Update for new repository URL and switch over to Incus packages #2
Merged
19 commits
affd48b github: Add commit checks (stgraber)
c97ef48 github: Remove release workflow (stgraber)
75282be github: Update test workflow for Incus (stgraber)
2a1fe40 docs: Switch to Incus package (stgraber)
42ed01a Makefile: Allow overriding Go binary (stgraber)
f54357f Makefile: Add update-gomod target (stgraber)
ad7f076 global: Update package URL (stgraber)
ee61be4 global: Switch to incus packages (stgraber)
01a5012 provider-config: Fix GetRemoteCertificate (stgraber)
c8a0c48 provider-config: Use trust tokens (stgraber)
728ca1d provider-config: Update for incus protocol (stgraber)
6572351 provider-config: Update env variables (stgraber)
cf94113 provider-config: Update socket paths (stgraber)
f0b8913 provider-config: Replace Password with Token (stgraber)
318e227 provider: Replace Password with Token (stgraber)
cc8a4bf provider: Replace client config paths (stgraber)
a274f64 provider-config: Update supported versions (stgraber)
d33ad64 tests: Update for incusbr0 (stgraber)
9ec0b6c tests: Update for security.guestapi (stgraber)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
name: Commits | ||
on: | ||
- pull_request | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
dco-check: | ||
permissions: | ||
pull-requests: read # for tim-actions/get-pr-commits to get list of commits from the PR | ||
name: Signed-off-by (DCO) | ||
runs-on: ubuntu-22.04 | ||
steps: | ||
- name: Get PR Commits | ||
id: 'get-pr-commits' | ||
uses: tim-actions/get-pr-commits@master | ||
with: | ||
token: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Check that all commits are signed-off | ||
uses: tim-actions/dco@master | ||
with: | ||
commits: ${{ steps.get-pr-commits.outputs.commits }} | ||
|
||
target-branch: | ||
permissions: | ||
contents: none | ||
name: Branch target | ||
runs-on: ubuntu-22.04 | ||
steps: | ||
- name: Check branch target | ||
env: | ||
TARGET: ${{ github.event.pull_request.base.ref }} | ||
TITLE: ${{ github.event.pull_request.title }} | ||
run: | | ||
set -eux | ||
TARGET_FROM_PR_TITLE="$(echo "${TITLE}" | sed -n 's/.*(\(stable-[0-9]\.[0-9]\))$/\1/p')" | ||
if [ -z "${TARGET_FROM_PR_TITLE}" ]; then | ||
TARGET_FROM_PR_TITLE="main" | ||
else | ||
echo "Branch target overridden from PR title" | ||
fi | ||
[ "${TARGET}" = "${TARGET_FROM_PR_TITLE}" ] && exit 0 | ||
|
||
echo "Invalid branch target: ${TARGET} != ${TARGET_FROM_PR_TITLE}" | ||
exit 1 |
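Review bot: In the dco-check job, both third-party actions are referenced by a mutable branch (`tim-actions/get-pr-commits@master` and `tim-actions/dco@master`), and the first one is handed `secrets.GITHUB_TOKEN`; pinning each `uses:` to a full commit SHA would keep a later push to those repositories from changing what runs in this workflow. In the target-branch step, the sed pattern `stable-[0-9]\.[0-9]` accepts only single-digit version components, so a title ending in something like `(stable-0.10)` yields an empty match and the expected target silently falls back to `main`; `[0-9][0-9]*` in both positions would cover that if such branches are expected. Passing the PR title through `env:` as `TITLE` instead of interpolating it into the `run:` script is the right approach and should stay that way.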
This file was deleted.
Are we planning on releasing this on registry.terraform.org? If we want people to use the provider, the answer should be yes. In that case, we probably still want this file.
Yeah, we definitely want it on the registry though I'm not seeing any mention of this particular Github action being required when going through https://developer.hashicorp.com/terraform/registry/modules/publish
I definitely like signed release tarballs being attached to repositories, I don't quite like the idea of Github being the one with access to the private key quite so much :)
Unless there's a hard requirement on the registry side, I'd prefer that whoever generates the tag also personally generates the release tarball and signs it with their own key. A keyring made of the different maintainer keys can be assembled for anyone wanting to validate the signature (or if they trust Github, they can fetch the GPG key from their Github profile, same as is done for commit signing).
They actually recommend the use of a GitHub Action, but it's not required. This is the relevant provider doc: https://developer.hashicorp.com/terraform/registry/providers/publishing
I'm on board if we aren't comfortable giving GitHub the private key. I do think it's a trade-off of risk though. Trusting GitHub's systems to be secured versus trusting developers' systems to be secured.
I'll defer to others for signing if we would prefer to do it manually. I've happily lived without GPG for a few years now.
Looks like the registry supports multiple signing keys so we should be fine to use goreleaser locally with private GPG keys and have those added on the registry side, that should give us the security benefits while also using GPG keys that are more meaningful than a randomly generated one hosted on Github's servers and exposed to Github runners.