When #7277 was merged is was intended to create shasums accessible
in a way shasum -c or sha256sum could use to verify the files the
Helm project ships. The solution created a new file named
shasums.txt. This setup contained a few problems:
1. The new file file was not uploaded to get.helm.sh for someone
to download and use.
2. The file had not version in the naming or path. This means that
each new release of Helm will overwrite it. Downloading and
validating an old file is impossible.
3. If one downloads a single file, the shasums.txt file, and uses
shasum -c it will return an exit code that is 1. This is because
of missing files as it is looking for all the files from the
release.
4. The shasums.txt file is not signed for verification like the
other files.
This change fixes these problems with the following changes:
* Instead of a shasums.txt file there is a .sha256sum file for
each package. For example, helm-3.1.0-linux-amd64.zip.sha256sum.
This file will can be used with `shasum -a 256 -c` to verify
the single file helm-3.1.0-linux-amd64.zip. The exit code of
checking a single file is 0 if the file passes.
* This new .sha256sum file is signed just like the .tar.gz, .zip,
and .sha256 files. The provenance can be verified.
* The file name starts with `helm-` meaning the existing upload
script in the deploy.sh file will move it to get.helm.sh.
Note, the existing .sha256 file can be deprecated and removed
in Helm v4 with the new .sha256sum file taking over. But,
for backwards compatibility with scripts it needs to be kept
during v3.
Closes#7567
Signed-off-by: Matt Farina <matt@mattfarina.com>
With Helm using go modules, its git repo need not reside under
$GOPATH/src/helm.sh anymore. In fact it may be desirable for a user to
move it to another location (e.g., to get the debugger to work).
In the same train of thought, the acceptance-testing repo, which is not
even a go program, need not be in the GOPATH.
This commit reduces the requirement on the location of the
acceptance-testing repo to a relative path to the helm repo, instead
of an absolute path within GOPATH.
Signed-off-by: Marc Khouzam <marc.khouzam@montreal.ca>
Commands shasum -a 256 -c (or) sha256sum -c can read the SHA sum and validate the TAR/ZIP archive
Example:
Download helm-v3.0.2-darwin-amd64.tar.gz.sha256 and helm-v3.0.2-darwin-amd64.tar.gz and running below will resule in
shasum -a 256 -c helm-v3.0.2-darwin-amd64.tar.gz.sha256
helm-v3.0.2-darwin-amd64.tar.gz: OK
Closes#4968
Signed-off-by: Thilak Somasundaram <t2same@gmail.com>
These make targets are used as part of the release process. They
had yet to be brought over to the v3 branch from the v2 branch
as they were developed after the branching happened.
Signed-off-by: Matt Farina <matt@mattfarina.com>
Circleci is used to build the release artifacts and embeds build paths
into the binary release. To reproduce the release binaries we then need
to also build in the same path as a result.
$ strings linux-amd64/helm | grep "home/circleci" | wc -l
174
Go 1.13 introduces `-trimpath` which strips the build path from all
compiled binaries. This should enable people to reproduce the
distributed helm binaries.
https://reproducible-builds.org/docs/source-date-epoch/https://golang.org/doc/go1.13#go-command
Signed-off-by: Morten Linderud <morten@linderud.pw>
* Allow to run acceptance tests from main Helm repo
To run the acceptance tests, one can now do:
make test-acceptance
Signed-off-by: Marc Khouzam <marc.khouzam@ville.montreal.qc.ca>
* Allow to run completion tests from main Helm repo
To run the completion tests, one can now do:
make test-completion
Signed-off-by: Marc Khouzam <marc.khouzam@ville.montreal.qc.ca>
* Use the word 'clone' instead
Signed-off-by: Marc Khouzam <marc.khouzam@ville.montreal.qc.ca>
* Use test-acceptance-completion naming
Signed-off-by: Marc Khouzam <marc.khouzam@ville.montreal.qc.ca>
* Remove helmVersion constraint from charts
* Guard compile time set variables behind `internal/`
* Allow configuration of UserAgent for HTTPGetter
Signed-off-by: Adam Reese <adam@reese.io>
The `build` target will compile helm only when source code is modified
and run `dep ensure` if needed.
Only ensure golang tools are installed when needed for a specific target.
Signed-off-by: Adam Reese <adam@reese.io>
Lets us build a subset of the targets while still using build-cross
To build for multiple linux archs:
TARGETS="linux/amd64 linux/386" make clean build-cross dist APP=helm VERSION=v25.12.2