-
-
Notifications
You must be signed in to change notification settings - Fork 9.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
attestations: widen the beta #17692
attestations: widen the beta #17692
Conversation
This widens the beta to include people with developer mode enabled, as well as those with HOMEBREW_DEVELOPER set in their environment. Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
What's the status of sigstore-ruby? Thought we were waiting to see how that went. If we are wanting to force install |
It's still under active development here: https://github.com/sigstore/sigstore-ruby. I don't think it's ready for prime-time here yet, though.
I might be misunderstanding, but |
Yes, but we don't have |
I think this should ideally just check if we have a valid bottle for this, then, and only auto-install if so. |
Ah, gotcha! Yeah, IMO we can carve those users out for the next round of expansion. |
Signed-off-by: William Woodruff <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome!
If you're wanting a quick way to do this, it would be worthwhile adding |
@Bo98 @woodruffw |
@shivammathur Thanks for raising this. Should be resolved with #17713. |
@p-linnane @MikeMcQuaid Thanks for resolving this quickly. |
@shivammathur you're welcome! |
@shivammathur to help us understand how to proceed here: is there a reason your action is using Homebrew with developer mode enabled? Most users shouldn't need to do this, especially when just using Homebrew to set up an action's dependencies. (Similarly, is there a reason you're tracking I'd like to flip this on by default more in the coming days, so it'd be helpful to understand whether this needs to affect you yet or whether it's something that can be addressed per above 🙂 |
I agree that action probably shouldn't use
Even when ignoring the desire to avoid having to bootstrap
I completely forgot that was a requirement when initially reviewing this. |
Yes, I will remove We sync brew to master instead of a release as that has been a better experience to sync the core tap in cases when updates in the core tap require latest changes from brew. To @Bo98 point, yes, if this becomes a default, then anyone using brew in CI would have to provide a token, it would be great if the env flag to disable this is kept permanently so that we can recommend providing a token moving forward rather than it being a requirement. |
I agree with this. To be clear: I'm not talking about widening the beta to GA in the coming days, I meant widening it back out to people with
TL;DR my position is that we should widen this back to Edit: sorry, forgot to add my response to @shivammathur here as well: Thank you for looking into this! Per above, I 100% agree that requiring GH auth cannot be a default for when we move this feature to GA. |
This seems like a good idea 👍🏻 Could also probably consider documenting the opt-out variable, too.
Agreed. |
I don't really agree with this. There's quite a large range of users with 13.5% of our analytics are from users with
This could work, though might suggest adjusting the messaging and/or handling for the invalid credentials case to potentially be non-fatal for this subset of users. |
Hmm, that's a much higher number than I realized. Given that, yeah, I can see how developer mode is not a strong precedent for expecting GH creds to be present.
Yes, agreed -- I think it makes sense to make it a non-fatal warning for this phase. |
Take 2 of #17692 but with: - provide and document `HOMEBREW_NO_VERIFY_ATTESTATIONS` - don't try to run unless there's a GitHub token set - don't try to run unless `gh` is installed - don't try to run in CI While we're here: - split out a `Homebrew::EnvConfig.devcmdrun?` helper method - default `HOMEBREW_GITHUB_API_TOKEN` to `$GITHUB_TOKEN` if unset. - add some missing `Homebrew::EnvConfig.github_api_token` presence checks
Take 2 of #17692 but with: - provide and document `HOMEBREW_NO_VERIFY_ATTESTATIONS` - don't try to run unless there's GitHub credentials - don't try to run unless `gh` is installed - don't try to run in CI While we're here: - split out a `Homebrew::EnvConfig.devcmdrun?` helper method - add some missing `Homebrew::EnvConfig.github_api_token` presence checks
Take 2 of #17692 but with: - provide and document `HOMEBREW_NO_VERIFY_ATTESTATIONS` - don't try to run unless there's GitHub credentials - don't try to run unless `gh` is installed - don't try to run in CI While we're here: - split out a `Homebrew::EnvConfig.devcmdrun?` helper method - add some missing `Homebrew::EnvConfig.github_api_token` presence checks
Take 2 of Homebrew#17692 but with: - provide and document `HOMEBREW_NO_VERIFY_ATTESTATIONS` - don't try to run unless there's GitHub credentials - don't try to run unless `gh` is installed - don't try to run in CI While we're here: - split out a `Homebrew::EnvConfig.devcmdrun?` helper method - add some missing `Homebrew::EnvConfig.github_api_token` presence checks
This widens the attestations beta to include people with developer mode enabled, as well as those with
HOMEBREW_DEVELOPER
set in their environment.Needs tests.brew style
with your changes locally?brew typecheck
with your changes locally?brew tests
with your changes locally?