Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

requirements: bump sigstore-python #97

Merged
merged 3 commits into from
Dec 13, 2023
Merged

requirements: bump sigstore-python #97

merged 3 commits into from
Dec 13, 2023

Conversation

woodruffw
Copy link
Member

Seals off the resolution bug we saw in #94.

I'll do a release after this.

@woodruffw
requirements: bump sigstore-python
40ed3dd 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw woodruffw requested a review from jku December 13, 2023 15:30
@woodruffw woodruffw self-assigned this Dec 13, 2023
jku
jku approved these changes Dec 13, 2023
View reviewed changes
Copy link
Member

@jku jku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As a fix looks correct to me.

I suppose an argument could be made to pin these exactly as well (==2.1.0) -- but I'm not sure about it and that sounds like a potential separate issue.

@woodruffw
Copy link
Member Author

I suppose an argument could be made to pin these exactly as well (==2.1.0) -- but I'm not sure about it and that sounds like a potential separate issue.

Yeah, I've gone back and forth on that -- on one hand the workflow should probably as hermetic/reproducible as possible, and on the other doing an exact pin means that every single sigstore-python release needs to be accompanied by a workflow release (eliminating the value of us using semver).

I don't have any strong opinions here, though -- if best practice on GHA is to make workflows hermetic, then we should do that 🙂

@di
Copy link
Member

di commented Dec 13, 2023

I think as long as there's enough information to determine what version was used in a given action run, it would be preferable for this to be unpinned or loosely pinned.

@woodruffw
Copy link
Member Author

Makes sense. We currently list the version as part of pip's output during the workflow's setup, but I can also make it more prominent/a dedicated output somewhere as well.

@woodruffw
setup: run sigstore --version
1328ff2 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
setup: debug
cad1224 
Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw
Copy link
Member Author

I've made the sigstore-python version a bit more prominent, example here: https://github.com/sigstore/gh-action-sigstore-python/actions/runs/7201147355/job/19616624805#step:4:125

tetsuo-cpp
tetsuo-cpp approved these changes Dec 13, 2023
View reviewed changes
Copy link
Collaborator

@tetsuo-cpp tetsuo-cpp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@tetsuo-cpp tetsuo-cpp merged commit f4ac35c into main Dec 13, 2023
22 checks passed
@tetsuo-cpp tetsuo-cpp deleted the ww/bump branch December 13, 2023 22:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jku jku jku approved these changes

@tetsuo-cpp tetsuo-cpp tetsuo-cpp approved these changes

@di di Awaiting requested review from di

Assignees

@woodruffw woodruffw

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@woodruffw @di @jku @tetsuo-cpp