Add GH Action that builds PHAR files with build-release.sh #149

Closed
wants to merge 5 commits into from


mlocati
Contributor

@mlocati mlocati commented Dec 17, 2024

People may install pear in two ways (AFAIK):

  1. By using the https://pear.php.net/install-pear-nozlib.phar file (for example PHP uses it)
  2. By using https://pear.php.net/go-pear.phar (as described in the manual)

What about adding a GitHub Action that generates those two PHAR files (and attaches them to GitHub Releases automatically when someone publishes a new release)?

We'd also need to update the two PHARs on the pear.php.net website, but at least we don't have to compile them manually.

Member

@CloCkWeRX CloCkWeRX left a comment

Conceptually; great.

Probably warrants a little bit of security review around shivammathur/setup-php@v2 or any of the other actions, which we do already use, but not to create an artifact potentially many folks will access that persists beyond the life of a CI job.

May need to look at more exact version pinning/sha1 or something like that (https://github.com/shivammathur/setup-php/releases/tag/v2 for example says it was 'updated')

@mlocati
Contributor Author

mlocati commented Dec 18, 2024

> Probably warrants a little bit of security review around shivammathur/setup-php@v2

I've updated this PR with 060f823

> or any of the other actions

The other actions are actions/checkout and actions/upload-artifact which are maintained by GitHub: should we use specific commits for them too?

@CloCkWeRX
Member

IMO yes, when I think about stuff like https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
Dependabot... Should update it I think; so it's not a huge maintenance overhead, though may be a bit annoying as we are fairly low traffic vs volume of PRs.

Will let a few of the other maintainers add their thoughts

@mlocati
Contributor Author

mlocati commented Dec 19, 2024

> IMO yes

Done - I've added c49eb69

I've also added 8bef117 and c72b14b

@mlocati
Contributor Author

mlocati commented Dec 19, 2024

We could also improve the way we publish GH releases...
We could switch to something like this:

  1. maintainers push a version-like tag (that is, something that matches /^(v\.?)?\d+.\d+.\d+/)
  2. a GH action detects that we have a new release to be published
  3. it builds the assets
  4. it publishes a new GH release

I'm already doing this for https://github.com/mlocati/powershell-phpmanager (and somehow also for https://github.com/mlocati/docker-php-extension-installer)

@ashnazg
Member

ashnazg commented Dec 22, 2024

Thanks for the effort on this, but for now, I'd prefer to continue generating and signing them myself. Your PR will be a useful reference to later implement this though, so it is definitely appreciated (and might get reopened/merged later).

@ashnazg ashnazg closed this Dec 22, 2024
@mlocati
Contributor Author

mlocati commented Dec 23, 2024

@ashnazg what about keeping the GH workflow that builds the PHARs? That way we check if everything works as expected (and people have a working reference to see how to build them)


3 participants