fix: eliminate usage of text/template

[smira]

Any usage of text/template blocks deadcode elimination in Go linker.

This packages gets transitively imported when using cosign package:

• sigstore/pkg/oauthflow/flow.go

  Lines 50 to 60 in 1d8faff

  	// init
  	func init() {
  	// set the default HTML page for the DefaultIDTokenGetter
  	htmlPage, err := soauth.GetInteractiveSuccessHTML(false, 10)
  	if err != nil {
  	log.Print("failed to get interactive success html, defaulting to original static page")
  	} else {
  	DefaultIDTokenGetter.HTMLPage = htmlPage
  	}
  	}

• https://github.com/sigstore/sigstore-go/blob/d276dc85c9fd79a96f27753d0aab5ad1bad7d198/pkg/sign/certificate.go#L33-L34
• https://github.com/sigstore/cosign/blob/8bce2dc8bb70efad54a9221612e2208ec615c6fc/pkg/cosign/bundle/sign.go#L28-L29

This shows up as:

0.050 Dead code elimination problem found:
0.052 text/template.(*state).evalField reachable from:
0.052    text/template.(*state).evalFieldChain
0.052    text/template.(*state).evalCommand
0.052    text/template.(*state).evalPipeline
0.052    text/template.(*state).walk
0.052    text/template.(*Template).execute
0.052    github.com/sigstore/sigstore/pkg/oauth.GetInteractiveSuccessHTML
0.052    github.com/sigstore/sigstore/pkg/oauthflow.init.0
0.052    github.com/sigstore/sigstore/pkg/oauthflow..inittask
0.052    go:main.inittasks
0.052    _

Summary

Fix deadcode elimination issue.

Release Note

None.

Documentation

None

[Hayden-IO]

I'm not following the issue, how is this dead code?

[smira]

I'm not following the issue, how is this dead code?

This is not dead code itself of course.

Go has a feature (as part of the linker) which is called dead code elimination which reduces binary size a lot when you have lots of heavy dependencies (e.g. Kubernetes API client), while you use only part of it.

For the deadcode elimination to be enabled, we need avoid calls to Go reflect package, specifically MethodByName with non-constant arguments.

So text/template whenever it gets imported, basically disables dedcode elimination, as long as the code which touches is reachable.

In this case what I (as a developer) want to do is to verify an image signature with cosign as a library. I import it as a library, and through the import path I highlighted above (via init()) functions it unconditionally runs text/template which disables DCE for my whole program.

There are many ways it can be resolved, but this PR is one of them - just get rid of text/template completely.
Another option is to avoid the import chain with leads into the oauth package, but I guess this would be breaking the API, so I tried to avoid it for my change, but you might decide to take a different path if you don't like the proposed change.

[Hayden-IO]

@smira Thanks for the detailed explanation, TIL about the linker and dead code elimination!