New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reproduce ns-3 per-commit CI pipelines (push, MR) #141
Conversation
e3f06f7
to
ea1982e
Compare
ea1982e
to
95dafc0
Compare
Thanks for your efforts! In terms of the MR itself, I am not a big fan of introducing tests we do not pass. Therefore, I'd like to fix the ones that currently fail before merging this. |
I agree with you that before merging we should first fix the code that makes the tests fail. Shouldn't we have a separate MR for each problem to keep the history clean? Yesterday I was also able to fix the problems that caused caused building the doxygen documentation to fail. Unfortunately, the doxygen test itself (coverage != from building) is bound to fail until we comment all the code, which could be a long process. (I'll keep this MR updated with changes and make sure it works) |
As long as changes are rather small (such as removing the emacs lines), I'd keep everything in this MR. |
But if we tie these corrections to the present MR, they will not be integrated until we are satisfied with the workflow pipeline tests. Also they are a bit out of scope for this MR which is already quite big. |
I personally feel like this is a bit overkill, but feel free to go ahead if you truly deem it necessary |
8a5395f
to
16d1ed6
Compare
After a bit of investigation, it seems that the problem is due to
A perfect solution would be use self-hosted runners. For now, I propose we test the |
From my own personal experience, |
(I made a correction to my previous comment to clarify that the issue is between subsequent optimized builds, not between the build & test stages) My understanding is that on GitLab they are using self-hosted runners, while on the GitHub copy they only adopt the I don't know where we could deploy self-hosted runners, but I think we can avoid using ccache for I will test that and push it here. I also added the code analysis jobs from the ns-3 GitHub pipeline (CodeQL & CodeCov) at the end of our pipeline and a manual job to deploy the documentation. For these new ones we may need to add a couple of secrets to the repository if not present already. Namely:
|
I do not think we have availability of computational resources for deploying a self-hosted runner at my home uni, so yeah let's go for disabling ccache for now and let's follow the ccache issue, hopefully they'll deploy a fix. Regarding the Code* jobs, I think we could skip them tbh, agree with the test deployment test. Once you will push we can double check which secrets are to be added, I can take care of that. |
The CodeQL is a standard GitHub test that searches for known bug-prone pieces of code (see an example https://github.com/non-det-alle/lorawan/security/code-scanning/1). The CodeCov one is really useful to keep track of test coverage (see https://app.codecov.io/gh/non-det-alle/lorawan/tree/github-ci-dev). I would keep them, they make a good code analysis tool causing no harm. |
16d1ed6
to
87b052a
Compare
Welcome to Codecov 🎉Once merged to your default branch, Codecov will compare your coverage reports and display the results in this comment. Thanks for integrating Codecov - We've got you covered ☂️ |
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
I pushed the 2nd version of the CI pipeline with bug fixes and the discussed changes. The first run went as expected. As you can see, to obviate the problems introduced by different runners having different underlying architectures, now the 'running tests' is an optional step of the base per-commit compile job. Moreover, It is safe to say that the CI pipeline has been thoroughly tested on my side, with almost 200 runs in the past 3 weeks. Apparently, there is no limit on the total amount of workflow run-hours for public repositories, while the cache is limited to 10GB. You'll see that each run produces timestamped caches: that's the way to do it as you cannot rewrite existing caches. Older caches will be deleted automatically once we reach the 10GB limit. Finally, it seems that CodeCov was already enabled by someone else in the past for this repo (@DvdMgr ?). For instance, you can see here the current code coverage relative to this merge. Deploying the documentation is a manually-activated workflow included in this commit. I will push a small refactoring of the main CI pipeline and temporarily put the deploy-doc workflow as activated on pull_request such that we can test it in this context. |
87b052a
to
b08a7cd
Compare
|
It is an optional step because not all compile jobs also run tests in the the ns-3 per-commit pipeline. Here, tests are only run for the g++
If we set it to trigger on MRs, I think people would be able to change the documentation without maintainer approval by submitting pull requests? I'll try to set it to run once a MR is closed, and merged with the repo.
No problem. I was force pushing the one commit because I saw in a previous MR that if we rebase multiple commits before merging we effectively lose the changes in-between commits, while with the force pushes GitHub lets you check the changes (I have a Compare button aside the force push in the MR timeline). |
Valid point, I am not sure what would happen to be honest. Let's keep it to commit on the main branch then |
Currently the deploy-doc job is failing during the push-to-another-repository action with no clear error. I think possibly the API_TOKEN_GITHUB secret may be missing?
It must be set to a personal access token with push permissions onto the lorawan-docs repository. Note: if this jobs succeeds here, a security problem still remains because somebody else could open a MR with a workflow pushing onto lorawan-docs. |
I setup an SSH deploy key, which is the suggested, more secure option according to the action's documentation and modified the workflow accordingly (I will possibly push more fixes based on the test outcome) Edit: regarding the fact that the doc will be deployed only for MRs opened from the repo itself, this seem to be a "standard" issue, so I believe we could simply provide the suggestion of opening MRs by opening a branch in this repository instead.. (or trigger the build manually, and on actual merge of the commit on the repo, which may be more secure) |
When you are done, I have prepared a trigger configuration for the deploy-doc as follows:
|
The doc deployment should work now, I believe it still does not because you opened the MR from your fork, thus the DEPLOY_KEY secret can not found. However, it should work from the this repository |
I also think that could be the issue. If that's the case, it could be a good thing because it means people cannot use MRs to push onto lorawan-docs. If you want to test this hypothesis beforehand, I can move deploy-doc to another branch (of this repo) and open a separate MR. Otherwise I'll proceed to push the correct triggers for deploy-doc and squash the commits of this MR before you merge it. |
I'd opt for the second option, and then I can fix the CI afterwards in case the secret is still not found (but I expect it to work 🤞🏻 ) |
+ code analysis jobs + docs deployment job
633e73e
to
2bf9d47
Compare
Ok, it's done. Now the deploy-doc job should run once you merge this MR. Maybe let's have the on-commit pipeline terminate once again before merging, just to avoid surprises. As a next step, I'd review the readme and add new CI badges (build, coverage) in place of the old ones (gitter chat, travis build). |
Unfortunately the Looking at the merge outcome I also have another observation: I did not expect the
I'll work on this second point. |
Perhaps it is still picking up the commit as a MR from a fork? I am basically following 1:1 the tutorial, and the secret is there in the repo.. I'm kind of at a loss on understanding why the job is still failing. Ok regarding the second point, perhaps we can try that first, to check whether a MR opened from a branch in this repository is finally able to pick up the deploy secret ? |
I run the Now we need to understand why we are not able to do it automatically. I understand when it was failing as a MR; the strangest thing for me it is that it did not work here, where the pipeline was triggered by you merging the MR (it counts as a push) and it should have been fully internal to this repository. I will do a push test and merge test to see if it is still failing. I predict that the direct push works, but that the merge may still have the same issue... Edit: I did not realize I don't have permissions for a direct push on |
I believe that even though the commit counts as a push, it is still different than a non-MR-derived push and it encodes the fact that it originated from an MR, perhaps Github is not providing access to the secret anyway? |
Found the problem: https://docs.github.com/en/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow I squashed the fix + all CI related commits I used for testing into the one that merges this PR. We would also be missing a CODECOV_TOKEN repo secret. If you can get admin access to this page (you need to login with the repo owner GitHub account), then you should find the token value in the Settings tab. |
Thanks for the find. Please avoid force pushing on main branches though, as it messes up the git history for everyone who cloned the repo. |
First complete working pipeline Sorry about force pushing, I was trying to keep the git history clean and I usually do it with rebase + force-push. Do you now a better way? For instance, I'd like to commit some minor changes (adding names to sub-workflows) that are fit to be squashed into the initial CI commit. Should I leave it as a separate commit? In general, in the future I'll try to avoid pushing directly. I think it's better to work on forks and MRs that you can then review and merge. We are almost done! 🎉 |
Good job! Finally we have a proper CI pipeline Regarding the push, no worries, I just think that leaving a separate commit is the way to go. I agree that it may lead to a more convoluted git history, but force-pushing on branches that people clone is usually a bad practice AFAIK and is thus avoided. |
This is a re-do of the GitHub workflows of this repo in order to mimic the CI pipelines run on push and MR by ns-3 on GitLab.
The jobs are written to be as 1:1 as possible with the code run on ns-3's GitLab, limiting compilation to this module (and dependencies) when possible to reduce time and storage used by the workflow. Jobs that do not involve the module (Cppyy, documentation for installation, manual, contributing and tutorial) are not reproduced.
See a complete run of the workflow here, and compare with an example on ns-3's GitLab here.
This workflow runs the following checks/jobs organized in stages:
Notes:
Possible addition to the ns-3 pipeline:
If needed I can also implement daily/weekly ns-3 pipelines, but for that I think using a GitLab ns-3 fork with the lorawan submodule is better (as previously proposed by @pagmatt here #138).