build: stronger pinning of jsonnet dependencies?

[flokli]

It seems this project uses jsonnet-builder as a way to manage jsonnet dependencies.

I peeked at the jsonnetfile.json in the repo:

{
  "version": 1,
  "dependencies": [
    {
      "source": {
        "git": {
          "remote": "https://github.com/grafana/grafonnet-lib.git",
          "subdir": "grafonnet"
        }
      },
      "version": "master"
    },
    {
      "source": {
        "git": {
          "remote": "https://github.com/grafana/jsonnet-libs.git",
          "subdir": "grafana-builder"
        }
      },
      "version": "master"
    }
  ],
  "legacyImports": false
}

This just seems to use the master branch, but doesn't use any strong pinning.

This means, it's not possible to ensure the same outputs are produced, or building in a sandbox where network access is blocked (except for dependencies where the hash is already provided upfront).

Does jsonnet-builder provide some sort of lockfile, or could you use their vendoring function instead of loosely tracking master?

[arajkumar]

Hey, have you come across any problem due to this?

jsonnet bundler(jb) does have a way to pin the dependencies. Look at https://github.com/prometheus-operator/kube-prometheus/blob/main/jsonnetfile.lock.json for example.

[flokli]

Hey, have you come across any problem due to this?

Yes, I can't build this project in a sandboxed environment without network access. If you'd either ship the dependencies vendored-in, or commit a lockfile with hashes, that should work.

[github-actions[bot]]

This issue has not had any activity in the past 30 days, so the stale label has been added to it.

• The stale label will be removed if there is new activity
• The issue will be closed in 7 days if there is no new activity
• Add the keepalive label to exempt this issue from the stale check action

Thank you for your contributions!

[flokli]

still relevant

[skl]

Thanks @flokli, I added the keepalive label to prevent it getting closed.