
Publish fat source tarballs info on release?

Open · bollwyvl opened this issue 9 months ago • 1 comment

Is your feature request related to a problem? Please describe.

Packaging (and then maintaining) semgrep for downstreams is challenging. Part of the challenge for tarballs-based builds is getting all the submodules right. Further, GitHub-generated tarballs can change over time.

Describe the solution you'd like

During the release, build and upload a fat tarball (akin to this gist) and one or two rider files:

semgrep-{tag}.tar.gz     # or some other archive format, with all submodules
semgrep-{tag}.sha256sum  # the SHA256 of the tar.gz, or pick your crypto poison
semgrep-{tag}.asc        # optionally, a GPG-signed attestation

Describe alternatives you've considered

  • keep trying to wrangle submodules
    • not infeasible, but requires significant human intervention per release
  • use git instead of tarball URLs
    • generally worse for caching
  • repackage binary wheels
    • this is generally undesirable for some downstreams

Use case

Building semgrep from source.

Additional context

The intended downstream is conda-forge, where this has been a multi-year goal. We finally got opam, but our ocaml lags behind a bit.

bollwyvl · Mar 04 '25 15:03
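As an added example (not semgrep's release tooling and not code from anyone in this thread), here is a POSIX shell sketch of the artifact layout the request describes: a source tree with every submodule resolved and `.git` metadata stripped, a reproducible `{name}.tar.gz`, a `{name}.sha256sum` rider in `sha256sum -c` format, and an optional detached `{name}.asc` signature. The function names, the `example-v1.0.0` tag and the sample tree are assumptions; `checkout_fat_source` and the GPG helpers need network access and a signing key respectively, so they are defined but not exercised by the offline demo. GNU tar is assumed for `--sort` and `--transform`.

```shell
#!/usr/bin/env sh
# Added example: release-artifact helpers for the layout proposed in the issue
# ({name}.tar.gz + {name}.sha256sum + optional {name}.asc). Not semgrep's own
# tooling; all names and paths below are assumptions.

set -u

# Fetch a tag with all submodules resolved, then drop every .git directory or
# pointer file so the tree archives as a plain "fat" source tree.
# Needs network access; not run by the demo.
checkout_fat_source() {
    repo_url=$1; tag=$2; dest=$3
    git clone --quiet --recurse-submodules --shallow-submodules --depth 1 \
        --branch "$tag" "$repo_url" "$dest"
    find "$dest" -name .git -prune -exec rm -rf '{}' +
}

# Archive a source tree reproducibly and write a sha256sum-format digest file
# beside it. Sorted entries, a fixed mtime, numeric uid/gid 0 and gzip -n make
# two builds of the same tree byte-identical, so a downstream can pin the hash
# without it drifting the way regenerated GitHub tarballs can.
build_release_archive() {
    srcdir=$1; name=$2; outdir=$3
    mkdir -p "$outdir"
    tar --sort=name --mtime='2000-01-01 00:00:00Z' \
        --owner=0 --group=0 --numeric-owner \
        --transform "s,^\./,$name/," \
        -C "$srcdir" -cf - . | gzip -n -9 > "$outdir/$name.tar.gz"
    ( cd "$outdir" && sha256sum "$name.tar.gz" > "$name.sha256sum" )
}

# Downstream check: exit status 0 only if the tarball matches its rider.
verify_release_archive() {
    outdir=$1; name=$2
    ( cd "$outdir" && sha256sum --check --status "$name.sha256sum" )
}

# Optional detached, ASCII-armored signature (the .asc rider) and its check.
# Both need a GPG key; not run by the demo.
sign_release_archive() {
    outdir=$1; name=$2; key_id=$3
    gpg --batch --local-user "$key_id" --armor --detach-sign \
        --output "$outdir/$name.asc" "$outdir/$name.tar.gz"
}
verify_release_signature() {
    outdir=$1; name=$2
    gpg --batch --verify "$outdir/$name.asc" "$outdir/$name.tar.gz"
}

# Constructed sample tree standing in for a checked-out source (vendor/lib plays
# the role of a submodule). Builds twice to show reproducibility, verifies the
# clean archive, then tampers with it to show the check failing.
# Prints: "<reproducible> <clean-check> <tampered-check>", expected "yes ok bad".
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/vendor/lib"
    printf 'print("hello")\n' > "$work/src/main.py"
    printf 'int lib(void) { return 1; }\n' > "$work/src/vendor/lib/lib.c"

    build_release_archive "$work/src" "example-v1.0.0" "$work/dist"
    build_release_archive "$work/src" "example-v1.0.0" "$work/dist2"
    if cmp -s "$work/dist/example-v1.0.0.tar.gz" "$work/dist2/example-v1.0.0.tar.gz"
    then reproducible=yes; else reproducible=no; fi

    if verify_release_archive "$work/dist" "example-v1.0.0"
    then clean=ok; else clean=bad; fi

    printf 'x' >> "$work/dist/example-v1.0.0.tar.gz"   # simulate a modified download
    if verify_release_archive "$work/dist" "example-v1.0.0"
    then tampered=ok; else tampered=bad; fi

    rm -rf "$work"
    echo "$reproducible $clean $tampered"
}

demo
```

The reproducibility flags matter for the stated problem: a downstream recipe pins one SHA256, so the archive for a given tag must be rebuildable to the same bytes, which a plain `tar czf` (current mtimes, directory order, gzip header timestamp) does not give you.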

We used to do this, but ended up dropping it as it didn't seem to be used and it was a maintenance burden (albeit a minor one). We're going to be revamping our release process in the next couple of months. I can't promise anything but I'll keep this request in mind and see if I can squeeze it in.

nmote · Mar 04 '25 18:03