Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix docs for goreleaser with the generic generator to include docker di… #1252

Merged
merged 6 commits into from
Nov 28, 2022
Merged
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 18 additions & 6 deletions internal/builders/generic/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -322,6 +322,11 @@ This section explains how to generate non-forgeable SLSA provenance with existin
If you use [GoReleaser](https://github.com/goreleaser/goreleaser-action) to generate your build, you can easily
generate SLSA3 provenance by updating your existing workflow with the steps indicated in the workflow below:

**Notes**:
- Make sure you did not disable checksum generation in the goreleaser yml.
- Make sure you specified sha256 as the algorithm for the checksum or left it empty (sha256 is the default).
- To enable provenance generation for dockers (as well as artifacts), use goreleaser version >= v1.13.0.
laurentsimon marked this conversation as resolved.
Show resolved Hide resolved

1. Declare an `outputs` for the GoReleaser job:

```yaml
Expand All @@ -338,7 +343,7 @@ jobs:
[...]
- name: Run GoReleaser
id: run-goreleaser
uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b # tag=v3
uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # tag=v3.2.0

```

Expand All @@ -351,9 +356,12 @@ jobs:
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
run: |
set -euo pipefail

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to be clear: the new feature does not break backward compatibility, correct?

If we update the code, will users of the older goreleaser versions break?

Copy link

@gofri gofri Nov 21, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm afraid it will; it won't work for older versions.
I can edit the PR to also include the instructions for older versions (the current instructions) if that's preferred.
I can also rewrite the code with backwards compatibility, but that would result in a bit messier code.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, please edits the PR to account for older version.

Btw, since it's breaking backward compatibility, should you not bump the Action tag to a major change, like v4.0.0 instead of v3.2.0?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

np, will do.
Regarding the version bump -

  1. The github action actually isn't relevant here. The version of the goreleaser is the one affecting the output (the version of goreleaser is passed as an argument to the action).
  2. The chnage in goreleaser is backwards compatible, i.e. any code written for older versions should still work. The code that breaks is the code I added in this PR, which uses the new features that weren't available in older goreleaser versions (specifically, using the checksum file still works, so the current instructions won't break).

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarification

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I pushed a new commit.
btw, I didn't want to amend (& force-push) the old commit to avoid noise, so note that I accidentally wrote "generic builder" rather than "generic generator" in the commit message, so you might want to fix that when you squash&merge.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

p.s. the instructions currently assume that the user didn't disable checksum generation in the goreleaser (see https://goreleaser.com/customization/checksum/).
It might be an obvious assumption, but disabling it would cause the job to hang (because of that cat $checksum_file when checksum_file is an empty string).
We might want to add a clarification for that. wdyt?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, please add a note. Thank you.

checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
if test "$hashes" = ""; then # goreleaser < v1.13.0
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
hashes=$(cat $checksum_file | base64 -w0)
fi
echo "hashes=$hashes" >> $GITHUB_OUTPUT
```

4. Call the generic workflow to generate provenance by declaring the job below:
Expand Down Expand Up @@ -394,8 +402,12 @@ jobs:
run: |
set -euo pipefail

checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
if test "$hashes" = ""; then # goreleaser < v1.13.0
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
hashes=$(cat $checksum_file | base64 -w0)
fi
echo "hashes=$hashes" >> $GITHUB_OUTPUT

provenance:
needs: [goreleaser]
Expand Down