Release process is misleading for images published #6517
Comments
|
Thats gold, thank you! It will take some time to process it :) Re versioning and latest. It was hard for us to decide on this, as it has mulitple procs and cons. |
Yes I'm well aware of the problems with The problem is you have a I don't think that benefits anyone, either causing the user to be frustrated and unaware why they might run into problems, silently disengaging from Tyk to evaluate other products, or your support teams need to account for that with any troubleshooting offered? I guess if it were a visible problem you'd be more aware of that by now, so either the users aren't following those docs, or they're silently giving up, or they're competent enough to troubleshoot and notice the issue themselves. If DockerHub allows for dropping the
Sorry I don't quite get what you meant here? Just so we're on the same page:
One way that you can probably avoid the Have your release branches call the docker metadata tag + publish jobs from You'll just need to remember to do this each time a new minor is published and you branch off. Actually, you could probably determine this with a better check 🤔 Yeah I think you could automate it by sorting/comparing git tags semver wise, there are actions for this or you can implement the logic yourself. That way there's no need to toggle an opt-in/opt-out input for the major tag publishing, nor separate workflow copies on release branches, just use that check as a conditional 👍 |
|
Thanks for the detailed audit of the releng code! Restricting myself to the bits that I know.
Yes, this can be considered a bug. Due to our somewhat idiosyncratic release versioning this tag does not always DTRT. We should probably stop pushing this tag. The
I'm not sure why the UI shows it as identical commits. v5.3.3 is on 9eb415d and v5.3.4 is on eadbffd.
That version (3.0.8) was the last release before the current releng started operating so we want to make sure that we can upgrade the package from that known version. To clarify a few things:
Despite the confusion caused by the v5 tag, compounded by outdated documentation, it does not appear that any of the published image contents are incorrect. Just pretend the v5 tag does not exist. |
Some software like Watchtower for example will only monitor for changes to a semver tag like Since minors and patch parts of a semver tag should not introduce breaking changes, this is normally not something to worry about. It's only the regression bug that makes it problematic.
Your links are 404 for me. Probably only visible to your team members, so I cannot inspect to compare. Note that the links you provided point to Tyk Analytics not Tyk Gateway if that makes any difference. It's not just the UI. your CI published these images for those tags with that commit: $ docker run --rm -it tykio/tyk-gateway:v5.3.4 version --json
{
"Version": "5.3.4",
"BuiltBy": "goreleaser",
"BuildDate": "2024-08-26T15:17:54Z",
"Commit": "4e82e7da10e922b28764da399edcd80f93f0f0b8",
"Go": {
"Os": "linux",
"Arch": "amd64",
"Version": "go1.21.13"
}
}$ docker run --rm -it tykio/tyk-gateway:v5.3.3 version --json
{
"Version": "5.3.3",
"BuiltBy": "goreleaser",
"BuildDate": "2024-08-01T19:48:25Z",
"Commit": "4e82e7da10e922b28764da399edcd80f93f0f0b8",
"Go": {
"Os": "linux",
"Arch": "amd64",
"Version": "go1.21.12"
}
}$ docker run --rm -it tykio/tyk-gateway:v5.3 version --json
{
"Version": "5.3.4",
"BuiltBy": "goreleaser",
"BuildDate": "2024-08-26T15:17:54Z",
"Commit": "4e82e7da10e922b28764da399edcd80f93f0f0b8",
"Go": {
"Os": "linux",
"Arch": "amd64",
"Version": "go1.21.13"
}
}$ docker run --rm -it tykio/tyk-gateway:v5 version --json
{
"Version": "5.3.4",
"BuiltBy": "goreleaser",
"BuildDate": "2024-08-26T15:17:54Z",
"Commit": "4e82e7da10e922b28764da399edcd80f93f0f0b8",
"Go": {
"Os": "linux",
"Arch": "amd64",
"Version": "go1.21.13"
}
}I mentioned the build date difference between
Thanks, that makes sense 👍
Perhaps, I did mention that in my report too, but noted that it was reverted without explanation. Perhaps that was accidental? Here: docker run --rm -it \
-v /var/run/docker.sock:/var/run/docker.sock \
wagoodman/dive:latest \
tykio/tyk-gateway:v5.3When you run that you'll get some insights into the image layers and contents: As you can see from the DockerHub screenshots in my initial report, the size does reflect that these are not Distroless variants.
Then you and I are seeing very different things for some reason? All I can do is provide the citations to sources that I have with screenshots to show what I am seeing, and the commands that I've shared in this response (and similar at the end of the initial report). These aren't specific to the https://github.com/TykTechnologies/tyk/blob/v5.3.4/.github/workflows/release.yml#L139-L145 tyk/.github/workflows/release.yml Lines 139 to 145 in 4e82e7d https://github.com/TykTechnologies/tyk/blob/v5.3.4/.github/workflows/release.yml#L168-L174 tyk/.github/workflows/release.yml Lines 168 to 174 in 4e82e7d I've linked above to the workflow for the direct tag You can see that it's running the |
|
Ah, sorry. Now I see that that 5.3.3 and 5.3.4 are on the same commit. The point I'm trying to make is that the image corresponds to where the tag was pushed. Whether the tag is on the right place is not something I can comment on. Your proposal for v5 is well thought out but this is a policy matter that will have to be decided by the those who are affected by the decision. |
Just so we're on the same page:
The tag for
I understand, I'm just a random user chiming in to let you know. I don't use Tyk but spotted this while evaluating if Tyk would be suitable to adopt. Hopefully those involved in the decision can understand how bad the current approach is for automation to be these large single workflow files with re-use of flows that diverge not only in a single workflow, but now in the release branches and the bugs you're getting related to that when they're not synced properly. What I've proposed has no drawbacks AFAIK, but if you're aware of any please let me know. |
|
Appreciate the time and effort to go into such detail. |
|
Apologies for all the noise, the bulk of what I reported was from:
I had some misunderstandings during the report too from navigating the git history as I was not familiar with gromit at the time, but @alephnull has been helpful with his responses adding the context I needed 😎 (thanks!) Based on discussion at TykTechnologies/gromit#357
Once There still might be some subtle regressions slipping through PRs: tyk/.github/workflows/release.yml Lines 173 to 175 in 480da05 Which from what I understand with the gromit templates sync, that'll be fixed implicitly. The concern is more about the flip/flop reverting that probably shouldn't be happening? Depending on timing of a workflow run it'll potentially be on stale changes (technically not timing of the run since you do not use branch refs for workflow selection, if the commit is older it'll be stuck with the stale workflow). |
ActionablesFeel free to close this issue, below is a task summary of what has been covered:
|
Do not push v{{Major}} tags
TykTechnologies/tyk#6517
Apologies if this all comes off a bit blunt btw, I don't mean any disrespect 😅
I've spent the time to share this information for the benefit of Tyk and it's users. Hopefully some of the feedback will be appreciated :)
Biggest concern is what looks like regression with published tags on CI for bug fix releases. It looks like those may not have released the intended fixes correctly, and disrupted semver management of
v5.Due to verbosity, here's a quick summary:
:latesttag is approx 3 years old (Tyk Gateway 3.0).v5tag points tov5.3.4notv5.5.0v5.3.4shares the same tagged commit asv5.3.3. Seems like an accident by @ilijabojanovic ?v5.3.2tagged commit (August 2nd, same as release date, but image was published in June 6th for this May commit according to image metadata).v5.3.4was tagged 3 weeks ago, with the image built and published to DockerHub at this time, whilev5.3.3retains it's old build date (August 2nd, image says Aug 1st but that'd be TZ difference) according todocker inspect, so no build job triggered? 🤔Beyond that there was some feedback/tips for release workflow you could adopt 👍
zig ccfor build benefits and better control over glibc support.docker/build-push-action).generic-*workflows that always target the main branch. You can change the ref target or co-locate legacy workflows on a dedicated actions/ci branch, the workflow should still run from the original caller branch and only improve the workflow maintenance.UX concerns
Originally I wanted to see the Tyk binary published on GH releases, but that doesn't seem to exist.
Perhaps it's easily available somewhere else, but the docs did not communicate that well. I'm fine with Docker so gave that a look and was a bit more surprised / confused with what I observed.
Local dev vs demo image + config
Curious I inspected the main
Dockerfilefor this repo but it didn't seem to match DockerHub, instead that seems to belong to the repodocker-compose.ymland that is discouraged in favor of a separate repo for the compose config. Probably helpful to inline a comment on the mentioned files in this repo to direct users there as well (we don't always go through the README first unfortunately 😓 )Not aligning with Docker upstream conventions introduced well over a year ago aside, that separate repo refers to an image at a registry that differs from DockerHub?
docker.tyk.ioregistry in the example that follows.:latest(which is understandable for docs), but as mentioned below it suffers the same problem as DockerHub for that tag. Likewise the docs have not been updated to reflect the newer upstream Docker conventions.Actual image used to publish to DockerHub
Back to this repo, I was still curious about the actual image being built for DockerHub. Looked through the release workflow and identified it varied a bit.
There are some inline
Dockerfile, while others refer to separate files like this one. I detail concerns regarding this further below.Docs
The docs UX had some concerns too, but this report is already covering a lot for maintainers to digest as-is, so I'll stop here. I was curious about the OSS Tyk, but found the docs to be a bit discouraging for what I assume is a decent product. I'm not sure if this is just the OSS version being low priority and neglected in these areas, or a tactic to discourage it rather than attract users to adopt Tyk that later switch to the on-prem or SaaS offerings. Definitely needs some love/polish if the latter is intended instead of intentional bad UX.
Release workflow observations
You can add these labels to the
Dockerfileand populate dynamic values viaARG:tyk/.github/workflows/release.yml
Line 172 in bc067e7
Without looking too much into it, you have a CI test on a pinned v3 release of Tyk (there is more than one occurrence of this), that was over 2 years ago, is it intentional for the test to stay on v3, or was it intended for that to be updated with new releases of Tyke Gateway?
tyk/.github/workflows/release.yml
Line 437 in bc067e7
Publishing issues
I'm assuming the below concerns are low priority for Tyk, I've not compared to your other registries where your publishing logic differs a bit. That said it's not good that semver publishing is clearly broken in your CI pipeline (due to patch release).
:latesttag - Please fixFWIW, you have a
:latesttag (which will be used implicitly as the default when none is provided) that was last updated approx 3 years ago:Either remove that tag or keep it updated with the actual latest release.
The DockerHub README doesn't seem to be tailored to the image itself, but rather aligning with the Github README. There's no mention about the
:latesttag concern and that it should be avoided at present.v5tag regression - Incorrectly points to older minor release (and other oddities)As release
v5.3.4is newer thanv5.5.0release publish date wise, the CI has published that point release as the latestv5semver tag which is inaccurate, it should bev5.5.0:Presumably that tag is unreliable whenever you're making point releases. CI needs to know only to update major tag when the latest minor is updated (new minor or point release for that minor release).
Related - GH Releases (less important and less actionable AFAIK)
This also affects the GH release
latestURL (https://github.com/TykTechnologies/tyk/releases/latest), which presently redirects toreleases/tag/v5.3.4. That's unrelated to the workflow and I'm not sure if there's much you can do about that behaviour. The mainreleases/URL seems to sort by commit date, not release date from what I can see.So on the actual releases page
v5.5.0is the top shown result as it's tagged with the newest commit date, despite being released over a month ago (no complaints there). Meanwhile on the main repo page the sidebar shows the last made release and the implicitlatesttag from GH (again no complaints, just documenting the difference):v5.3series wrong commits tagged for publishing?That tag is for a commit from July 25 2024 for which
5.3.4was tagged as release, but the release itself was published on August 27 2024:In fact
v5.3.3andv5.3.4were both tagged with the exact same commit for the5.3release branch, butv5.3.2was tagged with a newer commit date:Since when does
v5.3.2release afterv5.3.4?? It should be sequential releases with the higher point release as newer than their prior commits? Something seems off there?v5.3.2does appear to have older RC releases from May 2024:Here you can again see tags sharing commits along with
v5.3.3+v5.3.4development tags for commits newer than those that were tagged for publishing.NOTE: They are prior to the official
v5.5.0tag release, and that thev5.3.5-alpha1is from Aug 29 (2 days after the5.3.3+5.3.4GH release was made for the tagged July 25 commit). It definitely seems unintentional and something went wrong with the release process?Docker image
v5metadata for confirmationInspect the
v5image published to DockerHub presently has the following labels further confirming the concern:Inconsistencies between images published and release workflow updates (modularize workflow and use
@<branch>refs to avoid)These
v5.3/v5images were built with thisDockerfile(hence the larger size on DockerHub despite newer publish dates) while thev5.5image was built with the newer and slimmer Google distroless base as the final stage via a newDockerfilecontributed in either May or June (that release workflow is a mess and should be split to use re-usable workflows instead for modularity, @alephnull contributed them so is probably more familiar with what is going on).EDIT: The
v5.3.3/v5.3.4tags also had the May distroless update, but the release workflow reverted back to the old Distroless image for builds (no reason mentioned in the PR notes or review process, but presumably intentional? Otherwise modularize your workflow and version it accordingly instead of bug prone sync issues from divergence of branches impacting CI).Commit history nit
The commits for the June update also seem odd if they were all meant to be named like that with separate PRs:
zig ccsuggestion for avoiding glibc support woesWhile browsing the commits, you also have this one citing a concern with a glibc problem, forcing you to roll back from Debian Bookworm (12) to Debian Bullseye (11).
If you're unable to do a static build of Tyk, then I would suggest you look at adopting
zig ccfor the external dependencies to your Go app.It'll allow you to pin the glibc version to a min supported API for compatibility when you need it so long as it's possible (that said do benchmark/profile, as lowering too far back for broader compatibility may opt-out of newer API calls that perform better).
The text was updated successfully, but these errors were encountered: