Add vcsinfo when building with goreleaser #3993

Merged
merged 2 commits into from Mar 28, 2023
7 changes: 6 additions & 1 deletion .goreleaser.yml
@@ -1,5 +1,8 @@
project_name: nats-server

gomod:
proxy: true

release:
github:
owner: nats-io
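Review bot: the gomod block at the top of .goreleaser.yml sets proxy: true with no comment saying why, while the inline discussion on this PR describes tagging the module through a Go module proxy as something to consider in another PR. Add a YAML comment above gomod: stating that it is there so the mod line of the released binary carries the release tag instead of (devel), and update the PR description so its scope matches what is merged.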
Expand All @@ -11,8 +14,10 @@ changelog:
skip: true

builds:
- main: ./main.go
- main: .
Member Author

@philpennock actually this is only what is needed to remove the false positives from trivy / grype. By building as a package rather than the file, then the package itself is not included as a dependency:

before:

# building main.go
go version -m dist/nats-server_darwin_amd64_v1/nats-server 
dist/nats-server_darwin_amd64_v1/nats-server: go1.19.5
	path	command-line-arguments
	dep	github.com/klauspost/compress	v1.16.0	h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4=
	dep	github.com/minio/highwayhash	v1.0.2	h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
	dep	github.com/nats-io/jwt/v2	v2.3.0	h1:z2mA1a7tIf5ShggOFlR1oBPgd6hGqcDYsISxZByUzdI=
	dep	github.com/nats-io/nats-server/v2	(devel)	
	dep	github.com/nats-io/nkeys	v0.3.0	h1:cgM5tL53EvYRU+2YLXIK0G2mJtK12Ft9oeooSZMA2G8=
	dep	github.com/nats-io/nuid	v1.0.1	h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
	dep	go.uber.org/automaxprocs	v1.5.1	h1:e1YG66Lrk73dn4qhg8WFSvhF0JuFQF0ERIp4rpuV8Qk=
	dep	golang.org/x/crypto	v0.6.0	h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
	dep	golang.org/x/sys	v0.5.0	h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
	dep	golang.org/x/time	v0.3.0	h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=

after:

# installing package (.)
go version -m dist/nats-server_darwin_amd64_v1/nats-server 
dist/nats-server_darwin_amd64_v1/nats-server: go1.19.5
	path	github.com/nats-io/nats-server/v2
	mod	github.com/nats-io/nats-server/v2	(devel)	
	dep	github.com/klauspost/compress	v1.16.0	h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4=
	dep	github.com/minio/highwayhash	v1.0.2	h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
	dep	github.com/nats-io/jwt/v2	v2.3.0	h1:z2mA1a7tIf5ShggOFlR1oBPgd6hGqcDYsISxZByUzdI=
	dep	github.com/nats-io/nkeys	v0.3.0	h1:cgM5tL53EvYRU+2YLXIK0G2mJtK12Ft9oeooSZMA2G8=
	dep	github.com/nats-io/nuid	v1.0.1	h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
	dep	go.uber.org/automaxprocs	v1.5.1	h1:e1YG66Lrk73dn4qhg8WFSvhF0JuFQF0ERIp4rpuV8Qk=
	dep	golang.org/x/crypto	v0.6.0	h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
	dep	golang.org/x/sys	v0.5.0	h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
	dep	golang.org/x/time	v0.3.0	h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=

Still, the only way for the module to be tagged with v2.9.15 instead of (devel) would be to use some sort of go mod proxy so that go install can tag it as such, but we can consider doing that in another PR/later:

mod	github.com/nats-io/nats-server/v2	(devel)	

Member

This appears to be back-to-front. go build and go build . yield the same dependency chain for me. But if I go build main.go and specify a file, then the package disappears from the list?

Member Author

Difference between go build main.go and go build .:

# go build main.go :: Adds package itself as a devel dep dependency, omits vcsinfo
$ go build -o nats-server main.go 
$ go version -m nats-server
nats-server: go1.19.5
	path	command-line-arguments
	dep	github.com/klauspost/compress	v1.16.0	h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4=
	dep	github.com/minio/highwayhash	v1.0.2	h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
	dep	github.com/nats-io/jwt/v2	v2.3.0	h1:z2mA1a7tIf5ShggOFlR1oBPgd6hGqcDYsISxZByUzdI=
	>> dep	github.com/nats-io/nats-server/v2	(devel)	<< trips up vulnerability scanners
	dep	github.com/nats-io/nkeys	v0.3.0	h1:cgM5tL53EvYRU+2YLXIK0G2mJtK12Ft9oeooSZMA2G8=
	dep	github.com/nats-io/nuid	v1.0.1	h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
	dep	go.uber.org/automaxprocs	v1.5.1	h1:e1YG66Lrk73dn4qhg8WFSvhF0JuFQF0ERIp4rpuV8Qk=
	dep	golang.org/x/crypto	v0.6.0	h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
	dep	golang.org/x/time	v0.3.0	h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
	build	-compiler=gc
	build	CGO_ENABLED=1
	build	CGO_CFLAGS=
	build	CGO_CPPFLAGS=
	build	CGO_CXXFLAGS=
	build	CGO_LDFLAGS=
	build	GOARCH=arm64
	build	GOOS=darwin
# Adds vcsinfo, package is not a dependency of itself but mod is tagged with `devel` instead. This does not cause issues with vuln scanners.
$ go build -o nats-server . 
$ go version -m nats-server
nats-server: go1.19.5
	path	github.com/nats-io/nats-server/v2
	mod	github.com/nats-io/nats-server/v2	(devel)	
	dep	github.com/klauspost/compress	v1.16.0	h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4=
	dep	github.com/minio/highwayhash	v1.0.2	h1:Aak5U0nElisjDCfPSG79Tgzkn2gl66NxOMspRrKnA/g=
	dep	github.com/nats-io/jwt/v2	v2.3.0	h1:z2mA1a7tIf5ShggOFlR1oBPgd6hGqcDYsISxZByUzdI=
	dep	github.com/nats-io/nkeys	v0.3.0	h1:cgM5tL53EvYRU+2YLXIK0G2mJtK12Ft9oeooSZMA2G8=
	dep	github.com/nats-io/nuid	v1.0.1	h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
	dep	go.uber.org/automaxprocs	v1.5.1	h1:e1YG66Lrk73dn4qhg8WFSvhF0JuFQF0ERIp4rpuV8Qk=
	dep	golang.org/x/crypto	v0.6.0	h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
	dep	golang.org/x/time	v0.3.0	h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
	build	-compiler=gc
	build	CGO_ENABLED=1
	build	CGO_CFLAGS=
	build	CGO_CPPFLAGS=
	build	CGO_CXXFLAGS=
	build	CGO_LDFLAGS=
	build	GOARCH=arm64
	build	GOOS=darwin
	build	vcs=git
	build	vcs.revision=1281ca690c8fe396f4075ac4aff20f14a18362ba
	build	vcs.time=2023-03-28T15:16:33Z
	build	vcs.modified=true
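
A check a release pipeline could run over the two outputs compared in the comment above, written in Go as an added example (not code from this PR or from nats-server). `Audit`, its finding strings and the trimmed sample outputs are constructed for illustration; the module path and revision are the ones quoted in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

const mainModule = "github.com/nats-io/nats-server/v2"
// Constructed samples: trimmed from the `go version -m` output quoted above.
const fileBuild = "nats-server: go1.19.5\n" +
	"\tpath\tcommand-line-arguments\n" +
	"\tdep\tgithub.com/nats-io/nats-server/v2\t(devel)\t\n" +
	"\tbuild\tGOOS=darwin\n"

const pkgBuild = "nats-server: go1.19.5\n" +
	"\tpath\tgithub.com/nats-io/nats-server/v2\n" +
	"\tmod\tgithub.com/nats-io/nats-server/v2\t(devel)\t\n" +
	"\tbuild\tvcs.revision=1281ca690c8fe396f4075ac4aff20f14a18362ba\n" +
	"\tbuild\tvcs.modified=true\n"

// Audit reads `go version -m` text for one binary and returns the findings
// this thread cares about. module is the expected main module path.
func Audit(out, module string) []string {
	var findings []string
	hasRev := false
	for _, line := range strings.Split(out, "\n") {
		f := strings.Split(strings.TrimSpace(line), "\t")
		if len(f) < 2 {
			continue // header line ("binary: goX.Y") or blank
		}
		switch {
		case f[0] == "path" && f[1] == "command-line-arguments":
			findings = append(findings, "built from a file list, not a package")
		case f[0] == "dep" && f[1] == module:
			findings = append(findings, "main module listed as its own dependency")
		case f[0] == "build" && strings.HasPrefix(f[1], "vcs.revision="):
			hasRev = true
		case f[0] == "build" && f[1] == "vcs.modified=true":
			findings = append(findings, "vcs.modified=true: built from a dirty working tree")
		}
	}
	if !hasRev {
		findings = append(findings, "no vcs.revision recorded")
	}
	return findings
}

func main() { fmt.Println(Audit(fileBuild, mainModule), Audit(pkgBuild, mainModule)) }
```
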

binary: nats-server
flags:
- -trimpath
ldflags:
- -w -X github.com/nats-io/nats-server/v2/server.gitCommit={{.ShortCommit}}
env:
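Review bot: in the builds entry, main: . removes the self-dependency line, but nothing in this config checks that it stays removed, and the sample output posted in the thread records vcs.modified=true. Consider a post-build step that runs go version -m on each dist binary and fails if a dep line for github.com/nats-io/nats-server/v2 appears or the tree was modified. Separately, ldflags still injects server.gitCommit from {{.ShortCommit}} while the package build now embeds vcs.revision, so the binary carries the commit from two sources; a comment saying which one the server reports would help.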