twoliter: allow partial lockfile validation in some scenarios #361
Conversation
cbgbt
force-pushed
the
partial-verifications
branch
2 times, most recently
from
5eefd51 to
8c37c49
Compare
|
Sorry for the churn. I have another TL interface change I'd like to make. I can save it for a subsequent PR, though. |
|
I disabled some additional, unnecessary artifact fetching. Some make targets needlessly requested workspace sources as an artifact of previously being part of the monorepo. I need to test that specific change a bit more before merging, though. |
| @@ -1398,7 +1410,6 @@ pubsys \ | |||
| # Rather than depend on "build", which currently rebuilds images each run, we | |||
| # depend on publish-tools and check for the input file below to save time. | |||
| # This does mean that `cargo make ami` must be run before `cargo make validate-ami`. | |||
| dependencies = ["fetch-sources"] | |||
There was a problem hiding this comment.
Seems like we can get rid of most of these 'Rather than depend on "build"' comments now, since these tasks don't depend on "publish-tools" or anything else.
twoliter/src/cmd/make.rs
Outdated
| // | ||
| // `twoliter make` targets in the following list will skip kit validation IFF they also explicitly | ||
| // list their SDK dependency in Twoliter.toml. | ||
| const SKIP_KIT_VALIDATION_TARGETS: &[&str] = &["repack-variant", "repo", "fetch-sdk"]; |
There was a problem hiding this comment.
Seems like we would want to list all of the repo, AMI, ssm, and OVA operations in this list:
- repo
- validate-repo
- check-repo-expirations
- refresh-repo
- ami
- ami-public
- ami-private
- grant-ami
- revoke-ami
- validate-ami
- ssm
- promote-ssm
- validate-ssm
Optionally:
- upload-ova
- vmware-template
Unsure:
- all the test related tasks
- all the clean related tasks
I know allowlists are preferred over denylists, but we only really need kit validation to occur in the places where we're building something - build-package, build-variant, and build-all. So it might be better to just enforce it there?
cbgbt
force-pushed
the
partial-verifications
branch
3 times, most recently
from
90fce5b to
1921801
Compare
|
Commenting so that GitHub will provide a useful comparison view. |
cbgbt
force-pushed
the
partial-verifications
branch
from
1921801 to
90fce5b
Compare
|
^ addresses feedback from @bcressey |
|
LGTM! 👍 |
cbgbt
force-pushed
the
partial-verifications
branch
from
90fce5b to
f6aabae
Compare
|
Force push to remove erroneous |
cbgbt
force-pushed
the
partial-verifications
branch
from
f6aabae to
fbb866f
Compare
|
|
cbgbt
force-pushed
the
partial-verifications
branch
from
fbb866f to
98728ac
Compare
|
^ rebase (without changes) on to develop |
The build-kit tests significantly balloon twoliter's test time. This marks them with `#[ignore]`, which will have them run on `make integ` or `make build`, but not on `cargo test`.
cbgbt
force-pushed
the
partial-verifications
branch
from
98728ac to
3680a75
Compare
|
^ make changes to work with #357 |
cbgbt
force-pushed
the
partial-verifications
branch
from
3680a75 to
4703ab6
Compare
|
^ force push because I missed |
In some CI scenarios, it's useful to drop previously-built variant images into a Twoliter project's build directory and use Twoliter to publish those variant images. In these cases, Kit dependencies are not necessary, and it can be useful to avoid resolving them and comparing them against Twoliter.lock. This change allows skipping Kit lockfile verification only when executing certain `twoliter make` targets.
Switches to a builder-style mechanism for disabling metadata fetching. Since Rust doesn't have named args, it can be hard to know what boolean function flags do at a callsite without going to the function signature.
Many cargo-make targets were fetching sources as an artifact from when publication tools were built as part of the bottlerocket monorepo. Now that Twoliter builds bundles these publication tools, we have need to fetch project sources.
Description of changes:
Testing done:
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.