You can see the general shape of this workflow here: https://www.pantsbuild.org/docs/plugins-codegen. I don't know much about the Helm backend, but it seems like a natural workflow to support so maybe @witty-family-13337 has some input. This was one of the first things I added to my OCI/kustomize/kubectl stack 😄

i essentially want to make a goal called get-digest, that if i run over ::, will build all docker targets and give me the image digest

I'm curious to know how you are intended to use it though, as if there is a potential improvement for the

helm

backend

worth saying that current behavior was implemented before the Docker backend was capable of returning an

image_id

, do you mind describing what problem do you have now using the Helm backend so I may come up with some enhancement for a future release?

i just can’t figure out how to get the digest

This isn't a limitation of Pants, it's a limitation of Docker in general. OCI images solve this better, but I don't think basic Docker can tell you even if you instruct it to build OCI images. And even there, technically your image could be modified once pushed and your local SHA is wrong

So the only way to truly know for sure is to push and then ask the remote what sha256 it got

i manage to solve around the image by essentially grabbing all docker targets, using the plugin rules mechanism to force them to run

packaeg

, then taking the output

BuiltPackage

's image_id field, and pushing it into a ``docker inspect --format='{{index .RepoDigests 0}}' $IMAGE`` command. This lets me iterate over all images that need to be build using the

MutliGet

method to then run the attestation. So that part is fine, what im still stuck on is how do i elegantly pass the digests upstream to helm for deployment, if i can't do that, you'd have to manually run

package

(or my new plugin

pants attest_image ::

, and manually enter the digests for the GKE deployment