New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add update-unwanted-dependencies.sh to track unwanted dependencies #102309
add update-unwanted-dependencies.sh to track unwanted dependencies #102309
Conversation
@pacoxu: GitHub didn't allow me to request PR reviews from the following users: gautierdelorme. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@pacoxu: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
A quick discussion with Gautier on slack, some explanation on the PR for track My initial idea:
|
4f5e73e
to
6b499a8
Compare
@gautierdelorme Updated. Thanks for your comments. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we perhaps document why these are forbidden / unwanted?
maybe we can have # comment
lines, or at least leave some notes in this PR (for future PRs changing these presumably I can track the git blame to the PR and see the discussion there)
6b499a8
to
0413e44
Compare
@gautierdelorme I updated the PR. Thanks for you comments. |
Good idea. We may choose a comment style or data structure and continue.
or
or
Currently, only
|
agree on having a comment/reason I wonder if structured input and writing the check in a real language like go would be preferable (for example, see cmd/importverifier/importverifier.go and the associated .import-restriction input files) |
inputs could be the file containing unwanted/forbidden inputs, and a file containing the output of the tool could then evaluate the that structure would allow easy unit testing of hypothetical unwanted/forbidden config vs hypothetical |
we might also want to consider making it possible to run some of these dep tools we're writing as one program that can invoke go mod graph once, IIRC it's pretty slow to do this on a repo this size. |
we're building up quite a list of unwanted deps in #102145 ... would be good to get an initial version of this in. |
519b6d1
to
ba11d54
Compare
ba11d54
to
dfab0d0
Compare
Update the unwanted list
|
// eliminating things from this list is good. | ||
DirectReferences []string `json:"directReferences"` | ||
|
||
// unwanted modules indirectly referenced from modules other than spec.roots, based on `go mod graph` content. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feedback from the go team and behavior change in go1.17 indicate go mod graph
isn't the right tool to determine direct/indirect dependencies (#104461). However, since go list
does not return results for all build tags, there's not a clear alternative at the moment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ugh, so how can we make progress here? :(
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hoisting from slack:
we can use go mod graph to get the full set of dependencies
which is what the tool is using now
but to resolve the "TODOs" distinguishing direct/indirect, it won't help us
so it would still be useful for keeping an unwanted dependency we've eradicated from creeping back in
but it won't be useful for keeping one that is currently an indirect dep from creeping in as a direct dep (edited)
/assign |
i am happy with this. /approve will wait for @pacoxu to peek at the last comments here and on slack before we ship this. |
Signed-off-by: pacoxu <paco.xu@daocloud.io> Co-authored-by: Jordan Liggitt <jordan@liggitt.net> Signed-off-by: pacoxu <paco.xu@daocloud.io>
dfab0d0
to
af0b801
Compare
Updated. The change I made
|
this is the current output if a module adds a bad dependency on klog:
with this PR, the output changes to:
A couple observations:
I think this needs to be clearer when there's a mismatch in the status. For anything currently in the file that should be removed from status, that's great and we can just tell them to drop the thing from status. For anything not in the file that is newly referenced, we should print out the modules depending on the unwanted dependency so they can fix those. |
I just try to refactor the output. And I will update the
For a removed dependency
A dependency
|
b68fdd7
to
74c2fe2
Compare
This looks closer, but I think we still need to be more specific about which modules are referencing the unwanted dependencies, and what action should be taken. Something like the following gives different guidance depending on which situation the user encounters: diff --git a/cmd/dependencyverifier/dependencyverifier.go b/cmd/dependencyverifier/dependencyverifier.go
index 26f56952996..ecf367945a3 100644
--- a/cmd/dependencyverifier/dependencyverifier.go
+++ b/cmd/dependencyverifier/dependencyverifier.go
@@ -187,21 +187,22 @@ func main() {
// Compare unwanted list from unwanted-dependencies.json with current status from `go mod graph`
removedReferences, unwantedReferences := difference(configFromFile.Status.References, config.Status.References)
if len(removedReferences) > 0 {
- log.Println("The following dependencies are removed:")
+ log.Println("Good news! The following unwanted dependencies are no longer referenced:")
for reference := range removedReferences {
- fmt.Println(reference)
+ log.Printf(" %s", reference)
}
+ log.Printf("!!! Remove the unwanted dependencies from status in %s to ensure they don't get reintroduced", dependenciesJSONPath)
needUpdate = true
}
if len(unwantedReferences) > 0 {
- log.Println("The following dependencies are not allowed:")
+ log.Printf("The following unwanted dependencies marked in %s are referenced:", dependenciesJSONPath)
for reference := range unwantedReferences {
- fmt.Println(reference)
+ log.Printf(" %s (referenced by %s)", reference, strings.Join(modeGraph[reference], ", "))
}
+ log.Printf("!!! Avoid updating referencing modules to versions that reintroduce use of unwanted dependencies\n")
needUpdate = true
}
if needUpdate {
- log.Println("!!! Please update status in ./hack/unwanted-dependencies.json")
os.Exit(1)
}
} |
74c2fe2
to
b99e1e4
Compare
Updated, new output is like below.
|
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dims, liggitt, pacoxu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
/area code-organization
/sig architecture
What this PR does / why we need it:
Verify: Run ./hack/lint-dependencies.sh
Test results:
Which issue(s) this PR fixes:
Fixes #102145
Special notes for your reviewer:
Does this PR introduce a user-facing change?
/cc @liggitt @gautierdelorme @dims