New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support self-hosted Cirrus workers on forks #29274
base: master
Are you sure you want to change the base?
Changes from all commits
036f886
87424ec
3f2ea2a
8b06d6f
8f322f0
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,7 +9,10 @@ on: | |
# See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push. | ||
push: | ||
branches: | ||
- '**' | ||
# Do not run branch pushes on forks, because they are typically redundant with | ||
# pull requests to the main repo. | ||
- 'bitcoin/**' | ||
- 'bitcoin-core/**' | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. No objection, but I presume this will cause issues on forks (Inquisition, Knots, ...) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Good point, this probably needs an ENV flag. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Knots pull requests seem to be typically made against the Inquisition seems to follow the some pattern. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Aaargh, afaik Github CI doesn't support custom ENV variables for forks. So this is solved, but on Github forks are unconditionally skipped. |
||
tags-ignore: | ||
- '**' | ||
|
||
|
@@ -26,7 +29,10 @@ jobs: | |
test-each-commit: | ||
name: 'test each commit' | ||
runs-on: ubuntu-22.04 | ||
if: github.event_name == 'pull_request' && github.event.pull_request.commits != 1 | ||
# Only run on pull requests, skip if there's only commit. | ||
# Do not run on forks. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It would be nicer to fix the actual problem, but I don't understand what this job is doing. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @hebasto @ryanofsky any thoughts on how to make the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Example of earlier failure: https://github.com/Sjors/bitcoin/actions/runs/7556559882/job/20573828392?pr=28#step:4:42
|
||
if: github.event_name == 'pull_request' && github.event.pull_request.commits != 1 && | ||
(github.repository == 'bitcoin-core/gui' || github.repository == 'bitcoin/bitcoin') | ||
timeout-minutes: 360 # Use maximum time, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idtimeout-minutes. Assuming a worst case time of 1 hour per commit, this leads to a --max-count=6 below. | ||
env: | ||
MAX_COUNT: 6 | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this needed? Won't this be skipped already by default if the worker is offline?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It stays pending, at least in the Cirrus interface.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But that seems preferable to me, as it communicates clearly that the task didn't run.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Trying that UX in Sjors#36 ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On the first push of a branch, due to the UI glitched described below (#29274 (comment)) they show as skipped:
That seems fine. On the second push they are put in "queued sate" (forever?).
I agree that hiding the task altogether is not ideal (as ecf01f4 does). Perhaps marking it as skipped is better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well for one thing it's way faster (using just an idle desktop computer).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's also not this black and white. Sure, Microsoft and Cirrus can screw us over by faking the CI result. But by not relying on them for hosting for the runners, it's both easier to catch them doing shenanigans and it's easier to move elsewhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why? Someone will have to run a fully local backup either way, whose cost is independent of what is running on the other side.
Why? Moving elsewhere also requires moving the repo off of the GitHub mirror, or writing a GH integration and a CI framework from scratch, both of whose costs are largely independent of where the CI CPUs happen to sit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I run a self-hosted CI I can see what it's doing. If it fails on my machine and is marked as successful on Github, I can see that. If I collude with Github that's a different story of course.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The CI cleans up after itself, latest when the next run starts, so I don't think it is reliably possible to inspect a failure of a remote-triggered CI run locally, even assuming no "attack" from GH.
More importantly, the CI machine is literally doing RCE of downloaded binary executables and random code, so reliably detecting a test failure (assuming a GH attack) seems questionable at best.