# general

bitter-ability-32190

10/19/2022, 7:07 PM
Excited to announce my latest invention! The `external_tool` target! https://github.com/pantsbuild/pants/pull/17277 If a picture is worth 1000 words, an example has to be worth something:
```
external_tool(
    name="gh",
    source=http_source(
        url="https://github.com/cli/cli/releases/download/v2.18.0/gh_2.18.0_linux_amd64.tar.gz",
        sha256="6b091b0b21ee8b0ec257920968905dc065505f5718e5a7de1e9d287320869ef8",
        len=9230158
    ),
    exe="gh_2.18.0_linux_amd64/bin/gh"
)
```
```
$ ./pants run //:gh -- --version
gh version 2.18.0 (2022-10-18)
https://github.com/cli/cli/releases/tag/v2.18.0
```
Now you can declare tools in that Pants will take care of downloading and sandboxing, and share those with your org. Or run them as part of other scripts. Have fun 😈
We'll probably want to start thinking about `http_source` supporting multi-arch/OS

curved-television-6568

10/19/2022, 7:17 PM
your example makes me “get the picture”, so that ought to be worth a 1000 words too, right? 😛
joking aside, this is really cool, neat target. Love it! ❤️
@powerful-umbrella-75231 FYI. this could be really useful… just sayin’ 😉
any thoughts about platform support in this..?
guess that q ripples through to the `http_source` target as well…
or perhaps keep http_source as-is to avoid complexity there.. but support a multiple sources field here with some way of selecting one of them depending on the platform.. just a straw man idea…

happy-kitchen-89482

10/19/2022, 7:43 PM
Interesting! So a good way to pin a version of a tool across a repo. Which really matters for, e.g., terraform, and other tools that generate versioned state

bitter-ability-32190

10/19/2022, 7:44 PM
And to write scripts that don't require prior work (download)

busy-vase-39202

10/19/2022, 8:07 PM
Neat! Let's do a tweet of this when the feature lands.

witty-crayon-22786

10/19/2022, 8:23 PM
will definitely need the cross-platform consideration i think… that’s a lightly tricky situation, because BUILD file evaluation will always occur on the local platform, but if the `http_source` is going to be consumed in a target marked to run in a different `environment`, then it should use that platform. so whatever syntax triggers cross platform needs to actually defer execution until codegen in order to get the “right” platform.
having said that though, the same goes for other uses of `http_source`, so not really specific to this target type.

bitter-ability-32190

10/19/2022, 8:28 PM
I think we all agree on that, just that the syntax for declaring all the urls/shas/lens is up for grabs

high-yak-85899

10/19/2022, 10:43 PM
Any thoughts on security implications of this? You can already do a lot with python anyway, but I'm curious if any recommendations would flow out of this beyond the usual things like only pull from trusted sources.

bitter-ability-32190

10/19/2022, 11:06 PM
I think same as usual. Don't download and run what you don't trust. At least with the hashing, supply chain attacks are mitigated