-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle private repositories dependencies #31
base: main
Are you sure you want to change the base?
Conversation
* feat: ✨ try support for multiple private repositories * fix: 🐛 try one pk only * feat: ✨ use multiple keys * feat: ✨ add admin module pk * fix: 🐛 some fixes * try one key * revert: ⏪ simpler approach * feat: ✨ add CARGO_NET_GIT_FETCH_WITH_CLI env * revert: 💚 try something out * feat: ✨ use deploy keys * feat: ✨ add cargo vendor * fix: 🐛 add CARGO_NET_GIT_FETCH_WITH_CLI at reproducible build * fix: 🐛 do not compile vendor directories * fix: 🐛 minor fix * fix: * fix: 🔥 avoid jq install
* feat: 🚧 try deploy keys as unique var * feat: ⚡ remove private dependencies input var * fix: 🐛 final fixes
any updates @andreibancioiu ? thank you! |
@@ -110,17 +121,20 @@ jobs: | |||
- name: Build the wasm contracts | |||
env: | |||
RUSTFLAGS: "" | |||
CARGO_NET_GIT_FETCH_WITH_CLI: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- name: Setup Credentials | ||
uses: webfactory/ssh-agent@v0.9.0 | ||
env: | ||
SUPER_SECRET: ${{ secrets.deploy-keys }} | ||
if: ${{ env.SUPER_SECRET != '' }} | ||
with: | ||
ssh-private-key: ${{ secrets.deploy-keys }} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'd like to avoid using an additional third party step, if possible (and only have it as a last resort).
toolchain: ${{ inputs.rust-toolchain }} | ||
target: wasm32-unknown-unknown | ||
|
||
- name: Vendored dependencies (if private dependencies are used) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thus, private dependencies are brought locally, before starting the build, correct (sorry if I misunderstood)?
If so, the usual contract verification flow (which relies on the Docker container to perform the whole build) would not be able to cover this case (however, for verified contracts, private dependencies would not be acceptable, anyway).
@@ -196,6 +210,14 @@ jobs: | |||
steps: | |||
- uses: actions/checkout@v3 | |||
|
|||
- name: Setup Credentials |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For contracts.yml
(not for reproducible-build.yml
), the solution you've previously provided (without altering contracts.yml
) seems sufficient (an additional step in the workflow file of the repository itself):
multiversx/mx-sdk-rust-contract-builder#59 (comment)
Maybe we can promote and document that solution, and have contracts.yml
untouched (at least, from the perspective of setting up credentials)?
@@ -86,6 +90,42 @@ jobs: | |||
fetch-depth: 0 | |||
repository: ${{ env.GITHUB_REPOSITORY }} | |||
|
|||
- name: Setup Credentials |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We understand the need of a closed-source contract to depend on private dependencies, e.g. for development phase 👍 - of course, this is not wise for contracts deployed on mainnet - such contracts cannot pass the verified and reproducible build check.
Though, how would you feel about the options below?
(A) have your private dependencies brought as git submodules in your main private repository, then alter the Cargo.toml
to point to them (of course, making your project open-source would reveal the source code of the dependencies, as well).
(B) in the Docker images for reproducible builds, we can enable ssh-agent
, and run ssh-add
(if any key is provided in the Docker environment) - I did not yet test this approach, though.
(C) allow reproducible-build.yml
to be parametrized with the fully qualified-name of a Docker image (instead of image_tag
only) - this way, you can use a custom Docker image to perform the build of a closed-source contract.
@rvignolo, sorry for the delayed response 🙏 |
An action would look like:
or