-
Notifications
You must be signed in to change notification settings - Fork 602
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Documenting and cleaning up our github action workflows part 1 #6153
Conversation
test plan: wait for CI to kick in and check if everything is green
To whoever review, the goal is to better document our workflow. I've put some TODOs in the yaml file when I don't know something so if you have the knowledge it would be great if in your review you comment next to it so then I can fill those TODOs with what you've explained. |
.github/workflows/e2e-semgrep-ci.yml
Outdated
@@ -1,4 +1,7 @@ | |||
#TODO: The goal of this workflow is ??? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This workflow is set up to do some very basic E2E checks - makes sure that semgrep will still run both on a pull request and via semgrep ci
. The context here is that we had some cases where releases went out that were broken in simple ways, and this gives us some confident that nightly semgrep still works.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It also allows us to confirm fail-open behavior is still functioning as expected (e.g., we aren't passing on blocking findings)
.github/workflows/README.md
Outdated
release.yml has been accepted or is hanging around unmerged | ||
|
||
- homebrew-core-head.yml: cron to check that the Homebrew Core Formula | ||
created by release.yml works (TODO: why can't this be part of validate-release.yml? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These jobs take >60 minutes to run, and require that the latest version of the homebrew formula is up to date, which only occurs after release. The PRs to homebrew also are merged when the homebrew teams gets to them - we shouldn't block on actions we can't control.
📸 The pytest shapshots changed in your PR.
|
.github/workflows/README.md
Outdated
created by release.yml works (TODO: why can't this be part of validate-release.yml? | ||
because it usually take some time for homebrew developers to accept the PRs | ||
so we can't test directly? hence find-old-brew-prs.yml and homebrew-core-head.yml | ||
workflows?) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct assumption.
name: lint | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't touched much of this workflow, will try and answer questions but may leave gaps based on context.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@brendongo might have context.
.github/workflows/lint.yml
Outdated
pre-commit: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
#TODO: why do we need this ref:? doesn't checkout@v3 grabs the right branch by default? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should. I can't speak for this specific case, but in the workflows I've been a part of implementing, we've set this explicitly to remove assumptions and make it clear for follow on maintainers.
.github/workflows/lint.yml
Outdated
with: | ||
GET_FILE_DIFF: true | ||
PATTERNS: cli/src/semgrep/** | ||
- id: changelog_diff | ||
name: Get changelog diff | ||
uses: technote-space/get-diff-action@v6.1.0 | ||
#TODO: should we get rid of this whole job now that we use changelog.d/? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably, yes.
@@ -17,6 +21,7 @@ jobs: | |||
runs-on: ubuntu-latest | |||
container: returntocorp/ocaml:alpine-2022-06-09 | |||
steps: | |||
#TODO: why do we need this? What does not work if we don't have this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was needed the last time I looked at this part of the workflow (~3 months ago). Maybe @underyx knows.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think @mjambon actually wrote those pre-checkout fixes
.github/workflows/e2e-semgrep-ci.yml
Outdated
@@ -1,4 +1,7 @@ | |||
#TODO: The goal of this workflow is ??? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It also allows us to confirm fail-open behavior is still functioning as expected (e.g., we aren't passing on blocking findings)
@@ -1,9 +1,12 @@ | |||
# Verify Homebrew Core Formula Works | |||
# Cron to verify that the Homebrew Core Formula Works. | |||
# This formula is created by ??? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This formula is created by our release process with the PR to homebrew/homebrew-core
. What this workflow does is uses the latest version of the formula at that repo, but develop
branch source code from our PR. This serves two purposes:
- Verifies that our changes don't break brew
- Gives us time before release to fix these issues and adjust our homebrew formula if needed.
.github/workflows/start-release.yml
Outdated
@@ -45,6 +52,7 @@ jobs: | |||
submodules: "recursive" | |||
ref: "${{ github.event.repository.default_branch }}" | |||
token: "${{ steps.token.outputs.token }}" | |||
#TODO: Why do we need this? checkout@v3 does not get the tags by default? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See comment below, however, no. checkout@v3 only gets tags if you do a fully checkout, which is too heavyweight. We don't want all branches and everything that ever existed on the repo, so we just do a lightweight checkout and then get the tags ourselves.
.github/workflows/README.md
Outdated
- revert-semgrep-docker-image.yml: interactive workflow | ||
to manually revert the semgrep 'latest' docker image. | ||
|
||
- e2e-semgrep-ci.yml: ??? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See the comment on the workflow file for a description.
📸 The pytest shapshots changed in your PR.
|
.github/workflows/lint.yml
Outdated
- name: Fetch semgrep-cli submodules | ||
run: git submodule update --init --recursive --recommend-shallow cli/src/semgrep/lang cli/src/semgrep/semgrep_interfaces | ||
#TODO: why this is needed? pre-commit/action@v3 requires this setup-python to run? | ||
# what is this cache-dependency-path? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This caches the pip installed dependencies that pre-commit uses. Otherwise it will need to reinstall everytime
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And yes pre-commit is a python script :D https://github.com/pre-commit/pre-commit
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so each time you use the pre-commit/action, you also need to setup python before? The github action don't have a way to pull automatic dependencies?
.github/workflows/lint.yml
Outdated
- uses: actions/setup-python@v4 | ||
with: | ||
python-version: "3.10" | ||
cache: pip | ||
cache-dependency-path: .github/workflows/lint.yml | ||
- uses: pre-commit/action@v3.0.0 | ||
|
||
#TODO: what is the difference with the 'pre-commit' job above? looks only | ||
# the extra_args below but what is it for? What will not work without that? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The extra args runs https://github.com/returntocorp/semgrep/blob/develop/.pre-commit-config.yaml#L150
which dont run on normal pre-commit since they would slow down pre-commit on local development. The intention is a test that runs semgrep-pre-commit. So we can also split this out to a different config?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why not add just the
with:
extra_args: --hook-stage manual
in the pre-commit job instead of duplicating all the parts before and make it a separate job?
Because it can run in parallel then?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see any difference though oin the pre-commit config file between:
# Dogfood! running semgrep in pre-commit!
- repo: https://github.com/returntocorp/semgrep
rev: "v0.100.0"
hooks:
- id: semgrep
name: Semgrep Python
types: [python]
exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
args: ["--config", "https://semgrep.dev/p/python", "--error"]
- id: semgrep
name: Semgrep Bandit
types: [python]
exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
args: ["--config", "https://semgrep.dev/p/bandit", "--error"]
and
# Run develop semgrep. Only used in CI since it's slower for local developmemt.
# To run locally use `pre-commit run --hook-stage manual semgrep-docker-develop`
- repo: https://github.com/returntocorp/semgrep
rev: "v0.100.0"
hooks:
- id: semgrep-docker-develop
name: Semgrep Develop Python
types: [python]
exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
args: ["--config", "p/python", "--error"]
stages: [manual]
- id: semgrep-docker-develop
name: Semgrep Develop Bandit
types: [python]
exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
args: ["--config", "p/bandit", "--error"]
stages: [manual]
in both cases we use rev: "v0.100.0" so we don't really test the develop docker image here.
* Documenting and cleaning up our github action workflows test plan: wait for CI to kick in and check if everything is green * more comments * more * adding the comments of brendon and spencer (and adding a few TODOs)
test plan:
wait for CI to kick in and check if everything is green
PR checklist:
If you're unsure on any of this, please see: