-
Notifications
You must be signed in to change notification settings - Fork 601
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: stronger pinning of jsonnet dependencies? #762
Comments
Hey, have you come across any problem due to this? jsonnet bundler(jb) does have a way to pin the dependencies. Look at https://github.com/prometheus-operator/kube-prometheus/blob/main/jsonnetfile.lock.json for example. |
Yes, I can't build this project in a sandboxed environment without network access. If you'd either ship the dependencies vendored-in, or commit a lockfile with hashes, that should work. |
This issue has not had any activity in the past 30 days, so the
Thank you for your contributions! |
still relevant |
Thanks @flokli, I added the keepalive label to prevent it getting closed. |
It seems this project uses
jsonnet-builder
as a way to manage jsonnet dependencies.I peeked at the
jsonnetfile.json
in the repo:This just seems to use the master branch, but doesn't use any strong pinning.
This means, it's not possible to ensure the same outputs are produced, or building in a sandbox where network access is blocked (except for dependencies where the hash is already provided upfront).
Does jsonnet-builder provide some sort of lockfile, or could you use their vendoring function instead of loosely tracking master?
The text was updated successfully, but these errors were encountered: