-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update for new repository URL and switch over to Incus packages #2
Conversation
Okay, so I get things to build at least. Will be switching the tests to run against both stable and daily Incus packages and then see if I can figure out what's needed to get them passing, though that may be over my Terraform knowledge and something better handled by @mdavidsen and @maveonair :) |
d554a9c
to
2c62274
Compare
Looks like the switch to using tokens may require a bit of extra effort to get the testsuite to pass. |
04f9fe1
to
9b17c02
Compare
Signed-off-by: Stéphane Graber <[email protected]>
It doesn't seem like a great idea to have a GPG private key loaded into Github. For the limited amount of work needed to generate a tarball, sign and upload it, let's keep that manual for now. Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
@lxc/incus-terraform ready for review! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we planning on releasing this on registry.terraform.org? If we want people to use the provider, the answer should be yes. In that case, we probably still want this file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, we definitely want it on the registry though I'm not seeing any mention of this particular Github action being required when going through https://developer.hashicorp.com/terraform/registry/modules/publish
I definitely like signed release tarballs being attached to repositories, I don't quite like the idea of Github being the one with access to the private key quite so much :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless there's a hard requirement on the registry side, I'd prefer that whoever generates the tag also personally generates the release tarball and signs it with their own key. A keyring made of the different maintainer keys can be assembled for anyone wanting to validate the signature (or if they trust Github, they can fetch the GPG key from their Github profile, same as is done for commit signing).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They actually recommend the use of a GitHub Action, but it's not required. This is the relevant provider doc: https://developer.hashicorp.com/terraform/registry/providers/publishing
I'm on board if we aren't comfortable giving GitHub the private key. I do think it's a trade off of risk though. Trusting GitHub's systems to be secured versus trusting developer's systems to be secured.
I'll defer to others for signing if we would prefer to do it manually. I've happily lived without GPG for a few years now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the registry supports multiple signing keys so we should be fine to use goreleaser locally with private GPG keys and have those added on the registry side, that should give us the security benefits while also using GPG keys that are more meaningful than a randomly generated one hosted on Github's servers and exposed to Github runners.
No description provided.