Automate the ORAS upgrade in package manager systems

[FeynmanZhou]

What is the version of your ORAS CLI

v1.1.0-rc.1

What would you like to be added?

From the installation guide, Homebrew, Winget, Nix, and Snap only support ORAS v1.0.0 so far. We need to investigate and find approaches to automate the ORAS upgrade in those package manager systems.

• Homebrew: it will be automatically upgraded in the package manager when a new ORAS release is out
• Winget: it is tracked in Simplify installation process for windows by using winget #939
• Nix: need to investigate how to add this upgrade to GitHub Actions of the release process
• Snap: need to investigate how to add this upgrade to GitHub Actions of the release process
  • move oras snapcraft configuration to GitHub actions #1052

Why is this needed for ORAS?

It will be convenient for ORAS maintainers to maintain the ORAS upgrade in those package manager systems. Users can install the latest version of ORAS CLI on each OS/platform easier.

Are you willing to submit PRs to contribute to this feature?

• Yes, I am willing to implement it.

[amands98]

Hi @FeynmanZhou , I can help investigate some of these items.

[amands98]

Homebrew : https://github.com/marketplace/actions/bump-homebrew-formula

[FeynmanZhou]

Thanks @amands98 ! We will review #1033 and also #1030

[FeynmanZhou]

I also assigned this issue to you @amands98

[FeynmanZhou]

@developer-guy Do you know how to automate the ORAS package update in Nix?

[shizhMSFT]

Thank @amands98 for sending out PRs. However, we need to discuss before proceeding the PR review.

In general, upgrading packages in a package manager requires an account of that system. For example, homebrew is based on GitHub so that it requires a GitHub account to do the commit. Other package managers may require differently.

The ultimate question is: Who should be the committer? It should be trusted and should not be an account of a real person (otherwise, that person is risk of impersonation).

[FeynmanZhou]

Thank @amands98 for sending out PRs. However, we need to discuss before proceeding the PR review.

In general, upgrading packages in a package manager requires an account of that system. For example, homebrew is based on GitHub so that it requires a GitHub account to do the commit. Other package managers may require differently.

The ultimate question is: Who should be the committer? It should be trusted and should not be an account of a real person (otherwise, that person is risk of impersonation).

Maybe we can use a bot account to handle this process. We will come up with a solution and update here

[shizhMSFT]

Meanwhile, we found that podman desktop has done similar job to publish releases to various package manager systems, including but not limited to brew (homebrew) and winget. We can take it as reference to develop our own release pipeline.

Reference: https://github.com/containers/podman-desktop/tree/main/.github/workflows

[shizhMSFT]

More comments on brew (homebrew)

Unlike podman desktop, which is a brew cask, oras is a brew formula. Therefore, we cannot directly copy the workflow from podman deslop.

We SHOULD use the brew CLI on macOS to up to ensure the resulted formula is workable on a Mac. Detailed instruction can be found at Updating Software in Homebrew and Submit a new version of an existing formula. Basically, sending out a formula PR for a new version of oras is as simple as running brew bump-formula-pr. Since the brew CLI is always update-to-date, we will have less chance to get errors or the bump up PR is requested for changes by the brew maintainers.

[shizhMSFT]

More comments on winget

There is a tool named winget-create by Microsoft Official. It does not require the user to fork the winget-pkgs repo to the organization.

[FeynmanZhou]

@amands98 Could you please help investigate solutions for brew and winget from @shizhMSFT 's proposal?

[developer-guy]

There is a bot called r-ryantm, thanks to @ryantm, it regularly updates Nix packages based on the nixpkgs-update project. I guess we don't need to do anything special on the Nix side to update oras packages, all we need to do is check the update PR and approve it if everything looks good, @ryantm can correct me if I'm wrong.

[FeynmanZhou]

Thanks @developer-guy . I saw ORAS CLI was upgraded to v1.0.1 by this PR NixOS/nixpkgs#247693 (comment).

From the Nix doc, they have a bot account that updates Nixpkgs by making PRs that bump a package to the latest version. So no further actions that we need to take in ORAS.

cc @oras-project/oras-cli

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[developer-guy]

we can close this one as we don't need to take manual actions or don't need to anything to automate this process since the we have already have an automation on that.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[github-actions]

This issue was closed because it has been stalled for 30 days with no activity.