Build via multi-stage, update to Go 1.19, Alpine 3.16 #30
Conversation
|
Heh, at least #29 works to successfully catch the bug! I guess we need a new Notary release before we can actually do this? 😬 |
tianon
force-pushed
the
multistage
branch
2 times, most recently
from
d195fd7
to
44c3bbd
Compare
|
Welp, apparently I don't understand notaryproject/notary#1602 as well as I thought I did because that manual cherry-pick of the jose2go module update didn't fix the failing tests. 🙈 |
|
We might also need to cherry-pick notaryproject/notary#1635 for this to work on Go 1.17+. Hopefully we'll make a new notary release soon which will include all of these fixes! |
|
Dang, that was an easy one to cherry-pick 😅 (and it looks like it worked! 🤘) Do you think these changes are pretty reasonable for us to backport into new builds of the older release this way? Do you have any objectionary thoughts on the PR in general? 😇 |
|
Awesome, glad that was painless 🎉
I'm not sure, I think I'll defer to you on that! Do we often backport these kind of changes for old releases, or is notary unique? I think these changes are pretty harmless but I guess it could be confusing for a user if, say, the official image works and the release from notary does not. Hopefully we can have a notary release this week so it might be better to wait for that, but I appreciate we've been saying it will happen soon for a long time! 😬 My only other thought on this PR is that it might be nice to have a single Dockerfile with three stages, one that does the build step, and then two more stages for the server and signer, each of which just copies over the appropriate binary. This way we wouldn't need to duplicate the build step. I'm not sure if this is possible with the rest of the build pipeline though, and definitely not for this PR! |
The Official Images build pipeline does not support a |
|
Yeah, with only two files it should be pretty easy to keep them in sync, but templating would be my recommended solution if we want something more explicit. 👍 Given "Notary" doesn't release binaries, this is probably fine for us to release, but if you really do believe a new release is imminent I don't see a lot of damage in waiting instead. 😄 |
|
OK, yeah I thought the pipeline might not support that yet. Ahh yes it looks like the 0.7.0 release was weird as there's no actual 'release' in GitHub, just a tag 🤔 It looks like previous releases have got binaries linked from the GitHub releases, I assume that's the intended correct way to release 🤔 Yes I think it's fine to release this 👍 |
|
Alright, let's do it! 😄 |
This is possible now thanks to docker-library/bashbrew#43 -- there are some more dependencies before we can take this all the way linked from docker-library/bashbrew#43 (comment), but we're close enough that we can start testing at this level. 👍