-
-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(dist): add cargo-dist #559
Conversation
da31004
to
f1e0c04
Compare
to test this out we could push a pre-release tag and it would generate a github release. let me know if that sounds like a good plan and if you'd like to add or remove any targets or installers i picked. |
Thanks for the PR! I'll take a closer look tomorrow. |
Thanks! Two things of note:
|
i can write up an additional workflow that could do aarch64 linux- cargo-dist doesn't currently support it (the workflow committed in this PR is fully generated, i can also hand edit the release workflow, but it's generally better to add an additional workflow that does the additional target). and happy to remove the other workflow. |
In that case I'd prefer to stick to the fully generated workflow in the interest of reducing the maintenance burden and making upgrading to newer The previous release workflow would need to be removed, but other than that this looks good to go. |
ok cool! also, now that we have a request for aarch64 linux we can look into getting it into cargo-dist :) i'll get the changes up momentarily for this PR |
Thanks! My thinking is that Raspberry Pis need prebuilt binaries really badly, and ARM servers are increasingly popular as well because of the way cloud providers price them. But it's not really needed for |
That said... We just build an ARM GitHub runner and would love this :) but yeah... Not too important |
hey! realized i fell off on this and would love to pick it back up. will update to the latest cargo-dist now, and let me know what else i need to add to get this over the finish line! sorry about the delay |
2f69762
to
ace0a2d
Compare
re linux arm- if there's acgustom runner we can point to i can add this as a target. at axo we use buildjet for this- costs us an incredibly small amount of money, would recommend (but also understand not wanting to). |
The PR is still marked as draft. I understand it is ready for review now? |
@Shnatsel this is ready for review now. Would you be willing to take a look? |
Yes! Thank you. I will take a look in the next few days. |
Any chance of getting a review of this PR? |
Sorry for dragging my feet on the review. Unfortunately this runs into some thorny issues with the way the crates are currently published. None of the active maintainers have access to the publishing token, and the original maintainers are incommunicado. This leaves us with publishing releases to crates.io using a token stored in a github action secret. We recently had to add another crate to the project, because procedural macros require a separate crate for technical reasons. This complicates the release process even further. I want to sort out the release process with the extra added crate first, which is required for the crucial CycloneDX v1.5 support in the library, and only then deal with further less critical changes including this PR. |
@Shnatsel ping me on Slack and we'll sort it out. |
There already is a workflow we inherited from the previous maintainers that compiles and publishing binaries to Github releases. Having two of them at the same time is obviously not a good idea. Compiling binaries should be disentangled from the publishing workflow before I can land this PR. I am being extra cautious with changes to the publishing workflow because without access to the publishing token we wouldn't be able to yank published crates, which makes correcting any mistakes in the release process very difficult. |
a point that may be valuable to note: this current workflow does not include publishing to crates.io. i agree that extra consideration should be made there because it is a one way door. the pr included is for building binaries, and then also building a curl | sh installer, and a powershell installer. these installers are preferable on CI platforms because they do not require compilation (which a cargo install does). we can also add a homebrew and npm installer if that's desirable with a bit of config, but that is not part of this PR. everything in this PR generates something that is a two way door: all bins, installers, and github releases are mutable (deletable/fixable). |
it is possible that a sync conversation about this may help any confusion. i am happy to make myself available on slack and/or a zoom call |
I understand that this PR does not publish to crates.io. We have a legacy workflow which does, and which also compiled binaries. The binary publishing part will have to be removed from the legacy workflow before this one can be merged. This should (hopefully) be as easy as reverting #488. Actually doing that is a prerequisite for landing this PR. We already have a Github release with published binaries for the current version of
My guesstimate for the ETA on all of this is 2 weeks. I hope this sounds good? |
We have sorted out the publishing permissions (thanks, Steve!) so the release process should be a lot less risky now. I was about to ask how to go about upgrading to a newer version, but the cargo-dist book already covers it. Nice! |
@Shnatsel awesome news. let me know how i can help. additionally- if it comes up that there's targets or package manager systems this project needs that cargo-dist does not yet support, we are extremely open and excited about feature requests, so don't hesitate to let us know. once this is merged, my goal is to integrate cyclonedx BOM generation as a configurable feature in cargo-dist. i've filed an issue to track work on it here: axodotdev/cargo-dist#1016 |
Signed-off-by: Ashley Williams <[email protected]>
Signed-off-by: Ashley Williams <[email protected]>
9633651
to
92e2b92
Compare
I've published |
The CI failure is due to an issue with the nightly compiler, already worked around in main. So I'm going to go ahead and merge this PR. All right, let's give this a shot! |
Well, the tag for v0.5.1 has been created, but I don't think the release workflow has been triggered. Any idea why? |
hrmmmm, let me see |
ok yes! the reason is the tag structure - looking into how we can fix this, one sec |
actually that's not correct at all. i am not sure what's going on, but i have to assume it's CI related- as everything works correctly locally, and we fully support the tag structure you have. continuing to investigate. |
The tag structure looks correct to me. This is the code that pushes the tag: cyclonedx-rust-cargo/.github/workflows/deploy_cargo_cyclonedx.yml Lines 36 to 41 in f04196f
Also nothing out of the ordinary there, it is a push. Perhaps Github has some protections against actions triggering other actions, so that you don't end up in an infinite loop? |
so i have been running some tests on our fork here: https://github.com/axodotdev/cyclonedx-rust-cargo/actions/runs/9197176872 i think that you are right- there is some sort of protection if the tag is originating from an action itself it seems? |
ah @mistydemeo found this https://github.com/orgs/community/discussions/27028#discussioncomment-3254360 which seems to suggest that it's not possible to trigger one action from another |
Okay, I see that I'll need to gut the release workflow and remove tagging from it. In the meantime, how do I trigger the cargo-dist workflow for v0.5.1? Is deleting and recreating the tag sufficient? |
apologies for the delay, yes deleting and recreating the tag will be sufficient to trigger the flow. so sorry for this oversight and the hassle that ensued! i have learned of some (arguably not pleasant) workarounds if you'd like to try to keep the tagging in the workflow. likely best to do manually for now but then we can discuss |
I've manually recreated the tag, and the binary release is now up: https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/tag/cargo-cyclonedx-0.5.1 However, I am seeing these warnings printed multiple times in the global artifact workflow: I admit I do not understand what "system keys" are. Is this a misconfiguration on our side? Also, the Markdown extracted from the changelog that goes onto the release page doesn't handle links correctly when the URL is provided separately instead of inline. Note the release page showing |
thanks for letting me know about the markdown thing. we are not formally parsing the markdown so i wonder if this is a github thing. regardless i'll take a further look. i know that we have users who do similar style linking, but we haven't seen this so i'm curious what's going on. as for that warning... i have never seen that in the wild. only development, and very early on. i'm running a test right now (https://github.com/axodotdev/cyclonedx-rust-cargo/actions/runs/9213869039). i am wondering if it is related to the bumpy tagging situation. once i can repro i'll dig in further. your release appears completely fine and the installers work great so i'm hoping it's a false positive. here's where in our code it is triggered: https://github.com/axodotdev/cargo-dist/blob/632d7584d0732c2ee10e19561f168811c4f92c38/cargo-dist/src/manifest.rs#L132 |
ok, confirmed. that warning is a false positive, you can safely ignore and we'll remove it for the next release |
Thanks for looking into the warning!
I think your code just grabs everything under the appropriate header. Our changelog has the URLs for the links at the end of the file, so the URLs do not get included into the snippet posted to the release page. But this is an edge case, and I'm not sure it's worth the trouble of introducing a markdown parser just to get such style of links to work. Especially since Markdown is so loosely specified and all the parsers end up being subtly incompatible anyway. |
Now that the release binaries are published, it should be easy to integrate Speaking of SBOMs, there are people requesting |
oh that's super awesome. yes cargo auditable integration would definitely be welcome! will let you know. i dont know if you use discord but we have one: https://discord.gg/hucxPFB6. otherwise i'm honestly happy to just keep using this PR as a convo space :) |
@ashleygwilliams I've published a new release, v0.5.2, and
If I use
Which leads me to believe that Could you take a look and see what's up with that? |
@Shnatsel oh huh! that is very weird, and yeah we'll take a look right now. cargo binstall works on cargo-dist and so i wonder if there's something perhaps with tag structure or the workspace that is making the lookup fail |
ok! so the issue is that your tag structure is not one of the two default tag structures that binstall looks up. if you run
luckily, binstall lets you write config (docs) to change the structure of the tag and the package url in general. you'll probably want something like this:
you can make sure this is 100% correct by running the dry run command from above. because binstall uses crates.io metadata as their source of truth, this config won't apply retroactively to previous version but all future versions with this config should work. |
(sorry for not catching this sooner, we should honestly doc this better on our end and will do so!) |
Yeah, it would be neat if The config snippet you provided does indeed work. I've opened a PR to add it: #727 Thanks a lot! |
@Shnatsel yeah that's an interesting idea. my thought was honestly wondering if cargo dist init could write the binstall config for you. this would require knowing your tag structure, so i'll have to think through how we might want to do that, but i agree there's some work here to make this a nicer experience!! |
It could also verify that it matches in CI on pull requests. There's already tag verification at that stage. |
addresses #552 - marked as draft as i made some calls about what targets and installers you'd like to support. happy to talk through those and update.
you can run
cargo dist plan
locally to see what this workflow will generate. i've also put the output here: