install: Add a config knob for container sigpolicy#2116
install: Add a config knob for container sigpolicy#2116jbtrystram wants to merge 1 commit intobootc-dev:mainfrom
Conversation
Surface the `--enforce-container-sigpolicy` flag as a config file option. Fixes bootc-dev#2112 Assisted-by: OpenCode.ai <Opus 4.6> Signed-off-by: jbtrystram <jbtrystram@redhat.com>
github-actions
bot
added
area/install
jbtrystram
force-pushed
the
sigpolicy-config-knob
branch
from
27089cc to
9f8f38a
Compare
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces support for the enforce-container-sigpolicy configuration option, allowing users to enforce container image signature policies via TOML drop-in files. The changes include updating the InstallConfiguration struct, implementing the necessary merging logic, adding unit tests, and updating the relevant documentation. The reviewer suggested refactoring the configuration merging logic to use if let for better readability and to avoid redundant assignments when configuration values are absent.
| if !config_opts.bootupd_skip_boot_uuid { | ||
| config_opts.bootupd_skip_boot_uuid = config | ||
| .bootupd | ||
| .as_ref() | ||
| .and_then(|b| b.skip_boot_uuid) | ||
| .unwrap_or(false); | ||
| } | ||
|
|
||
| if config_opts.bootloader.is_none() { | ||
| config_opts.bootloader = config.bootloader.clone(); | ||
| } | ||
|
|
||
| if !target_opts.enforce_container_sigpolicy { | ||
| target_opts.enforce_container_sigpolicy = config | ||
| .enforce_container_sigpolicy | ||
| .unwrap_or(false); | ||
| } |
There was a problem hiding this comment.
The logic for merging boolean options from the configuration file can be made more explicit to improve readability and avoid potentially redundant assignments.
When a boolean configuration option is not present, the current implementation with unwrap_or(false) assigns false to a variable that is already known to be false inside the if !... block.
Using if let to check for the presence of the config value before assigning makes the intent clearer and avoids this no-op assignment.
if !config_opts.bootupd_skip_boot_uuid {
if let Some(skip) = config.bootupd.as_ref().and_then(|b| b.skip_boot_uuid) {
config_opts.bootupd_skip_boot_uuid = skip;
}
}
if config_opts.bootloader.is_none() {
config_opts.bootloader = config.bootloader.clone();
}
if !target_opts.enforce_container_sigpolicy {
if let Some(enforce) = config.enforce_container_sigpolicy {
target_opts.enforce_container_sigpolicy = enforce;
}
}1 participant
Surface the
--enforce-container-sigpolicyflag as a config file option.Fixes #2112
Assisted-by: OpenCode.ai <Opus 4.6>