Update for new repository URL and switch over to Incus packages #2
Conversation
|
Okay, so I get things to build at least. Will be switching the tests to run against both stable and daily Incus packages and then see if I can figure out what's needed to get them passing, though that may be over my Terraform knowledge and something better handled by @mdavidsen and @maveonair :) |
stgraber
force-pushed
the
main
branch
2 times, most recently
from
d554a9c
to
2c62274
Compare
|
Looks like the switch to using tokens may require a bit of extra effort to get the testsuite to pass. |
stgraber
force-pushed
the
main
branch
6 times, most recently
from
04f9fe1
to
9b17c02
Compare
Signed-off-by: Stéphane Graber <[email protected]>
It doesn't seem like a great idea to have a GPG private key loaded into Github. For the limited amount of work needed to generate a tarball, sign and upload it, let's keep that manual for now. Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
|
@lxc/incus-terraform ready for review! |
There was a problem hiding this comment.
Are we planning on releasing this on registry.terraform.org? If we want people to use the provider, the answer should be yes. In that case, we probably still want this file.
There was a problem hiding this comment.
Yeah, we definitely want it on the registry though I'm not seeing any mention of this particular Github action being required when going through https://developer.hashicorp.com/terraform/registry/modules/publish
I definitely like signed release tarballs being attached to repositories, I don't quite like the idea of Github being the one with access to the private key quite so much :)
There was a problem hiding this comment.
Unless there's a hard requirement on the registry side, I'd prefer that whoever generates the tag also personally generates the release tarball and signs it with their own key. A keyring made of the different maintainer keys can be assembled for anyone wanting to validate the signature (or if they trust Github, they can fetch the GPG key from their Github profile, same as is done for commit signing).
There was a problem hiding this comment.
They actually recommend the use of a GitHub Action, but it's not required. This is the relevant provider doc: https://developer.hashicorp.com/terraform/registry/providers/publishing
I'm on board if we aren't comfortable giving GitHub the private key. I do think it's a trade off of risk though. Trusting GitHub's systems to be secured versus trusting developer's systems to be secured.
I'll defer to others for signing if we would prefer to do it manually. I've happily lived without GPG for a few years now.
There was a problem hiding this comment.
Looks like the registry supports multiple signing keys so we should be fine to use goreleaser locally with private GPG keys and have those added on the registry side, that should give us the security benefits while also using GPG keys that are more meaningful than a randomly generated one hosted on Github's servers and exposed to Github runners.
No description provided.