log: remove zap & go-chi dependecy from pkg/types#2667
Merged
Hayden-IO merged 1 commit intosigstore:mainfrom Nov 4, 2025
Merged
log: remove zap & go-chi dependecy from pkg/types#2667Hayden-IO merged 1 commit intosigstore:mainfrom
Hayden-IO merged 1 commit intosigstore:mainfrom
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2667 +/- ##
===========================================
- Coverage 66.46% 26.12% -40.34%
===========================================
Files 92 191 +99
Lines 9258 20112 +10854
===========================================
- Hits 6153 5254 -899
- Misses 2359 14029 +11670
- Partials 746 829 +83
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Contributor
|
Can you add the license header to the new file? |
Currently the uber/zap logger and go-chi middleware have leaked into the library packages in pkg/types imported by other projects. This adds internal dependency-free logger as default for these library packages. Any user of Zap or the Rekor CLI utilities can continue to use `pkg/log` to use and configure Zap without any changes. The internal logger is silent by default as suitable for libraries. Signed-off-by: Tonis Tiigi <[email protected]>
tonistiigi
force-pushed
the
log-dependency-fix
branch
from
81c0f4e to
09290ed
Compare
Contributor
Author
Done |
Hayden-IO
approved these changes
Nov 4, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Rekor currently depends on Uber’s Zap logging framework (with go-chi middleware integration). It’s unclear to me why this particular stack was introduced, as other Sigstore projects don’t seem to use it.
However, this dependency leaks into library packages such as those under
pkg/types, which are meant to be reused by other projects likesigstore-gowhen running TLog verification. This adds an unnecessary heavy dependency and also causes out-of-place log output in importing applications.This PR fixes that by adding a lightweight, dependency-free internal logger (
pkg/internal/log) as the default for these library packages. The internal logger is silent by default, which is suitable for libraries. Any user of Zap or the Rekor CLI utilities can continue to configure logging viapkg/logwithout any code or behavior changes(Rekor CLI still gets all the same logs as before). If an importing application wants to capture logs from Rekor libs, it can configure thepkg/logpackage as before.Dependency footprint change for
sigstore-go/verifier:Release Note
Documentation