-
Notifications
You must be signed in to change notification settings - Fork 690
Update go-containerregsitry dependency to 0.4.1 #1829
Conversation
Thank you for being so reactive, but 👎 Github branch/commit tarballs are dynamically generated. Don't depend on them having a stable SHA256. If the upstream rule is not distributing built artefacts, you'll need to use git_repository or go_repository or whatever rule that is stable. In this case, use |
Fetch repository using commit and importpath, instead of using dynamically generated archive.
3bb82d7
to
7ed4277
Compare
I've updated this PR to use I haven't touched the other dependencies, but I can update those if you'd like. |
Not my call, but I feel this could be a good idea. Or let go_repository pull them as in module mode maybe? |
The |
It is not downloaded as a module, but via a git commit, which is safe. |
Downloading an archive just based on a git commit is not safe. All content must be verified, whether it be through the |
Previously the bazel build would fail because the sha on github's side changed. The fix was merged upstream in PR bazelbuild/rules_docker#1829 and released with version 0.17.0.
Fetch repository using commit and importpath, instead of using dynamically generated archive.
PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Issue Number: #1814
What is the new behavior?
This updates the go-containerregistry dependency from 0.1.4 (October 2020) to 0.4.1 (March 2021)
This removes a dependency on a non-deterministic package resulting in inconsistent archive SHAs generated by GitHub's archive server. That upstream issue was also fixed in kubernetes/kubernetes#99376.
Other than removing this non-determinism, no major functional changes are expected. Some performance improvements and bugfixes have been added since 0.1.4, which might be beneficial.
Does this PR introduce a breaking change?
Other information