Remove cobra #54

Closed
ianlewis opened this issue May 18, 2022 · 5 comments
Labels
area:generic Issue with the generic generator type:feature New feature or request

Comments

@ianlewis
Member

github.com/spf13/cobra is nice and all, but the number of dependencies it brings in is pretty ridiculous.

Maybe we can consider using something more reasonable like https://github.com/google/subcommands ?

@ianlewis ianlewis added type:feature New feature or request area:generic Issue with the generic generator labels May 18, 2022
@ianlewis
Member Author

I forgot. cobra gets pulled in anyway because cosign depends on it. Removing it won't help anything.

@joshuagl
Member

Agree with the motivation here, we should try to reduce build time for the slsa-github-generator binaries. In my experimentation I have projects which take about 30s to build, but building slsa-github-generator to generate provenance takes >2min.

One thing that will likely help here is cosign's efforts to reduce their dependency tree and factor out more of their reusable logic into sigstore/sigstore, see sigstore/cosign#1462

@ianlewis
Member Author

Yeah, right now our direct dependencies are small(ish) but the cosign cli packages import a lot of stuff (including cobra and tools for parsing flags etc.) that we don't technically need so the indirect dependencies are pretty crazy. I think the major part of the 2min compilation is downloading the dependencies.

However, even if we remove cobra it's in the cosign cli packages we use so it will still get pulled by our CI (go mod vendor) and will get into the binary.

cobra is particularly bad with regard to indirect dependencies (it's kind of infamous at this point). It brings in stuff like etcd libraries, mongodb drivers, runc, ... (though, I suspect most don't actually make it into the binary).
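
A way to check the suspicion above (which modules a dependency actually drags into the linked binary, as opposed to what `go mod vendor` downloads), as an added example that is not code from this project or from any commenter: a small Go program that parses the output of `go version -m <binary>` and reports whether given modules are linked, and which linked modules are not direct requirements. The sample `go version -m` output, the module versions and the `h1:` sums are constructed placeholders, not values from a real build.

```go
package main

import (
	"fmt"
	"strings"
)

// LinkedModule is one module recorded in a Go binary's embedded build info,
// as printed by `go version -m <binary>`.
type LinkedModule struct {
	Path    string
	Version string
	Replace string // "path@version" of the replacement when a "=>" line follows
}

// SampleGoVersionM is constructed sample output in the shape `go version -m`
// produces: a "<file>: <goversion>" header, then tab-indented build-info
// records (path, mod, dep, =>, build). Versions and sums are placeholders.
const SampleGoVersionM = "slsa-github-generator: go1.18\n" +
	"\tpath\tgithub.com/slsa-framework/slsa-github-generator\n" +
	"\tmod\tgithub.com/slsa-framework/slsa-github-generator\t(devel)\t\n" +
	"\tdep\tgithub.com/sigstore/cosign\tv1.8.0\th1:placeholder=\n" +
	"\tdep\tgithub.com/spf13/cobra\tv1.4.0\th1:placeholder=\n" +
	"\tdep\tgithub.com/spf13/pflag\tv1.0.5\th1:placeholder=\n" +
	"\tdep\tgolang.org/x/sys\tv0.0.0-20220412211223-example\th1:placeholder=\n" +
	"\t=>\tgithub.com/example/sys-fork\tv0.0.1\th1:placeholder=\n" +
	"\tbuild\t-compiler=gc\n"

// ParseGoVersionM extracts the modules linked into a binary from `go version -m`
// output. Only tab-indented "dep" records (plus the "=>" replacement record that
// may follow one) are kept: "mod" is the main module and "build" lines are
// compiler settings, neither of which is a dependency.
func ParseGoVersionM(out string) []LinkedModule {
	var mods []LinkedModule
	for _, line := range strings.Split(out, "\n") {
		if !strings.HasPrefix(line, "\t") {
			continue // header line such as "binary: go1.18", or trailing empty line
		}
		fields := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		switch fields[0] {
		case "dep":
			if len(fields) >= 3 {
				mods = append(mods, LinkedModule{Path: fields[1], Version: fields[2]})
			}
		case "=>":
			if len(fields) >= 3 && len(mods) > 0 {
				mods[len(mods)-1].Replace = fields[1] + "@" + fields[2]
			}
		}
	}
	return mods
}

// LinkedSet reports, for each wanted module path, whether it is linked into
// the binary. Use it to confirm a suspicion like "cobra comes in via cosign".
func LinkedSet(mods []LinkedModule, wanted ...string) map[string]bool {
	linked := make(map[string]bool, len(mods))
	for _, m := range mods {
		linked[m.Path] = true
	}
	result := make(map[string]bool, len(wanted))
	for _, w := range wanted {
		result[w] = linked[w]
	}
	return result
}

// IndirectLinked returns the linked modules that are not direct requirements
// of the main module (the go.mod require list, supplied by the caller). These
// are the transitive dependencies that actually survive the linker, which is a
// much shorter list than everything `go mod vendor` has to download.
func IndirectLinked(mods []LinkedModule, direct []string) []LinkedModule {
	isDirect := make(map[string]bool, len(direct))
	for _, d := range direct {
		isDirect[d] = true
	}
	var indirect []LinkedModule
	for _, m := range mods {
		if !isDirect[m.Path] {
			indirect = append(indirect, m)
		}
	}
	return indirect
}

func main() {
	mods := ParseGoVersionM(SampleGoVersionM)
	fmt.Printf("%d modules linked into the binary\n", len(mods))
	for path, ok := range LinkedSet(mods, "github.com/spf13/cobra", "go.etcd.io/etcd/client/v3") {
		fmt.Printf("linked %-30s %v\n", path, ok)
	}
	for _, m := range IndirectLinked(mods, []string{"github.com/sigstore/cosign"}) {
		fmt.Printf("indirect: %s %s", m.Path, m.Version)
		if m.Replace != "" {
			fmt.Printf(" (replaced by %s)", m.Replace)
		}
		fmt.Println()
	}
}
```

To run it against a real build, capture `go version -m ./your-binary` and pass that text to ParseGoVersionM instead of the constructed sample. On Go 1.18 and later the same information can be read straight from the binary with debug/buildinfo.ReadFile, which avoids the text parsing; the comparison against the go.mod require list is what separates "downloaded for the build" from "linked into the artifact".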

@ianlewis
Member Author

@joshuagl Could you create an issue specifically about build time? maybe we can think about and address it at some point.

@joshuagl
Member

Filed as #74 and changed to the generic title of "reducing action runtime".
