Documenting and cleaning up our github action workflows part 1 #6153
Conversation
test plan: wait for CI to kick in and check if everything is green
aryx
requested review from
spencerdrak,
underyx,
brendongo,
emjin and
mjambon
|
To whoever review, the goal is to better document our workflow. I've put some TODOs in the yaml file when I don't know something so if you have the knowledge it would be great if in your review you comment next to it so then I can fill those TODOs with what you've explained. |
aryx
changed the title
.github/workflows/e2e-semgrep-ci.yml
Outdated
| @@ -1,4 +1,7 @@ | |||
| #TODO: The goal of this workflow is ??? | |||
There was a problem hiding this comment.
This workflow is set up to do some very basic E2E checks - makes sure that semgrep will still run both on a pull request and via semgrep ci. The context here is that we had some cases where releases went out that were broken in simple ways, and this gives us some confident that nightly semgrep still works.
There was a problem hiding this comment.
It also allows us to confirm fail-open behavior is still functioning as expected (e.g., we aren't passing on blocking findings)
.github/workflows/README.md
Outdated
| release.yml has been accepted or is hanging around unmerged | ||
|
|
||
| - homebrew-core-head.yml: cron to check that the Homebrew Core Formula | ||
| created by release.yml works (TODO: why can't this be part of validate-release.yml? |
There was a problem hiding this comment.
These jobs take >60 minutes to run, and require that the latest version of the homebrew formula is up to date, which only occurs after release. The PRs to homebrew also are merged when the homebrew teams gets to them - we shouldn't block on actions we can't control.
|
📸 The pytest shapshots changed in your PR.
|
.github/workflows/README.md
Outdated
| created by release.yml works (TODO: why can't this be part of validate-release.yml? | ||
| because it usually take some time for homebrew developers to accept the PRs | ||
| so we can't test directly? hence find-old-brew-prs.yml and homebrew-core-head.yml | ||
| workflows?) |
| name: lint | ||
|
|
There was a problem hiding this comment.
I haven't touched much of this workflow, will try and answer questions but may leave gaps based on context.
There was a problem hiding this comment.
@brendongo might have context.
.github/workflows/lint.yml
Outdated
| pre-commit: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| #TODO: why do we need this ref:? doesn't checkout@v3 grabs the right branch by default? |
There was a problem hiding this comment.
It should. I can't speak for this specific case, but in the workflows I've been a part of implementing, we've set this explicitly to remove assumptions and make it clear for follow on maintainers.
.github/workflows/lint.yml
Outdated
| with: | ||
| GET_FILE_DIFF: true | ||
| PATTERNS: cli/src/semgrep/** | ||
| - id: changelog_diff | ||
| name: Get changelog diff | ||
| uses: technote-space/get-diff-action@v6.1.0 | ||
| #TODO: should we get rid of this whole job now that we use changelog.d/? |
| @@ -17,6 +21,7 @@ jobs: | |||
| runs-on: ubuntu-latest | |||
| container: returntocorp/ocaml:alpine-2022-06-09 | |||
| steps: | |||
| #TODO: why do we need this? What does not work if we don't have this? | |||
.github/workflows/e2e-semgrep-ci.yml
Outdated
| @@ -1,4 +1,7 @@ | |||
| #TODO: The goal of this workflow is ??? | |||
There was a problem hiding this comment.
It also allows us to confirm fail-open behavior is still functioning as expected (e.g., we aren't passing on blocking findings)
| @@ -1,9 +1,12 @@ | |||
| # Verify Homebrew Core Formula Works | |||
| # Cron to verify that the Homebrew Core Formula Works. | |||
| # This formula is created by ??? | |||
There was a problem hiding this comment.
This formula is created by our release process with the PR to homebrew/homebrew-core. What this workflow does is uses the latest version of the formula at that repo, but develop branch source code from our PR. This serves two purposes:
- Verifies that our changes don't break brew
- Gives us time before release to fix these issues and adjust our homebrew formula if needed.
.github/workflows/start-release.yml
Outdated
| @@ -45,6 +52,7 @@ jobs: | |||
| submodules: "recursive" | |||
| ref: "${{ github.event.repository.default_branch }}" | |||
| token: "${{ steps.token.outputs.token }}" | |||
| #TODO: Why do we need this? checkout@v3 does not get the tags by default? | |||
There was a problem hiding this comment.
See comment below, however, no. checkout@v3 only gets tags if you do a fully checkout, which is too heavyweight. We don't want all branches and everything that ever existed on the repo, so we just do a lightweight checkout and then get the tags ourselves.
.github/workflows/README.md
Outdated
| - revert-semgrep-docker-image.yml: interactive workflow | ||
| to manually revert the semgrep 'latest' docker image. | ||
|
|
||
| - e2e-semgrep-ci.yml: ??? |
There was a problem hiding this comment.
See the comment on the workflow file for a description.
|
📸 The pytest shapshots changed in your PR.
|
.github/workflows/lint.yml
Outdated
| - name: Fetch semgrep-cli submodules | ||
| run: git submodule update --init --recursive --recommend-shallow cli/src/semgrep/lang cli/src/semgrep/semgrep_interfaces | ||
| #TODO: why this is needed? pre-commit/action@v3 requires this setup-python to run? | ||
| # what is this cache-dependency-path? |
There was a problem hiding this comment.
This caches the pip installed dependencies that pre-commit uses. Otherwise it will need to reinstall everytime
There was a problem hiding this comment.
And yes pre-commit is a python script :D https://github.com/pre-commit/pre-commit
There was a problem hiding this comment.
so each time you use the pre-commit/action, you also need to setup python before? The github action don't have a way to pull automatic dependencies?
.github/workflows/lint.yml
Outdated
| - uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: "3.10" | ||
| cache: pip | ||
| cache-dependency-path: .github/workflows/lint.yml | ||
| - uses: pre-commit/action@v3.0.0 | ||
|
|
||
| #TODO: what is the difference with the 'pre-commit' job above? looks only | ||
| # the extra_args below but what is it for? What will not work without that? |
There was a problem hiding this comment.
The extra args runs https://github.com/returntocorp/semgrep/blob/develop/.pre-commit-config.yaml#L150
which dont run on normal pre-commit since they would slow down pre-commit on local development. The intention is a test that runs semgrep-pre-commit. So we can also split this out to a different config?
There was a problem hiding this comment.
why not add just the
with:
extra_args: --hook-stage manual
in the pre-commit job instead of duplicating all the parts before and make it a separate job?
Because it can run in parallel then?
There was a problem hiding this comment.
I don't see any difference though oin the pre-commit config file between:
# Dogfood! running semgrep in pre-commit!
- repo: https://github.com/returntocorp/semgrep
rev: "v0.100.0"
hooks:
- id: semgrep
name: Semgrep Python
types: [python]
exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
args: ["--config", "https://semgrep.dev/p/python", "--error"]
- id: semgrep
name: Semgrep Bandit
types: [python]
exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
args: ["--config", "https://semgrep.dev/p/bandit", "--error"]
and
# Run develop semgrep. Only used in CI since it's slower for local developmemt.
# To run locally use `pre-commit run --hook-stage manual semgrep-docker-develop`
- repo: https://github.com/returntocorp/semgrep
rev: "v0.100.0"
hooks:
- id: semgrep-docker-develop
name: Semgrep Develop Python
types: [python]
exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
args: ["--config", "p/python", "--error"]
stages: [manual]
- id: semgrep-docker-develop
name: Semgrep Develop Bandit
types: [python]
exclude: "^cli/tests/.+$|^scripts/.+$|^cli/setup.py$"
args: ["--config", "p/bandit", "--error"]
stages: [manual]
in both cases we use rev: "v0.100.0" so we don't really test the develop docker image here.
* Documenting and cleaning up our github action workflows test plan: wait for CI to kick in and check if everything is green * more comments * more * adding the comments of brendon and spencer (and adding a few TODOs)
test plan:
wait for CI to kick in and check if everything is green
PR checklist:
If you're unsure on any of this, please see: