diff --git a/internal/builder/trusted_builder.go b/internal/builder/trusted_builder.go
index e7f245789..d0d579e10 100644
--- a/internal/builder/trusted_builder.go
+++ b/internal/builder/trusted_builder.go
@@ -122,11 +122,29 @@ func IsTrustedBuilder(cfg config.Config, builderName string) (bool, error) {
 if err != nil {
 return false, err
 }
+
+ // Collect all trusted builder names
+ var trustedBuilderNames []string
+
+ // Add known trusted builders
+ for _, knownBuilder := range KnownBuilders {
+ if knownBuilder.Trusted {
+ trustedBuilderNames = append(trustedBuilderNames, knownBuilder.Image)
+ }
+ }
+
+ // Add user-configured trusted builders
 for _, trustedBuilder := range cfg.TrustedBuilders {
- trustedBuilderReference, err := name.ParseReference(trustedBuilder.Name, name.WithDefaultTag(""))
+ trustedBuilderNames = append(trustedBuilderNames, trustedBuilder.Name)
+ }
+
+ // Check if builder matches any trusted builder
+ for _, trustedBuilderName := range trustedBuilderNames {
+ trustedBuilderReference, err := name.ParseReference(trustedBuilderName, name.WithDefaultTag(""))
 if err != nil {
 return false, err
 }
+
 if trustedBuilderReference.Identifier() != "" {
 if builderReference.Name() == trustedBuilderReference.Name() {
 return true, nil
@@ -137,5 +155,6 @@ func IsTrustedBuilder(cfg config.Config, builderName string) (bool, error) {
 }
 }
 }
+
 return false, nil
 }
diff --git a/internal/builder/trusted_builder_test.go b/internal/builder/trusted_builder_test.go
index 90e7599cd..a537814d9 100644
--- a/internal/builder/trusted_builder_test.go
+++ b/internal/builder/trusted_builder_test.go
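Review bot: Built-in entries collected under `// Add known trusted builders` in IsTrustedBuilder now get the same reference matching as user-configured ones, and per the accompanying test a known builder listed without a tag is trusted at any tag; nothing in the function documents that. If the removed `IsKnownTrustedBuilder` helper compared strings exactly (its body is not on this page), this widens the set of images trusted by default, so the rule should be stated where the decision is made. I would add above that loop `// Built-in entries follow the same rule as configured ones: an Image without a tag trusts every tag of that repository.` and repeat the rule in the function's doc comment. The function starts before this hunk and the tag-less branch lies between the two hunks, so that branch is inferred rather than shown.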
@@ -30,6 +30,23 @@ func trustedBuilder(t *testing.T, when spec.G, it spec.S) {
 })
 when("IsTrustedBuilder", func() {
+ it("trusts known trusted builders", func() {
+ // Known builder with exact tag match
+ isTrusted, err := bldr.IsTrustedBuilder(config.Config{}, "heroku/builder:24")
+ h.AssertNil(t, err)
+ h.AssertTrue(t, isTrusted)
+
+ // Known builder without tag should match any tag
+ isTrusted, err = bldr.IsTrustedBuilder(config.Config{}, "paketobuildpacks/builder-jammy-base:latest")
+ h.AssertNil(t, err)
+ h.AssertTrue(t, isTrusted)
+
+ // Unknown builder should not be trusted
+ isTrusted, err = bldr.IsTrustedBuilder(config.Config{}, "my/private/builder")
+ h.AssertNil(t, err)
+ h.AssertFalse(t, isTrusted)
+ })
+
 it("trust image without tag", func() {
 cfg := config.Config{
 TrustedBuilders: []config.TrustedBuilder{
diff --git a/internal/commands/build.go b/internal/commands/build.go
index d3db7a69b..2b75bcbb5 100644
--- a/internal/commands/build.go
+++ b/internal/commands/build.go
@@ -121,7 +121,7 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
 if err != nil {
 return err
 }
- trustBuilder := isTrusted || bldr.IsKnownTrustedBuilder(builder) || flags.TrustBuilder
+ trustBuilder := isTrusted || flags.TrustBuilder
 if trustBuilder {
 logger.Debugf("Builder %s is trusted", style.Symbol(builder))
 if flags.LifecycleImage != "" {
diff --git a/internal/commands/builder_inspect.go b/internal/commands/builder_inspect.go
index 04d014c45..36fa93be9 100644
--- a/internal/commands/builder_inspect.go
+++ b/internal/commands/builder_inspect.go
@@ -71,7 +71,7 @@ func inspectBuilder(
 builderInfo := writer.SharedBuilderInfo{
 Name: imageName,
 IsDefault: imageName == cfg.DefaultBuilder,
- Trusted: isTrusted || bldr.IsKnownTrustedBuilder(imageName),
+ Trusted: isTrusted,
 }
 localInfo, localErr := inspector.InspectBuilder(imageName, true, client.WithDetectionOrderDepth(flags.Depth))
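Review bot: The new `it("trusts known trusted builders", ...)` case has no negative assertion for a name that is close to a known builder, which is the case a trust check most needs pinned. The `:latest` input also does little to show the "match any tag" claim in its comment if `latest` is the tag a bare name would get anyway (the parse of the builder name is outside this page); a non-default tag would show it. I would add a same-path image on another registry, using a constructed name: `isTrusted, err = bldr.IsTrustedBuilder(config.Config{}, "registry.example/heroku/builder:24")`, `h.AssertNil(t, err)`, `h.AssertFalse(t, isTrusted)`, which should hold given the full-name comparison visible in IsTrustedBuilder. The assertions depend on the current contents of KnownBuilders, so a one-line comment saying so would help whoever edits that list.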
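Review bot: After this change `isTrusted` in Build no longer tells the caller whether trust came from the built-in list or from the user's configuration, so `logger.Debugf("Builder %s is trusted", ...)` cannot say why a builder was trusted. When auditing a build it helps to record the source, at least separating the flag from the list: `logger.Debugf("Builder %s is trusted (flag=%t, list=%t)", style.Symbol(builder), flags.TrustBuilder, isTrusted)`. The same loss of provenance applies to `Trusted: isTrusted` in builder_inspect.go and to the "already trusted" message in config_trusted_builder.go, where a user may not be able to tell that the entry is built in rather than something they configured. Build's body starts and ends outside this hunk.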
diff --git a/internal/commands/config_trusted_builder.go b/internal/commands/config_trusted_builder.go
index 36bcfb601..713feaa0f 100644
--- a/internal/commands/config_trusted_builder.go
+++ b/internal/commands/config_trusted_builder.go
@@ -55,7 +55,7 @@ func addTrustedBuilder(args []string, logger logging.Logger, cfg config.Config,
 if err != nil {
 return err
 }
- if isTrusted || bldr.IsKnownTrustedBuilder(imageName) {
+ if isTrusted {
 logger.Infof("Builder %s is already trusted", style.Symbol(imageName))
 return nil
 }