feat(pipelines): add git-archive built-in for local monorepo sources#2549
Draft
astrojerms wants to merge 7 commits into
Conversation
Add a git-archive pipeline that populates the build workspace from a subtree of the local git repository at a pinned ref, host-side, without cloning over the network and without mounting the repository's .git history into the sandbox.

Intended for monorepos where the package definition and the source it packages live in the same repository. By default it archives the requested path at the commit melange is building, so the packaged source is exactly the source as it existed in that commit. An explicit ref/tag is still supported and is verified against expected-commit.

The archive runs before the sandbox starts: melange resolves the commit, verifies it, and extracts only the requested path into a temp dir that becomes the source dir. The resolved commit is recorded back into the step so SBOM provenance reflects the exact source even when the manifest omits a ref. Falls back to the git CLI to resolve HEAD when go-git cannot determine the build commit (e.g. in a linked worktree).
The git and tar commands are constructed from melange build configuration inputs (path/ref) and a melange-created temp dir, the same trust model as the existing git-checkout and patch pipelines. Annotate with #nosec G204 to satisfy the linter, matching the convention used elsewhere in the tree.
Replace the single 'ref' input with 'tag' and 'branch' (mutually exclusive), matching the established git-checkout pipeline vocabulary for familiarity and to align with wolfictl's bump handling, which keys off 'tag' and 'expected-commit'. When neither tag nor branch is given, the build commit is still used (and its assurance), preserving the bare co-located form.
Archives a committed fixture subtree from the local repository at the build commit and verifies the files land in the workspace with their path prefix preserved, and that files outside the archived subtree are not present. Uses the build-commit default (no tag/branch) so it works on the shallow CI checkout without relying on tags or history.
- gitArchive: always wait on tar and errors.Join both commands so the originating failure is surfaced and the tar child is never leaked (was returning on archive failure without reaping tar, and masking tar failures behind git's EPIPE).
- maybeGitArchiveSource: hard-error on more than one git-archive step or on placement in a nested/subpackage pipeline (was silently ignoring all but the first). Error when combined with an empty workspace.
- Preflight host git/tar with exec.LookPath for a clear error, since the archive runs host-side (the pipeline 'needs' only covers the sandbox).
- Honor and document .gitattributes (export-ignore/export-subst): soften the 'exactly as committed' wording and note the export-subst content consideration in multi-contributor repos.
- Share config.UnknownCommit instead of the bare "unknown" sentinel.
- Return a non-nil no-op cleanup func so callers can defer unconditionally.
- Comment the SBOM write-back's per-build-config safety and the intentional double-copy trade-off; drop duplicate log line.
- Tests: export-ignore omission, tag and branch refs, and the multiple/misplaced git-archive guards.

- …guard
- pass -- / --end-of-options to git so config-supplied path/ref cannot inject options (host-side arbitrary file write via --output)
- branch + expected-commit now matches git-checkout: expected-commit may be an older commit on the branch and is what gets archived
- reject git-archive in test pipelines (melange test never archives)
- warn when archiving HEAD with uncommitted changes under path
- drop redundant re-substitution; Compile already resolves step.With
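The two host-side fixes described in the commit messages above, the `--` option-injection guard and waiting on both children of the `git archive | tar` pipe, as an added Go example (not melange's own code). It assumes git and tar are on the host and that the commit has already been resolved and checked against expected-commit before it is handed in.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// archiveArgs builds the argv for git archive. The config-supplied path is placed
// after "--" (as --end-of-options does for refs handed to rev-parse), so a value
// such as "--output=/tmp/x" is treated as a pathspec, never as an option.
func archiveArgs(commit, path string) ([]string, error) {
	if !fullSHA.MatchString(commit) {
		return nil, fmt.Errorf("refusing to archive unverified commit %q", commit)
	}
	return []string{"archive", "--format=tar", "--", commit, path}, nil
}

// extract runs `git archive | tar -xf - -C dest`. Both children are always waited on
// and their errors joined, so a tar failure is not masked by git's EPIPE and no child leaks.
func extract(ctx context.Context, repo, commit, path, dest string) error {
	args, err := archiveArgs(commit, path)
	if err != nil {
		return err
	}
	git := exec.CommandContext(ctx, "git", append([]string{"-C", repo}, args...)...)
	tar := exec.CommandContext(ctx, "tar", "-xf", "-", "-C", dest)
	git.Stderr, tar.Stderr = os.Stderr, os.Stderr
	pipe, err := git.StdoutPipe()
	if err != nil {
		return err
	}
	tar.Stdin = pipe // tar inherits the read end; git exiting closes the write end
	if err := tar.Start(); err != nil {
		return errors.Join(err, pipe.Close())
	}
	if err := git.Start(); err != nil { // a failed Start closes the pipe: tar sees EOF
		return errors.Join(err, tar.Wait())
	}
	if err := errors.Join(git.Wait(), tar.Wait()); err != nil {
		return fmt.Errorf("git %s | tar -xf - -C %s: %w", strings.Join(args, " "), dest, err)
	}
	return nil
}
```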
436725c to 94e2476