[ci] fix git checkout for comment-triggered CI jobs

[jameslamb]

See #5159 (comment).

A patch was recently pushed in git which fixes a newly-discovered security vulnerability. That patch causes the actions/checkout GitHub Action to fail for containerized jobs. See #5151 for details.

#5152 sought to fix that for LightGBM's CI jobs, but missed optional jobs triggered by comments.

This PR applies that fix to those jobs.

Note for Reviewers

Since the configs for these comment-triggered jobs are sourced from master, I think this PR will have to be merged and then we'll have to use comments on another open PR to test.

[shiyu1994]

@jameslamb @StrikerRUS Do you have any idea why Azure Pipeline fails with the above error?

[jameslamb]

😬 looking at logs like this:

/__w/1/s/.ci/setup.sh: line 58: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
sudo: locale-gen: command not found
sudo: update-locale: command not found
/__w/1/s/.ci/setup.sh: line 104: curl: command not found
sh: 0: cannot open miniforge.sh: No such file
/__w/1/s/.ci/setup.sh: line 114: conda: command not found
/__w/1/s/.ci/setup.sh: line 115: conda: command not found

https://dev.azure.com/lightgbm-ci/lightgbm-ci/_build/results?buildId=12625&view=logs&j=275189f9-c769-596a-7ef9-49fb48a9ab70&t=1fb0a3dd-ad11-527b-ef3d-485324b146c4

I suspect that the default permissions in Azure DevOps linux images (or maybe the default user that jobs run as) has changed significantly. Can try to test tonight.

If you or @StrikerRUS want to test fixes to this today before I get to it, you can push directly to this branch to test them.

[jameslamb]

I just tried manually re-running the failed jobs and unfortunately they failed with the same errors.

https://dev.azure.com/lightgbm-ci/lightgbm-ci/_build/results?serviceHost=f20a5aec-1eb1-4148-b39d-05f96db00af1%20(lightgbm-ci)&buildId=12625&view=results&j=c28dceab-947a-5848-c21f-eef3695e5f11

[jameslamb]

Comparing the logs from the failed jobs and the most recent successful job, I can see we're now getting a new version of Ubuntu from tag ubuntu:latest. Until recently, ubuntu:latest pointed to v20.04 but now it points to v22.04.

From failed build (link)

Digest: sha256:2a7dffab37165e8b4f206f61cfd984f8bb279843b070217f6ad310c9c31c9c7c
Status: Downloaded newer image for ubuntu:latest
docker.io/library/ubuntu:latest

Ran the following to check the Ubuntu version in that image.

docker run \
    --rm \
    -it ubuntu@sha256:2a7dffab37165e8b4f206f61cfd984f8bb279843b070217f6ad310c9c31c9c7c \
    cat /etc/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04 LTS"

And from the most recent successful job (link)

Digest: sha256:9101220a875cee98b016668342c489ff0674f247f6ca20dfc91b91c0f28581ae
Status: Downloaded newer image for ubuntu:latest
docker.io/library/ubuntu:latest

Ran the following to check the Ubuntu version in that image.

docker run \
    --rm \
    -it ubuntu@sha256:9101220a875cee98b016668342c489ff0674f247f6ca20dfc91b91c0f28581ae \
    cat /etc/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.4 LTS"

[StrikerRUS]

Also this announce might be related:

Azure DevOps has started rollout of changes to disable communication over TLS 1.0 and TLS 1.1. This change is permanent and if your tools are dependent on TLS 1.0/1.1 for communication with Azure DevOps, please take necessary actions to enable TLS1.2, as detailed in the blog.

[jameslamb]

oooo interesting, thank you! I hadn't noticed that.

I now strongly suspect that some of the setup just needs to be altered to account for the new Ubuntu version. If you look at the logs from the most recent build (https://dev.azure.com/lightgbm-ci/lightgbm-ci/_build/results?buildId=12636&view=results), I can see now that a few Linux_latest jobs are succeeding, and others are failing with errors complaining about some packages not being available:

E: Unable to locate package libicu66
E: Unable to locate package libssl1.1
E: Couldn't find any package by glob 'libssl1.1'
E: Couldn't find any package by regex 'libssl1.1'

I'll keep testing here and locally in Docker, I think I'm getting closer.

[StrikerRUS]

Could we separate this PR into two: [this] one for "fix git checkout for comment-triggered CI jobs" and another one for "some of the setup just needs to be altered to account for the new Ubuntu version"?

[jameslamb]

Could we separate this PR into two

Yes definitely! I totally support that idea.

Just reverted this PR back to only fixes for the git issue, and opened #5186 documenting the work to return the Azure jobs back to ubuntu:latest.

[StrikerRUS]

and opened #5186

Thank you so much!

[StrikerRUS]

Close-reopen to update CLA status.

[StrikerRUS]

Hmm, what is this?.. 😕

https://microsoft.github.io/GitOps/

[StrikerRUS]

Looks like bad uncomment action led to extra whitespace characters were added. Please exclude this file from the diff.

[jameslamb]

blegh sorry about that, just pushed commits removing this from the diff

[jameslamb]

at that link, I see

This service is the foundation for the compliance and governance efforts on our GitHub instance

So I guess it must be another governance thing that Microsoft enabled on all its repos? @shiyu1994 can you tell us about this?

[shiyu1994]

can you tell us about this?

Seems that the check has been removed. I'm not sure why it was introduced before.

[jameslamb]

hmmm ok. Thanks for checking!

[github-actions]

This pull request has been automatically locked since there has not been any recent activity since it was closed. To start a new related discussion, open a new issue at https://github.com/microsoft/LightGBM/issues including a reference to this.