Conversation
Replace all references to offline dl.flynn.io/releases.flynn.io with new GitHub Pages TUF repo at consolving.github.io/flynn-tuf-repo.

Key changes:
- Update TUF repo URL to include /repository suffix in all 17 locations (tup.config, builder/manifest.json, pkg/tufconfig, scripts, Go code)
- Embed 4 ed25519 root public keys in source defaults (tufconfig.go)
- Fix TUF root key threshold from len(RootKeys) to 1 in client init (host/cli/download.go, host/cli/update.go, cli/update.go, builder/build.go)
- Disable telemetry (offline dl.flynn.io/measure endpoint)
- Fix builder/img/busybox.sh: use system busybox-static, fix symlink bug
- Fix builder/img/ubuntu-bionic.sh: use debootstrap with bind mounts
- Expand script/build-flynn for standalone builds
- Add ._* and *.backup to .gitignore
- script/bootstrap-build: builds all 34 Flynn binaries from source without requiring a running cluster, with version embedding via ldflags
- script/export-tuf/main.go: standalone Go tool that builds squashfs layers, constructs ImageManifests/Artifacts, generates manifests (bootstrap-manifest.json, images.json), and stages/signs TUF targets
- Mark base layer scripts as executable
…st target

Add Dockerfile.ci for reproducible builds (Debian Buster, Go 1.13.15, CGO). Add GitHub Actions CI workflow with parallel build and test jobs. Add 'make test-unit-standalone' to run 21 pure Go test packages without requiring a prior full build or running cluster. Fix Makefile portability: replace GNU readlink -f with POSIX cd/pwd.
All 4 TUF keys (root, targets, snapshot, timestamp) were accidentally committed to the public flynn-tuf-repo. This rotates all keys using the new script/rotate-tuf-keys tool, which generates fresh ed25519 keys, revokes the old ones, and signs root.json with both old and new root keys per the TUF specification. Private keys are now stored outside the repo. Updates tup.config, builder/manifest.json, and tufconfig.go to reference the new root public keys (root.json v12).
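The rotation commit above relies on the TUF rule that a client accepts new root metadata only when it is signed by a threshold of the root keys it already trusts and by a threshold of the new root keys. A minimal sketch of that client-side check follows; it is an added example, not code from this pull request or from go-tuf, and the `Root` type, `VerifyRotation`, `demo`, the key IDs and the payload are all hypothetical or constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Root is a simplified stand-in for a TUF root role (hypothetical, not go-tuf's type).
type Root struct {
	Threshold int
	Keys      map[string]ed25519.PublicKey // key ID -> public key
}

// countValid returns how many of role's keys produced a valid signature over msg.
func countValid(role Root, msg []byte, sigs map[string][]byte) int {
	n := 0
	for id, pub := range role.Keys {
		if sig, ok := sigs[id]; ok && ed25519.Verify(pub, msg, sig) {
			n++
		}
	}
	return n
}

// VerifyRotation accepts next only if both the trusted and the new key set meet threshold.
func VerifyRotation(trusted, next Root, signed []byte, sigs map[string][]byte) error {
	if trusted.Threshold < 1 || countValid(trusted, signed, sigs) < trusted.Threshold {
		return fmt.Errorf("missing threshold of previously trusted root keys")
	}
	if next.Threshold < 1 || countValid(next, signed, sigs) < next.Threshold {
		return fmt.Errorf("missing threshold of new root keys")
	}
	return nil
}

// demo uses constructed keys and payload; signOld toggles the old key's co-signature.
func demo(signOld bool) error {
	oldPub, oldPriv, _ := ed25519.GenerateKey(nil)
	newPub, newPriv, _ := ed25519.GenerateKey(nil)
	trusted := Root{Threshold: 1, Keys: map[string]ed25519.PublicKey{"old": oldPub}}
	next := Root{Threshold: 1, Keys: map[string]ed25519.PublicKey{"new": newPub}}
	signed := []byte(`{"_type":"root","version":2}`) // constructed "signed" bytes
	sigs := map[string][]byte{"new": ed25519.Sign(newPriv, signed)}
	if signOld {
		sigs["old"] = ed25519.Sign(oldPriv, signed)
	}
	return VerifyRotation(trusted, next, signed, sigs)
}

func main() { fmt.Println(demo(true), demo(false)) }
```

A root file signed only by the new key is rejected, which is why a client that still pins the old root keys can follow the rotation without trusting the repository blindly.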
Debian Buster (10) is EOL and its package repositories at deb.debian.org return 404. Both CI jobs fail at apt-get update. Switch to debian:bookworm-slim (12) which is actively supported. Go 1.13.15 is still installed separately so this is a safe change.
The build job in CI failed because ${GITHUB_SHA::8} is bash-specific
substring syntax, but the Debian Bookworm container's default shell
is dash (sh), which doesn't support it. Replace with POSIX-compatible
$(echo "$GITHUB_SHA" | cut -c1-8).
No description provided.