publish-commit-bottles: optionally push to pull request branch. #125556
Conversation
BrewTestBot
added
automerge-skip
|
Sounds worth trying out! Question: wouldn't the bottle commit dismiss existing approvals? Update: or, does this mean another maintainer (or possibly the maintainer(s) who previously approved it) is required to approve the PR again? |
MikeMcQuaid
force-pushed
the
publish_commit_bottles_to_pr
branch
from
ffa99d1
to
c3bf91b
Compare
@ZhongRuoyu If so: I'll adjust the branch protection rules to avoid this 👍🏻 |
MikeMcQuaid
force-pushed
the
publish_commit_bottles_to_pr
branch
from
9ff1491
to
1261fb3
Compare
|
- name: Push commits
uses: Homebrew/actions/git-try-push@master
with:
token: ${{secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN}}
directory: ${{steps.set-up-homebrew.outputs.repository-path}}
env:
GIT_COMMITTER_NAME: BrewTestBot
GIT_COMMITTER_EMAIL: 1589480+BrewTestBot@users.noreply.github.com
HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}... because of this? https://github.com/Homebrew/actions/blob/master/git-try-push/action.yml#L18-L21 branch:
description: Git branch
required: false
default: masterI think so, based on what I read from the action's
@MikeMcQuaid said:
If that's to untick "Dismiss stale pull request approvals when new commits are pushed": assuming a naughty PR author is lucky enough to successfully push a malicious commit after the bottle commit is pushed, but right before automerge is switched on, the malicious commit might be able to sneak into I refer to this which reads:
Do we have an appropriate solution to tackle that? We could enable automerge before pushing the bottle commit, but that could also happen before automerge is enabled, but after this workflow starts. There may still be a window for bad things to happen. |
That's a good idea 👍🏻 |
MikeMcQuaid
force-pushed
the
publish_commit_bottles_to_pr
branch
2 times, most recently
from
6625e5c
to
d0498d9
Compare
.github/workflows/tests.yml
Outdated
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
Looks like this worked, but you need to cd to homebrew/core.
Wouldn't this result in a PR getting merged before the bottle commit is pushed if it was previously approved? Or is that fixed by |
Yes, that's true. Need to enable auto-merge immediately after pushing I guess! |
There was a problem hiding this comment.
Happy with where this is going, but I think it would be useful to gate these changes behind a PR label so that we can test it out on a few PRs before rolling it out fully.
Then, once we start merging most PRs this way, we can also use a label for the old merge flow for PRs that don't have Allow edits from maintainers enabled (e.g. org forks).
| @@ -30,6 +30,12 @@ jobs: | |||
| container: | |||
| image: ghcr.io/homebrew/ubuntu22.04:master | |||
| steps: | |||
| - name: Enable PR automerge | |||
| run: gh pr merge --auto ${{github.event.inputs.pull_request}} | |||
There was a problem hiding this comment.
What strategy does this use?
We don't allow merge commits currently and squash commits is not what we want. Rebase sounds right but sadly still destroys signing.
There was a problem hiding this comment.
@Bo98 In this case as-is: the default. We should start using merge commits in this repository (and homebrew-cask) along with sharing Formula/Casks to make the Git operations on these repositories more performance so by the time I merge this I expect: merge commits.
There was a problem hiding this comment.
It's not clear what "the default" meant considering merge commits isn't currently enabled and the default on the web interface is just the last one you used.
There was a problem hiding this comment.
I think gh requires specification of a merge strategy to use gh pr merge. i.e. we must pass one of --squash, --rebase, or --merge.
| - name: Pull and upload bottles to GitHub Packages | ||
| env: | ||
| BREWTESTBOT_NAME_EMAIL: "BrewTestBot <1589480+BrewTestBot@users.noreply.github.com>" | ||
| HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }} | ||
| HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_CORE_PUBLIC_REPO_EMAIL_TOKEN}} | ||
| HOMEBREW_GITHUB_PACKAGES_USER: brewtestbot | ||
| HOMEBREW_GITHUB_PACKAGES_TOKEN: ${{secrets.HOMEBREW_CORE_GITHUB_PACKAGES_TOKEN}} | ||
| run: brew pr-pull --debug --workflows=tests.yml --committer="$BREWTESTBOT_NAME_EMAIL" --root-url="https://ghcr.io/v2/homebrew/core" ${{github.event.inputs.args}} ${{github.event.inputs.pull_request}} | ||
| run: brew pr-pull --debug --workflows=tests.yml --committer="$BREWTESTBOT_NAME_EMAIL" --root-url="https://ghcr.io/v2/homebrew/core" --no-autosquash --clean ${{github.event.inputs.args}} ${{github.event.inputs.pull_request}} |
There was a problem hiding this comment.
This is a significant change and needs to be communicated accordingly or have stronger commit checks that disallow merges that need their commits adjusted.
There was a problem hiding this comment.
@Bo98 Alternatively, we can (and should) care less about commit message/format pedantry, particularly if/when we're moving to merge commits where it matters much less about narrowing things down to a single commit.
There was a problem hiding this comment.
That would be disappointing - git blame is actually really useful here, compared to sometimes being horrid to use on Homebrew/brew to the point where I have to click 20 times to get past one PR. But I'll consider the rest of the concept first.
I'm also not entirely sure how brew extract/FormulaVersions behaves when a version bump is split into several commits but that can be adjusted if need be.
There was a problem hiding this comment.
I'm also not entirely sure how
brew extract/FormulaVersionsbehaves when a version bump is split into several commits but that can be adjusted if need be.
Yea, I think we may break brew extract and FormulaVersions. Though I think the former will be broken because it relies on the latter. Breaking FormulaVersions would not be good -- we use it for some audits.
@Bo98 Yes, this gets us on the way to be able to use merge queues for some flows but you cannot push or modify commits as part of the merge queue. We should not expect that to change. Expanding on the above: the homebrew/core CI flow is (and I say this as the person who is primarily to blame for this 😅) very unusual, makes it hard to rely on GitHub's security and workflow features (shout out to all our PRs with bottles being "closed" rather than "merged", something GitHub is never likely to let us fix), makes the repository network size balloon and stops us from being able to repeatedly rerun builds and reuse existing work. To be very clear: I don't expect to just merge this PR as is in the next few days and I expect there will be follow-up changes required to fix and improve these workflows. |
I hate to sound like a broken record, but: that's the advantage of my suggestion to gate this change behind a PR flag. It'll give us the chance to test and iterate on these changes more quickly, much the same way we introduce significant new features via a |
I feel like you are a working record because this sounds like the first time I heard this, sorry 😂 Definitely game to land this and #125595 sooner rather than later for experimentation. How do you see the PR flag working? A label? Something different? We'll have to avoid some things e.g. probably using merge commits then but that shouldn't make much of a difference. Feel free to commit directly to this PR (and #125595) if that's easier than leaving comments here. |
Whoops, sorry, missed that!
Awesome, thanks @carlocab, yeh, please feel free to land when you're happy with it. The |
|
I can clean this up, but I was hoping you could handle the token problem since I have no idea what to do with it 😅 In particular, I don't know which tokens have which scopes, etc. |
@carlocab sure thing will take a look! |
MikeMcQuaid
force-pushed
the
publish_commit_bottles_to_pr
branch
from
ea2ce6b
to
af49ee3
Compare
MikeMcQuaid
changed the title
| run: gh pr checkout ${{github.event.inputs.pull_request}} | ||
| if: inputs.commit_bottles_to_pr_branch | ||
| env: | ||
| GH_TOKEN: ${{secrets.GITHUB_TOKEN}} |
There was a problem hiding this comment.
Yep, I've tried GITHUB_TOKEN, but it seems to not have the right permissions either.
There was a problem hiding this comment.
@carlocab Working now. Needed to add permissions.
MikeMcQuaid
force-pushed
the
publish_commit_bottles_to_pr
branch
from
af49ee3
to
8bf0f6d
Compare
github-actions
bot
added
the
CI-published-bottle-commits
Rather than pulling bottles and pushing to master, pull bottles, push the bottle commit to the PR branch for automatic merging by GitHub and add a label to avoid rerunning `brew test-bot` on the various formulae again. This also allows us to use the GitHub merge queue so run on `merge_group` events too. Co-authored-by: Ruoyu Zhong <zhongruoyu@outlook.com> Co-authored-by: Carlo Cabrera <30379873+carlocab@users.noreply.github.com>
MikeMcQuaid
force-pushed
the
publish_commit_bottles_to_pr
branch
from
8bf0f6d
to
3c84e2a
Compare
|
Needs |
There was a problem hiding this comment.
This looks awesome, I'm very excited to see this in action!
If someone wants to get this merged tonight: I'll be around for several hours in case a TSC approval is needed for a revert. I'll try to periodically check but if it's urgent ping me on Slack so it sends me a notification.
Needed for Homebrew/homebrew-core#125556. Without this, `pr-pull` attempts to cherry-pick commits from the PR branch onto the PR branch, and then gets upset that nothing happened. See https://github.com/Homebrew/homebrew-core/actions/runs/4461335852/jobs/7835095294#step:10:40
…126125) Needed for #125556. Closes Homebrew/actions#338.
Rather than pulling bottles and pushing to master, pull bottles, push the bottle commit to the PR branch for automatic merging by GitHub and add a label to avoid rerunning
brew test-boton the various formulae again.This also allows us to use the GitHub merge queue so run on
merge_groupevents too.CC @carlocab as we'd talked about this