-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(build-debian): Use docker to manually run build and prepare steps and add tests #28
base: main
Are you sure you want to change the base?
Conversation
579f2a4
to
05d1c3c
Compare
Fix warnings related to: - Version number - File too long - No contributor name - Extra whitespace around name
4dc3e58
to
7a5ba6b
Compare
We don't fully support source builts for non-native packages yet though, so ignore the error for now
Artifacts could be exposed by various other composed jobs so make this clearer for binary packages too
This allows us to have more control on the volumes we mount in docker and on the location of the source path. And permits us to properly mount the parent folder of the source that we need to access to read the .orig files for non-native packages. It comes as a little extra cost, but also it give us way more control on the builder instance.
In general when building sources we should not need anything else a part what is in build-depends, but for some packages we may need some extra packages such as ca-certificates or git. So, expose these values as extra-source-build-deps input. This option should actually be unset by default, but we don't yet not to break existing packages, but we should change it ASAP so that it depends on each repo needs.
It may be useful for debugging purposes, so upload it once it's ready
For some reason using jtdor/build-deb-action@v1 does not work well with some rust builds we have, so re-implement it using some manual labor. It's not really much work and it will allow us more control. Other than, working authd builds.
When building debian packages we should not have high privileges, so let's just use an unprivileged user to perform the binary build. It's not too needed for source builds, since those are not really doing tests or anything where having root privileges may lead to different behavior
Ensure that internet access is completely disabled for builder user when creating the binary package. This is something that we somewhat had implicitly for HTTPS only since ca-certificates were not installed. But let's ensure this in any case.
It allows to perform special builds (such as nocheck ones), so expose it in case, for example, one may want to build without running tests.
In this way we can use the proper distro version number
In case a git repository is setup, then use version number that includes the revision list and use actual author name
It can provide some quick information about what's in the packages
7a5ba6b
to
188e5a8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have to stop the review for now here, already posting what I found.
This is clearly post FF material…
echo "::endgroup::" | ||
|
||
- name: Prepare source package | ||
uses: kohlerdominik/[email protected] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you monitored how trustworthy, monitored and updated this action is?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, not really very updated but still more recent than the more popular https://github.com/addnab/docker-run-action that also does not provide many inputs, and so it requires us to use more options
which are still fine but more prone to error and less clean IMHO.
So, I had reviewed the code and it's quite simple and fine from my POV.
In case we can also fork it to something even simpler in bash that does the same, but it seems an overkill to me.
required: false | ||
# FIXME: this should default to '', but we don't want to break job depending on us for now | ||
default: 'ca-certificates git' | ||
DEB_BUILD_OPTIONS: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don’t think we should provide those options. This can end up with "I add this build-dep here or this DEB_BUILD_OPTIONS in my ci and forget to really fix the packages). Let’s ensure we have a real need (I don’t think the package should be run with nocheck
as you illustrated for those before adding them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have removed DEB_BUILD_OPTIONS
, but IMHO it can be quite convenient for testing nocheck
builds too, which are somewhat supported by the ecosystem (other than useful to do simpler test-builds).
Regarding extra-source-build-deps
I think we still need it as explained in the commit, and the FIXME, IMHO is very wrong always installing ca-certificates
and git
even on source builds.
So, if you want I can make this more strict by not allowing people to customize what install (I need a good variable name though :)), but my point here is that all the projects that really need this should define it, not this low-level action.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think our goal is really to add options when we have a first consumer requesting for it and revisting the rationale.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
btw, my comment was (see my first comment) for both options.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I noticed. But I'd like to have a different proposal for extra-source-build-deps
😄
As really I don't think we should not default to having it populated, unless explicitly required.
@@ -46,69 +55,194 @@ runs: | |||
run: | | |||
set -eu |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While you are changing it, please set -eu
after the echo so that we have a readable step title.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I was thinking about that... I followed the style of the file but indeed had to be addressed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done too
with: | ||
image: ${{ inputs.docker-image }} | ||
environment: | | ||
TERM=dumb |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you expand why this is needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well dpkg build may warn about TERM
not being set, and having this in theory should make tools aware of the environment we are in.
It's not strictly needed but a nice to have one since we're so low level, but let me know if you prefer avoid it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
check if there is a warning. If there is a warning, let’s set it, but here, on GitHub action, I haven’t seen it IIRC, so if no warning, let’s not predict the future :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
eh, I'm sure I saw it while building... IIRC was on go packages, but I need to check this again as I don't see it in the test job.
workdir: ${{ github.workspace }}/${{ inputs.source-dir }} | ||
shell: bash | ||
run: | | ||
set -eu |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto on set -eu
apt install devscripts lsb-release | ||
echo "::endgroup::" | ||
|
||
dch --local "~$(lsb_release -r -s)+${{ env.VERSION_REF }}" \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn’t ensure we are always bumping the version up as we publish this artefact. as the second part is based on the sha. I suggest we prefix it with the date in us format.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, ideally to have this automatically we need to use some higher depth when cloning, that isn't always expected.
Also I didn't change that, but I feel we should use +
as first instead of ~
because we are building on top of a release normally, no?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True, but what is the changelog is set to the next version, but UNRELEASED?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, changed both...
2d1772f
to
b574a4e
Compare
So that github groups things better
b574a4e
to
0a2059d
Compare
This reverts commit 3f55310.
Yeah, in theory it is, but I liked the idea to have ubuntu/authd#223 in before and so being tested too. |
I propose we focus on the FF itself, remove the deb building part, polish the packaging, release and then, we can go over that one. |
10a0fa4
to
d35f929
Compare
d35f929
to
524fee0
Compare
Use a +git syntax and there we use incremental version values. Finally add the distro version as a minor factor, so that builds on the same code for different distros only rely on that
524fee0
to
6f061b8
Compare
As underlined in ubuntu/authd#130 (comment) using
jtdor/build-deb-action
for building debian packages has some problems that are yet not clear, and it also does not seem to properly support building non-native packages.As per this, given that the code needed for handling the build inside a simpler docker container is quite small, I've moved the build to manual handling which allows us some more control over the steps at the cost of being a bit more verbose.
As bonus:
DEB_BUILD_OPTIONS
can be customized for special builds (e.g.nocheck
)I've added some commits from #22, but not included the lintian build yet (that I've ready here) not to make this PR harder to check, but also because I think those could instead be part of another action to allow more parallelization when used.
By doing this change, not only both test cases pass, but also authd is correctly built: ubuntu/authd#130 (e.g. https://github.com/ubuntu/authd/actions/runs/8044158864)
UDENG-2439