fix: Unpack config file in BuildDefinition #1547
Conversation
rbehjati
requested review from
asraa,
ianlewis,
laurentsimon and
joshuagl
as code owners
rbehjati
force-pushed
the
unpack
branch
2 times, most recently
from
6bc7a92
to
d4ec45b
Compare
| @@ -208,13 +218,13 @@ jobs: | |||
| --build-config-path "${CONFIG_PATH}" \ | |||
| --build-definition-path build-definition.json \ | |||
| --builder-image "${BUILDER_IMAGE}@${BUILDER_DIGEST}" \ | |||
| --git-commit-digest "sha1:${GITHUB_SHA}" \ | |||
| --git-commit-digest "sha1:${{needs.commit.outputs.sha}}" \ | |||
There was a problem hiding this comment.
Ah, are you having trouble getting GITHUB_SHA? Hmmm
There was a problem hiding this comment.
Yes. In case of pull requests it is not the actual commit. I am trying to get the latest commit, but now I get the error fatal: not a git repository (or any of the parent directories): .git. This is very strange.
There was a problem hiding this comment.
I thought detect-env would give the correct sha, but it gives empty string.
There was a problem hiding this comment.
Ohhh gotcha, for pull_request events it does appear GITHUB_SHA is not the triggering commit (https://github.com/orgs/community/discussions/26325). But for that, wouldn't the builder need to checkout the base repository (which may be the fork?)
I thought detect-env would give the correct sha, but it gives empty string.
detect-env gives the ref of the reusable workflow, not the triggering environment. hmmm. It should give the head sha of that, let me see if I can test that out as well.
There was a problem hiding this comment.
But for that, wouldn't the builder need to checkout the base repository (which may be the fork?)
Yes, but even in that case the GITHUB_SHA we provide to the command is not something that exists on the repo.
It should be possible to get the actual commit hash. I have one more idea to try :)
There was a problem hiding this comment.
I think detect-env has special case for pull requests to enable pre-submit tests. We don't really support it out outside of that context. The action may need to be adjusted.
rbehjati
force-pushed
the
unpack
branch
2 times, most recently
from
a7771cb
to
0221010
Compare
| @@ -208,13 +220,13 @@ jobs: | |||
| --build-config-path "${CONFIG_PATH}" \ | |||
| --build-definition-path build-definition.json \ | |||
| --builder-image "${BUILDER_IMAGE}@${BUILDER_DIGEST}" \ | |||
| --git-commit-digest "sha1:${GITHUB_SHA}" \ | |||
| --git-commit-digest "sha1:${{ github.event.pull_request.head.sha }}" \ | |||
There was a problem hiding this comment.
With this change we are getting the correct commit sha, but I think we also need to specify the correct branch in source-repo. I am not sure if that is possible. I'll give it a try.
Also, this will fail if the event is push. We should be able to handle both cases.
There was a problem hiding this comment.
IIUC the head SHA will only be available for pull_request events? Are there other events you'll need to handle? I assume that the primary event you would need to handle is tag or release for when release tags are created.
There was a problem hiding this comment.
Yes. We have to be able to handle all these events. I am thinking of reverting this back to use GITHUB_SHA, but make these steps conditional on events that are not pull_request, and add a separate step for pull_request.
There was a problem hiding this comment.
Yeah, we have a lot of places throughout that act differently for pull requests.
I'm curious how you are planning to support pull requests? we have the problem that id-token:write isn't available on pull requests (#131) so we aren't really able to sign provenance for those events currently.
There was a problem hiding this comment.
For pull-requests we only run the dry-run command. We won't actually generate the provenance or sign, but just to make sure that the inputs are correct, and that we can create a BuildDefinition.
The idea is to allow the users to verify their workflow parameters before merging.
There was a problem hiding this comment.
OK so just to clarify what happens here now:
actions/checkoutby default checks out the github repo at the ref of the merge commit. I think that also referencesGITHUB_SHA, and so the comparison with the checked out repo and theGITHUB_SHAof the command line input should always match, pull request or not?
Yes. After all these experiments that is my understanding too. This behaviour makes sense, and makes things simpler :)
secondly, the new
resolution-strategywill allow dry-run to create a build definition, ignoring the mismatch and using the current checkout for the source digest? if so, i think that makes sense.
True. But actually this feature is no longer required, at least not for GitHub. So we could either keep it, or drop it in favour of making the code simpler :)
what happens to the digest of the config file though? is it checked out at the current checkout or at the git-commit-digest during
--resolution-strategy ignore? (It seems likeignoreis likeoverridewith the current checkout so it uses the current checkout for the config file)
It is checked out at the current commit, or what I call the effective commit. The generated BuildDefinition also contains this effective commit digest, not the one given in the inputs.
There was a problem hiding this comment.
So we could either keep it, or drop it in favour of making the code simpler :)
Should we keep, and file a follow-up issue to clean it if the code is complete and we find it's not useful for testing?
There was a problem hiding this comment.
I can actually drop these changes easily, I just need to revert the last commit.
There was a problem hiding this comment.
Done. I think this is now ready to be merged :)
rbehjati
force-pushed
the
unpack
branch
10 times, most recently
from
301fa00
to
e011dda
Compare
rbehjati
force-pushed
the
unpack
branch
2 times, most recently
from
bd87ed2
to
dac281f
Compare
Signed-off-by: Razieh Behjati <[email protected]>
Signed-off-by: Razieh Behjati <[email protected]>
Signed-off-by: Razieh Behjati <[email protected]>
Fixes #1503
Signed-off-by: Razieh Behjati [email protected]
To unpack the input config file, even in case of
dry-runwe have to fetch the source, and load the config file. Because of this, some parts ofbuilder.goare refactored as part of this PR. The benefit of this is that nowdry-runandbuildcommands now have more in common. In particular,dry-runperforms more of the checks inbuild.