-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ane 926 release group #1399
Ane 926 release group #1399
Conversation
deprecateReleaseGroupMetadata :: Has Diagnostics sig m => ProjectMetadata -> m ProjectMetadata | ||
deprecateReleaseGroupMetadata projectMetadata = do | ||
case (projectReleaseGroup projectMetadata) of | ||
Nothing -> pure projectMetadata | ||
Just _ -> do | ||
warn deprecationMessage | ||
pure $ removeReleaseGroupMetadata projectMetadata | ||
where | ||
removeReleaseGroupMetadata :: ProjectMetadata -> ProjectMetadata | ||
removeReleaseGroupMetadata project = project{projectReleaseGroup = Nothing} | ||
|
||
deprecationMessage :: Text | ||
deprecationMessage = | ||
renderIt $ | ||
vsep | ||
[annotate (color Red) "Release group options for this command have been deprecated. Refer to `fossa release-group` subcommands to interact with FOSSA release groups."] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thinking more about this, not sure if we want to deprecate this on analyze. There was a customer that was asking to update the release projects upon scan and if we deprecate this, they wouldn't be able to do this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you characterize this more? The reason not to deprecate these isn't obvious to me. It seems like they could just analyze
and update the release projects in a separate command after?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's true, you would be able to run analyze
and then update the release projects with release-group add-projects
, but I think the customer was looking to only run fossa analyze
to have their release group project updated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It sounds like deprecating them would not totally prevent the customer from updating a project in a release group. I think it's OK in that case to say that they'll need to use these new commands even if they have a preference for analyze
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That sounds good to me
deprecateReleaseGroupMetadata :: Has Diagnostics sig m => ProjectMetadata -> m ProjectMetadata | ||
deprecateReleaseGroupMetadata projectMetadata = do | ||
case (projectReleaseGroup projectMetadata) of | ||
Nothing -> pure projectMetadata | ||
Just _ -> do | ||
warn deprecationMessage | ||
pure $ removeReleaseGroupMetadata projectMetadata | ||
where | ||
removeReleaseGroupMetadata :: ProjectMetadata -> ProjectMetadata | ||
removeReleaseGroupMetadata project = project{projectReleaseGroup = Nothing} | ||
|
||
deprecationMessage :: Text | ||
deprecationMessage = | ||
renderIt $ | ||
vsep | ||
[annotate (color Red) "Release group options for this command have been deprecated. Refer to `fossa release-group` subcommands to interact with FOSSA release groups."] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you characterize this more? The reason not to deprecate these isn't obvious to me. It seems like they could just analyze
and update the release projects in a separate command after?
- projectLocator: custom+123/git@github.com/fossas/fossa-cli | ||
projectRevision: "12345" | ||
projectBranch: master | ||
- projectLocator: custom+123/git@github.com/example |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We discussed project id vs. locator with respect to modifying projects and I think we should do the same here. This is technically an entirely new config block so there's no compatibility issues but users are already used to using projectId
elsewhere.
I think it'd be good to allow/prefer projectId
and make projectLocator
available for people who really need it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think allowing projectId makes sense when modifying projects as that field was already present in the project
config block. However, in this case, because we are introducing a new config block I would rather constrain users to using projectLocator
and make it simple. I think if we get requests to include projectId
as an option, then we can go ahead and add it, but for now I would like to keep it as is. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's more confusing that way for people familiar with project ids or who want to make use of both project's and release groups in a .fossa.yml
. If I make a project block and then try to copy some it's project id into a release group block it won't work. It isn't immediately obvious why a projectId
isn't good enough even though thus far it's worked everywhere else in .fossa.yml
. Yet, I'm required to at least be able to discern the difference between the two to use this functionality. The docs in this PR explain what the difference is but not why the difference is important or necessary.
I think the ideal way would be to use projectId
as much as possible and provide projectLocator
for cases where someone really needs it. I think that the majority of cases would be handled by this and it's easier to understand.
If you disagree, I'm OK with moving forward with it this way and seeing what the response is, but please edit the project ID and project locator docs to describe the different semantics of these values. Maybe mention directly in the release group docs that project id won't work. Additionally, the existing project id docs describe it as a unique id for a project which after talking it over, I think isn't true. Could you edit that description to be specific?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good I updated the docs!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see that chris already added comments - here are some of them from my review; Also test-plan's .fossa.yml
is incorrect - e.g. projectLocator
src/App/Fossa/ReleaseGroup/Create.hs
Outdated
policies <- getPolicies | ||
teams <- getTeams | ||
|
||
maybeLicensePolicyId <- retrievePolicyId (releaseGroupLicensePolicy releaseGroupRevision) LICENSING policies |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[question] why are we doing policy resolution logic in cmdline opposed to backend?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Core wanted me to use their existing endpoints for my work and they only have endpoints to retrieve policies by id, so I had to do policy resolution here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks pretty good. I can approve after you add some clarification in the docs on the differences in semantics between projectId
and projectLocator
as well as some description that projectId
s are only unique for the purposes of analyze.
- projectLocator: custom+123/git@github.com/fossas/fossa-cli | ||
projectRevision: "12345" | ||
projectBranch: master | ||
- projectLocator: custom+123/git@github.com/example |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's more confusing that way for people familiar with project ids or who want to make use of both project's and release groups in a .fossa.yml
. If I make a project block and then try to copy some it's project id into a release group block it won't work. It isn't immediately obvious why a projectId
isn't good enough even though thus far it's worked everywhere else in .fossa.yml
. Yet, I'm required to at least be able to discern the difference between the two to use this functionality. The docs in this PR explain what the difference is but not why the difference is important or necessary.
I think the ideal way would be to use projectId
as much as possible and provide projectLocator
for cases where someone really needs it. I think that the majority of cases would be handled by this and it's easier to understand.
If you disagree, I'm OK with moving forward with it this way and seeing what the response is, but please edit the project ID and project locator docs to describe the different semantics of these values. Maybe mention directly in the release group docs that project id won't work. Additionally, the existing project id docs describe it as a unique id for a project which after talking it over, I think isn't true. Could you edit that description to be specific?
deprecateReleaseGroupMetadata :: Has Diagnostics sig m => ProjectMetadata -> m ProjectMetadata | ||
deprecateReleaseGroupMetadata projectMetadata = do | ||
case (projectReleaseGroup projectMetadata) of | ||
Nothing -> pure projectMetadata | ||
Just _ -> do | ||
warn deprecationMessage | ||
pure $ removeReleaseGroupMetadata projectMetadata | ||
where | ||
removeReleaseGroupMetadata :: ProjectMetadata -> ProjectMetadata | ||
removeReleaseGroupMetadata project = project{projectReleaseGroup = Nothing} | ||
|
||
deprecationMessage :: Text | ||
deprecationMessage = | ||
renderIt $ | ||
vsep | ||
[annotate (color Red) "Release group options for this command have been deprecated. Refer to `fossa release-group` subcommands to interact with FOSSA release groups."] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It sounds like deprecating them would not totally prevent the customer from updating a project in a release group. I think it's OK in that case to say that they'll need to use these new commands even if they have a preference for analyze
.
@@ -482,6 +497,14 @@ commonOpts = | |||
, boldItalicized "Default: " <> coloredBoldItalicized Green "full" | |||
] | |||
|
|||
configHelp :: Maybe (Doc AnsiStyle) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see a reason for these to be Maybe
since it doesn't seem like there's any possibility that they will be Nothing
. This forces consumers of that data to handle the case of Nothing
regardless though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These help docs are of type Maybe
due to Options.Applicative helpDoc
function. It required aMaybe
type.
cliParser = | ||
AddProjectsOpts | ||
<$> releaseGroupCommonOpts | ||
<*> optional (strOption (applyFossaStyle <> long "config" <> short 'c' <> helpDoc configHelp)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm fine with a ticket, but I was only asking for sharing for the config values defined in this PR. That we can't get sharing for everything doesn't mean it isn't good to do it where it's possible and relatively easy.
src/App/Fossa/ReleaseGroup/Common.hs
Outdated
[] -> pure Nothing | ||
[releaseGroup] -> pure . Just $ releaseGroupId releaseGroup | ||
(_ : _ : _) -> | ||
errHelp ("Navigate to the FOSSA web UI to rename your release groups so that they are unqiue" :: Text) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
errHelp ("Navigate to the FOSSA web UI to rename your release groups so that they are unqiue" :: Text) | |
errHelp ("Navigate to the FOSSA web UI to rename your release groups so that they are unique." :: Text) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Relatedly, as you find things that you think should be constrained in FOSSA's data-model to be unique, can you make tickets if you haven't yet?
### What is the difference between project ID and project locator? | ||
|
||
In the CLI, project ID refers to a specific portion of a project locator. When running `fossa analyze` on a project for the first time, if project ID is not directly configured, it will default to: | ||
|
||
- Git: The CLI will look for a `.git/config` file and set the ID to the project's remote "origin" url. | ||
- SVN: The CLI will run `svn info` and use the "Repository Root". | ||
- No VCS (Version control system): The ID will be set to the name of the project's directory. | ||
|
||
<img src="../../assets/project-id-example.png"> | ||
|
||
|
||
After project ID is set, the CLI will use that value to construct a project locator on first time analysis. A project locator is a unique ID that the FOSSA API will use to reference a project across FOSSA. | ||
|
||
> NOTE: Projects uploaded through the CLI will have `custom` embedded into the project locator. | ||
|
||
<img src="../../assets/project-locator-example.png"> | ||
|
||
### When do I use project ID vs project locator? | ||
|
||
Project ID should be used when referencing projects uploaded via the CLI. In most cases, providing just a project ID is sufficient. However, when referencing projects uploaded through avenues outside the CLI (Quick Import, Archive Upload, etc), providing just a project ID fails. This is due to the nature of FOSSA's project naming conventions as project locators are constructed differently depending on how a project was uploaded. There is no way to tell at runtime which project a user is referencing when only given a project ID (i.e. Is this a project uploaded via the CLI or Archive Upload?). | ||
|
||
In `fossa release-group` project locator is used to reference projects that will be added to your release group's release. By using project locator, all FOSSA project upload flows are covered and the CLI is able to determine the specific project a user is trying to add to a release. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me know if this makes sense or if I should word this differently.
Overview
The CLI should offer a way to create release groups from the command line. Creating and deleting other org-level objects should be done through their own command.
Acceptance criteria
There is a way to create and delete a release group from the CLI.
Emit audit logs on release group creation in CORE
Testing plan
example .fossa.yml:
Create a release group:
fossa release-group create --title example-title --release example-release-title --project-locator custom+1/git@github.com/example --project-revision 12345 --project-branch main
fossa release-group create -c /path/to/.fossa.yml/
Add projects to a release group:
fossa release-group add-projects --title example-title --release example-release-title --project-locator custom+1/git@github.com/example --project-revision 12345 --project-branch main
fossa release-group add-projects -c /path/to/.fossa.yml/
Delete a release group:
fossa release-group delete --title example-title
Delete a release group release:
fossa release-group delete-release --title example-title --release example-release-title
Risks
Metrics
References
Checklist
docs/
.docs/README.ms
and gave consideration to how discoverable or not my documentation is.Changelog.md
. If this PR did not mark a release, I added my changes into an# Unreleased
section at the top..fossa.yml
orfossa-deps.{json.yml}
, I updateddocs/references/files/*.schema.json
AND I have updated example files used byfossa init
command. You may also need to update these if you have added/removed new dependency type (e.g.pip
) or analysis target type (e.g.poetry
).docs/references/subcommands/<subcommand>.md
.