Pin Alpine image digest and add SHA256 verification for TF provider#4849

Merged
shreyas-goenka merged 6 commits into main from docker-pin
Mar 26, 2026

@shreyas-goenka shreyas-goenka commented Mar 26, 2026

Summary

  • Pin alpine:3.22 in Dockerfile to its @sha256 digest for reproducible builds
  • Add SHA256 checksum verification for the Terraform provider download in docker/setup.sh, matching the existing pattern for the TF binary
  • Auto-fetch provider checksums during codegen (go run .) from the GitHub release SHA256SUMS file, so bumping the provider version in version.go is the only manual step needed
  • The codegen also downloads the linux_amd64 zip as a sanity check to verify the parsed checksum is correct
  • Expose provider checksums via databricks bundle debug terraform --output json under providerChecksum
  • Gate the existing TestTerraformArchiveChecksums behind testing.Short() to avoid large downloads on every test run

Test plan

  • go build ./... compiles cleanly
  • go test -short ./bundle/deploy/terraform/ passes

This pull request was AI-assisted by Isaac.

eng-dev-ecosystem-bot commented Mar 26, 2026

Commit: faf0949

Run: 23601291987

Env 🟨​KNOWN 🔄​flaky 💚​RECOVERED 🙈​SKIP ✅​pass 🙈​skip Time
🟨​ aws linux 7 10 270 804 6:59
🟨​ aws windows 7 10 272 802 6:52
💚​ aws-ucws linux 7 10 366 720 9:24
💚​ aws-ucws windows 7 10 368 718 8:40
💚​ azure linux 1 12 273 802 6:32
💚​ azure windows 1 12 275 800 6:05
🔄​ azure-ucws linux 2 1 12 369 716 10:58
🔄​ azure-ucws windows 1 1 12 372 714 10:06
💚​ gcp linux 1 12 269 805 6:47
💚​ gcp windows 1 12 271 803 6:18
20 interesting tests: 10 SKIP, 7 KNOWN, 3 flaky
Test Name aws linux aws windows aws-ucws linux aws-ucws windows azure linux azure windows azure-ucws linux azure-ucws windows gcp linux gcp windows
🟨​ TestAccept 🟨​K 🟨​K 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
🙈​ TestAccept/bundle/resources/permissions 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/with_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions 🟨​K 🟨​K 💚​R 💚​R 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=direct 🟨​K 🟨​K 💚​R 💚​R
🟨​ TestAccept/bundle/resources/permissions/jobs/destroy_without_mgmtperms/without_permissions/DATABRICKS_BUNDLE_ENGINE=terraform 🟨​K 🟨​K 💚​R 💚​R
🙈​ TestAccept/bundle/resources/postgres_branches/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/update_protected 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_branches/without_branch_id 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_endpoints/recreate 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/postgres_projects/update_display_name 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/bundle/resources/synced_database_tables/basic 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🙈​ TestAccept/ssh/connection 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
🔄​ TestSyncFullFileSync ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p ✅​p
🔄​ TestFilerWorkspaceNotebook ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p ✅​p ✅​p
🔄​ TestFilerWorkspaceNotebook/sqlNb.sql ✅​p ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f ✅​p ✅​p ✅​p
Top 20 slowest tests (at least 2 minutes):
duration env testname
4:14 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:54 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:47 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:40 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:39 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:16 gcp linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:16 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:14 azure linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
3:13 gcp windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
3:03 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:59 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:58 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:51 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:51 azure windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:43 azure-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:43 aws-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:41 aws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:41 azure-ucws linux TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=terraform
2:38 aws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct
2:35 aws-ucws windows TestAccept/bundle/resources/apps/inline_config/DATABRICKS_BUNDLE_ENGINE=direct

The codegen tool (`go run .`) now automatically downloads the SHA256SUMS
file from the GitHub release and embeds the checksums into the generated
root.go. When bumping the provider version, developers only need to
update version.go — checksums are resolved automatically.

Co-authored-by: Isaac
@shreyas-goenka shreyas-goenka marked this pull request as ready for review March 26, 2026 14:41
@github-actions

Suggested reviewers

Based on git history of the changed files, these people are best suited to review:

  • @andrewnester -- recent work in bundle/internal/tf/schema/, bundle/deploy/terraform/
  • @pietern -- recent work in bundle/internal/tf/schema/, bundle/deploy/terraform/, ./
  • @anton-107 -- recent work in bundle/internal/tf/schema/, bundle/deploy/terraform/, bundle/internal/tf/codegen/generator/

Confidence: low

Eligible reviewers

Based on CODEOWNERS, these people or teams could also review:

@denik, @simonfaltum

Suggestions based on git history of 10 changed files (6 scored). See CODEOWNERS for path-specific ownership rules.

These tests download large archives from the internet. Gate them behind
`testing.Short()` so they're skipped during normal CI (`make test`) and
only run in nightly/long test sessions.

Co-authored-by: Isaac
…check

Instead of a separate test that downloads large archives on every test
run, verify the checksum inline during codegen: FetchProviderChecksums
now downloads the linux_amd64 zip and verifies it matches the parsed
SHA256SUMS entry. This runs once during `go run .` (provider version
bump) rather than on every `make test`.

Co-authored-by: Isaac
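
The inline check described in the commit message above (parse the release SHA256SUMS file, then verify the downloaded linux_amd64 zip against its entry), sketched as an added Go example. This is not the code from this pull request: the function names, file names and sample data are hypothetical and constructed for illustration.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const sampleName = "example-provider_0.0.0_linux_amd64.zip" // constructed; digests below are SHA-256 of "abc" and of empty input
const sampleSums = `ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-provider_0.0.0_linux_amd64.zip
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  example-provider_0.0.0_darwin_arm64.zip
`

// parseSHA256SUMS maps file name -> lowercase hex digest; any malformed line is an error, never skipped.
func parseSHA256SUMS(data string) (map[string]string, error) {
	sums := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed line %q", sc.Text())
		}
		raw, err := hex.DecodeString(fields[0])
		if err != nil || len(raw) != sha256.Size {
			return nil, fmt.Errorf("bad digest for %q", fields[1])
		}
		name := fields[1]
		if _, dup := sums[name]; dup {
			return nil, fmt.Errorf("duplicate entry %q", name) // ambiguous: refuse to pick one
		}
		sums[name] = hex.EncodeToString(raw)
	}
	return sums, sc.Err()
}

// verifyArchive fails closed: a missing entry is rejected the same way as a mismatch.
func verifyArchive(sums map[string]string, name string, archive []byte) error {
	got := fmt.Sprintf("%x", sha256.Sum256(archive))
	if want, ok := sums[name]; !ok || got != want {
		return fmt.Errorf("checksum check failed for %q: got %s, listed %q", name, got, want)
	}
	return nil
}

func main() {
	sums, err := parseSHA256SUMS(sampleSums)
	fmt.Println(err, verifyArchive(sums, sampleName, []byte("abc")), verifyArchive(sums, sampleName, []byte("abd")))
}
```

A checksum file fetched from the same release as the archive detects corruption and mismatched parsing; the protection against a later swap of the release asset comes from committing the resulting digests to the repository, as the generated root.go does here.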
@shreyas-goenka shreyas-goenka merged commit 19f9dbe into main Mar 26, 2026
19 checks passed
@shreyas-goenka shreyas-goenka deleted the docker-pin branch March 26, 2026 15:26