Releases and Remote Plugin Sync Question #491
Hi, I've noticed that https://github.com/bufbuild/connect-go/releases/tag/v1.6.0 has been released; however, I've noticed that the remote plugin version at https://buf.build/bufbuild/connect-go is still at v1.5.2, 16 hours after the release. Is the version synchronised periodically or automatically on release? Is there a mechanism for forcing the remote plugin to be downloaded from a git commit or git tag directly rather than relying on what is in the registry? As the popularity of Connect.build hopefully grows, it means that 0-day attack mitigation would be more important, and reducing the time it takes from creating a release to being available on the registry becomes more important.
Replies: 1 comment 1 reply
The bufbuild/plugins repository has a Fetch workflow that runs every 24 hours to fetch new plugin versions. Whenever new versions are detected, a PR is created; for this example that's bufbuild/plugins#469. Once that's merged, it's in the queue to be uploaded to the BSR.

We have a second Release workflow that pushes all new plugin version(s) in the queue to the BSR, and once this workflow is run they will appear in <1 hour.

If there is a security risk (or otherwise), we have the ability to manually trigger these workflows and shrink the time.

Plugin versions are not updated on a daily basis, so we don't see a reason (at least not yet) to run the Fetch workflow more frequently.

However, we could run the Release workflow more often; iirc, if there are no new versions this is a noop. cc @pkwarren what do you think?