sonatype-nexus-community / nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Apache License 2.0
564 stars 74 forks

GoReleaser #80

Closed DarthHater closed 4 years ago

DarthHater commented 4 years ago

@nrcook is typically a genius, this is a freshened up version of what he did in #20.

This pull request makes the following changes:

This should support Alpine Linux as we disable CGO, so all current cases should be covered.

We were able to 1:1 it with the current Nancy releases, and tested it out on @allenhsieh's fork of Nancy:

https://github.com/allenhsieh/nancy/releases/tag/v0.1.7

We added a few builds as well while doing that, mostly for 32-bit use.

cc @bhamail / @DarthHater / @zendern / @fitzoh

zendern commented 4 years ago

I do have a concern: when a test fails in CI, currently it just shows nothing in the output.

But maybe that's fine 'cause CircleCI has this tab?? Which maybe has more details when something fails?? #circleCiNewb

DarthHater commented 4 years ago

@zendern here's an example with a failing test: https://app.circleci.com/jobs/github/sonatype-nexus-community/nancy/19

Also you can see the old experience here: https://circleci.com/gh/sonatype-nexus-community/nancy/19#tests/containers/0

Those steps I believe run no matter what to store artifacts/test results, so we should get the info all the time! You can see the details from the test failure in that tab.

An alternative would be to run go test ./... -v independently so it shows up in the build log, but I don't mind it being on the tests tab, personally.

DarthHater commented 4 years ago

@zendern @fitzoh @greut: we tested the goreleaser release on tag stuff on @allenhsieh's fork: https://github.com/allenhsieh/nancy/releases/tag/v0.1.1 https://circleci.com/gh/allenhsieh/nancy/6

The only thing I noticed that I'm like EHHHH on is it's creating zips/tar.gz's so it adds a step to someone's download process. I think that's OK, but I wanted to run it past a few other people.

zendern commented 4 years ago

@DarthHater Looks good to me. We still need to update the README.md regarding install with tars being involved now, and if I understand how it will work now, it will no longer be on merge into master. It'll be when a tag is created, so we should update that.

I do feel like we should probably bump it to 1.0.0. With this and #59 technically changing a public method signature (not sure if anyone is using it in that way), simply just changing to a minor version doesn't feel like enough, since this is a breaking change there and in packaging.

DarthHater commented 4 years ago

@zendern @fitzoh @greut, we got it ALL figured out, and @allenhsieh just pushed up the changes to make it happen. If you'd like to approve/rubber stamp, now is a good time :)

DarthHater commented 4 years ago

I did!

On Wed, Feb 26, 2020 at 4:52 PM Nathan Zender notifications@github.com wrote:

@zendern commented on this pull request.

In README.md https://github.com/sonatype-nexus-community/nancy/pull/80#discussion_r384872153 :

@@ -5,6 +5,8 @@ Build Status

I should have been clearer here..... :) we should also delete the .travis.yml as well :) No need to support both CI's.

zendern commented 4 years ago

Current changelist looks like so :) maybe you forgot to push it??

zendern commented 4 years ago

@DarthHater do we also need this anymore?? https://github.com/sonatype-nexus-community/nancy/blob/master/bumpver.sh

DarthHater commented 4 years ago

Removed that and .travis.yml in 1861022 @zendern

DarthHater commented 4 years ago

And README.md looks good to me in: https://github.com/sonatype-nexus-community/nancy/pull/80/files#diff-04c6e90faac2675aa89e2176d2eec7d8R6-R7