terinjokes
left a comment
I have 24 GB of RAM, and reviewing this PR took all of it.
This will ensure vendor dir is populated
This will avoid slow clones on CI
This change means that if one of the dependencies is no longer available to download, Unsee builds will break until you fix Unsee to either update the package path or rework the code to use another library. Since Go has no central repository for packages like RubyGems (GitHub is probably the closest equivalent), it's usually recommended to vendor dependencies. If we're happy to risk new builds breaking at any time, this change is fine.
We have docker images already built at that point.
@prymitive: The occasion where that approach falls short is when you need to cut a new release in a hurry, for example to fix a security issue. Unsee is intended as an internal tool, which mitigates that problem to some extent. I think we should either document our expectations around this (i.e. Unsee is for internal use only in 'trusted' environments), or vendor our dependencies so we are in a position to cut 'hotfix' releases if needs be. My preference is for the latter.
vendor is committed to git mostly to speed up CI builds, but since the CI can cache this dir we can drop it and just enable cache