
Conversation

@tonistiigi
Contributor

Summary

CLI config reading routines from Viper should not be included in spec definition types under pkg because
- this creates an unnecessarily huge dependency
- it creates an unexpected reconfiguration/attack method for applications importing the types.

Instead, read viper config in Rekor CLI and pass to the types packages to reconfigure them. The default size limit remains unchanged.

Optionally, I could instead create a limits pkg with no dependencies that spec types import for shared implementation. In that case, let me know where you want that pkg defined.

Footprint reduction to sigstore-go/verifier from this change:

 218 files changed, 33 insertions(+), 35989 deletions(-)

Release Note

Documentation
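The separation the summary describes, as an added Go example that is not Rekor's code: the spec type package keeps its default limit and exposes a setter, while only the CLI layer reads configuration and pushes the value down. The package layout, function names, the `max_entry_size` key and the 1 MiB default are assumptions; a plain map stands in for the Viper config.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Library side: stands in for a spec type package under pkg/types. It imports no
// config library, so an importer such as a verifier cannot have this limit changed
// behind its back by a config file or environment it never asked to read.
const defaultMaxEntrySize int64 = 1 << 20 // constructed placeholder default (1 MiB)
var (
	maxEntrySize = defaultMaxEntrySize
	ErrTooLarge  = errors.New("entry exceeds configured size limit")
)

// SetMaxEntrySize is the only way to change the limit; the embedding program opts in explicitly.
func SetMaxEntrySize(limit int64) error {
	if limit <= 0 {
		return fmt.Errorf("invalid max entry size %d", limit)
	}
	maxEntrySize = limit
	return nil
}

// MaxEntrySize reports the limit currently in force.
func MaxEntrySize() int64 { return maxEntrySize }

// CheckEntrySize is what a type's decode path calls before reading a blob of n bytes.
func CheckEntrySize(n int64) error {
	if n > maxEntrySize {
		return fmt.Errorf("%w: %d > %d", ErrTooLarge, n, maxEntrySize)
	}
	return nil
}

// CLI side: stands in for rekor-server/app. Only this layer reads the parsed config
// (a plain map here, in place of Viper) and pushes the value down to the type package.
func ConfigureLimitsFromCLI(cfg map[string]string) error {
	v, ok := cfg["max_entry_size"] // assumed key name
	if !ok {
		return nil // key absent: keep the package default
	}
	n, err := strconv.ParseInt(v, 10, 64)
	if err != nil {
		return fmt.Errorf("max_entry_size: %w", err)
	}
	return SetMaxEntrySize(n)
}
```

Because the type package never reads config itself, a program that imports it but never calls `ConfigureLimitsFromCLI` keeps the default limit no matter what its own config files contain.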

@tonistiigi tonistiigi requested a review from a team as a code owner November 4, 2025 01:41
haydentherapper previously approved these changes Nov 4, 2025
Contributor

@haydentherapper haydentherapper left a comment


I'm good with this approach; I don't think we need a shared limits package. Thanks!

@haydentherapper
Contributor

Just need to fix the test.

CLI config reading routines from Viper should not be
included in spec definition types under pkg because
- this creates an unnecessarily huge dependency
- it creates an unexpected reconfiguration/attack method
  for applications importing the types.

Instead, read viper config in Rekor CLI and pass to the
types packages to reconfigure them. Default size limit
remains unchanged.

Signed-off-by: Tonis Tiigi <[email protected]>
@tonistiigi
Contributor Author

@haydentherapper I fixed the test, but I'm a bit confused now. Was this expected to fail by default when packages were used without the flag definition in rekor-server/app? That's what the test seemed to assume.

@codecov

codecov bot commented Nov 4, 2025

Codecov Report

❌ Patch coverage is 75.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 26.16%. Comparing base (488eb97) to head (b5fd8f0).
⚠️ Report is 559 commits behind head on main.

Files with missing lines                Patch %   Lines
pkg/types/intoto/v0.0.1/entry.go        50.00%    2 Missing ⚠️
pkg/types/intoto/v0.0.2/entry.go        50.00%    1 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##             main    #2669       +/-   ##
===========================================
- Coverage   66.46%   26.16%   -40.30%     
===========================================
  Files          92      190       +98     
  Lines        9258    20115    +10857     
===========================================
- Hits         6153     5263      -890     
- Misses       2359    14023    +11664     
- Partials      746      829       +83     
Flag         Coverage            Δ
e2etests     49.70% <62.50%>     (+2.14%) ⬆️
unittests    16.69% <25.00%>     (-31.00%) ⬇️


@haydentherapper haydentherapper merged commit 018dd64 into sigstore:main Nov 5, 2025
16 checks passed