transmission version: check with SHA & allow git push to trigger build workflow #2843
Conversation
|
Good point about overwritten version releases, but anyone doing that is a terrible practice for precisely this reason. It is typical to release fixes for pulled versions as a new version even if the old one is no longer available. Has transmission done this in the past? |
|
Yea, I've had to upload hotfixes before, and even if I'd deleted the originals, they would still have been distinct ( While I don't think Transmission ever have or would do it, it's best to avoid the risk if we can. kinda off-topicI've a vague recollection of a Jackett build half failing for us, and we just re-ran the job. It had only been public for 2mins, but it was the same version number. Not a great example of high standards, but CCleaner pulled a build that was bugged to all hell, and a few days later re-released it, same version number. Also, bit of an aside, but WinRAR has terrible versioning when it comes their beta builds. You can currently download Long story short, sometimes even sensible people do stupid things. But otherwise, does that look ok to you? Do you think |
|
the code looks good to me for extracting the sha. I'm not sure if token is required or not. can always add it on next release of transmission if the commit fails |
|
@pkishino are you able to add the secret and merge this? Thanks |
ilike2burnthing
force-pushed
the
versioncheck
branch
from
779bdb2
to
140b2a7
Compare
|
Whoops, also requires #2849, as I'm also going to roll back the three upstream txt files to 4.0.5, so we can test if this actually works when merged, without having to manually trigger anything. |
ilike2burnthing
force-pushed
the
versioncheck
branch
from
573a2a6
to
5a4bb85
Compare
|
I’ll take a look at this later, but as I’m not the owner of this repo I don’t think I can create a pat with the great necessary rights.. |
|
Ah, good point. My guess would be that if you can write to a repo, then your PAT should be able to be used to do so as well, but I haven't tried it, so 🤷 |
Breaking change
Proposed change
@ksurl & @pkishino
Looking at the commits for this on the dev branch, there appear to be two problems:
4.0.5A healthy job fetches ~25000B, whereas an unhealthy job is ~100 times less than that, so I'm guessing some sort of error page (there's no output to confirm).
Adding the additional check, that
LATEST_VERSIONisn't null or empty, should prevent these pointless bot commits.While unlikely, Transmission could publish a new build (e.g.
4.0.6), we pull and build with it, they delete it (say because of a security hotfix), and they publish a new4.0.6build. The workflow would not see this as a new build, and we'd be left using the vulnerable build. Switching to the commit SHA avoids this issue.Alternatively, we could use one of the following:
Published Date
Release ID
You can see the results of the workflow here:
Currently, the
git pushhere does not trigger theTransmission Buildsworkflow. This requires the use of a personal access token withreporights, and which would need to be set up as a repository secret with the namePAT, before committing this PR.I don't know if that would also be need for
docker-transmission-builds.yml, in order to trigger theImage Buildsworkflow, I can't test that out.Questions, comments, whatever; let me know.
Type of change
Additional information
fixes #relates to #2691https://...Checklist
If user exposed functionality or configuration variables are added/changed: