Conversation
willnorris
left a comment
willnorris
left a comment
There was a problem hiding this comment.
I've left a bunch of comments below. I worry about one of the last ones actually being a deal breaker, which is an easy way to test the image publication. We get that for free with our actions based workflow today, which you can see in my own fork here: https://github.com/willnorris/addlicense/pkgs/container/addlicense
Looking at the configuration required, I'm also surprised by the amount of additional config we have to do manually that was handled for us with the actions approach before (setting image tags, labels, etc). If signing images with cosign is the end goal, does that actually rely on goreleaser in any way? (Though I'm now also a little concerned that the OIDC support in cosign is still very experimental, so is it really ready for adoption yet?)
I know y'all put some real work into this which I appreciate, and I'm happy to continue talking through things, but I'm now a little more concerned about whether this is actually a good move.
.goreleaser.yaml
Outdated
| goarch: | ||
| - amd64 | ||
| - arm64 | ||
| #signs: |
There was a problem hiding this comment.
I think it'd be good to keep this PR focused on just switching how the docker image is published, without introducing any of the signing functionality. You have that, since this is commented out, but I think it'd be clearer to just leave it out of this PR entirely.
.github/workflows/release.yaml
Outdated
|
|
||
| permissions: | ||
| contents: write | ||
| id-token: write |
There was a problem hiding this comment.
I don't think this id-token permission is needed yet, is it? I believe that will be for signing (which we're not doing yet)?
.github/workflows/release.yaml
Outdated
| - | ||
| name: Run GoReleaser | ||
| uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 #v2.7.0 | ||
| - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # pin@v1 |
There was a problem hiding this comment.
our convention is to include the full version we are pinning to. So # v1.10.0 in this case. Same with version comments below.
.github/workflows/release.yaml
Outdated
| uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 #v2.7.0 | ||
| - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # pin@v1 | ||
| - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # pin@v1 | ||
| - uses: sigstore/cosign-installer@e5c096a9feb091d8afe0168547370270986f2f71 # pin@v1.3.1 |
There was a problem hiding this comment.
no need for this, since we're not signing right now.
| - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # pin@v1 | ||
| - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # pin@v1 | ||
| - uses: sigstore/cosign-installer@e5c096a9feb091d8afe0168547370270986f2f71 # pin@v1.3.1 | ||
| - name: dockerhub-login |
There was a problem hiding this comment.
we don't publish to dockerhub, so don't need this
.goreleaser.yaml
Outdated
| # - '${artifact}' | ||
| dockers: | ||
| - image_templates: | ||
| - 'google/addlicense:{{ .Tag }}-amd64' |
There was a problem hiding this comment.
we don't publish to dockerhub, so can remove this name throughout
Dockerfile.goreleaser
Outdated
| # make a bare minimal image | ||
| FROM scratch | ||
|
|
||
| WORKDIR app |
There was a problem hiding this comment.
we want to keep the behavior the same as the existing Dockerfile, so this should be:
# source to be scanned should be mounted to /src
WORKDIR /src
Dockerfile.goreleaser
Outdated
|
|
||
| WORKDIR app | ||
|
|
||
| COPY addlicense ./ |
There was a problem hiding this comment.
COPY addlicense /app/addlicense
.goreleaser.yaml
Outdated
| dockers: | ||
| - image_templates: | ||
| - 'google/addlicense:{{ .Tag }}-amd64' | ||
| - 'ghcr.io/google/addlicense:{{ .Tag }}-amd64' |
There was a problem hiding this comment.
this is really unfortunate that this is hardcoded. That makes it a lot harder to test this in forks, unless I'm missing something. For example, your https://github.com/developer-guy/addlicense/releases/tag/v0.999.0 tag demonstrates creating the release artifacts, but doesn't demonstrate publishing the docker image. That something we were able to do with the actions based approach.
It doesn't look like goreleaser's name templates supports the GitHub repo owner, and custom variables are a "pro" feature.
We need some way to test image publication to GHCR before making changes live.
There was a problem hiding this comment.
btw, we can use those variables as an environment variable to pass the registry and the image name to the GoReleaser by using the same syntax, can't we?
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }There was a problem hiding this comment.
hello @willnorris, I've updated the please see. We need environment variables named like this REGISTRY and IMAGE_NAME.
|
Given GitHub's blog post yesterday, I tried using the purely Actions based cosign workflow on a personal project of mine, and it worked really well. I wonder if we just do that here as well? Any major downside that I'm not seeing? |
No, there is no major downside at all. You're right. We can do it that way as well. Still, GoReleaser already supports that, but it should wait for cosign v1.4.x for the keyless feature, that's why I commented out the |
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
|
kindly ping @willnorris, cosign v1.4.1 with some bunch of fixes is released today, so, everything seems fine in cosign project which means that we can start using it to sign addlicense both binary and container image 🤩 similar works being done in several projects such as google/ko, goreleaser. |
willnorris
left a comment
willnorris
left a comment
There was a problem hiding this comment.
Okay, so there's a bunch of comments below. I also tried doing suggested edits to show the exact changes I had in mind.
By the end of all of this, I did get this working in my personal fork of the project (images published here: https://github.com/willnorris/addlicense/pkgs/container/addlicense).
But after all of that (and before you actually start implementing these changes), I'm honestly still not completely convinced that moving the docker build into goreleaser is really worth all this effort. I've certainly learned a lot through this process, getting these builds to work, playing with a lot of new features in both goreleaser and docker I've never used, and learning about cosign. So that's been fun. And it means I'm now coming from a much more informed position than when I started when I ask, what does using goreleaser to build the image actually gain us at this point? I'm not seeing it.
(That said, I'm certainly convinced on using cosign to sign binaries and docker images, which I think is what you were ultimately after?)
| env: | ||
| DOCKER_CLI_EXPERIMENTAL: "enabled" | ||
| REGISTYRY: "ghcr.io" | ||
| IMAGE_NAME: "google/addlicense" |
There was a problem hiding this comment.
this still has the same "testing in forks issues" if we hardcode the value.
| IMAGE_NAME: "google/addlicense" | |
| IMAGE_NAME: ${{ github.repository }} |
| - | ||
| name: Run GoReleaser | ||
| uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 #v2.7.0 | ||
| - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # pin@v1.2.0 |
There was a problem hiding this comment.
we had an existing convention for all of these comments that would be nice to not change... #v2.6.1. Though i guess a space helps with legibility.
The real reason I care is that I'm trying to get dependabot to add support for updating these comments, and I'd like to keep them in a consistent format.
| - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # pin@v1.2.0 | |
| - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0 |
| username: ${{ secrets.DOCKER_USERNAME }} | ||
| password: ${{ secrets.DOCKER_PASSWORD }} | ||
| - name: ghcr-login | ||
| if: startsWith(github.ref, 'refs/tags/v') |
There was a problem hiding this comment.
maybe change the trigger for this workflow to only match "v*" tags, so then we don't need this check here?
| if: startsWith(github.ref, 'refs/tags/v') |
| if: startsWith(github.ref, 'refs/tags/v') | ||
| uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 # pin@v1.10.0 | ||
| with: | ||
| registry: ghcr.io |
There was a problem hiding this comment.
| registry: ghcr.io | |
| registry: ${{ env.REGISTRY }} |
| @@ -5,65 +5,48 @@ on: | |||
| tags: | |||
| - '*' | |||
There was a problem hiding this comment.
| - '*' | |
| - 'v*' |
| - name: dockerhub-login | ||
| if: startsWith(github.ref, 'refs/tags/v') | ||
| uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 # pin@v1.10.0 | ||
| with: | ||
| username: ${{ secrets.DOCKER_USERNAME }} | ||
| password: ${{ secrets.DOCKER_PASSWORD }} |
There was a problem hiding this comment.
dockerhub login is still here, but should be removed.
| - name: dockerhub-login | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 # pin@v1.10.0 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} |
| - '*' | ||
|
|
||
| permissions: | ||
| contents: write |
There was a problem hiding this comment.
need to re-add packages permission to publish images
| contents: write | |
| contents: write | |
| packages: write |
| - "--platform=linux/arm64" | ||
| goarch: arm64 | ||
| docker_manifests: | ||
| - name_template: '{{ .Env.REGISTRY }}/{{ .Env.IMAGE_NAME }}::{{ .Tag }}' |
There was a problem hiding this comment.
typo, fails to build image
| - name_template: '{{ .Env.REGISTRY }}/{{ .Env.IMAGE_NAME }}::{{ .Tag }}' | |
| - name_template: '{{ .Env.REGISTRY }}/{{ .Env.IMAGE_NAME }}:{{ .Tag }}' |
| image_templates: | ||
| - '{{ .Env.REGISTRY }}/{{ .Env.IMAGE_NAME }}:{{ .Tag }}-amd64' | ||
| - '{{ .Env.REGISTRY }}/{{ .Env.IMAGE_NAME }}:{{ .Tag }}-arm64' | ||
| - name_template: 'ghcr.io/google/addlicense:latest' |
There was a problem hiding this comment.
missed one hardcoded image name
| - name_template: 'ghcr.io/google/addlicense:latest' | |
| - name_template: '{{ .Env.REGISTRY }}/{{ .Env.IMAGE_NAME }}:latest' |
| - arm64 | ||
| dockers: | ||
| - image_templates: | ||
| - '{{ .Env.REGISTRY }}/{{ .Env.IMAGE_NAME }}:{{ .Tag }}-amd64' |
There was a problem hiding this comment.
I don't love having these extra *-{platform} images getting tagged 😕 (as seen here: https://github.com/willnorris/addlicense/pkgs/container/addlicense)
I tried doing multi-architecture builds using the the regular docker actions to build the image, and it's definitely possible to do multi-architecture images without the intermediate tags (the qemu tag here: https://github.com/willnorris/imageproxy-test/pkgs/container/imageproxy-test). I'm not sure if that can easily be done in goreleaser?
|
ugh, I really hate how GitHub shows comments sometimes. I actually missed your reply here. sigh So yeah, I think we should add signing support without goreleaser (at least for the docker images). But seriously, thanks for your patience with me on this PR. It's honestly been a lot of fun to learn about these things. |
|
Hello @willnorris, GoReleaser v1.2.2 has just been released yesterday, and now, GoReleaser is capable of signing releases with a keyless approach using GitHub Actions OIDC flow, and also, another notable feature has been added with v1.2.2 is SBOM support, again, now, GoReleaser can generate an SBOMs for container images by using Syft tool under the hood, please see it all in action on a sample repository: |
2 participants
Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
Co-authored-by: Furkan Türkal furkan.turkal@trendyol.com
Fixes #100
cc: @willnorris
https://github.com/developer-guy/addlicense/releases/tag/v0.999.0