jthegedus / meta-cloud-builders

Build custom GCP Cloud Build builders from a config file. Deploy all your GCP Cloud Build Triggers from config files.

Investigate a method for versioning builders #20

Open jthegedus opened 4 years ago

jthegedus commented 4 years ago

I don't want to use the latest tag exclusively in case of a bad update. What methods could be used to version these?

dbrtly commented 2 months ago

Should the custom-builders.yaml file include a sha256 key with value matching a specific commit?

jthegedus commented 2 months ago

Yes, I think that would be the ideal method. Should probably also support a "major" version as has become the trend with GitHub Actions, so people can use builder@1 and automatically get the latest for that major version... not sure.

It becomes a question of ease-of-use vs what is the most secure. Given no Dependabot support, a builder which runs and checks builder versions would also be useful. Or just get https://github.com/sethvargo/ratchet to support meta-builders (if it even needs changes to :thinking:)

What I described above are called "versioned" (sha) and "unversioned" (major semver #) in Ratchet - https://github.com/sethvargo/ratchet#terminology
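
An added example, not part of the thread or of the meta-cloud-builders code: a minimal sketch of the "check builder versions" idea, assuming builders are referenced as container image references (`name:tag` or `name@sha256:<digest>`). The registry, project and builder names, the digest and the category labels are constructed placeholders.

```python
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
PARTIAL_RE = re.compile(r"v?\d+(\.\d+)?")      # "1", "v1", "1.4": moves with new releases
FULL_SEMVER_RE = re.compile(r"v?\d+\.\d+\.\d+")  # "1.4.2": specific, but a tag can be re-pushed


def classify(ref: str) -> str:
    """Classify an image reference by how strongly it pins the builder."""
    name, at, digest = ref.partition("@")
    if at:
        # Only a full sha256 digest is an immutable reference.
        return "pinned-digest" if DIGEST_RE.fullmatch(digest) else "malformed-digest"
    # A ':' in the last path segment separates the tag; an earlier ':' is host:port.
    last_segment = name.rsplit("/", 1)[-1]
    tag = last_segment.partition(":")[2]
    if tag in ("", "latest"):
        return "floating-latest"      # no tag resolves to "latest"
    if PARTIAL_RE.fullmatch(tag):
        return "floating-major"
    if FULL_SEMVER_RE.fullmatch(tag):
        return "exact-tag-mutable"
    return "other-tag-mutable"


def audit(refs, allow=("pinned-digest",)):
    """Return (ref, kind) for every reference whose kind is not allowed."""
    return [(ref, kind) for ref in refs if (kind := classify(ref)) not in allow]


# Constructed sample input; none of these are real images or digests.
FAKE_DIGEST = "sha256:" + "ab" * 32
BASE = "gcr.io/example-project/example-builder"
SAMPLE_REFS = [
    BASE,
    BASE + ":latest",
    BASE + ":1",
    BASE + ":1.4.2",
    "localhost:5000/example-builder",
    BASE + ":1@" + FAKE_DIGEST,
    BASE + "@sha256:abc123",
]

if __name__ == "__main__":
    for ref, kind in audit(SAMPLE_REFS):
        print(f"{kind:20} {ref}")
```

Passing `allow=("pinned-digest", "floating-major")` to `audit` models the ease-of-use option from the discussion, where a major-version tag is accepted alongside digests.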