Skip to content

refactor: switch to standard Go vendoring for cross-distro packaging #100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

refactor: switch to standard Go vendoring for cross-distro packaging #100

wants to merge 1 commit into from
+26 −35

Conversation

@pcdubs
Copy link

@pcdubs pcdubs commented Oct 30, 2025
edited
Loading

Replace go-vendor-tools with standard Go module vendoring to support
building on both Fedora and CentOS/RHEL with a single spec file.

Changes:

  • Commit vendor/ directory to git (998 vendored dependency files)
  • Include vendor/ directory in Source0 tarball
  • Set GO111MODULE=on and GOFLAGS=-mod=vendor for build and test phases
  • Remove go-vendor-tools dependency from spec and Packit config
  • Add vendor/modules.txt to %license for bundled dependency tracking
  • Add testdata files (dc.bin, mfg_key.pem, ov.pem) to vendored go-fdo
    package required by //go:embed directives for build-time compilation

CI workflow updates:

  • Exclude vendor/ from codespell spell-check to avoid false positives
    in third-party dependencies
  • Exclude vendor/ from DevSkim security scanner to prevent flagging
    vendored code issues
  • Disable Go dependency caching in setup-go action since vendored
    dependencies don't require go.sum

This approach follows the standard pattern used by major Go packages
in Fedora and ensures compatibility across distributions.

@pcdubs
Copy link
Author

pcdubs commented Oct 30, 2025

/packit rebuild

@pcdubs pcdubs force-pushed the centos-packaging branch 4 times, most recently from fe8b57a to d03317d Compare October 31, 2025 16:06
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 31, 2025
View reviewed changes
Copy link

@github-advanced-security github-advanced-security bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

devskim found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@pcdubs pcdubs force-pushed the centos-packaging branch 2 times, most recently from 80949ce to 1911209 Compare October 31, 2025 17:04
@pcdubs pcdubs changed the title Support building on both Fedora and RHEL/CentOS refactor: switch to standard Go vendoring for cross-distro packaging Oct 31, 2025
@pcdubs pcdubs marked this pull request as ready for review November 3, 2025 13:49
ben-krieger
ben-krieger reviewed Nov 4, 2025
View reviewed changes
Copy link
Member

@ben-krieger ben-krieger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personally, I hate vendoring. Before Go modules, it was the best way (at least before dep), but now it's a huge pain.

  1. It requires devs to remember an extra step before pushing
  2. It significantly slows down git clones and gets much worse over time with no great ways to fix
  3. It makes GitHub reviews much worse for humans

On the plus side, it makes building with Nix easier.

At a bare minimum, the gitattributes must be changed so GitHub doesn't show vendored files in the diffs. If review pages start failing to load due to diff size (especially on mobile), it will be hard for me to help.

@pcdubs
Copy link
Author

pcdubs commented Nov 4, 2025

Personally, I hate vendoring. Before Go modules, it was the best way (at least before dep), but now it's a huge pain

I looked at different options without using EPEL and this seems to be a standard practice used by other projects for supporting both Fedora and Centos in a single spec file.

  1. It requires devs to remember an extra step before pushing

The extra step should only be needed when dependencies are added or updated. We can mitigate this by adding a pre-commit hook that validates vendor/ is in sync and/or a CI check that will fail if not.

  1. It significantly slows down git clones and gets much worse over time with no great ways to fix

A definite drawback. I think cross distro compatibility is worth it, but I'm happy to explore other options if you have suggestions.

  1. It makes GitHub reviews much worse for humans

I've added gitattributes to exclude vendor files from diffs, which should help the review experience. Thanks for the suggestion.

refactor: switch to standard Go vendoring for cross-distro packaging
69cd212 
Replace go-vendor-tools with standard Go module vendoring to support
building on both Fedora and CentOS/RHEL with a single spec file.

Changes:
- Use `go mod vendor` + `tar` to create separate vendor tarball at
  release time via packit's create-archive action
- Source0: project source from git archive (no vendor/)
- Source1: vendor tarball created by `go mod vendor`
- Remove go-vendor-tools dependency (EPEL-only package)
- Remove %generate_buildrequires and %go_generate_buildrequires macros
  (not needed when vendoring dependencies)
- Fix SOURCE references for sysusers files
- Add vendor/ to .gitignore

Signed-off-by: Paul Whalen <[email protected]>
@pcdubs pcdubs marked this pull request as draft November 10, 2025 01:07
mmartinv
mmartinv reviewed Nov 12, 2025
View reviewed changes
Copy link
Collaborator

@mmartinv mmartinv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the only thing I am missing is the replacement of the licensing macros, maybe we can use the tools externally to generate the files and include them in the spec.

build/package/rpm/go-fdo-server.spec
%setup -q -T -D -a1 %{forgesetupargs}
#%%autopatch -p1

%generate_buildrequires
Copy link
Collaborator

@mmartinv mmartinv Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we replace this with %go_generate_buildrequires from the go-rpm-macros package? not sure if that would work though

build/package/rpm/go-fdo-server.spec
Source0: %{gosource}
# Generated by go-vendor-tools
Source1: %{archivename}-vendor.tar.bz2
Source2: go-vendor-tools.toml
Copy link
Collaborator

@mmartinv mmartinv Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although we are not going to use the go-vendor-tools.toml file from within the spec file, it might worth it to maintain it in the sources so it's possible to generate the vendor tarball externally with go-vendor-tools. ??

Makefile
Comment on lines -49 to +51
command -v go_vendor_archive || sudo dnf install -y go-vendor-tools python3-tomlkit; \
go_vendor_archive create --config $(GO_VENDOR_TOOLS_FILE) --write-config --output $(VENDOR_TARBALL) .; \
rm -rf vendor;
go mod vendor; \
tar -cjf $(VENDOR_TARBALL) vendor/; \
rm -rf vendor
Copy link
Collaborator

@mmartinv mmartinv Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem is the spec file depending on go-vendor-tools, not its use in the Makefile. We can keep the current vendor tarball generation I believe

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mmartinv mmartinv mmartinv left review comments

@ben-krieger ben-krieger ben-krieger left review comments

@kgiusti kgiusti Awaiting requested review from kgiusti

@runcom runcom Awaiting requested review from runcom

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pcdubs @mmartinv @ben-krieger