Skip to content

refactor: switch to standard Go vendoring for cross-distro packaging #35

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

refactor: switch to standard Go vendoring for cross-distro packaging #35

wants to merge 1 commit into from

Conversation

@pcdubs
Copy link

@pcdubs pcdubs commented Oct 31, 2025
edited
Loading

Replace go-vendor-tools with standard Go module vendoring to support building on both Fedora and CentOS/RHEL with a single spec file.

Changes:

  • Commit vendor/ directory to git (vendored dependency files)
  • Include vendor/ directory in Source0 tarball
  • Add .gitattributes to exclude vendor/ from GitHub diffs
  • Set GO111MODULE=on and GOFLAGS=-mod=vendor for build and test phases
  • Remove go-vendor-tools dependency from spec and Packit config
  • Add vendor/modules.txt to %license for bundled dependency tracking
  • Add testdata files (dc.bin, mfg_key.pem, ov.pem, embed.go) to vendored go-fdo package required by //go:embed directives for build-time compilation

CI workflow updates:

  • Exclude vendor/ from codespell spell-check to avoid false positives in third-party dependencies
  • Exclude vendor/ from DevSkim security scanner to prevent flagging vendored code issues

This approach follows the standard pattern used by major Go packages in Fedora and matches the vendoring implementation in go-fdo-server.

@pcdubs pcdubs force-pushed the centos-packaging branch 2 times, most recently from ce430de to fc25a13 Compare October 31, 2025 21:27
@pcdubs pcdubs marked this pull request as ready for review November 3, 2025 13:50
@runcom runcom added this to the 1.0.0 milestone Nov 7, 2025
@mmartinv
Copy link
Collaborator

mmartinv commented Nov 7, 2025
edited
Loading

I don't think we need to enable vendoring in this project, it's something related to downstream packaging and should be done by the packaging process.

Am I missing something?

@ben-krieger
Copy link
Member

ben-krieger commented Nov 7, 2025

I've been bitten by vendoring in weird ways and seen it break the build.

Sometimes retagging causes hash changes and some of our dependencies do this.

Sometimes you rely on a private repo and you get different hashes if one side didn't have git lfs installed.

The costs don't seem worth it to me. What's the benefit we're hoping for?

refactor: switch to standard Go vendoring for cross-distro packaging
280b7f4 
Replace go-vendor-tools with standard Go module vendoring to support
building on both Fedora and CentOS/RHEL with a single spec file.

Changes:
- Use `go mod vendor` + `tar` to create separate vendor tarball at
  release time via packit's create-archive action
- Source0: project source from git archive (no vendor/)
- Source1: vendor tarball created by `go mod vendor`
- Remove go-vendor-tools dependency (EPEL-only package)
- Remove %generate_buildrequires and %go_generate_buildrequires macros
- Add vendor/ to .gitignore

Signed-off-by: Paul Whalen <[email protected]>
@pcdubs pcdubs marked this pull request as draft November 10, 2025 01:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mmartinv mmartinv Awaiting requested review from mmartinv

@runcom runcom Awaiting requested review from runcom

@ben-krieger ben-krieger Awaiting requested review from ben-krieger

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

1.0.0

Development

Successfully merging this pull request may close these issues.

4 participants

@pcdubs @mmartinv @ben-krieger @runcom