (GenerateChecksums,
GetChecksumFilePath, os.Stat, append to output.Files and increment
output.TotalSize) unchanged.

In `@pkg/bundler/deployer/deployer.go`:
- Around line 58-71: The AddDataFiles method on type Output doesn't check for a
nil receiver and will panic when called on a nil *Output; add an explicit nil
check at the start of Output.AddDataFiles (the method shown with signature func
(o *Output) AddDataFiles(outputDir string, dataFiles []string) error) and if o
== nil return a wrapped errors.ErrCodeInvalidRequest error (use the existing
errors.Wrap pattern and a clear message like "nil output receiver") so callers
get a structured invalid-request error instead of a panic; preserve the existing
error wrapping style and return immediately before any append or size
operations.

In `@pkg/bundler/deployer/helpers_test.go`:
- Around line 139-163: Update the subtests that call Output.AddDataFiles to
assert the structured sentinel errors using errors.Is instead of only substring
checks: for the "rejects path traversal without mutating output" and "rejects
absolute path" tests use errors.Is(err, ErrUnsafeDataFilePath) and for the
"errors when file missing" test use errors.Is(err, ErrFailedToStatDataFile) (or
the repository's equivalent sentinel error names) and keep the existing
substring checks as secondary assertions; import the standard errors package if
needed and ensure you still fail the test when err is nil before calling
errors.Is.

---

Outside diff comments:
In `@pkg/bundler/deployer/argocdhelm/argocdhelm.go`:
- Around line 198-200: The call in finalizeOutput handling currently
double-wraps structured errors (errors.Wrap(...)) after g.finalizeOutput(ctx,
output, outputDir, start); instead of preserving the original error code; change
the return to propagate the original error directly (i.e., return nil, err) when
g.finalizeOutput returns a non-nil error so checksum.WriteChecksums/Finalize
errors keep their existing ErrCodeInternal and avoid extra nesting; mirror the
behavior used in argocd.go and helm.go.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: e8707c0d-9e19-4c96-a330-b98a598d7d09

📥 Commits

Reviewing files that changed from the base of the PR and between fccc330 and 93aae4f.

📒 Files selected for processing (14)
  • docs/contributor/api-server.md
  • docs/user/api-reference.md
  • docs/user/cli-reference.md
  • pkg/bundler/bundler.go
  • pkg/bundler/bundler_test.go
  • pkg/bundler/checksum/checksum.go
  • pkg/bundler/checksum/checksum_test.go
  • pkg/bundler/deployer/argocd/argocd.go
  • pkg/bundler/deployer/argocd/argocd_test.go
  • pkg/bundler/deployer/argocdhelm/argocdhelm.go
  • pkg/bundler/deployer/argocdhelm/argocdhelm_test.go
  • pkg/bundler/deployer/deployer.go
  • pkg/bundler/deployer/helm/helm.go
  • pkg/bundler/deployer/helpers_test.go
💤 Files with no reviewable changes (1)
  • pkg/bundler/bundler_test.go

Comment thread pkg/bundler/checksum/checksum.go
Comment thread pkg/bundler/deployer/deployer.go
Comment thread pkg/bundler/deployer/helpers_test.go
@lockwobr lockwobr force-pushed the feat/attestation-dynamic branch from 93aae4f to 0c46c32 Compare April 21, 2026 01:10

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/bundler/deployer/deployer.go`:
- Around line 64-66: The code currently always wraps joinErr from SafeJoin with
errors.ErrCodeInvalidRequest, which can overwrite SafeJoin's original structured
error code; change the logic so that if joinErr already carries a
structured/typed error code (i.e., represents the package's error type returned
by SafeJoin) you return joinErr directly, otherwise wrap it with
errors.Wrap(errors.ErrCodeInvalidRequest, "unsafe data file path", joinErr);
locate the conditional around joinErr in deployer.go and implement a short check
(using the existing error typing/inspection utilities in the errors package or
errors.As) to decide whether to propagate joinErr as-is or to wrap it.

In `@pkg/bundler/deployer/helpers_test.go`:
- Around line 160-176: The tests named "rejects path traversal without mutating
output", "rejects absolute path", and "errors when file missing" only assert the
returned error; update each subtest to also assert that the Output object
remains unchanged after AddDataFiles returns by checking o.Files and o.TotalSize
(use the initial values set before calling AddDataFiles). Locate the Output
instance in each subtest (o := &Output{...} or o := &Output{}), call
AddDataFiles as before, then add assertions that o.Files equals the original
slice and o.TotalSize equals the original integer to guarantee immutability on
error paths.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 014d4d94-0b84-4b18-868f-2f40021bfd2f

📥 Commits

Reviewing files that changed from the base of the PR and between 93aae4f and 0c46c32.

📒 Files selected for processing (14)
  • docs/contributor/api-server.md
  • docs/user/api-reference.md
  • docs/user/cli-reference.md
  • pkg/bundler/bundler.go
  • pkg/bundler/bundler_test.go
  • pkg/bundler/checksum/checksum.go
  • pkg/bundler/checksum/checksum_test.go
  • pkg/bundler/deployer/argocd/argocd.go
  • pkg/bundler/deployer/argocd/argocd_test.go
  • pkg/bundler/deployer/argocdhelm/argocdhelm.go
  • pkg/bundler/deployer/argocdhelm/argocdhelm_test.go
  • pkg/bundler/deployer/deployer.go
  • pkg/bundler/deployer/helm/helm.go
  • pkg/bundler/deployer/helpers_test.go
💤 Files with no reviewable changes (1)
  • pkg/bundler/bundler_test.go

Comment thread pkg/bundler/deployer/deployer.go
Comment thread pkg/bundler/deployer/helpers_test.go
@lockwobr lockwobr force-pushed the feat/attestation-dynamic branch from 0c46c32 to a27a60b Compare April 21, 2026 01:33

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/bundler/checksum/checksum_test.go`:
- Around line 290-367: Refactor TestWriteChecksums into a table-driven test that
iterates over cases (name, setup func or inputs for tmpDir + deployer.Output,
wantError bool, expectedErrorType/code/message, and any post-check assertions)
and for each case run t.Run(tc.name, func(t *testing.T){ t.Parallel(); ... });
keep the existing behaviors for the success case (create files a.txt/b.txt, call
WriteChecksums, assert output.Files length and ChecksumFileName suffix and
TotalSize update using os.Stat), the missing-source case (use a non-existent
file and assert error is *errors.StructuredError via stderrors.As with Code ==
errors.ErrCodeInternal and error string contains "failed to compute checksum"),
and the nil-output case (call WriteChecksums with nil and assert
ErrCodeInvalidRequest). Ensure every t.Fatal/t.Fatalf path is immediately
followed by return to avoid further execution inside subtests. Use the same
unique symbols from the diff (TestWriteChecksums, WriteChecksums,
deployer.Output, ChecksumFileName, errors.StructuredError, stderrors.As,
errors.ErrCodeInternal, errors.ErrCodeInvalidRequest) to locate and update the
test logic.

In `@pkg/bundler/deployer/argocd/argocd_test.go`:
- Around line 423-499: Refactor TestGenerate_DataFiles into a table-driven test:
create a tests slice of structs (e.g., name, setup function or fields for
RecipeResult, Generator fields like DataFiles and IncludeChecksums, pre-create
files if needed, wantError bool, wantErrSubstring string, wantChecksumsEntry
bool) and loop over it with t.Run(tc.name, func(t *testing.T){...}); inside each
case construct the Generator (referencing Generator, RecipeResult, DataFiles,
IncludeChecksums), call Generate and assert either an expected error (check
tc.wantErrSubstring, e.g., "escapes base directory") or on success assert
output.Files contains the data file and checksums.txt contains
"data/overrides.yaml" when tc.wantChecksumsEntry is true; reuse existing setup
code for creating the data/overrides.yaml in the success case.

In `@pkg/bundler/deployer/argocdhelm/argocdhelm_test.go`:
- Around line 255-327: Convert TestGenerate_DataFiles into a table-driven test:
create a slice of test cases (struct with name, setup function or input fields
for Generator like DataFiles and IncludeChecksums, expectedError bool,
expectedErrorSubstring string, and expectedFiles/expectedChecksums content),
then loop over cases with t.Run(tc.name, func(t *testing.T){...}) and for each
case create the temp outputDir, stage any data files when needed, instantiate
the Generator (use the same fields currently set in TestGenerate_DataFiles such
as RecipeResult, ComponentValues, Version, RepoURL) and call g.Generate(ctx,
outputDir); for success cases assert output.Files contains the data file and
checksums.txt contains the entry, and for failure cases assert an error is
returned and contains expectedErrorSubstring (e.g., "escapes base directory" for
path traversal). Ensure you reuse Generator.Generate, DataFiles, and
IncludeChecksums symbols from the existing test to locate code.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 11b3bf6e-9d34-47f6-a093-8ae07e0b9955

📥 Commits

Reviewing files that changed from the base of the PR and between 0c46c32 and a27a60b.

📒 Files selected for processing (15)
  • docs/contributor/api-server.md
  • docs/user/api-reference.md
  • docs/user/cli-reference.md
  • pkg/bundler/bundler.go
  • pkg/bundler/bundler_test.go
  • pkg/bundler/checksum/checksum.go
  • pkg/bundler/checksum/checksum_test.go
  • pkg/bundler/deployer/argocd/argocd.go
  • pkg/bundler/deployer/argocd/argocd_test.go
  • pkg/bundler/deployer/argocdhelm/argocdhelm.go
  • pkg/bundler/deployer/argocdhelm/argocdhelm_test.go
  • pkg/bundler/deployer/deployer.go
  • pkg/bundler/deployer/helm/helm.go
  • pkg/bundler/deployer/helm/helm_test.go
  • pkg/bundler/deployer/helpers_test.go
💤 Files with no reviewable changes (1)
  • pkg/bundler/bundler_test.go

Comment thread pkg/bundler/checksum/checksum_test.go
Comment thread pkg/bundler/deployer/argocd/argocd_test.go
Comment thread pkg/bundler/deployer/argocdhelm/argocdhelm_test.go
@lockwobr lockwobr force-pushed the feat/attestation-dynamic branch from a27a60b to dae15b3 Compare April 21, 2026 03:34

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/user/cli-reference.md`:
- Around line 1249-1250: Update the earlier flag table rows for --deployer and
--repo to match the later statement that attestation supports helm, argocd and
argocd-helm: change the --deployer allowed values from "helm|argocd" to
"helm|argocd|argocd-helm" and revise the --repo description to indicate which
deployers it applies to (argocd and argocd-helm) and how external --data files
are handled (included in checksums.txt / listed as resolved dependencies) so the
table and the attestation paragraph are consistent; locate the flag-table
entries (rows referencing --deployer and --repo) and update their value list and
descriptive text accordingly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 079f0006-fdc2-4148-93fe-f07962af1be7

📥 Commits

Reviewing files that changed from the base of the PR and between a27a60b and dae15b3.

📒 Files selected for processing (15)
  • docs/contributor/api-server.md
  • docs/user/api-reference.md
  • docs/user/cli-reference.md
  • pkg/bundler/bundler.go
  • pkg/bundler/bundler_test.go
  • pkg/bundler/checksum/checksum.go
  • pkg/bundler/checksum/checksum_test.go
  • pkg/bundler/deployer/argocd/argocd.go
  • pkg/bundler/deployer/argocd/argocd_test.go
  • pkg/bundler/deployer/argocdhelm/argocdhelm.go
  • pkg/bundler/deployer/argocdhelm/argocdhelm_test.go
  • pkg/bundler/deployer/deployer.go
  • pkg/bundler/deployer/helm/helm.go
  • pkg/bundler/deployer/helm/helm_test.go
  • pkg/bundler/deployer/helpers_test.go
💤 Files with no reviewable changes (1)
  • pkg/bundler/bundler_test.go

Comment thread docs/user/cli-reference.md
- Adds DataFiles field to argocd.Generator and argocdhelm.Generator
- Extracts deployer.ResolveDataFilePaths and checksum.WriteChecksums
  so all three deployers share one SafeJoin + checksum-finalize path
- Simplifies buildDeployer: single upfront debug log, direct returns
- Deletes obsolete rejection tests; adds DataFiles coverage for argocd
  and argocd-helm plus unit tests for the new shared helpers

Attestation binds the shipped bundle (defaults, stubs, data files); it
does not bind install-time values supplied via helm --set or Argo
Application parameters. Policy enforcement of install-time values is
out of scope and belongs to admission control or sync hooks.

Closes #573
@lockwobr lockwobr force-pushed the feat/attestation-dynamic branch from dae15b3 to e53a28f Compare April 21, 2026 04:03
@lockwobr lockwobr merged commit 1e550c7 into main Apr 21, 2026
35 checks passed
@lockwobr lockwobr deleted the feat/attestation-dynamic branch April 21, 2026 18:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add attestation support to argocd-helm deployer

2 participants