Handle private repositories dependencies #31
Conversation
* feat: ✨ try support for multiple private repositories * fix: 🐛 try one pk only * feat: ✨ use multiple keys * feat: ✨ add admin module pk * fix: 🐛 some fixes * try one key * revert: ⏪ simpler approach * feat: ✨ add CARGO_NET_GIT_FETCH_WITH_CLI env * revert: 💚 try something out * feat: ✨ use deploy keys * feat: ✨ add cargo vendor * fix: 🐛 add CARGO_NET_GIT_FETCH_WITH_CLI at reproducible build * fix: 🐛 do not compile vendor directories * fix: 🐛 minor fix * fix: * fix: 🔥 avoid jq install
* feat: 🚧 try deploy keys as unique var * feat: ⚡ remove private dependencies input var * fix: 🐛 final fixes
rvignolo
changed the title
|
any updates @andreibancioiu ? thank you! |
| @@ -110,17 +121,20 @@ jobs: | |||
| - name: Build the wasm contracts | |||
| env: | |||
| RUSTFLAGS: "" | |||
| CARGO_NET_GIT_FETCH_WITH_CLI: true | |||
There was a problem hiding this comment.
| - name: Setup Credentials | ||
| uses: webfactory/[email protected] | ||
| env: | ||
| SUPER_SECRET: ${{ secrets.deploy-keys }} | ||
| if: ${{ env.SUPER_SECRET != '' }} | ||
| with: | ||
| ssh-private-key: ${{ secrets.deploy-keys }} | ||
|
|
There was a problem hiding this comment.
We'd like to avoid using an additional third party step, if possible (and only have it as a last resort).
| toolchain: ${{ inputs.rust-toolchain }} | ||
| target: wasm32-unknown-unknown | ||
|
|
||
| - name: Vendored dependencies (if private dependencies are used) |
There was a problem hiding this comment.
Thus, private dependencies are brought locally, before starting the build, correct (sorry if I misunderstood)?
If so, the usual contract verification flow (which relies on the Docker container to perform the whole build) would not be able to cover this case (however, for verified contracts, private dependencies would not be acceptable, anyway).
| @@ -196,6 +210,14 @@ jobs: | |||
| steps: | |||
| - uses: actions/checkout@v3 | |||
|
|
|||
| - name: Setup Credentials | |||
There was a problem hiding this comment.
For contracts.yml (not for reproducible-build.yml), the solution you've previously provided (without altering contracts.yml) seems sufficient (an additional step in the workflow file of the repository itself):
multiversx/mx-sdk-rust-contract-builder#59 (comment)
Maybe we can promote and document that solution, and have contracts.yml untouched (at least, from the perspective of setting up credentials)?
| @@ -86,6 +90,42 @@ jobs: | |||
| fetch-depth: 0 | |||
| repository: ${{ env.GITHUB_REPOSITORY }} | |||
|
|
|||
| - name: Setup Credentials | |||
There was a problem hiding this comment.
We understand the need of a closed-source contract to depend on private dependencies, e.g. for development phase 👍 - of course, this is not wise for contracts deployed on mainnet - such contracts cannot pass the verified and reproducible build check.
Though, how would you feel about the options below?
(A) have your private dependencies brought as git submodules in your main private repository, then alter the Cargo.toml to point to them (of course, making your project open-source would reveal the source code of the dependencies, as well).
(B) in the Docker images for reproducible builds, we can enable ssh-agent, and run ssh-add (if any key is provided in the Docker environment) - I did not yet test this approach, though.
(C) allow reproducible-build.yml to be parametrized with the fully qualified-name of a Docker image (instead of image_tag only) - this way, you can use a custom Docker image to perform the build of a closed-source contract.
|
@rvignolo, sorry for the delayed response 🙏 |
An action would look like:
or