In terraform-provider-apko the yaml configuration is resolved, and attached as an attestation, which is fully reproducible and possible to rebuild offline with a local cache of apks.
The partial lockfiles in json are incomplete configuration, which still requires yaml configuration, and can generate non-reproducible results - or rather unplanned for results (yaml with arches x86_64 and arm64, plus a lockfile of the same, happily can be asked to create an empty s390x image).
Currently I don't see a direct cli command to translate yaml file from a multi-arch one, to a fully resolved single target arch yaml configuration.
Also the fully resolved yaml configuration doesn't currently record checksums, or at least reference locked apkindex somehow. They are encoded in the SPDX json however.
A lot of code could be removed from apko, and a lot of things could be removed from rules_apko, if instead of json lock file the pagadim would be "apko.yaml => apko.$targetarch.yaml => oci image". And would fit the bazel ideas more cleanly, with better reproducibility (matching the apko behaviour as used elsewhere).
Whilst the bazel download cache handling is admirable, it is also a burden to maintain for no additional gain (apko is designed to be fully reproducible with its existing cache.... and yet somehow bazel doesn't quite let one achieve the same goals).
I wonder if apko could populate / fetch cache natively, and for bazel to accept that, without maintaining infrastructure to support json lock files in apko. Or if some sort of generator could be created that would recreate apko cache-dir based on the locked yaml configuration external to apko codebase.
Bazel documentation is very user centric, and it is not clear how to best integrate foreign packages. Also a lot of foreign packages repositories are oriented to fetching source code and building it; rather than pre-built binaries (which is what .apks are). Even looking at go, instead of pushing bazel specific integrations into go get a separate generator gazelle was written that mangles things on bazel terms. Something like that would be best here too.
I rough bazel terms, I think following "rules" will be needed:
- something that accepts apko.yaml and tracks it
- something that can translate apko.yaml to a resolved apko.$targetarch.yaml for as many arches as needed and track it
- something that can given apko.$targetarch.yaml can create bazel accepted http cache, which happens to be acceptable as apko's go-apk cache too, and track its state
- allow updating the go-apk cache from scratch (for example, during key rotation, or apk version reuse - not the case for cgr.dev publications, but possibly true for local / self-service publications)
- allow updating the resolved apko.$targetarch.yaml upon remove archive moves
- remove usage of json lockfiles, remove --lockfile from apko
- allow calling apko build against just apko.yaml
- allow calling apko build against apko.$targetarch.yaml without cache
- allow calling apko build against apok.$targetarch.yaml with bazel managed build-cache and thus --offline
- never use json lockfiles anymore
This will significantly simply apko & rules_apko maintenance, reduce codebase of both, and make the builds more flexible and possibly even faster.
In terraform-provider-apko the yaml configuration is resolved, and attached as an attestation, which is fully reproducible and possible to rebuild offline with a local cache of apks.
The partial lockfiles in json are incomplete configuration, which still requires yaml configuration, and can generate non-reproducible results - or rather unplanned for results (yaml with arches x86_64 and arm64, plus a lockfile of the same, happily can be asked to create an empty s390x image).
Currently I don't see a direct cli command to translate yaml file from a multi-arch one, to a fully resolved single target arch yaml configuration.
Also the fully resolved yaml configuration doesn't currently record checksums, or at least reference locked apkindex somehow. They are encoded in the SPDX json however.
A lot of code could be removed from apko, and a lot of things could be removed from rules_apko, if instead of json lock file the pagadim would be "apko.yaml => apko.$targetarch.yaml => oci image". And would fit the bazel ideas more cleanly, with better reproducibility (matching the apko behaviour as used elsewhere).
Whilst the bazel download cache handling is admirable, it is also a burden to maintain for no additional gain (apko is designed to be fully reproducible with its existing cache.... and yet somehow bazel doesn't quite let one achieve the same goals).
I wonder if apko could populate / fetch cache natively, and for bazel to accept that, without maintaining infrastructure to support json lock files in apko. Or if some sort of generator could be created that would recreate apko cache-dir based on the locked yaml configuration external to apko codebase.
Bazel documentation is very user centric, and it is not clear how to best integrate foreign packages. Also a lot of foreign packages repositories are oriented to fetching source code and building it; rather than pre-built binaries (which is what .apks are). Even looking at go, instead of pushing bazel specific integrations into
go geta separate generator gazelle was written that mangles things on bazel terms. Something like that would be best here too.I rough bazel terms, I think following "rules" will be needed:
This will significantly simply apko & rules_apko maintenance, reduce codebase of both, and make the builds more flexible and possibly even faster.