Workflow to automatically bump cli version if different from the current version #1871
Conversation
|
Here is an action from a private repo that you (@tjgurwara99) should have access to. We use this to create a PR for a particular branch and close any other PRs for that branch if they are open. It might be overkill for this case, but you can still use this or copy pieces of this for this PR. https://github.com/github/semmle-code/blob/main/.github/actions/create-unique-pr/action.yml |
|
High-level comment: I wonder if keeping a separate JSON file with the list of CLI versions would help. The various tests could load that file to determine what CLI versions to test against. Then your PR would only need to modify that file (and you can skip creating the PR if there is no diff). This saves you the logic of having to |
tjgurwara99
force-pushed
the
main
branch
11 times, most recently
from
84918c8 to
8460034
Compare
tjgurwara99
force-pushed
the
main
branch
6 times, most recently
from
b79d21a to
8e532e0
Compare
tjgurwara99
force-pushed
the
main
branch
2 times, most recently
from
2ad5584 to
e296dba
Compare
| - name: Commit, Push and Open a PR | ||
| uses: ./.github/actions/create-pr | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
Looks like the token doesn't have permission to push. I would think that contents: write should be enough.
There was a problem hiding this comment.
It's the right permission, but it won't work while this PR runs from a fork (by design). All write permissions get downgraded to read on forks.
| COMMIT_MESSAGE: ${{ inputs.commit-message }} | ||
| HEAD_BRANCH: ${{ inputs.head-branch }} | ||
| BASE_BRANCH: ${{ inputs.base-branch }} | ||
| GH_TOKEN: ${{ inputs.token }} |
There was a problem hiding this comment.
I wonder if this needs to change to GITHUB_TOKEN so that the git commands can work.
There was a problem hiding this comment.
I think, the checkout step has already taken care of the ambiguity. Both GH_TOKEN and GITHUB_TOKEN work 😄 - I also think there might actually be no need for this since the GH_TOKEN is not being used in this action at all...
There was a problem hiding this comment.
You need it for gh pr create.
There was a problem hiding this comment.
Yes, but this is after the checkout step which sets up the whole gh cli stuff right? We're calling it as a composite step in another action, and this itself is not a standalone action I believe 😅 Unless I'm mistaken 😓
There was a problem hiding this comment.
I don't think so. I believe the checkout step sets up Git, and uses the token information to set up Git remotes and credentials, but does not do gh auth for the CLI. I believe the CLI will still be expecting a token in GH/GITHUB_TOKEN and will attempt interactive auth if that's missing (which you don't want in CI).
There was a problem hiding this comment.
Cool, I'll keep it as it is then 😄
| pull_request: | ||
| branches: [main] | ||
| paths: | ||
| - .github/actions/create-pr/action.yml |
There was a problem hiding this comment.
Add this file as well.
| - .github/actions/create-pr/action.yml | |
| - .github/actions/create-pr/action.yml | |
| - .github/workflows/bump-cli.yml |
There was a problem hiding this comment.
I think this is the last change that needs to be done before we can merge.
scripts/replace-cli-version.sh
Outdated
| echo "PREVIOUS_VERSION=$PREVIOUS_VERSION" >> $GITHUB_ENV | ||
|
|
||
| sed -i "s/$PREVIOUS_VERSION/$LATEST_VERSION/g" supported_cli_versions.json | ||
| sed -i "s/$PREVIOUS_VERSION/$LATEST_VERSION/g" extensions/ql-vscode/src/vscode-tests/ensureCli.ts |
There was a problem hiding this comment.
Fixing this can be done at a later time.
| LATEST_VERSION=$(echo $VERSIONS | awk '{ print $1 }') | ||
| PREVIOUS_VERSION=$(echo $VERSIONS | awk '{ print $2 }') | ||
|
|
There was a problem hiding this comment.
When we do a minor version bump, we need to add the new version instead of replacing it.
Doing something like this can check if the minor version has changed:
LATEST_MINOR_VERSION="$(echo $LATEST_VERSION | awk 'BEGIN{FS=".";}{print $1$2}')"
PREVIOUS_MINOR_VERSION="$(echo $PREVIOUS_VERSION | awk 'BEGIN{FS=".";}{print $1$2}')"
if [ $LATEST_MINOR_VERSION != $PREVIOUS_MINOR_VERSION ];
then
# handle case where minor version is changed
else
# handle case where patch version is changed
fiThere was a problem hiding this comment.
So the list of versions in supported_cli_versions.json is expanding every time we have a minor version bump? For example, if we have the following in the file
[
"v2.11.5",
"v2.7.6",
"v2.8.5",
"v2.9.4",
"v2.10.5",
"nightly"
]and a version v2.11.6 has been released. Do we want to add that like the following?
[
"v2.11.6", // this is the new version that got added
"v2.11.5",
"v2.7.6",
"v2.8.5",
"v2.9.4",
"v2.10.5",
"nightly"
]
There was a problem hiding this comment.
v2.11.5 -> v2.11.6 would be a patch version bump, so in that case we want to replace!
The minor version bump would be v2.12.0 in this case, so we want to add it:
[
"v2.12.0", // this is the new minor version that got added
"v2.11.5",
"v2.7.6",
"v2.8.5",
"v2.9.4",
"v2.10.5",
"nightly"
]
(Or even, we could add the new minor version and remove the oldest one (i.e. v.2.7.6).)
There was a problem hiding this comment.
I don't think we can actually remove 2.7.6. The removal depends on the support GHES versions and GHES 3.3 is still supported. GHES 3.3 recommends CodeQL 2.7.6, so we can't remove that version yet. In general, I don't think we can remove a version automatically because it's not strictly aligned with the CodeQL CLI releases.
There was a problem hiding this comment.
GHES 3.3 is only supported for another 6 days (2023-01-18), so it kind of aligns with the CodeQL CLI (give or take 1 week 😄). But we don't have to automate the removal (or at least not in this PR) if we want to keep that separate/manual! 🤔
There was a problem hiding this comment.
Lol, I always get confused with semver 😂 For some reason I thought number after the second dot was minor release 😅
I think the removal of a version should be done through a separate workflow/action - from what I can tell, there doesn't seem to be an automated way of telling the which version should be removed. I also think that given a manual trigger with the some inputs (like for example in the image below) and manually adding the version to remove would be better unless we want to completely automate it which may not be as simple or quick 😄 Let me know though whichever way is preferred and I can think on what I can do. PS: I think this issue was for the patch release being released every two weeks or so, so this might benefit from a separate issue which I can take (this PR has been open for a while now - I want to close it 😂 of course if it meets the acceptable standards 😉)
There was a problem hiding this comment.
Good points @tjgurwara99. I expect that this workflow will always be triggered manually since the timing of when to run this workflow depends on a bunch of human decisions.
I'm personally fine with focusing on patch releases for now and working on a new PR to add minor version bumps. I think we can avoid creating a second workflow for minor version bumps and handle that with a new set of inputs.
And removing releases when a GHES version drops out of support is probably something that should be done manually since it also means we can remove certain feature flags that only pertain to the older version.
There was a problem hiding this comment.
I've added the issue and assigned it to myself 😄 will get to it whenever I get time
| pull_request: | ||
| branches: [main] | ||
| paths: | ||
| - .github/actions/create-pr/action.yml |
There was a problem hiding this comment.
I think this is the last change that needs to be done before we can merge.
|
I don't know why the workflow |
Tempted to say it's just flaky 😅 Have you tried re-running? |
Sure, if by trial you mean sending a workflow dispatch 😄
The example run was in my fork here. I'm fairly confident that it would work once the workflow token changes from Also, I don't have the permission to merge this PR, could you merge it please? |
|
Sure. I can merge. The latest test failures seem unrelated, but concerning. |
|
Hmmm...they seem like flakes. |
A new CodeQL CLI gets released (roughly) every 2 weeks1, which requires some minor updates to the extension. At the time of writing, whoever first determines that a new version of CLI has been released manually updates the version number in some places within this repository. This PR aims to reduce the manual step of updating occurrences of the old CLI version from select files so that they remain up to date for our integration tests. Note that the removal of support of CLI version is a scenario where this newly added script might cause some issues and I'm open to gathering ideas on how to tackle the time when we have to drop support for certain versions.
NOTE for maintainers: This script also requires a newly generated PAT for it to create a PULL request to update the workflow file. Therefore the Bump CLI version workflow is expected to break until a new secret
WORKFLOW_TOKENis added to the repository which would have as its value a PAT with theworkflowpermission.Checklist
Footnotes
In general, there's a minor version bump every quarter, which requires an extra step: remove old unsupported version of the CLI from our testing matrix. (We stop testing once we no longer support a version of GHES that shipped with that CLI. That means we only need to support 4 minor versions back, since that's how many GHES releases we support.) ↩