
Remove the docker installation from the release process

Status: Open. wagoodman opened this issue 3 years ago, 3 comments.

What would you like to be added: Run the majority of the release steps on a linux runner. Split darwin-related post-build tasks (homebrew + mac signing) to a separate runner during release and attach the signed artifacts to the release created on the linux runner. The linux runner would still be responsible for creating the darwin binary and uploading it as a pipeline artifact so that the mac runner can download it and commence signing / homebrew steps.

Why is this needed: We spend a lot of time installing docker in the release pipeline, which is only needed for building/publishing docker images with goreleaser and our changelog generator (which may be replaced soon).

Additional context: Experimenting on a fork would be a good idea. This has some interplay with https://github.com/anchore/syft/issues/576

Related to #519

wagoodman, Oct 20 '21 16:10

There is an alternative path here which is worth taking a closer look at. The notarization path only needs to be run on mac, and there are other tools that can take over the artifact signing step. This is important as it allows for goreleaser to run on linux, simplifies our local development when changing this process if we use self-signed certs locally, and we can push the artifacts to a mac runner for the notarization process out-of-band (after) goreleaser completes.

wagoodman, Dec 23 '21 20:12

From refinement:

  1. Possible solution: we could move the release process to a linux box, remove signing from the goreleaser process, post a draft release with unsigned mac assets, spin up a post-release mac runner that would fulfill signing and notarization of mac assets, and replace the mac assets on the release before publishing.
  2. Possible solution: use quill to do signing on a linux box within the goreleaser workflow and move notarization to a separate post-release workflow.

wagoodman, Jan 11 '22 19:01
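The runner split described in the issue body and in "Possible solution 1" above, sketched as a GitHub Actions workflow. This is an added example, not syft's actual release workflow: the job names, the `dist/` layout, the `--skip=publish` goreleaser flag and the signing/notarization command on the mac runner (here assumed to be quill's `sign-and-notarize` with its `QUILL_*` environment variables) are assumptions. The security-relevant shape is that the linux job never sees the Apple signing key or notary credentials, the draft release is not published until the signed darwin assets have replaced the unsigned ones, and no docker daemon is needed on either runner.

```yaml
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: write   # needed by `gh release` to create/upload/publish

jobs:
  # 1. Build everything (including darwin binaries) on linux, no docker required.
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Assumption: goreleaser cross-compiles darwin targets here and is told
      # not to publish, so the release itself is created below as a draft.
      - uses: goreleaser/goreleaser-action@v5
        with:
          args: release --clean --skip=publish
      # Unsigned darwin assets are handed to the mac runner as a pipeline artifact.
      - uses: actions/upload-artifact@v4
        with:
          name: darwin-unsigned
          path: dist/*darwin*
      # Draft release with all assets; darwin ones will be replaced once signed.
      - run: gh release create "$GITHUB_REF_NAME" --draft --generate-notes dist/*.tar.gz dist/*.zip
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # 2. Only this job runs on mac and only this job holds the Apple credentials.
  sign-darwin:
    needs: build
    runs-on: macos-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: darwin-unsigned
          path: dist
      # Assumption: quill is installed and signs + notarizes each darwin binary
      # in place; credentials are scoped to this job via secrets.
      - run: |
          for bin in dist/*darwin*/syft; do
            quill sign-and-notarize "$bin"
          done
        env:
          QUILL_SIGN_P12: ${{ secrets.APPLE_SIGNING_P12 }}
          QUILL_SIGN_PASSWORD: ${{ secrets.APPLE_SIGNING_P12_PASSWORD }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
      # Re-archive the signed binaries and overwrite the unsigned darwin assets
      # on the draft release (--clobber replaces assets of the same name).
      - run: |
          for dir in dist/*darwin*/; do
            name=$(basename "$dir")
            tar -C "$dir" -czf "dist/${name}.tar.gz" .
          done
          gh release upload "$GITHUB_REF_NAME" dist/*darwin*.tar.gz --clobber
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # 3. Publish only after the signed darwin assets are in place.
  publish:
    needs: sign-darwin
    runs-on: ubuntu-latest
    steps:
      - run: gh release edit "$GITHUB_REF_NAME" --draft=false
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Because `publish` depends on `sign-darwin`, a failed signing or notarization step leaves the release as a draft rather than shipping unsigned mac binaries, and the checksum file produced in the linux job would need to be regenerated after the darwin assets are replaced (not shown above).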

Would it be worth using ko for building container images? I've seen more folks using it for building images w/ static Go binaries, since ko requires a whole lot less from the underlying build infrastructure.

luhring, Feb 10 '22 13:02

We no longer rely on docker being installed and have broken this off into its own block: https://github.com/anchore/syft/pull/1133

spiffcs, Oct 20 '22 19:10