#architecture
2022-11-17
Rupert (All Street) 23:11:14

For companies that have fine-grained access to source code in git (i.e. different access for different developers/teams), how do you replicate those same fine-grained access rights to your Maven (JAR) repos and your Docker image repos? Or do you just fully lock them down so devs have no access?

lukasz 16:11:50

The co I'm at separates repository access to different teams, and because we're using GitHub Packages - the access to Maven artifacts is also restricted.

Rupert (All Street) 16:11:09

I see, so GitHub Packages basically solves this problem?! Although it does really lock you in to GitHub Actions, as the transfer cost is very high (we have uberjars easily 1 GB).

lukasz 17:11:02

Cost is not my problem (anymore) so I can't comment on that. Also, I'm really curious why you store uberjars in Maven - I assume these aren't applications, but libraries with extra resources?

lukasz 17:11:28

As for the lock-in, it's a myth - I moved ~50 projects from Circle to GHA - it took a week and we were up and running just fine 🤷

Rupert (All Street) 17:11:51

Oops, I didn't mean lock-in that way. I'm sure we can move our CI/CD pipeline around easily. It's just that GH Packages charges a high cost if your workers are outside of GitHub (ours are, because we find the GitHub ones too slow and they have no local caching), so if you want the benefit of Packages you are highly incentivized to use GitHub Actions workers too (because of the transfer costs). We might store the uberjars in Maven so they can be redeployed to servers without rebuilding. Even if we use non-uberjars, it could be hundreds of MB of data transfer each build.

lukasz 17:11:19

Right right

lukasz 17:11:38

Another approach that could be cost-effective and have better access controls is to use S3 + IAM + AWS SSO

lukasz 17:11:11

so only users authorized to SSO into a given account can push/pull artifacts to/from S3 via S3 Wagon - I'm theorizing here as I never used S3 for Maven storage

lukasz 17:11:30

but we do use AWS SSO and multiple accounts a lot, for different things - and it's a nice access barrier

lukasz 17:11:24

also, you can move to Docker and use ECR (definitely not GH Packages; their Docker image repo is super limited, at least the last time I used it)

lukasz 17:11:38

but I'm just speculating, I don't know much about your setup :-)