
Update for new repository URL and switch over to Incus packages #2

Merged (19 commits), Dec 15, 2023

Conversation

stgraber (Member):

No description provided.

@stgraber (Member, Author):

Okay, so I get things to build at least. Will be switching the tests to run against both stable and daily Incus packages and then see if I can figure out what's needed to get them passing, though that may be over my Terraform knowledge and something better handled by @mdavidsen and @maveonair :)

stgraber force-pushed the main branch 2 times, most recently from d554a9c to 2c62274, December 15, 2023 17:29
@stgraber (Member, Author):

Looks like the switch to using tokens may require a bit of extra effort to get the testsuite to pass.

stgraber force-pushed the main branch 6 times, most recently from 04f9fe1 to 9b17c02, December 15, 2023 21:01
Signed-off-by: Stéphane Graber <[email protected]>
It doesn't seem like a great idea to have a GPG private key loaded into GitHub.
For the limited amount of work needed to generate a tarball, sign and
upload it, let's keep that manual for now.

Signed-off-by: Stéphane Graber <[email protected]>
@stgraber (Member, Author):

@lxc/incus-terraform ready for review!

@adamcstephens (Contributor), Dec 15, 2023, review comment:

Are we planning on releasing this on registry.terraform.org? If we want people to use the provider, the answer should be yes. In that case, we probably still want this file.

@stgraber (Member, Author):

Yeah, we definitely want it on the registry, though I'm not seeing any mention of this particular GitHub action being required when going through https://developer.hashicorp.com/terraform/registry/modules/publish

I definitely like signed release tarballs being attached to repositories; I don't quite like the idea of GitHub being the one with access to the private key quite so much :)

@stgraber (Member, Author):

Unless there's a hard requirement on the registry side, I'd prefer that whoever generates the tag also personally generates the release tarball and signs it with their own key. A keyring made of the different maintainer keys can be assembled for anyone wanting to validate the signature (or, if they trust GitHub, they can fetch the GPG key from their GitHub profile, same as is done for commit signing).

@adamcstephens (Contributor):

They actually recommend the use of a GitHub Action, but it's not required. This is the relevant provider doc: https://developer.hashicorp.com/terraform/registry/providers/publishing

I'm on board if we aren't comfortable giving GitHub the private key. I do think it's a trade-off of risk, though: trusting GitHub's systems to be secured versus trusting developers' systems to be secured.

I'll defer to others for signing if we would prefer to do it manually. I've happily lived without GPG for a few years now.

@stgraber (Member, Author):

Looks like the registry supports multiple signing keys, so we should be fine to use goreleaser locally with private GPG keys and have those added on the registry side. That should give us the security benefits while also using GPG keys that are more meaningful than a randomly generated one hosted on GitHub's servers and exposed to GitHub runners.
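The manual flow discussed in the two comments above (a maintainer signs the release locally with their own key; consumers verify against a keyring assembled from maintainer public keys, and the signature covers the checksum file the way the registry flow does) as an added shell example. This is not the incus-terraform project's own release tooling: the key identity, file names and release contents are made up for the demo, and it assumes gpg 2.1+ and GNU sha256sum are on PATH.

```shell
#!/bin/sh
# Added example, not the incus-terraform project's own release tooling.
# A maintainer signs a release locally with a key that never leaves their
# machine; a consumer verifies it against a keyring assembled only from the
# maintainers' public keys (for instance https://github.com/<user>.gpg).
# The key identity, file names and release contents below are made up.
# Assumes gpg (2.1+) and GNU sha256sum on PATH.
set -eu

# generate_maintainer_key HOME: throwaway, unprotected ed25519 signing key for
# the demo. A real maintainer key stays in that person's own GNUPGHOME.
generate_maintainer_key() {
    mkdir -p "$1"
    chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Demo Maintainer
Name-Email: maintainer@example.invalid
Expire-Date: 0
%commit
EOF
}

# build_release SIGNER_HOME OUT: tarball, SHA256SUMS and a detached signature
# over SHA256SUMS (the registry flow signs the checksum file, not each tarball),
# plus the exported public key, which is the only part that gets published.
build_release() {
    home=$1
    out=$2
    mkdir -p "$out/src" "$out/keys"
    printf 'provider "incus" {}\n' >"$out/src/main.tf"
    tar -C "$out" -cf "$out/release_1.0.0.tar" src
    (cd "$out" && sha256sum release_1.0.0.tar >SHA256SUMS)
    gpg --homedir "$home" --batch --quiet --yes --detach-sign \
        --output "$out/SHA256SUMS.sig" "$out/SHA256SUMS"
    gpg --homedir "$home" --batch --quiet --armor --export >"$out/keys/demo-maintainer.asc"
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
}

# verify_release KEYDIR OUT: import every maintainer key found in KEYDIR into a
# throwaway keyring (never the user's default one), check the signature on
# SHA256SUMS, then check the tarball against it. Returns 0 only if all pass.
verify_release() {
    keydir=$1
    out=$2
    ring=$(mktemp -d)
    chmod 700 "$ring"
    for k in "$keydir"/*.asc; do
        if [ -e "$k" ]; then
            gpg --homedir "$ring" --batch --quiet --import "$k"
        fi
    done
    status=1
    # --trust-model always: membership in this keyring is the trust decision,
    # so no web-of-trust lookup and no "not certified" warning.
    if gpg --homedir "$ring" --batch --quiet --trust-model always \
           --verify "$out/SHA256SUMS.sig" "$out/SHA256SUMS" 2>/dev/null &&
       (cd "$out" && sha256sum --quiet --check SHA256SUMS); then
        status=0
    fi
    gpgconf --homedir "$ring" --kill gpg-agent 2>/dev/null || true
    rm -rf "$ring"
    return $status
}

# demo: a genuine release verifies; an empty keyring and a tampered tarball do not.
demo() {
    work=$(mktemp -d)
    generate_maintainer_key "$work/signer"
    build_release "$work/signer" "$work/release"
    verify_release "$work/release/keys" "$work/release" && echo "genuine release: OK"
    mkdir "$work/nokeys"
    verify_release "$work/nokeys" "$work/release" || echo "unknown signer: rejected"
    printf 'x' >>"$work/release/release_1.0.0.tar"
    verify_release "$work/release/keys" "$work/release" || echo "tampered tarball: rejected"
    rm -rf "$work"
}
```

Run `demo` after sourcing the script. The point of the separate `--homedir` in verify_release is that a consumer's decision about whom to trust is the contents of the assembled keyring and nothing else: a valid signature from a key that is not in it fails the check, and a tarball that does not match the signed SHA256SUMS fails even though the signature itself is good.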

stgraber merged commit 5c97542 into lxc:main, Dec 15, 2023
6 checks passed
2 participants