@jjbustamante
Description

This PR implements support for Platform API 0.14 by adding the -run flag to the restorer phase. This was the missing feature preventing full Platform API 0.14 compliance.

Changes

  • Implementation: Add -run flag to restorer when Platform API >= 0.14
  • Tests: Add unit tests verifying the flag is correctly passed based on Platform API version
  • All existing tests continue to pass

Background

Platform API 0.14 introduced the -run flag for the restorer to enable read access validation for run images selected by extensions during the restore phase. When extensions switch the run image to one listed in run.toml, the restorer needs to verify accessibility using the platform's authentication context (CNB_REGISTRY_AUTH). This prevents builds from proceeding with images the system cannot actually access.

Implementation Details

The implementation follows the same pattern as the analyzer (Platform API >= 0.12) and exporter (Platform API >= 0.12):

  1. When Platform API >= 0.14, the restorer receives:
    • The -run flag pointing to /layers/run.toml
    • A WriteRunToml operation to create the run.toml file
  2. The run.toml file contains the run image configuration from the builder

Testing

  • ✅ Unit tests added for Platform API >= 0.14 (flag present)
  • ✅ Unit tests added for Platform API < 0.14 (flag absent)
  • ✅ All 209 lifecycle execution tests pass
  • ✅ All build package tests pass

References

Checklist

  • Implementation complete
  • Unit tests added
  • All tests passing
  • Follows existing code patterns
  • Documentation (in commit message and PR)

@jjbustamante jjbustamante requested review from a team as code owners January 23, 2026 15:08
@github-actions github-actions bot added this to the 0.40.0 milestone Jan 23, 2026
@github-actions github-actions bot added the type/enhancement Issue that requests a new feature or improvement. label Jan 23, 2026
This implements the missing feature from Platform API 0.14 where the
restorer should accept a -run flag to enable read access validation
for run images selected by extensions during the restore phase.

When extensions switch the run image to one listed in run.toml, the
restorer needs to verify accessibility using the platform's
authentication context (CNB_REGISTRY_AUTH). This prevents builds from
proceeding with images the system cannot actually access.

Changes:
- Add -run flag to restorer when Platform API >= 0.14
- Write run.toml file via WriteRunToml operation
- Add tests verifying flag is present for Platform API >= 0.14
- Add tests verifying flag is absent for Platform API < 0.14

Fixes #2515

References:
- Spec PR: buildpacks/spec#408
- Lifecycle PR: buildpacks/lifecycle#1364

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>
@jjbustamante jjbustamante force-pushed the feature/platform-api-0.14-restorer-run-flag branch from 52b4d03 to 153d0e9 Compare January 23, 2026 15:23
When the restorer checks read access to run images using the -run flag,
it needs authentication credentials for those images. This adds all run
images and their mirrors from the builder to the registry images list
so the restorer can properly authenticate when checking access.

This fixes acceptance test failures where the restorer would fail to
check access to run images due to missing authentication credentials.

Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>
@jjbustamante jjbustamante force-pushed the feature/platform-api-0.14-restorer-run-flag branch from 2b14376 to 73de2b3 Compare January 23, 2026 16:10
Per Platform API 0.14 spec, the -run flag for the restorer is only
needed when using image extensions to extend the run image. This
updates the implementation to conditionally pass the flag only when
extensions are detected (l.hasExtensions()).

This prevents unnecessary run image access checks and auth setup when
extensions are not in use, matching the intended behavior from the spec.

Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

Tests now verify:
- Platform API >= 0.14 WITH extensions: -run flag is provided
- Platform API >= 0.14 WITHOUT extensions: -run flag is NOT provided
- Platform API < 0.14 (even with extensions): -run flag is NOT provided

This matches the spec requirement that the -run flag is only needed
when using image extensions to extend the run image.

Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

The restorer doesn't need to add all run images to the registry auth
list because the existing logic at line 576 already adds the selected
run image via l.runImageNameAfterExtensions().

Adding all run images (including inaccessible ones like pack-test/run)
was causing auth failures. The restorer should only need auth for the
run image that was actually selected by the analyzer, which is already
handled by the existing code.

Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>
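
The gating and credential scoping described in the commits above, as an added Go sketch that is not code from this PR or from pack. The names atLeast, restorePlan and planRestore and the image name registry.example/run:selected are hypothetical; only the -run flag, /layers/run.toml and CNB_REGISTRY_AUTH come from the thread.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// atLeast compares a "major.minor" Platform API version numerically, so that
// "0.9" sorts below "0.14" (a plain string comparison would get this wrong).
func atLeast(version string, major, minor int) bool {
	parts := strings.Split(version, ".")
	if len(parts) != 2 {
		return false // malformed version: treated as an older API, no new flag
	}
	gotMajor, errMajor := strconv.Atoi(parts[0])
	gotMinor, errMinor := strconv.Atoi(parts[1])
	if errMajor != nil || errMinor != nil {
		return false
	}
	return gotMajor > major || (gotMajor == major && gotMinor >= minor)
}

// restorePlan is a hypothetical stand-in for what a platform passes to the restorer.
type restorePlan struct {
	Args       []string // extra restorer flags
	AuthImages []string // images that get credentials in CNB_REGISTRY_AUTH
}

// planRestore passes -run only for Platform API >= 0.14 with extensions in use,
// and scopes registry credentials to the selected run image alone (no mirrors,
// no other run images from the builder).
func planRestore(platformAPI string, hasExtensions bool, selectedRunImage string) restorePlan {
	plan := restorePlan{AuthImages: []string{selectedRunImage}}
	if hasExtensions && atLeast(platformAPI, 0, 14) {
		plan.Args = []string{"-run", "/layers/run.toml"}
	}
	return plan
}

func main() {
	// Constructed inputs: the three cases listed in the test commit, plus 0.9.
	for _, c := range []struct {
		api string
		ext bool
	}{{"0.14", true}, {"0.14", false}, {"0.13", true}, {"0.9", true}} {
		p := planRestore(c.api, c.ext, "registry.example/run:selected")
		fmt.Printf("api=%s extensions=%v args=%v auth=%v\n", c.api, c.ext, p.Args, p.AuthImages)
	}
}
```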
Development

Successfully merging this pull request may close these issues.

Support Platform API 0.14
