Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix docs for goreleaser with the generic generator to include docker di… #1252

Merged
merged 6 commits into from
Nov 28, 2022

Conversation

gal-legit
Copy link
Contributor

goreleaser latest release includes a couple of new features that are useful for provenance generation:

The first one (published docker images) actually enables users to include the built dockers in their provenance documents.
The second one (checksums) is added mainly to simplify the usage.

This pull request updates the instructions in the documentation for the generic builder with goreleaser, to take advantage of these new features.

Copy link
Collaborator

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!

@@ -351,9 +351,8 @@ jobs:
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
run: |
set -euo pipefail

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to be clear: the new feature does not break backward compatibility, correct?

If we update the code, will users of the older goreleaser versions break?

Copy link

@gofri gofri Nov 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm afraid it will; it won't work for older versions.
I can edit the PR to also include the instructions for older versions (the current instructions) if that's preferred.
I can also rewrite the code with backwards compatibility, but that would result in a bit messier code.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, please edits the PR to account for older version.

Btw, since it's breaking backward compatibility, should you not bump the Action tag to a major change, like v4.0.0 instead of v3.2.0?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

np, will do.
Regarding the version bump -

  1. The github action actually isn't relevant here. The version of the goreleaser is the one affecting the output (the version of goreleaser is passed as an argument to the action).
  2. The chnage in goreleaser is backwards compatible, i.e. any code written for older versions should still work. The code that breaks is the code I added in this PR, which uses the new features that weren't available in older goreleaser versions (specifically, using the checksum file still works, so the current instructions won't break).

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarification

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I pushed a new commit.
btw, I didn't want to amend (& force-push) the old commit to avoid noise, so note that I accidentally wrote "generic builder" rather than "generic generator" in the commit message, so you might want to fix that when you squash&merge.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

p.s. the instructions currently assume that the user didn't disable checksum generation in the goreleaser (see https://goreleaser.com/customization/checksum/).
It might be an obvious assumption, but disabling it would cause the job to hang (because of that cat $checksum_file when checksum_file is an empty string).
We might want to add a clarification for that. wdyt?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, please add a note. Thank you.

@gal-legit gal-legit changed the title Fix docs for goreleaser with the generic builder to include docker di… Fix docs for goreleaser with the generic generator to include docker di… Nov 21, 2022
Copy link
Collaborator

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I proposed adding a link to goreleaser feature / doc for the docker. Let me know what you think.

@laurentsimon laurentsimon enabled auto-merge (squash) November 22, 2022 16:12
@laurentsimon laurentsimon merged commit ace776d into slsa-framework:main Nov 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants