On Wed, May 31, 2023 at 08:30:58AM +0200, pascal.jaeger leimstift.de wrote:
> > Arthur Zamarin <arthur...@gentoo.org> wrote on 30.05.2023 18:35 CEST:
> >
> > Currently the best solution *per package* is to speak with upstream, to
> > add a CI workflow which creates a source tarball which includes the `vendor`
> > dir. This is the best way, and I'm doing that for multiple upstreams of
> > some random Go packages in ::gentoo. But I know the disadvantage -
> > requirement to speak with upstream, explain why, and add it to the
> > system. This is the best long-run solution, but more hardships.
>
> I would like to add to this that even if upstream is not willing to do this,
> devs could automate the creation of vendor tarballs using GitHub Actions. I
> only did this for upstream repositories that are also on GitHub and for
> projects written in Rust. Initially I did this for complicated Rust projects
> with several git submodules and submodules of submodules. But with a little
> tweaking of the GitHub Actions I think it would be possible to use it for Go
> as well.
> https://wiki.gentoo.org/wiki/User:Schievel/autocreate_rust_sources
>
> This is additional initial work, but once you set it up, you don't even have
> the extra work of creating a new EGO_SUM for every package release. Ideally
> you just have to change the version in the file name of the ebuild to bump a
> package.
>
> Security-wise I do not see a difference between this and creating the vendor
> tarball manually and uploading it to GitHub, as many proxy maintainers
> without devspace do it.
Can we please avoid vendor tarballs? There are situations, say when a
dependency includes non-Go code, when vendor tarballs do not work. That is
why I went with the dependency tarballs. I haven't written GitHub Actions,
but here is the script I use to create them, partly thanks to Sam for this.
This is stored in my ~/bin directory and I run it from the top level of a
Go project which does not have a "vendor" directory.

William
#!/bin/bash
# Usage: <script> <tarball-name>, run from the top level of a Go checkout
# that has no vendor directory.
if [[ -z $1 ]]; then
    printf "no tarball name specified\n" >&2
    exit 1   # 'return' only works inside a function or a sourced file
fi
# Download every module listed in go.mod/go.sum into ./go-mod; -modcacherw
# keeps the cache writable so it can be deleted afterwards.
GOMODCACHE=${PWD}/go-mod go mod download -modcacherw
# Pack the cache as <name>-deps.tar.xz with uid/gid 0, then drop the cache.
XZ_OPT='-T0 -9' \
    tar --owner 0 --group 0 --posix -acf "${1}-deps.tar.xz" go-mod
rm -fr go-mod
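A variant of the same procedure, added here as an example rather than William's script: the download and the packing are separate functions, and the tarball is made reproducible (fixed uid/gid, fixed mtime, sorted entries) so that the hash recorded in an ebuild Manifest comes out identical for whoever regenerates the ${P}-deps.tar.xz. The script name and the -deps.tar.xz naming are assumptions.

```bash
#!/bin/bash
# Added example, not William's script: split the job into a download step and
# a reproducible packing step, so the deps tarball hash in the ebuild Manifest
# is identical whoever regenerates the tarball, and whenever.
set -eu

# Fill ./go-mod from go.mod/go.sum. go mod download checks each module against
# go.sum; go mod verify then re-hashes the extracted cache.
download_mods() {
    GOMODCACHE="${PWD}/go-mod" go mod download -modcacherw
    GOMODCACHE="${PWD}/go-mod" go mod verify
}

# Pack a module cache into a deterministic tarball and print its sha256.
#   $1 = module cache directory (go-mod)
#   $2 = output path; tar -a picks the compressor from the suffix (.tar.xz)
# Every entry gets uid/gid 0, mtime SOURCE_DATE_EPOCH (default 0), sorted
# names and no atime/ctime pax records, so two runs give the same bytes.
pack_deps() {
    local dir=$1 out=$2 epoch=${SOURCE_DATE_EPOCH:-0}
    if [ ! -d "${dir}/cache/download" ]; then
        printf '%s is not a go module cache (no cache/download)\n' "$dir" >&2
        return 1
    fi
    # xz output depends on the thread count, so keep the default single thread.
    XZ_OPT='-9' tar --owner=0 --group=0 --numeric-owner --posix \
        --sort=name --mtime="@${epoch}" \
        --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
        -acf "$out" "$dir"
    sha256sum "$out" | cut -d' ' -f1
}

# Build NAME-deps.tar.xz from the checkout in the current directory (the
# naming is an assumption; use whatever the ebuild's SRC_URI expects).
main() {
    download_mods
    pack_deps go-mod "${1}-deps.tar.xz"
    rm -fr go-mod
}

# Without an argument the file only defines the functions (so it can be sourced).
if [ $# -gt 0 ]; then main "$1"; fi
```

Running it twice on the same checkout, or on two machines, prints the same sha256, which is the property a Manifest entry relies on.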