Open oschwald opened 4 years ago
@viceice so is this something that's not going to be supported in the hosted version?
this was a starter to fully support lfs by renovate. feel free to take and complete it 🤗
Not in the foreseeable future for security reasons
@viceice so is this something that's not going to be supported in the hosted version?
probably yes, until someone finds a way without git hooks.
Thanks @rarkins and @viceice -- I'm pretty familiar with git-lfs but I went and did a bit of reading. You said not going to be allowed due to `hooks` being not supported for security reasons, but as far as I know `git-lfs` doesn't actually use any hooks, at least not the traditional `.git/hooks`.
If we were to install `git-lfs` for the user running renovate and more specifically the `git` commands, the `git lfs install` simply adds a filter stanza to the user's `~/.gitconfig` which is then used during clone and checkout to read the `.gitattributes` and look for matching filters to do the git-lfs things which to my knowledge filters is an internal git supported mechanism.
I've checked my configuration, and I'm looking at some additional things right now but I can't find any use of hooks or reference to hooks. Am I missing something?
it's using hooks somewhere to push the lfs files, see comments above. that's why you can allow hooks for self-host
@viceice ah, that's the missing link, for pushing, I see a post-checkout too (now that I'm looking a bit deeper), wonder if they are used for initial cloning though.
What if we supported git-lfs for cloning but not for pushing, make that a limitation. Then for cloning it would work for go mods and others that have hashes of their contents but wouldn't support renovating any files that are actually in git-lfs?
Another approach could be to take the direnv.net approach and allow only hooks that meet a specific hash. For example, we could allow the 3 hook files that get created so long as their hash matches.
```sh
#!/bin/sh
command -v git-lfs >/dev/null 2>&1 || { echo >&2 "\nThis repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting '.git/hooks/pre-push'.\n"; exit 2; }
git lfs pre-push "$@"
```
This is the `pre-push` in a cloned repo that has git-lfs file, renovate could allow this file to exist in the repo as long as the file matches `911a6ef2ce82426869f449da86b8ca5f7cb6205dfd8236b35ef277b26aef9fed` if it doesn't match it's removed?
Thoughts?
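The hash-allowlist idea from the comment above, sketched as an added example (not code from Renovate or git-lfs): any hook whose SHA-256 digest is not pinned for its name is deleted. `audit_hooks`, `SAMPLE_HOOK` and the hook contents are constructed for illustration; a real allowlist would pin digests taken from a trusted git-lfs install.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a hook body; not the real git-lfs hook text.
SAMPLE_HOOK = b'#!/bin/sh\ngit lfs pre-push "$@"\n'


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_hooks(hooks_dir: Path, allowed: dict[str, set[str]]) -> dict[str, list[str]]:
    """Delete every hook whose (name, digest) pair is not on the allowlist."""
    kept, removed = [], []
    for entry in sorted(hooks_dir.iterdir()):
        # git never runs *.sample files or directories, so leave them alone.
        if entry.name.endswith(".sample") or (entry.is_dir() and not entry.is_symlink()):
            continue
        # Symlinks are rejected outright: the target can change after the check.
        ok = (
            not entry.is_symlink()
            and entry.is_file()
            and sha256_file(entry) in allowed.get(entry.name, set())
        )
        if ok:
            kept.append(entry.name)
        else:
            entry.unlink()
            removed.append(entry.name)
    return {"kept": kept, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Run the audit over a constructed hooks directory."""
    allowed = {"pre-push": {hashlib.sha256(SAMPLE_HOOK).hexdigest()}}
    with tempfile.TemporaryDirectory() as tmp:
        hooks = Path(tmp)
        (hooks / "pre-push").write_bytes(SAMPLE_HOOK)  # pinned digest
        (hooks / "post-checkout").write_bytes(b"#!/bin/sh\necho unexpected\n")  # not pinned
        (hooks / "pre-commit.sample").write_bytes(b"#!/bin/sh\n")  # ignored
        return audit_hooks(hooks, allowed)
```

The audit covers only the directory it is given; git also honours `core.hooksPath`, so a caller has to resolve the effective hooks directory first.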
@rarkins i think we need to revert git-lfs install. otherwise the hosted app will start downloading all lfs files on checkout.
we need a very defensive setting first: https://github.com/renovatebot/renovate/pull/10748
What would you like Renovate to be able to do?
Use renovate with files stored in git lfs.
We use Yarn's offline-mirror feature to vendor the packages. The vendored packages are stored in Git using LFS. When Renovate tries to push the changes, it fails with the message below.
Relevant debug logs
Slightly sanitized error message.