From 48c0b63bc88b7fb8a67504b7a47f2f659934d92d Mon Sep 17 00:00:00 2001 From: Rune Soerensen Date: Tue, 14 Apr 2026 21:01:33 -0400 Subject: [PATCH 1/4] Add failing test for builder inspect not trusting known builders Signed-off-by: Rune Soerensen --- internal/commands/builder_inspect_test.go | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/internal/commands/builder_inspect_test.go b/internal/commands/builder_inspect_test.go index 9e4189bf71..636ed289a3 100644 --- a/internal/commands/builder_inspect_test.go +++ b/internal/commands/builder_inspect_test.go @@ -215,6 +215,25 @@ func testBuilderInspectCommand(t *testing.T, when spec.G, it spec.S) { }) }) + when("image is a known trusted builder", func() { + it("passes builder info with trusted true to the writer's `Print` method", func() { + builderWriter := newDefaultBuilderWriter() + + command := commands.BuilderInspect( + logger, + config.Config{}, + newDefaultBuilderInspector(), + newWriterFactory(returnsForWriter(builderWriter)), + ) + command.SetArgs([]string{"heroku/builder:24"}) + + err := command.Execute() + assert.Nil(err) + + assert.Equal(builderWriter.ReceivedBuilderInfo.Trusted, true) + }) + }) + when("default builder is configured and is the same as specified by the command", func() { it("passes builder info with isDefault true to the writer's `Print` method", func() { cfg.DefaultBuilder = "the/default-builder" From be7891c51da8727c711b8f8bfb9101e60824a0a6 Mon Sep 17 00:00:00 2001 From: Rune Soerensen Date: Tue, 14 Apr 2026 21:04:43 -0400 Subject: [PATCH 2/4] Check known trusted builders in builder inspect Signed-off-by: Rune Soerensen --- internal/commands/builder_inspect.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/commands/builder_inspect.go b/internal/commands/builder_inspect.go index 36fa93be93..04d014c454 100644 --- a/internal/commands/builder_inspect.go +++ b/internal/commands/builder_inspect.go 
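Review bot: The new `when("image is a known trusted builder", ...)` case pins its fixture to the literal `heroku/builder:24`, so the assertion is coupled to the current contents of the known-builders table rather than to the behaviour under test; when that entry is rotated out of the table the test fails with no change to the builder-inspect code. Taking the image from a `Trusted` entry of `KnownBuilders` (or injecting the table through a test seam) would keep "a known trusted builder is reported as trusted" stable across table updates. The enclosing `testBuilderInspectCommand` starts and ends outside the hunk.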
@@ -71,7 +71,7 @@ func inspectBuilder( builderInfo := writer.SharedBuilderInfo{ Name: imageName, IsDefault: imageName == cfg.DefaultBuilder, - Trusted: isTrusted, + Trusted: isTrusted || bldr.IsKnownTrustedBuilder(imageName), } localInfo, localErr := inspector.InspectBuilder(imageName, true, client.WithDetectionOrderDepth(flags.Depth)) From e4379ce5fe2ba02bee185eaad9e999e2af28046e Mon Sep 17 00:00:00 2001 From: Rune Soerensen Date: Tue, 14 Apr 2026 21:10:20 -0400 Subject: [PATCH 3/4] Add failing test for `IsTrustedBuilder` not matching tagless known builders Signed-off-by: Rune Soerensen --- internal/builder/trusted_builder_test.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/internal/builder/trusted_builder_test.go b/internal/builder/trusted_builder_test.go index 90e7599cd8..a537814d99 100644 --- a/internal/builder/trusted_builder_test.go +++ b/internal/builder/trusted_builder_test.go @@ -30,6 +30,23 @@ func trustedBuilder(t *testing.T, when spec.G, it spec.S) { }) when("IsTrustedBuilder", func() { + it("trusts known trusted builders", func() { + // Known builder with exact tag match + isTrusted, err := bldr.IsTrustedBuilder(config.Config{}, "heroku/builder:24") + h.AssertNil(t, err) + h.AssertTrue(t, isTrusted) + + // Known builder without tag should match any tag + isTrusted, err = bldr.IsTrustedBuilder(config.Config{}, "paketobuildpacks/builder-jammy-base:latest") + h.AssertNil(t, err) + h.AssertTrue(t, isTrusted) + + // Unknown builder should not be trusted + isTrusted, err = bldr.IsTrustedBuilder(config.Config{}, "my/private/builder") + h.AssertNil(t, err) + h.AssertFalse(t, isTrusted) + }) + it("trust image without tag", func() { cfg := config.Config{ TrustedBuilders: []config.TrustedBuilder{ From ad1df62a58a555b79bee22e717fda6d5332d3594 Mon Sep 17 00:00:00 2001 From: Rune Soerensen Date: Tue, 14 Apr 2026 21:17:05 -0400 Subject: [PATCH 4/4] Consolidate trust logic in IsTrustedBuilder with smart tag matching 
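Review bot: The second assertion in `it("trusts known trusted builders", ...)` checks that an untagged known entry matches `paketobuildpacks/builder-jammy-base:latest`, but nothing in the test establishes that the `KnownBuilders` entry is actually tagless; if a maintainer later adds a tag to that entry, the assertion either keeps passing for the wrong reason (when that tag is `latest`) or fails with a message pointing at `IsTrustedBuilder` rather than at the table. A precondition check that the entry's `Image` carries no tag, or deriving both the input and the expectation from the table entry, would tie the test to the rule its comment describes. The first assertion has the same coupling to `heroku/builder:24`, which depends on that exact tag being present and marked `Trusted`.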
Signed-off-by: Rune Soerensen --- internal/builder/trusted_builder.go | 21 ++++++++++++++++++++- internal/commands/build.go | 2 +- internal/commands/builder_inspect.go | 2 +- internal/commands/config_trusted_builder.go | 2 +- 4 files changed, 23 insertions(+), 4 deletions(-) diff --git a/internal/builder/trusted_builder.go b/internal/builder/trusted_builder.go index 6e3923ba2b..03511ce62c 100644 --- a/internal/builder/trusted_builder.go +++ b/internal/builder/trusted_builder.go @@ -115,11 +115,29 @@ func IsTrustedBuilder(cfg config.Config, builderName string) (bool, error) { if err != nil { return false, err } + + // Collect all trusted builder names + var trustedBuilderNames []string + + // Add known trusted builders + for _, knownBuilder := range KnownBuilders { + if knownBuilder.Trusted { + trustedBuilderNames = append(trustedBuilderNames, knownBuilder.Image) + } + } + + // Add user-configured trusted builders for _, trustedBuilder := range cfg.TrustedBuilders { - trustedBuilderReference, err := name.ParseReference(trustedBuilder.Name, name.WithDefaultTag("")) + trustedBuilderNames = append(trustedBuilderNames, trustedBuilder.Name) + } + + // Check if builder matches any trusted builder + for _, trustedBuilderName := range trustedBuilderNames { + trustedBuilderReference, err := name.ParseReference(trustedBuilderName, name.WithDefaultTag("")) if err != nil { return false, err } + if trustedBuilderReference.Identifier() != "" { if builderReference.Name() == trustedBuilderReference.Name() { return true, nil @@ -130,5 +148,6 @@ func IsTrustedBuilder(cfg config.Config, builderName string) (bool, error) { } } } + return false, nil } diff --git a/internal/commands/build.go b/internal/commands/build.go index d3db7a69b9..2b75bcbb53 100644 --- a/internal/commands/build.go +++ b/internal/commands/build.go 
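Review bot: In the new loop over `trustedBuilderNames`, a parse failure on a `KnownBuilders` entry now makes `IsTrustedBuilder` return an error on every call and for every builder name, whereas previously only the user's own `cfg.TrustedBuilders` could fail to parse; a malformed entry in the built-in table would therefore break trust evaluation for all builders instead of being a no-op. Since the table is compile-time data, a unit test that runs `name.ParseReference(known.Image, name.WithDefaultTag(""))` over every `KnownBuilders` entry (or parsing the table once at package init) would catch that without changing the function's error contract. The added comments restate the code (`// Collect all trusted builder names`, `// Add known trusted builders`); what a reader cannot see is the matching rule, so a comment on the check loop such as `// An entry with a tag or digest must match the builder reference exactly; an entry without one is matched by repository, so it trusts every tag of that repository (as the new test expects).` would document the trust decision itself. The untagged branch and the start of `IsTrustedBuilder` are outside the hunk, so confirm the wording against them.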
@@ -121,7 +121,7 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob if err != nil { return err } - trustBuilder := isTrusted || bldr.IsKnownTrustedBuilder(builder) || flags.TrustBuilder + trustBuilder := isTrusted || flags.TrustBuilder if trustBuilder { logger.Debugf("Builder %s is trusted", style.Symbol(builder)) if flags.LifecycleImage != "" { diff --git a/internal/commands/builder_inspect.go b/internal/commands/builder_inspect.go index 04d014c454..36fa93be93 100644 --- a/internal/commands/builder_inspect.go +++ b/internal/commands/builder_inspect.go @@ -71,7 +71,7 @@ func inspectBuilder( builderInfo := writer.SharedBuilderInfo{ Name: imageName, IsDefault: imageName == cfg.DefaultBuilder, - Trusted: isTrusted || bldr.IsKnownTrustedBuilder(imageName), + Trusted: isTrusted, } localInfo, localErr := inspector.InspectBuilder(imageName, true, client.WithDetectionOrderDepth(flags.Depth)) diff --git a/internal/commands/config_trusted_builder.go b/internal/commands/config_trusted_builder.go index 36bcfb6018..713feaa0fd 100644 --- a/internal/commands/config_trusted_builder.go +++ b/internal/commands/config_trusted_builder.go @@ -55,7 +55,7 @@ func addTrustedBuilder(args []string, logger logging.Logger, cfg config.Config, if err != nil { return err } - if isTrusted || bldr.IsKnownTrustedBuilder(imageName) { + if isTrusted { logger.Infof("Builder %s is already trusted", style.Symbol(imageName)) return nil }
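Review bot: After this change `isTrusted` folds the built-in known list and the user's `cfg.TrustedBuilders` into one boolean, so the `logger.Debugf("Builder %s is trusted", ...)` branch that follows can no longer tell an operator why a builder was trusted (known list, configured, or forced by `flags.TrustBuilder`), which is the question asked when a build unexpectedly ran as trusted. Logging the flag case separately, e.g. `if flags.TrustBuilder && !isTrusted { logger.Debugf("Builder %s trusted by flag", style.Symbol(builder)) }` ahead of the existing message, would keep that distinction visible in debug output without changing behaviour. `Build` starts and ends outside the hunk.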