On Wednesday, 09.03.2016 at 22:58, David Halls wrote: > > > > The rumprun toolchain used to build the packages is built afresh from > > source (then-current git master) *for each package*. This is not ideal -- > > I'll get in touch with Travis and see if we can figure out a way to both > > optimize this (speeding up build times) and ensure that the same, > > known-good, toolchain is used for the entire build as a whole. > > > > The toolchain build could be a separate project and the result into each > package build. > > I do something similar with Aboriginal Linux: > https://github.com/davedoesdev/build-aboriginal-travis > which I then download into heddle builds here: > https://github.com/davedoesdev/heddle/blob/master/.travis-ci/deps.sh
I didn't realise you could do that (upload build artefacts to Github)! The fact that it's mentioned in the Travis documentation under "Deployment Guides" as opposed to "Uploading Build Artefacts" is what confused me. The latter only talks about uploading to S3 and I didn't think of looking under "Deployment Guides" at all. Uploading to Github requires an OUATH token with permissions to upload to the Github repository in .travis.yml. What are the security implications of this? Unless I'm missing something, anyone could trivially steal that token and use it to upload arbitrary "releases" to the target Github repo...? > Of course that means specifying toolchain artefact version in the package > build. Right. And that doesn't work for our toolchain for two reasons 1) The toolchain just wraps (and is thus dependent on) the host toolchain. So "version of toolchain" is not meaningful. 2) Even if it were, we don't have a versioning/release scheme in place (yet)
