Add GoReleaser #1549
Add GoReleaser #1549
Conversation
lucacome
requested review from
pleshakov and
soneillf5
and removed request for
pleshakov
lucacome
force-pushed
the
chore/goreleaser
branch
5 times, most recently
from
f9217bb
to
3c66548
Compare
lucacome
force-pushed
the
chore/goreleaser
branch
from
3c66548
to
c0b36a5
Compare
| @@ -46,6 +45,8 @@ jobs: | |||
| steps: | |||
| - name: Checkout Repository | |||
| uses: actions/checkout@v2 | |||
| with: | |||
| fetch-depth: 0 | |||
There was a problem hiding this comment.
why do we do this? does it break otherwise ?
There was a problem hiding this comment.
yeah, the docs for GoReleaser say:
Note the fetch-depth: 0 option on the Checkout workflow step. It is required for GoReleaser to work properly. Without that, GoReleaser might fail or behave incorrectly.
this is the description of the parameter:
Number of commits to fetch. 0 indicates all history for all branches and tags.
| @@ -53,3 +53,5 @@ hack/controller-gen-* | |||
| docs-web/.netlify/state.json | |||
| site/ | |||
| venv/ | |||
|
|
|||
| dist/ | |||
| - GO111MODULE=on | ||
| before: | ||
| hooks: | ||
| - go mod tidy |
There was a problem hiding this comment.
are tidy and verify commands really necessary?
if they are expected to change the repo contents, would it be better if our pipeline had a check in a separate stage - to check that the repo files do not change after tidy and verify?
There was a problem hiding this comment.
they're not expected to change the repository's content, it's just a check to make sure everything is fine.
There was a problem hiding this comment.
go mod tidy exits with 0 status code even if it updates the go.mod. so it will silently fix the files.
| @@ -272,7 +272,7 @@ RUN mkdir -p /var/lib/nginx /etc/nginx/secrets /etc/nginx/stream-conf.d \ | |||
| && chown -R nginx:0 /etc/nginx /var/cache/nginx /var/lib/nginx \ | |||
| && rm -f /etc/nginx/conf.d/* /etc/apt/apt.conf.d/90nginx /etc/apt/sources.list.d/nginx-plus.list | |||
|
|
|||
| COPY internal/configs/version1/nginx$PLUS.ingress.tmpl \ | |||
| COPY --chown=nginx:0 internal/configs/version1/nginx$PLUS.ingress.tmpl \ | |||
There was a problem hiding this comment.
why is this change necessary?
for the template files, it is ok if root owns it, because the IC only need to read it and only to read it on the start.
There was a problem hiding this comment.
We had a problem not long ago with permissions and having nginx be the owner of the files will fix that. Since we set nginx as the user and run the binary as nginx user, it makes sense that nginx owns the files.
There was a problem hiding this comment.
for the files that the IC or NGINX workers can change, it makes sense. But for the files that IC or NGINX only need to read, I think it makes sense to be owned by root and allow read/execute on those, to follow the principle of least privilege. For example, as NGINX binary:
ls -la /usr/sbin/nginx
-rwxr-xr-x 1 root root 1698544 Nov 26 13:00 /usr/sbin/nginx
There was a problem hiding this comment.
isn't it least privilege if the user is nginx instead of root?
github-actions
bot
added
the
documentation
This will get the wrongtaguntil #1544 is merged.Removed
edgefrom the version name in the Makefile, it will now be something likev1.11.1-SNAPSHOT-00f0053for local builds (same that GoReleaser uses foredge), so it will remove the need to update the version in the Makefile.(When we make a stable release, GoReleaser will use
v1.11.1)GoReleaser builds binaries for:
and we push Docker images for the same architectures.
Addresses #944, #974 and #1310