The main benefit of pinning GitHub actions is the determinism it brings
in terms of what version of a given action will be executed. This is
a step towards having hermetic builds.
Once pinned to a commit, dependabot will automatically issue PRs to update
to newer versions.
Pinned versions is the only security metric from OpenSSF scorecard that
this repository currently have a zero score.
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
Using the directory cmd/flux/manifests as a prerequisite causes a
problem: if the script that creates the files within fails, the next
invocation of make will see the directory and assume it
succeeded. Since the executable expects certain files to be present,
but they are not explicit prerequisites of the recipe for building the
binary, this results in a successful build but a broken `flux`
executable.
Instead, depend on a file that's explicitly updated when the script
has succeeded, and which itself depends on the inputs.
A couple of the CI workflows run
make cmd/flux/manifests
before doing other things, presumably as a way to avoid running the
whole test suite in a CI pipeline for some purpose other than testing,
so these needed changing as well.
Signed-off-by: Michael Bridgen <michael@weave.works>
This commit changes the way the build of manifests is triggered by
making smarter use of the capabilities of Make. The result should be
that the manifests are only regenerated if:
1. There is no `cmd/flux/manifests/` directory.
2. There have been made changes to the YAML files in the `manifests/`
directory that are newer than the files in `cmd/flux/manifests/`.
Signed-off-by: Hidde Beydals <hello@hidde.co>
- add make target for generating the install manifests using kustomize
- embed the generated manifests in flux binary
- the install and bootstrap commands default to using the embedded manifests
- download the install manifests from GitHub only if the install/bootstrap version arg is set
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
dependabot[bot]
Paulo Gomes
Stefan Prodan
Eddie Knight
Adrien Fillon
Michael Bridgen
Hidde Beydals