bundle: improve determinism of file_rego_versions patterns with overlap. #8733
Open
philipaconrad wants to merge 1 commit into
This commit makes the behavior of pattern selection for determining file rego versions from a bundle manifest more deterministic when the patterns have overlap. The docs note that when overlapping patterns occur, the result is undefined. In practice, this meant that the map of patterns was iterated over in randomized order. We now iterate over the `file_rego_version` patterns in lexically-sorted order, which ensures a deterministic result, even when user-authored glob patterns overlap with each other.
Signed-off-by: Philip Conrad <philip_conrad@apple.com>
What code changed, and why?
This PR makes the behavior of pattern selection for `file_rego_versions` from a bundle manifest more deterministic when the patterns have overlap.
The Bundle docs note that when overlapping patterns occur, the result is undefined. In practice, this meant that the map of patterns was iterated over in randomized order.
We now iterate over the `file_rego_version` patterns in lexically-sorted order, which ensures a deterministic result, even when user-authored glob patterns overlap with each other.
This turned up when I was looking into making bundle builds reproducible, and while it's an uncommon edge case, it's still an edge case where two runs could produce different results.
How to test?
v1/bundle.
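The before and after behaviour described in this PR, as an added Go example that is not the PR's or OPA's own code: two overlapping patterns resolved by ranging over the map directly versus over lexically-sorted keys. Assumptions: the standard library's `path.Match` stands in for OPA's glob matcher, the first matching pattern wins, and the patterns, versions and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// Constructed manifest fragment: both patterns match /policy/authz.rego.
var samplePatterns = map[string]int{"/policy/*.rego": 0, "/policy/authz*": 1}

// regoVersionMapOrder ranges over the map directly, so with overlapping
// patterns the winner depends on Go's randomized map iteration order.
func regoVersionMapOrder(patterns map[string]int, file string) (int, bool) {
	for k, v := range patterns {
		if ok, err := path.Match(k, file); err == nil && ok {
			return v, true
		}
	}
	return 0, false
}

// regoVersionSorted tries patterns in lexically-sorted order. First match
// wins and path.Match globbing are assumptions of this example.
func regoVersionSorted(patterns map[string]int, file string) (int, bool) {
	keys := make([]string, 0, len(patterns))
	for k := range patterns {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if ok, err := path.Match(k, file); err == nil && ok {
			return patterns[k], true
		}
	}
	return 0, false
}

func main() {
	file := "/policy/authz.rego"
	mapOrder, sorted := map[int]bool{}, map[int]bool{}
	for i := 0; i < 1000; i++ {
		v, _ := regoVersionMapOrder(samplePatterns, file)
		mapOrder[v] = true
		v, _ = regoVersionSorted(samplePatterns, file)
		sorted[v] = true
	}
	fmt.Println("distinct results, map order:", len(mapOrder), "sorted:", len(sorted))
}
```

The sorted resolver always reports one distinct result; the map-order count can differ from run to run, which is the reproducibility gap the PR description refers to.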