Ane 926 release group #1399
Ane 926 release group #1399
Conversation
| deprecateReleaseGroupMetadata :: Has Diagnostics sig m => ProjectMetadata -> m ProjectMetadata | ||
| deprecateReleaseGroupMetadata projectMetadata = do | ||
| case (projectReleaseGroup projectMetadata) of | ||
| Nothing -> pure projectMetadata | ||
| Just _ -> do | ||
| warn deprecationMessage | ||
| pure $ removeReleaseGroupMetadata projectMetadata | ||
| where | ||
| removeReleaseGroupMetadata :: ProjectMetadata -> ProjectMetadata | ||
| removeReleaseGroupMetadata project = project{projectReleaseGroup = Nothing} | ||
|
|
||
| deprecationMessage :: Text | ||
| deprecationMessage = | ||
| renderIt $ | ||
| vsep | ||
| [annotate (color Red) "Release group options for this command have been deprecated. Refer to `fossa release-group` subcommands to interact with FOSSA release groups."] |
There was a problem hiding this comment.
Thinking more about this, not sure if we want to deprecate this on analyze. There was a customer that was asking to update the release projects upon scan and if we deprecate this, they wouldn't be able to do this.
There was a problem hiding this comment.
Could you characterize this more? The reason not to deprecate these isn't obvious to me. It seems like they could just analyze and update the release projects in a separate command after?
There was a problem hiding this comment.
That's true, you would be able to run analyze and then update the release projects with release-group add-projects, but I think the customer was looking to only run fossa analyze to have their release group project updated.
There was a problem hiding this comment.
It sounds like deprecating them would not totally prevent the customer from updating a project in a release group. I think it's OK in that case to say that they'll need to use these new commands even if they have a preference for analyze.
There was a problem hiding this comment.
That sounds good to me
| deprecateReleaseGroupMetadata :: Has Diagnostics sig m => ProjectMetadata -> m ProjectMetadata | ||
| deprecateReleaseGroupMetadata projectMetadata = do | ||
| case (projectReleaseGroup projectMetadata) of | ||
| Nothing -> pure projectMetadata | ||
| Just _ -> do | ||
| warn deprecationMessage | ||
| pure $ removeReleaseGroupMetadata projectMetadata | ||
| where | ||
| removeReleaseGroupMetadata :: ProjectMetadata -> ProjectMetadata | ||
| removeReleaseGroupMetadata project = project{projectReleaseGroup = Nothing} | ||
|
|
||
| deprecationMessage :: Text | ||
| deprecationMessage = | ||
| renderIt $ | ||
| vsep | ||
| [annotate (color Red) "Release group options for this command have been deprecated. Refer to `fossa release-group` subcommands to interact with FOSSA release groups."] |
There was a problem hiding this comment.
Could you characterize this more? The reason not to deprecate these isn't obvious to me. It seems like they could just analyze and update the release projects in a separate command after?
| - projectLocator: custom+123/git@github.com/fossas/fossa-cli | ||
| projectRevision: "12345" | ||
| projectBranch: master | ||
| - projectLocator: custom+123/git@github.com/example |
There was a problem hiding this comment.
We discussed project id vs. locator with respect to modifying projects and I think we should do the same here. This is technically an entirely new config block so there's no compatibility issues but users are already used to using projectId elsewhere.
I think it'd be good to allow/prefer projectId and make projectLocator available for people who really need it.
There was a problem hiding this comment.
I think allowing projectId makes sense when modifying projects as that field was already present in the project config block. However, in this case, because we are introducing a new config block I would rather constrain users to using projectLocator and make it simple. I think if we get requests to include projectId as an option, then we can go ahead and add it, but for now I would like to keep it as is. What do you think?
There was a problem hiding this comment.
I think it's more confusing that way for people familiar with project ids or who want to make use of both project's and release groups in a .fossa.yml. If I make a project block and then try to copy some it's project id into a release group block it won't work. It isn't immediately obvious why a projectId isn't good enough even though thus far it's worked everywhere else in .fossa.yml. Yet, I'm required to at least be able to discern the difference between the two to use this functionality. The docs in this PR explain what the difference is but not why the difference is important or necessary.
I think the ideal way would be to use projectId as much as possible and provide projectLocator for cases where someone really needs it. I think that the majority of cases would be handled by this and it's easier to understand.
If you disagree, I'm OK with moving forward with it this way and seeing what the response is, but please edit the project ID and project locator docs to describe the different semantics of these values. Maybe mention directly in the release group docs that project id won't work. Additionally, the existing project id docs describe it as a unique id for a project which after talking it over, I think isn't true. Could you edit that description to be specific?
There was a problem hiding this comment.
Sounds good I updated the docs!
src/App/Fossa/ReleaseGroup/Create.hs
Outdated
| policies <- getPolicies | ||
| teams <- getTeams | ||
|
|
||
| maybeLicensePolicyId <- retrievePolicyId (releaseGroupLicensePolicy releaseGroupRevision) LICENSING policies |
There was a problem hiding this comment.
[question] why are we doing policy resolution logic in cmdline opposed to backend?
There was a problem hiding this comment.
Core wanted me to use their existing endpoints for my work and they only have endpoints to retrieve policies by id, so I had to do policy resolution here.
| - projectLocator: custom+123/git@github.com/fossas/fossa-cli | ||
| projectRevision: "12345" | ||
| projectBranch: master | ||
| - projectLocator: custom+123/git@github.com/example |
There was a problem hiding this comment.
I think it's more confusing that way for people familiar with project ids or who want to make use of both project's and release groups in a .fossa.yml. If I make a project block and then try to copy some it's project id into a release group block it won't work. It isn't immediately obvious why a projectId isn't good enough even though thus far it's worked everywhere else in .fossa.yml. Yet, I'm required to at least be able to discern the difference between the two to use this functionality. The docs in this PR explain what the difference is but not why the difference is important or necessary.
I think the ideal way would be to use projectId as much as possible and provide projectLocator for cases where someone really needs it. I think that the majority of cases would be handled by this and it's easier to understand.
If you disagree, I'm OK with moving forward with it this way and seeing what the response is, but please edit the project ID and project locator docs to describe the different semantics of these values. Maybe mention directly in the release group docs that project id won't work. Additionally, the existing project id docs describe it as a unique id for a project which after talking it over, I think isn't true. Could you edit that description to be specific?
| deprecateReleaseGroupMetadata :: Has Diagnostics sig m => ProjectMetadata -> m ProjectMetadata | ||
| deprecateReleaseGroupMetadata projectMetadata = do | ||
| case (projectReleaseGroup projectMetadata) of | ||
| Nothing -> pure projectMetadata | ||
| Just _ -> do | ||
| warn deprecationMessage | ||
| pure $ removeReleaseGroupMetadata projectMetadata | ||
| where | ||
| removeReleaseGroupMetadata :: ProjectMetadata -> ProjectMetadata | ||
| removeReleaseGroupMetadata project = project{projectReleaseGroup = Nothing} | ||
|
|
||
| deprecationMessage :: Text | ||
| deprecationMessage = | ||
| renderIt $ | ||
| vsep | ||
| [annotate (color Red) "Release group options for this command have been deprecated. Refer to `fossa release-group` subcommands to interact with FOSSA release groups."] |
There was a problem hiding this comment.
It sounds like deprecating them would not totally prevent the customer from updating a project in a release group. I think it's OK in that case to say that they'll need to use these new commands even if they have a preference for analyze.
| @@ -482,6 +497,14 @@ commonOpts = | |||
| , boldItalicized "Default: " <> coloredBoldItalicized Green "full" | |||
| ] | |||
|
|
|||
| configHelp :: Maybe (Doc AnsiStyle) | |||
There was a problem hiding this comment.
I don't see a reason for these to be Maybe since it doesn't seem like there's any possibility that they will be Nothing. This forces consumers of that data to handle the case of Nothing regardless though.
There was a problem hiding this comment.
These help docs are of type Maybe due to Options.Applicative helpDoc function. It required aMaybe type.
| cliParser = | ||
| AddProjectsOpts | ||
| <$> releaseGroupCommonOpts | ||
| <*> optional (strOption (applyFossaStyle <> long "config" <> short 'c' <> helpDoc configHelp)) |
There was a problem hiding this comment.
I'm fine with a ticket, but I was only asking for sharing for the config values defined in this PR. That we can't get sharing for everything doesn't mean it isn't good to do it where it's possible and relatively easy.
src/App/Fossa/ReleaseGroup/Common.hs
Outdated
| [] -> pure Nothing | ||
| [releaseGroup] -> pure . Just $ releaseGroupId releaseGroup | ||
| (_ : _ : _) -> | ||
| errHelp ("Navigate to the FOSSA web UI to rename your release groups so that they are unqiue" :: Text) |
There was a problem hiding this comment.
| errHelp ("Navigate to the FOSSA web UI to rename your release groups so that they are unqiue" :: Text) | |
| errHelp ("Navigate to the FOSSA web UI to rename your release groups so that they are unique." :: Text) |
There was a problem hiding this comment.
Relatedly, as you find things that you think should be constrained in FOSSA's data-model to be unique, can you make tickets if you haven't yet?
| ### What is the difference between project ID and project locator? | ||
|
|
||
| In the CLI, project ID refers to a specific portion of a project locator. When running `fossa analyze` on a project for the first time, if project ID is not directly configured, it will default to: | ||
|
|
||
| - Git: The CLI will look for a `.git/config` file and set the ID to the project's remote "origin" url. | ||
| - SVN: The CLI will run `svn info` and use the "Repository Root". | ||
| - No VCS (Version control system): The ID will be set to the name of the project's directory. | ||
|
|
||
| <img src="../../assets/project-id-example.png"> | ||
|
|
||
|
|
||
| After project ID is set, the CLI will use that value to construct a project locator on first time analysis. A project locator is a unique ID that the FOSSA API will use to reference a project across FOSSA. | ||
|
|
||
| > NOTE: Projects uploaded through the CLI will have `custom` embedded into the project locator. | ||
|
|
||
| <img src="../../assets/project-locator-example.png"> | ||
|
|
||
| ### When do I use project ID vs project locator? | ||
|
|
||
| Project ID should be used when referencing projects uploaded via the CLI. In most cases, providing just a project ID is sufficient. However, when referencing projects uploaded through avenues outside the CLI (Quick Import, Archive Upload, etc), providing just a project ID fails. This is due to the nature of FOSSA's project naming conventions as project locators are constructed differently depending on how a project was uploaded. There is no way to tell at runtime which project a user is referencing when only given a project ID (i.e. Is this a project uploaded via the CLI or Archive Upload?). | ||
|
|
||
| In `fossa release-group` project locator is used to reference projects that will be added to your release group's release. By using project locator, all FOSSA project upload flows are covered and the CLI is able to determine the specific project a user is trying to add to a release. |
There was a problem hiding this comment.
Let me know if this makes sense or if I should word this differently.
Overview
The CLI should offer a way to create release groups from the command line. Creating and deleting other org-level objects should be done through their own command.
Acceptance criteria
There is a way to create and delete a release group from the CLI.
Emit audit logs on release group creation in CORE
Testing plan
example .fossa.yml:
Create a release group:
fossa release-group create --title example-title --release example-release-title --project-locator custom+1/git@github.com/example --project-revision 12345 --project-branch mainfossa release-group create -c /path/to/.fossa.yml/Add projects to a release group:
fossa release-group add-projects --title example-title --release example-release-title --project-locator custom+1/git@github.com/example --project-revision 12345 --project-branch mainfossa release-group add-projects -c /path/to/.fossa.yml/Delete a release group:
fossa release-group delete --title example-titleDelete a release group release:
fossa release-group delete-release --title example-title --release example-release-titleRisks
Metrics
References
Checklist
docs/.docs/README.msand gave consideration to how discoverable or not my documentation is.Changelog.md. If this PR did not mark a release, I added my changes into an# Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.jsonAND I have updated example files used byfossa initcommand. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).docs/references/subcommands/<subcommand>.md.