-
Notifications
You must be signed in to change notification settings - Fork 110
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add automatic releases using goreleaser #234
Add automatic releases using goreleaser #234
Conversation
Pull Request Test Coverage Report for Build 1986889394
💛 - Coveralls |
I would appreciate it if @trishankatdatadog, @shibumi and/or @developer-guy can have a look and share their feedback. Thanks in advance! 👍 |
@rdimitrov left a few comments. Can you elaborate why you removed the SBOM and signature creation? I am not sure if releasing binaries without signatures matches the security requirements of TUF, but @trishankatdatadog might have more to say about this :D IMO, as long as the signature creation is not properly discussed it would still make sense to create SBOMs for the projects. |
Not a priority right now: we need to nail down a release process advertising backwards-incompatible changes first, then we can do all else. I also don't see the value of signing go-tuf releases on Rekor when Go modules get added to the gosumdb anyway, and go tooling doesn't support Rekor (yet) but they do support gosumdb. |
@trishankatdatadog, @shibumi and @developer-guy - Thank you for your feedback 👍 Apart from the SBOM generation, which Trishank already addressed, I think I've covered the rest of the review comments. Let me know if there's anything else we want to add or we can proceed with merging it 👍 |
Thanks @rdimitrov and friends! Have we decided how to answer these Qs?
|
@trishankatdatadog - I've just added a comment to @asraa in #190 if we can address these in the same PR, otherwise we can merge it and I'll prepare a separate one. As a preliminary check, do we have any comments on the suggested conventions, or we can agree on them? |
The goreleaser configuration in this PR is covering this already: https://github.com/theupdateframework/go-tuf/pull/234/files#diff-2e9100addf89d1dc73418f538ce4f3d8fcea7d07ab9379f7309e6ce4f4c2cd83R25 It is just key that every dev uses conventional commits in their commit messages.... I would suggest adding some sort of linter that checks git commit messages for conventional commits. Because, if you don't use conventional commits, all commits will be sorted into the "Others" section and this is not what you want when you try to generate the changelog via Goreleaser.
GoReleaserer covers this as well via a
Conventional commits and Semver are the documents you want to have a look at. Conventional commits suggest adding a And: https://semver.org/ |
Agree with both of your recommendations about marking commits and preleases.
Also agree with this, but want to make sure we can make breaking changes now without bumping MAJOR version from 0, which I understand is possible with SemVer. |
@trishankatdatadog - Agree 👍 As per the spec, everything should be considered as breakable until we have a MAJOR version of 1. @shibumi - I was imagining a less strict process of using conventional commits, but you have a point that it may easily become useless unless we use it as it should. I've already added the flag for automatic prereleases and I'll see a bit later today what are the available linters for enforcing conventional commit messages 👍 |
Small note:
The goreleaser conventional commit changes nor the semver would prevent us from not bumping MAJOR. It's absolutely up to us how we "interpret" the semver definition and how we release it... What GoReleaser does with conventional commits and SemVer are just two things:
If you want an example how this look like. Have a look on the Testifysec/Witness repository, where I have implemented such a pipeline already: https://github.com/testifysec/witness/releases/tag/v0.1.2 |
So we have full control of version number, correct? |
@trishankatdatadog this is correct! |
FYI golangci-lint now fails because of #236 |
a5dd2dc
to
0567ab9
Compare
This commit enables keyless signatures via the Github Actions workload identity. The pipeline will run on a new tag and will generate a compiled cli and server version of TUF and a signed source tarball. The keys are ephemeral and valid for 30min and strictly coupled to the workload identity of the Github Actions workflow. Transparency logs will be automatically uploaded to the public rekor instance
Adds also github style changelog in which it tags people who contributed to the last release. It also groups breaking commits into a separate group that is on top of the changelog for better visibility. Signed-off-by: Radoslav Dimitrov <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
Fix also some of the linter errors so it doesn't fail. Signed-off-by: Radoslav Dimitrov <[email protected]>
… building Signed-off-by: Radoslav Dimitrov <[email protected]>
… prereleases Signed-off-by: Radoslav Dimitrov <[email protected]>
…in go.mod Signed-off-by: Radoslav Dimitrov <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
6e3bf9a
to
25e6ace
Compare
Signed-off-by: Radoslav Dimitrov <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
Signed-off-by: Radoslav Dimitrov <[email protected]>
…hub actions Signed-off-by: Radoslav Dimitrov <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is huge, let's get it merged. Looks like an excellent starting point. Thank you everyone!
Absolutely right @trishankatdatadog |
If you would please help fix and approve it, I'll approve that also and then we'll get both merged, thx |
One of the effects of this PR is that you have to format every commit message using the Conventional Commit format, even though we squash merge PRs. I don't think commits that make up a PR need to be that rigorously named, since the history is squashed on merge and work-in-progress commits probably don't belong in a changelog. Could we instead only check that the PR titles follow conventional commit format? |
@ethan-lowman-dd your information is partly incorrect. Developers can decide if they use conventional commits.. if they do the commit will get sorted into the correct section in the Changelog. If they do not follow, the commit will still land in the Changelog, it will just be a in a "general" section. Using PR titles is not possible, because goreleaser only reads the commit message titles. |
See the CI failures https://github.com/theupdateframework/go-tuf/runs/5841476493?check_suite_focus=true on PR #175 -- this appears to enforce the format for all commit messages. Is the intention to merge PRs despite failure of this CI check? |
PR titles become part of the squashed commit message upon merge. Isn't goreleaser only run from |
Hmm, let's sort this out one way or another. |
Having several commits like "test", "test1" and so on is definitely not a best practice, so it should be something we aim to deprecate from ending up in the squashed commit message anyway. I'll have a look at the linter we are using now and see if it's possible to check for the PR title only and ignore the commits in it. Considering that we only do squash and merge, this is indeed the only thing that goreleaser takes into account while generating the changelog. |
Please see my suggested change here: #264 |
The following PR is a continuation of the effort in #226 by @trishankatdatadog with some additional changes. If this one gets merged, #226 can be closed.
Details:
Tests
run on push and pull requests whileRelease
runs only on tags being pushed. SemVer is assumed, but not enforced. These configs were tested in another private repo.Braking changes
group created every time there’s a breaking change introduced in the given release (has to be stated either by the author of the PR or by the maintainer merging it)GitHub
-style mannerRelated topics to discuss:
Before merging it would be nice if we have the following decided and merged in the guideline too.
Define the convention in our contributing guidelines for:
fix
,feature
, orbreaking
in our contributing guidelines in docs: Add contributing guidelines for go-tuf #190v0.1.0-rc1
)