legal: Include license in release zip, Docker image and linux packages#34977
legal: Include license in release zip, Docker image and linux packages#34977
Conversation
| @@ -29,8 +29,23 @@ LABEL version=$PRODUCT_VERSION | |||
| # Historical Terraform-specific label preserved for backward compatibility. | |||
| LABEL "com.hashicorp.terraform.version"="${PRODUCT_VERSION}" | |||
|
|
|||
There was a problem hiding this comment.
Question for RelEng: Is this the actual Dockerfile that is in use today? Because there is also https://github.com/hashicorp/terraform-releases/blob/master/build-support/docker-release/Dockerfile-release but that has been updated a lot less recently (last update was 4 years ago) so my assumption is that is no longer used.
There was a problem hiding this comment.
Yes afaik the one in terraform-releases is a legacy one from before y'all onboarded to our Common Release Tooling - you have the correct one here (build-Dockerfile)
| ACTIONSOS: ${{ inputs.runson }} | ||
| CGO_ENABLED: ${{ inputs.cgo-enabled }} | ||
| uses: hashicorp/[email protected].7 | ||
| uses: hashicorp/actions-go-build@e20c6be7bf010e40e930dab20e6da63176725ec1 # v0.1.9 |
There was a problem hiding this comment.
I noticed that we were a couple of versions behind of this action so it seemed like a good idea to upgrade, but I do worry a little whether I'm introducing more change in this PR than I need to.
There was a problem hiding this comment.
this should be totally safe to do - other product repos are using 0.1.9 successfully
There was a problem hiding this comment.
I agree upgrading should be fine, but why is this a specific commit sha and not @v0.1.9?
There was a problem hiding this comment.
Using SHAs is generally considered a best practice for security -- while in this case it's perhaps less of an issue since HashiCorp owns actions-go-build, it's still technically an open-source project and so it's a good idea to reference an immutable release as described here. I've also generally found it easiest to default to using purely SHAs these days.
| zip_name: ${{ env.ARTIFACT_BASENAME }} | ||
| instructions: |- | ||
| mkdir dist out | ||
| set -x | ||
| go build -ldflags "${{ inputs.ld-flags }}" -o dist/ . | ||
| zip -r -j out/${{ env.ARTIFACT_BASENAME }} dist/ | ||
| go build -ldflags "${{ inputs.ld-flags }}" -o "$BIN_PATH" -trimpath -buildvcs=false | ||
| cp LICENSE "$TARGET_DIR/LICENSE.txt" |
There was a problem hiding this comment.
This is the part that I'm least confident about; as I was going through https://github.com/hashicorp/actions-go-build/blob/main/README.md I realized our implementation is wildly different from all the examples there. Notably, we currently run the zip command manually while the action seems to be intended to abstract that away. It seems like a good idea to me to be more consistent with how the action is intended to be used, but I worry a little that there might be unintended side effects.
Specific questions:
- Is it okay to remove the
set -xin ourinstructions? Can I safely assume that the action is taking care of that? - We don't currently use the
-trimpath -buildvcs=falseflags but all of the examples use them, should we be using them as well? - Where does the zip file actually get created as part of this? (See also question on line 69 below.)
There was a problem hiding this comment.
Is it okay to remove the set -x in our instructions? Can I safely assume that the action is taking care of that?
Yes this should be fine as set -x enables a mode of the shell where all executed commands are printed to the terminal for debugging purposes. If you specifically want to leave this in then that's also not a problem!
We don't currently use the -trimpath -buildvcs=false flags but all of the examples use them, should we be using them as well?
You don't have to, this is used to help ensure that builds are reproducible (see https://github.com/hashicorp/actions-go-build?tab=readme-ov-file#build-path and https://github.com/hashicorp/actions-go-build?tab=readme-ov-file#vcs-information
Where does the zip file actually get created as part of this? (See also question on line 69 below.)
the Zip file will automatically get uploaded to the workflow run so you shouldn't need to do this in a separate step
| with: | ||
| name: ${{ env.ARTIFACT_BASENAME }} | ||
| path: out/${{ env.ARTIFACT_BASENAME }} | ||
| path: ${{ env.ARTIFACT_BASENAME }} |
There was a problem hiding this comment.
Related to the above, if we're no longer manually creating the out dir, where does the zip file get created? One thing that surprised me as I was navigating the actions-go-build docs is that I couldn't find a single example of any workflows that do something with the created zip file in subsequent steps, which seems like it'd be a common use case.
| - name: Determine artifact basename | ||
| run: echo "ARTIFACT_BASENAME=${{ inputs.package-name }}_${{ inputs.product-version }}_${{ inputs.goos }}_${{ inputs.goarch }}.zip" >> $GITHUB_ENV |
There was a problem hiding this comment.
@sarahethompson One more question (tysm for your help!) -- based on what you said about actions-go-build taking care of uploading the zip, from what I can tell in that case, it should no longer be necessary for us to determine the artifact name here and so I removed this step as well, but please let me know if you think this will cause any issues!
There was a problem hiding this comment.
Yes as far as I can tell you are totally right here!
|
Regarding the changelog: I'd bet that at least some Terraform CLI users have automation that fetches the zip archives and extracts them directly into a While extracting a non-executable For those who are using the typical |
| env: | ||
| LICENSE_DIR: ".release/linux/package/usr/share/doc/${{ inputs.package-name }}" | ||
| run: | | ||
| mkdir -p "$LICENSE_DIR" && cp LICENSE "$LICENSE_DIR/LICENSE.txt" |
There was a problem hiding this comment.
For Debian-based distributions in particular there's a convention for this directory to contain a file named copyright which follows a machine-readable format.
While of course we aren't compelled to follow that convention since we aren't intending these packages to go into the main Debian archive, following the distribution conventions might make it easier for folks to use existing tools to catalog the licenses of software they have installed, to aid with verifying license compliance.
As far as I know the specified format for these files is a relatively new thing and there are various existing official Debian packages that instead just place the license text verbatim into the file without any special formatting, and so a pragmatic compromise might be to just change the name of the file from LICENSE.txt to copyright but leave its contents otherwise unchanged, rather than trying to maintain or generate a separate file that uses the Debian-specific file format. 🤔
(I expect there's probably an established convention for RPM-based distributions too, but I'm not familiar with that ecosystem.)
There was a problem hiding this comment.
FYI I've flagged this for the RelEng team to consider and they'll be looking into this suggestion this week.
There was a problem hiding this comment.
RelEng has decided they'd like to stick with the original (current) approach, keeping the licenses as .txt files.
kmoe
added
the
1.8-backport
|
Approved following successful manual test |
|
Reminder for the merging maintainer: if this is a user-visible change, please update the changelog on the appropriate release branch. |
ghost
mentioned this pull request
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
5 participants
We have a new requirement from Legal to include a copy of the license with all release .zip files, Docker images, and linux packages. This PR is based on guidance from this doc as well as the work the Nomad team did over in hashicorp/nomad#20345.
Target Release
1.8.2
Draft CHANGELOG entry
UPGRADE NOTES
Starting with this release, we are including a copy of our license file in all packaged versions of our releases, such as the release
.zipfiles. If you are consuming these files directly and would prefer to extract the one terraform file instead of extracting everything, you need to add an extra argument specifying the file to extract, like this: