Sources for external dependencies
As part of our build pipelines for the package and charts, we pull a number of dependencies from external sources.
For omnibus-gitlab package, we cache a number of items:
- Libraries built from git repositories have a repository setup in https://gitlab.com/gitlab-org/build/omnibus-mirror that gets mirrored from its public source
- Any libraries we pull as archives(zip, tar, etc.) are stored in an S3 bucket. When we change a version of the library, we first pull from its public source and push to an S3 bucket. Afterwards, libraries with the same SHA are pulled from S3 buckets
Items that we always pull from public sources:
- Rubygems
- Node modules
- Golang project dependencies (with
go get
)
This means that an outage of any of these services could prevent us from building/releasing GitLab. We need to look at the possible impact of this and whether finding a way to pull from our own mirrors would make sense.