Rebuilding stable for security updates (with build.s.o)


I use to build snaps for one of my GitHub repos. In that repo, I have a devel branch and a master branch (loosely following Gitflow). The devel branch is the default, as that’s where changes should land, which means (I believe) that it’s also the place that builds from, into edge.

This is fine in the general case, as most of my changes do flow linearly from devel to master, but I just received (an extremely cool!) email informing me that my snap contains an old OpenSSL. I want to rebuild the snap using the contents of master, so I only pull in the updated OpenSSL and not the changes that have landed in devel but not yet in a release.

As far as I can tell, there isn’t a way to do this in so I would have to switch the default branch in GitHub, manually kick off a build and then switch it back. Is there a better way of doing this that I’m missing? Are there any plans to support switching the built branch in

(My preferred workflow, which is a bit more complex than the above, would be to build from devel into edge and from master into beta or candidate, so that I can promote exactly what is in master, rather than what was in devel that I merged into master.)




This is certainly an option.

I am in a similar position, but with over 20 snaps to deal with.

One alternative is to use Launchpad rather than build. I consider using Launchpad as expert-mode.

Put simply, push a “stable branch” to Launchpad, then visit your code branch and click the “Create snap package” link. Ensure you tell it to build against Xenial, with updates, and tell it the store-registered snap name, and make it push to beta only. You can also optionally choose to trigger a build on each change to that repo, or manually press the button to trigger a build at your leisure.

Next, create another branch for your “unstable” (edge) builds, and repeat the process, uploading to the store under the same name, but only to the edge channel.

You can also optionally use the lp-build-snap snap to trigger the builds remotely, perhaps via a cron job on your own infra.

I’m keen to know other ways to do this. Up until recently I’d been using one yaml which had some logic to determine if it needs to build a new stable or unstable build based on whether the upstream project has tagged a new version, and what’s in the beta channel.

You could (ab)use this by simply doing snapcraft close snapname beta to close the channel. This will force the logic to fail, and trigger a re-build of the last stable tagged release. I may use this method.

It’d be great if offered a way to build to different channels or tracks from different branches. At this point, though, I think we’re stuck with the horribly manual solutions suggested by you and @popey.