feat: Relax constraints for alpine utilities #4024
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I'm totally fine with 2, and due to the issues this brings, pinning to the major version is totally fine. |
jamengual
approved these changes
Dec 8, 2023
ijames-gc
pushed a commit
to gocardless/atlantis
that referenced
this pull request
Feb 13, 2024
ijames-gc
pushed a commit
to gocardless/atlantis
that referenced
this pull request
Feb 13, 2024
1 task
terakoya76
pushed a commit
to terakoya76/atlantis
that referenced
this pull request
Dec 31, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
what
Relax constraints for utility packages installed in the alpine-based docker image
why
Right now, these packages require specific major and minor version but take the newest patch at build time. However, since we use a slim alpine version and no cache, that means as soon as a new minor version is released, build (and thus CI) will immediately fail. See for example: #4019
I understand the benefit of pinning versions (reproducible builds, etc.), but in this case I think relaxing the constraints is a net positive for two reasons:
curl for example, has an expected cadence for minor releases of about 8 weeks (https://curl.se/docs/releases.html), which will then block a completely unrelated PR, as well as any new PRs. At that point maintainers must make a manual but mechanical update before any subsequent changes can be made.
My argument for 2) is that the packages this affects (git, curl, bash, ...) are very stable projects and are (I believe) used in relatively vanilla ways throughout atlantis, such that minor releases are very unlikely to break anything. Of course any dependency can have bugs, so this is definitely a tradeoff, but again since we're already accepting any patch updates we already accept that risk, so we're just moving the needle slightly more towards the "get me fixes quickly" end of the spectrum.
For debian the pinning was removed entirely (#3528) due to an issue with the semantics of
apt-get. If maintainers would prefer we go that route with alpine for consistency and to remove this problem entirely, I'd be happy to make that change instead.Another direction would be to figure out how to pull down specific versions of packages (maybe apk has some kind of "archive" repo?) and actually pin all the versions, then periodically do a dedicated update.
tests
docker buildx build --target alpine .builds finereferences