Skip to content

Refine the definition of Artifact IDs  #38

New issue
New issue
Closed
#76
Closed
Refine the definition of Artifact IDs #38
#76
Assignees
afrittoli
Milestone
v0.1
@afrittoli

Description

@afrittoli
afrittoli
opened on Jun 4, 2022

Build and artifact events today include an "artifact id".

This is identified as a unique identifier of an artifact.
There are open questions about which ID is available to which event though:

  • when an artifact is built locally (i.e. not pushed yet), what is its ID? possibly the hash? Perhaps we could introduce an optional artifact hash for this?
  • when an artifact is published, how do we link the events build, artifact packaged and artifact published events? Do we do that through the links in the event? That is a valid option, but it adds more requirements:
    1. the system doing the build and push must have a shared context (which is likely to be the case, but worth noting)
    2. the consumer must receive and store all relevant events
  • is the artifact ID associated to the artifact type or the artifact storage system?

We should be more specific on what the artifact ID is to better guide implementors (event producers and consumers alike):

  • identify well known types of artifacts (container images, jar files, python wheels, platform specific binaries, etc)
  • identify vendor neutral storage types (OCI container registry, else?) and what the ID is for each

What extra standard data shall we include for artifact?

  • optional rekor UUID
  • optional signature
  • optional hash

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

CDEvents Releases

Status

Done

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions