Updated on January 31, 2019 to reflect the current state of the technology and JFrog support for Go.
The need for a Go registry
What was missing in the Go ecosystem was standardization – there wasn’t a standard tool for dependency management, and there wasn’t a standard package format or compatible registry specification. This meant that developers could not create reproducible builds with Go which was quite an issue. Over the years, tools such as dep, godep, glide and govendor entered the scene to handle Go dependency management, but none of these offered an acceptable solution for managing immutable Go packages in an internal Go registry or for setting up a go proxy for remote Go packages. The good news is that Google eventually stepped in and solved the issue once and for all by adding versioning support for Go.
Artifactory Go Registries and go proxy
The release of Artifactory 5.11 added support for Go registries giving the community a variety of capabilities when developing with Go.JFrog Artifactory is the only universal artifact repository that supports Go registries giving the community a variety of capabilities when developing with Go Click To Tweet
Here are just a few of them:
- Local repositories in Artifactory let you set up secure, private Go registries with fine-grained access control to packages according to projects or development teams.
- A remote repository in Artifactory is a caching proxy for remote Go resources such as a GitHub project. Accessing a go proxy through Artifactory removes your dependency on the network, or on GitHub since all dependencies needed for your Go builds are cached in Artifactory and are therefore locally available. This also removes the risk of someone mutating or removing a dependency from version control, or worse, force-pushing changes to a remote Git tag thus changing what should be an immutable version which can create a lot of confusion and instability for dependant projects.
- A virtual repository aggregates both local and remote Go registries giving you access to all Go resources needed for your builds from a single URL, hiding the complexity of using a combination of both local and remote resources.
- Enterprise-grade features
- Multiple layers of security to manage authentication, access control and data privacy
- Support for massive scalability, both in terms of number of users and volume of Go packages being stored
- High-availability for extremely robust installations
- Support for any multi-site topology through a variety of repository replication capabilities
Building Go projects with JFrog CLI
To work with Go repositories, you first need to install and configure the Go client. Then, to deploy Go packages into an Artifactory Go registry, you need to install JFrog CLI and configure it as described in the go example below which you can run by following 5 easy steps:
Step 1: Clone the project
$ git clone https://github.com/jbaruch/artifactory-go-example.git
Step 2: Configure JFrog CLI
Use the JFrog rt config command to configure JFrog CLI with the parameters needed to access Artifactory by running
$ jfrog rt config
… and follow the prompts.
Step 3: Build the project
Once JFrog CLI is correctly configured to access Artifactory, you can build your project. Since the package’s modules are not yet available in Artifactory, to resolve dependencies through Artifactory, you need to use the ‘no-registry’ flag in order to get the dependencies sources from GitHub and let Go create modules from them.
$ jfrog rt go build --no-registry
Step 4: Create the modules and push them to Artifactory
After fetching the project dependency sources from GitHub you can create the modules and push them to Artifactory. Once modules are published to Artifactory, they are available for other developers to use:
$ jfrog rt go-publish go --self=false --deps=ALL
The dependencies are now available in Artifactory under the go-local repository.
Step 5: Build the project and resolve uncached dependencies
Build the project with go and resolve uncached dependencies from Artifactory. This will also declare the dependencies used in the build-info metadata:
$ jfrog rt go build go --build-name=my-first-go-build --build-number=1
Step 6: Publish the Go module with build-info
Now you can publish the package you just built to Artifactory along with the relevant build-info that includes the uploaded module as an artifact as well as all the environment variables.
$ jfrog rt go-publish go v1.0.0 --build-name=my-first-go-build --build-number=1
To collect the environment variables, run the following command:
$ jfrog rt build-collect-env my-first-go-build 1
Then you can publish the build info:
$ jfrog rt build-publish my-first-go-build 1
Now you can see the build info in Artifactory: