Make it easy to vendor a component project in my own namespace

Problem

When using components/templates from a public catalog, the user project keeps referencing the SSoT path to include the configuration.

trigger:
  include:
    - component: docker/docker-build@1.0.0

If the docker/ group or the docker/docker-build project is deleted, it can break all pipelines using this component.

The same problem occurred in the JavaScript world with the left-pad issue, where a missing popular dependency broke many other packages.

How can we protect components from being broken?

Ideas

Below are some ideas, which can also be combined. We need to evaluate the pros and cons of each and add any alternatives.

  1. Allow a dependency to be vendored within a private catalog. If a project myorg/project wants to rely on the docker/docker-build component, they can fork the component within myorg's catalog. Then myorg/project can use myorg/docker-build instead.
    • If docker/docker-build disappears or introduces breaking changes, it doesn't affect myorg/project.
    • Periodically, the myorg/docker-build fork can be upgraded from the upstream SSoT docker/docker-build, and newer versions can be used by myorg/project.
  2. Allow a dependency to be vendored within the same component project. If a new component awesome/component wants to reuse docker/docker-build they could include the whole docker/docker-build content within vendor/docker/docker-build path inside awesome/component. Then use include:local: instead of include:component:
    • 👎 It doesn't promote the same level of collaboration and contributions on components.
    • 👍 Self-contained component. Consistent behavior.
  3. Automatically cache the components a project uses within that project (e.g. ObjectStorage, package registry or in the form of artifacts maybe?). This would be like installing Go modules, Ruby gems or NPM modules locally. If you keep using the same version, we will pull it from the vendored space. If the component's version or the entire project is removed, you'll keep using the vendored version and are not impacted. If you empty the vendored space, then you may be exposed to missing dependencies.
  4. Other...
Edited by Fabio Pitino
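
The resolution behaviour described in idea 3, as an added sketch that is not part of the original issue or any GitLab implementation. VendoredResolver, UpstreamGone and the in-memory catalog are hypothetical names, and the digest-based drifted() check is an assumption that goes beyond what the issue proposes.

```python
import hashlib

class UpstreamGone(Exception):
    """The upstream project or version no longer exists."""

class VendoredResolver:
    """Resolves 'group/project@version' through a per-project vendored space."""

    def __init__(self, upstream):
        self.upstream = upstream  # ref -> content; stand-in for the public catalog
        self.vendored = {}        # ref -> (sha256 hex digest, content)

    def resolve(self, ref):
        path, sep, version = ref.partition("@")
        if not sep or not version or "/" not in path:
            raise ValueError(f"expected group/project@version, got {ref!r}")
        if ref in self.vendored:
            # Same pinned version: serve the vendored copy, upstream is not consulted.
            return self.vendored[ref][1], "vendored"
        if ref not in self.upstream:
            raise UpstreamGone(ref)
        content = self.upstream[ref]
        digest = hashlib.sha256(content.encode()).hexdigest()
        self.vendored[ref] = (digest, content)
        return content, "upstream"

    def drifted(self, ref):
        """Assumption, not in the issue: flag a version whose upstream content changed."""
        if ref not in self.vendored or ref not in self.upstream:
            return False
        now = hashlib.sha256(self.upstream[ref].encode()).hexdigest()
        return now != self.vendored[ref][0]

# Constructed sample data: a fake catalog holding one component version.
REF = "docker/docker-build@1.0.0"
SAMPLE = "build:\n  script: docker build .\n"

def demo():
    catalog = {REF: SAMPLE}
    r = VendoredResolver(catalog)
    seen = [r.resolve(REF)[1]]          # first use is fetched and vendored
    del catalog[REF]                    # upstream project or version removed
    seen.append(r.resolve(REF)[1])      # pipeline keeps working
    r.vendored.clear()                  # vendored space emptied
    try:
        r.resolve(REF)
    except UpstreamGone:
        seen.append("missing")          # exposed to the missing dependency
    return seen

if __name__ == "__main__":
    print(demo())
```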