embed git sha in code to detect whether code is built from current resources #2625

shane-tomlinson · 2015-06-21T14:54:49Z

We have /ver.json that reports the current git sha, but I am never 100% confident the code was built from that sha. If the git sha were embedded in the code, or as part of the filename, I'd have a lot more confidence the current code is what we think it is.

The text was updated successfully, but these errors were encountered:

vladikoff · 2015-06-21T15:07:21Z

@shane-tomlinson should that be available on some global namespace on window?
Filename can be tricky due to caching thing we have, but is also possible.

shane-tomlinson · 2015-06-21T15:28:04Z

@vladikoff - or perhaps even a comment at the top of the file.

vladikoff · 2015-06-29T18:35:11Z

Could be done as part of #2626

vladikoff · 2015-08-06T20:40:02Z

from irc:

the fxa-content .git repo is not deployed
so that sha is already available in ver.json.
the rpm build script puts it there
https://github.com/mozilla/fxa-content-server/blob/master/server/lib/routes/get-ver.json.js#L10 or https://github.com/mozilla/fxa-content-server/blob/master/server/lib/version.js#L35
get-ver.json could use a little cleanup. It requires version.json at startup . carefully requires it later inside a try/catch
I guess the thing is that we just package and ship whatever is left after grunt build. .git is not present at that point, but we could change order so config/version.json is available before grunt.

jrgm · 2015-08-06T21:41:03Z

@shane-tomlinson - where are you not confident that the version in /ver.json does not represent the sha of the code that built it? Prod/Stage? latest? other?

shane-tomlinson · 2015-08-10T09:40:56Z

@shane-tomlinson - where are you not confident that the version in /ver.json does not represent the sha of the code that built it? Prod/Stage? latest? other?

All of the above. Embedding the git sha in the code is just another way to verify expectations match reality.

Output looks like: ```js /*! fxa-content-server@0.47.1 -- Mon Oct 12 2015 20:04:55 * * Git sha: 22cfb27e645042d1eb70e8509b2a36f8235837ff * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. * * For more information, see https://github.com/mozilla/fxa-content-server/ */ ``` fixes #2625

vladikoff · 2015-10-21T00:08:36Z

blocked by changes to an external script #3160 (comment)

Output looks like: ```js /*! fxa-content-server@0.47.1 -- Mon Oct 12 2015 20:04:55 * * Git sha: 22cfb27e645042d1eb70e8509b2a36f8235837ff * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. * * For more information, see https://github.com/mozilla/fxa-content-server/ */ ``` fixes #2625

vladikoff · 2015-10-26T13:57:15Z

added waffle:review and removed waffle:blocked labels 8 hours ago

Hm, Not sure what happened there, did this move automatically? AFAIK the issue / pr is blocked by an external script.

rfk · 2015-10-26T21:39:00Z

from meeting, @jrgm said this was ready to merge

shane-tomlinson mentioned this issue Jun 21, 2015

No license information at the top of the production JS #2626

Closed

vladikoff added the good first bug label Jun 29, 2015

vladikoff mentioned this issue Jul 9, 2015

Add content server version to Sentry logs #2724

Closed

rfk added the good-first-bug label Jul 13, 2015

rfk added waffle:backlog and removed good first bug labels Aug 10, 2015

vladikoff added waffle:next and removed good-first-bug waffle:backlog labels Aug 19, 2015

rfk added this to the FxA-0: quality and maintenance milestone Aug 21, 2015

vladikoff assigned shane-tomlinson Oct 5, 2015

vladikoff added waffle:now and removed waffle:next labels Oct 5, 2015

shane-tomlinson added waffle:progress and removed waffle:now labels Oct 12, 2015

shane-tomlinson mentioned this issue Oct 12, 2015

feat(build): Add the git sha used in the build to the production JS. #3160

Merged

shane-tomlinson added waffle:review waffle:backlog and removed waffle:progress waffle:review labels Oct 12, 2015

shane-tomlinson removed their assignment Oct 19, 2015

vladikoff self-assigned this Oct 20, 2015

vladikoff removed the waffle:backlog label Oct 20, 2015

vladikoff added waffle:progress waffle:blocked and removed waffle:progress labels Oct 20, 2015

vladikoff assigned jrgm and unassigned vladikoff Oct 21, 2015

rfk added waffle:review and removed waffle:blocked labels Oct 26, 2015

vladikoff added waffle:blocked and removed waffle:review labels Oct 26, 2015

rfk added waffle:review and removed waffle:blocked labels Oct 26, 2015

vladikoff closed this in #3160 Oct 26, 2015

vladikoff removed the waffle:review label Oct 26, 2015

mozilla / fxa-content-server Archived

embed git sha in code to detect whether code is built from current resources #2625

embed git sha in code to detect whether code is built from current resources #2625

shane-tomlinson commented Jun 21, 2015

vladikoff commented Jun 21, 2015

shane-tomlinson commented Jun 21, 2015

vladikoff commented Jun 29, 2015

vladikoff commented Aug 6, 2015

jrgm commented Aug 6, 2015

shane-tomlinson commented Aug 10, 2015

vladikoff commented Oct 21, 2015

vladikoff commented Oct 26, 2015

rfk commented Oct 26, 2015

mozilla / fxa-content-server Archived

embed git sha in code to detect whether code is built from current resources #2625

embed git sha in code to detect whether code is built from current resources #2625

Comments

shane-tomlinson commented Jun 21, 2015

vladikoff commented Jun 21, 2015

shane-tomlinson commented Jun 21, 2015

vladikoff commented Jun 29, 2015

vladikoff commented Aug 6, 2015

jrgm commented Aug 6, 2015

shane-tomlinson commented Aug 10, 2015

vladikoff commented Oct 21, 2015

vladikoff commented Oct 26, 2015

rfk commented Oct 26, 2015