Closed gedw99 closed 1 week ago
Given this issue and the others (#6549 and #6548, and the linked https://github.com/infogulch/xtemplate/issues/19), I think you're using the wrong tool for the job. The add-package
and remove-package
are not build systems to expect them to produce SBOMs. The 2 commands use our build-server (same used by download page) for the builds, which comes without any SLA. We also run the risk of reinventing goreleaser, which does everything you want and more.
If you want to achieve automation, use xcaddy (standalone or in combination with goreleaser) to control your builds. Baking everything into Caddy is the wrong way to go about it.
Yeah, I think I agree; I haven't intended those commands to automate builds, not in this way. There are better ways to do it with xcaddy.
Got it . Thanks all for the steeeing !!
We could add JSON out on
caddy add-package
,caddy remove-package
andcaddy list-modules --packages --versions
commands, so that we can do solid automation, to help have a good SBOM practices.I often do this so that I know whats inside at all times, and pipe it to a file as meta data for all systems.
JSON seems like the defecto format.
Its also a good way to do higher level automations.