-
-
Notifications
You must be signed in to change notification settings - Fork 12.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
publish-commit-bottles: optionally push to pull request branch. #125556
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One thing we might want to consider is to teach test-bot
to ignore formulae which already have a separate bottle commit on the PR branch, but build ones for those still missing them. This might get us to something like incremental rebuilds on reruns.
Sounds worth trying out! Question: wouldn't the bottle commit dismiss existing approvals? Update: or, does this mean another maintainer (or possibly the maintainer(s) who previously approved it) is required to approve the PR again? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worth trying out!
ffa99d1
to
c3bf91b
Compare
@ZhongRuoyu If so: I'll adjust the branch protection rules to avoid this 👍🏻 |
9ff1491
to
1261fb3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These too. (⌘F says that's all.)
- name: Push commits
uses: Homebrew/actions/git-try-push@master
with:
token: ${{secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN}}
directory: ${{steps.set-up-homebrew.outputs.repository-path}}
env:
GIT_COMMITTER_NAME: BrewTestBot
GIT_COMMITTER_EMAIL: 1589480+BrewTestBot@users.noreply.github.com
HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }} ... because of this? https://github.com/Homebrew/actions/blob/master/git-try-push/action.yml#L18-L21 branch:
description: Git branch
required: false
default: master I think so, based on what I read from the action's
@MikeMcQuaid said:
If that's to untick "Dismiss stale pull request approvals when new commits are pushed": assuming a naughty PR author is lucky enough to successfully push a malicious commit after the bottle commit is pushed, but right before automerge is switched on, the malicious commit might be able to sneak into I refer to this which reads:
Do we have an appropriate solution to tackle that? We could enable automerge before pushing the bottle commit, but that could also happen before automerge is enabled, but after this workflow starts. There may still be a window for bad things to happen. |
That's a good idea 👍🏻 |
6625e5c
to
d0498d9
Compare
.github/workflows/tests.yml
Outdated
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like this worked, but you need to cd
to homebrew/core.
Wouldn't this result in a PR getting merged before the bottle commit is pushed if it was previously approved? Or is that fixed by |
Yes, that's true. Need to enable auto-merge immediately after pushing I guess! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Happy with where this is going, but I think it would be useful to gate these changes behind a PR label so that we can test it out on a few PRs before rolling it out fully.
Then, once we start merging most PRs this way, we can also use a label for the old merge flow for PRs that don't have Allow edits from maintainers
enabled (e.g. org forks).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Been thinking about it a bit and wondering how we could use merge queues to handle this. Turns out merge groups are a bit more limited than I thought.
Will take a proper look at this at the weekend but here's a couple questions from a quick think through.
@@ -30,6 +30,12 @@ jobs: | |||
container: | |||
image: ghcr.io/homebrew/ubuntu22.04:master | |||
steps: | |||
- name: Enable PR automerge | |||
run: gh pr merge --auto ${{github.event.inputs.pull_request}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What strategy does this use?
We don't allow merge commits currently and squash commits is not what we want. Rebase sounds right but sadly still destroys signing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Bo98 In this case as-is: the default. We should start using merge commits in this repository (and homebrew-cask) along with sharing Formula
/Casks
to make the Git operations on these repositories more performance so by the time I merge this I expect: merge commits.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not clear what "the default" meant considering merge commits isn't currently enabled and the default on the web interface is just the last one you used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think gh
requires specification of a merge strategy to use gh pr merge
. i.e. we must pass one of --squash
, --rebase
, or --merge
.
- name: Pull and upload bottles to GitHub Packages | ||
env: | ||
BREWTESTBOT_NAME_EMAIL: "BrewTestBot <1589480+BrewTestBot@users.noreply.github.com>" | ||
HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }} | ||
HOMEBREW_GITHUB_API_TOKEN: ${{secrets.HOMEBREW_CORE_PUBLIC_REPO_EMAIL_TOKEN}} | ||
HOMEBREW_GITHUB_PACKAGES_USER: brewtestbot | ||
HOMEBREW_GITHUB_PACKAGES_TOKEN: ${{secrets.HOMEBREW_CORE_GITHUB_PACKAGES_TOKEN}} | ||
run: brew pr-pull --debug --workflows=tests.yml --committer="$BREWTESTBOT_NAME_EMAIL" --root-url="https://ghcr.io/v2/homebrew/core" ${{github.event.inputs.args}} ${{github.event.inputs.pull_request}} | ||
run: brew pr-pull --debug --workflows=tests.yml --committer="$BREWTESTBOT_NAME_EMAIL" --root-url="https://ghcr.io/v2/homebrew/core" --no-autosquash --clean ${{github.event.inputs.args}} ${{github.event.inputs.pull_request}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a significant change and needs to be communicated accordingly or have stronger commit checks that disallow merges that need their commits adjusted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Bo98 Alternatively, we can (and should) care less about commit message/format pedantry, particularly if/when we're moving to merge commits where it matters much less about narrowing things down to a single commit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would be disappointing - git blame
is actually really useful here, compared to sometimes being horrid to use on Homebrew/brew to the point where I have to click 20 times to get past one PR. But I'll consider the rest of the concept first.
I'm also not entirely sure how brew extract
/FormulaVersions
behaves when a version bump is split into several commits but that can be adjusted if need be.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm also not entirely sure how
brew extract
/FormulaVersions
behaves when a version bump is split into several commits but that can be adjusted if need be.
Yea, I think we may break brew extract
and FormulaVersions
. Though I think the former will be broken because it relies on the latter. Breaking FormulaVersions
would not be good -- we use it for some audits.
@Bo98 Yes, this gets us on the way to be able to use merge queues for some flows but you cannot push or modify commits as part of the merge queue. We should not expect that to change. Expanding on the above: the homebrew/core CI flow is (and I say this as the person who is primarily to blame for this 😅) very unusual, makes it hard to rely on GitHub's security and workflow features (shout out to all our PRs with bottles being "closed" rather than "merged", something GitHub is never likely to let us fix), makes the repository network size balloon and stops us from being able to repeatedly rerun builds and reuse existing work. To be very clear: I don't expect to just merge this PR as is in the next few days and I expect there will be follow-up changes required to fix and improve these workflows. |
I hate to sound like a broken record, but: that's the advantage of my suggestion to gate this change behind a PR flag. It'll give us the chance to test and iterate on these changes more quickly, much the same way we introduce significant new features via a |
I feel like you are a working record because this sounds like the first time I heard this, sorry 😂 Definitely game to land this and #125595 sooner rather than later for experimentation. How do you see the PR flag working? A label? Something different? We'll have to avoid some things e.g. probably using merge commits then but that shouldn't make much of a difference. Feel free to commit directly to this PR (and #125595) if that's easier than leaving comments here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Modulo token issues and cleanup, the only change that this will really have that isn't opt-in is merge_group
. Happy to land this for experimentation once token issues and cleanup is done.
Whoops, sorry, missed that!
Awesome, thanks @carlocab, yeh, please feel free to land when you're happy with it. The |
I can clean this up, but I was hoping you could handle the token problem since I have no idea what to do with it 😅 In particular, I don't know which tokens have which scopes, etc. |
@carlocab sure thing will take a look! |
ea2ce6b
to
af49ee3
Compare
run: gh pr checkout ${{github.event.inputs.pull_request}} | ||
if: inputs.commit_bottles_to_pr_branch | ||
env: | ||
GH_TOKEN: ${{secrets.GITHUB_TOKEN}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, I've tried GITHUB_TOKEN
, but it seems to not have the right permissions either.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@carlocab Working now. Needed to add permissions
.
af49ee3
to
8bf0f6d
Compare
Rather than pulling bottles and pushing to master, pull bottles, push the bottle commit to the PR branch for automatic merging by GitHub and add a label to avoid rerunning `brew test-bot` on the various formulae again. This also allows us to use the GitHub merge queue so run on `merge_group` events too. Co-authored-by: Ruoyu Zhong <zhongruoyu@outlook.com> Co-authored-by: Carlo Cabrera <30379873+carlocab@users.noreply.github.com>
8bf0f6d
to
3c84e2a
Compare
Needs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks awesome, I'm very excited to see this in action!
If someone wants to get this merged tonight: I'll be around for several hours in case a TSC approval is needed for a revert. I'll try to periodically check but if it's urgent ping me on Slack so it sends me a notification.
Needed for Homebrew/homebrew-core#125556. Without this, `pr-pull` attempts to cherry-pick commits from the PR branch onto the PR branch, and then gets upset that nothing happened. See https://github.com/Homebrew/homebrew-core/actions/runs/4461335852/jobs/7835095294#step:10:40
…126125) Needed for #125556. Closes Homebrew/actions#338.
Rather than pulling bottles and pushing to master, pull bottles, push the bottle commit to the PR branch for automatic merging by GitHub and add a label to avoid rerunning
brew test-bot
on the various formulae again.This also allows us to use the GitHub merge queue so run on
merge_group
events too.CC @carlocab as we'd talked about this