thoughtworks / talisman

Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
https://thoughtworks.github.io/talisman/
MIT License

Support Talisman installed from package managers #304

Open herbygillot opened 3 years ago

herbygillot commented 3 years ago

Describe the solution you'd like

Talisman has now been added to MacPorts: https://ports.macports.org/port/talisman/summary

This means that through MacPorts, talisman can be installed to /opt/local/bin/talisman.

Unfortunately the setup and install shell scripts don't really know how to set up repositories to work with a talisman binary that lives in a centralized path.

svishwanath-tw commented 3 years ago

@herbygillot : Many thanks for making talisman available via ports

AFAIK talisman by itself doesn't care where it is installed but the scanWithHTML might look for the specific path in $HOME/.talisman/

I got a chance to look at https://github.com/macports/macports-ports/blob/a9ccdd32d96b632f77fbe0e8866d209326398dae/devel/talisman/Portfile and it looks 💯 👍🏽 (great)

Firstly, some changes I would suggest to the Portfile:

  1. The current/latest version of talisman is built on go 1.16 (https://github.com/thoughtworks/talisman/blob/3bacef3d34240432b4b89ea930f07ee85b4ad933/.github/workflows/test-and-coverage.yml#L19), but the portfile specifies go 1.11.0
  2. talisman is completely based on go modules so vendoring isn't needed / recommended

Now, to your question of talisman not knowing how to work from a central location: it was targeted at individual developers initially, and the tool itself is very git-centric currently, so making it machine-global didn't make sense.
Having said that, I suggest:

  1. the port could install its own talisman_hook_script, which on detecting a newer release/version, urges the ports user to update talisman.
  2. create an issue/submit a PR, to do the version check from within the talisman binary. Then talisman won't need extra scripts and worry about installation paths.

herbygillot commented 3 years ago

Thank you for taking a look, @svishwanath-tw.

To provide some context here:

On 1., the format of this line is go.setup <go module> <module version> <branch prefix> <branch suffix>, so the 1.11.0 in this case is the version of talisman that the Portfile is building, as that is the latest proper release that I see available.

In response to point 2., the vendoring is a MacPorts-specific idiosyncrasy. MacPorts wants to mirror all deps for the software in its catalogue, so that includes the individual go modules. This is not done for all Go software in MacPorts, but it is done to the extent that it can be.

Thanks for your suggestions; I think it might be best to have the Talisman binary aware enough so that external scripts aren't needed.
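Along the lines of the port-installed hook script suggested above, here is an added example (not Talisman's own talisman_hook_script and not from the MacPorts Portfile) of a pre-commit hook that copes with a binary living in a central path such as /opt/local/bin. It assumes `talisman --githook pre-commit` runs the scan, `talisman --version` prints the installed version, and an assumed TALISMAN_EXPECTED_VERSION variable set by the packager carries the version to nag about.

```shell
#!/bin/sh
# Added example, not Talisman's own hook script: a git pre-commit hook that
# finds the talisman binary whether it was installed per-user (the installer's
# $HOME/.talisman/bin) or by a package manager into a central path such as
# /opt/local/bin, then nags (without blocking) when the install looks stale.
# Assumptions: `talisman --githook pre-commit` is the hook entry point,
# `talisman --version` prints the version, and TALISMAN_EXPECTED_VERSION is
# set by the packager (all assumed here, not documented by the page).

# Resolve the binary: explicit override first, then the MacPorts path, the
# per-user install, and finally whatever is on PATH.
resolve_talisman() {
    for candidate in "${TALISMAN_BINARY:-}" /opt/local/bin/talisman \
            "$HOME/.talisman/bin/talisman" "$(command -v talisman 2>/dev/null)"; do
        if [ -n "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# $1 is the `--version` output, $2 the expected version (substring match so a
# "v" prefix is tolerated). Returns 1 and warns on stderr when an update is due;
# an empty expected version always passes.
warn_if_outdated() {
    case "$1" in
        *"$2"*) return 0 ;;
    esac
    echo "talisman '$1' installed, $2 available: run 'port upgrade talisman'" >&2
    return 1
}

# Run the scan; a missing binary fails closed so changes never go unscanned.
run_pre_commit() {
    bin=$(resolve_talisman) || {
        echo "talisman not found; refusing to commit unscanned changes" >&2
        return 1
    }
    warn_if_outdated "$("$bin" --version 2>/dev/null)" "${TALISMAN_EXPECTED_VERSION:-}" || true
    "$bin" --githook pre-commit
}

# Act as the hook only when installed as .git/hooks/pre-commit.
case "$0" in
    */pre-commit) run_pre_commit; exit $? ;;
esac
```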