-
-
Notifications
You must be signed in to change notification settings - Fork 14.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixpkgs-check-by-name: make all github-driven checks locally reproducible #266937
Conversation
…ible This commit moves the chunks of shellcode in .github/workflows/check-by-name.yml into individual scripts. What remains in .github/workflows/check-by-name.yml are three-line scripts which: 1. Dump the environment to the console 2. Set `-x` so the following command is printed in properly-escaped form, which developers can simply paste to their own shell to reproduce the command 3. exec() into the file containing the shellcode which previously comprised that step. This ensures that if a test fails, the PR author doesn't have to rummage around in the bowels of github in order to reproduce the failure locally.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure about this. The commands in the action aren't actually reproducible since they depend on the base branch and the channel. However, all the information to reproduce it is already printed decently in a markdown for each check: https://github.com/NixOS/nixpkgs/actions/runs/6837521847#summary-18593634536
How about adding a command like
pkgs/test/nixpkgs-check-by-name/reproduce.sh <base SHA> <tooling SHA>
Which then tests HEAD
in the current Nixpkgs the same way as the action does. Ideally the action should also just use this command then.
Then the markdown can be changed to just tell users to run the command with specific flags.
These are passed in environment variables, which are printed.
That is the most important part. I'm on board as long as that is true. |
With latest push, using #266956 as an example:
|
requested changes implemented, re-review requested.
The most annoying part is that, for not-yet-merged PRs, the But at least this is a step forward. |
It's easiest to review by reading 8187fe5 by itself. The other commits just copy things between various files, making it difficult to review the entire PR as a single diff. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've got some suggestions, but I think we can make something like this work. Also be sure to update the contributor docs too.
echo "mergedSha=$mergedSha" >> "$GITHUB_ENV" | ||
env | ||
set -x | ||
exec pkgs/test/nixpkgs-check-by-name/workflows/check-by-name/check-mergeability.sh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is very GitHub Actions specific. Locally you'd want to test your current working tree, not the PR's HEAD, so this should stay here.
# nixpkgs. | ||
env | ||
set -x | ||
exec pkgs/test/nixpkgs-check-by-name/workflows/check-by-name/determine-pr-hashes.sh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should also stay, it's GitHub-specific. Locally it's rarely the case to have a merge commit with the right parent commits.
# nixpkgs. | ||
env | ||
set -x | ||
exec pkgs/test/nixpkgs-check-by-name/workflows/check-by-name/determine-channel-for-dependencies.sh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not great how there's all of these separate files. The main reason these steps are split up so that it's easier to see where time is spent (e.g. see https://github.com/NixOS/nixpkgs/actions/runs/6844035438/job/18607346212). But that's not very important, I'd rather have this and all steps after as a single script.
Also we shouldn't make env
necessary. If we have a script to reproduce it locally, the script shouldn't depend on GitHub-specific variables.
I also don't think set -x
is necessary, the code is very verbose and already prints everything useful.
toolingBinariesSha="$2" | ||
mergedSha="$3" | ||
|
||
nixpkgs_for_tooling_binaries=$(nix-instantiate --eval --expr "builtins.fetchTarball \"https://github.com/nixos/nixpkgs/archive/$toolingBinariesSha.tar.gz\"" | tr -d '"') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This duplicates the tooling Nixpkgs download, it should re-use the one it already fetched from the channels. Otherwise this adds another ~15 seconds to the CI time.
echo "nixpkgs=$nixpkgs" >> "$GITHUB_ENV" | ||
echo "toolingBinariesSha=$toolingbinariesSha" >> "$GITHUB_ENV" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can remove all GITHUB_ENV
assignments if we only have a single step and script.
# Usage: pkgs/test/nixpkgs-check-by-name/reproduce.sh <base SHA> <tooling SHA> <merged SHA> | ||
|
||
# TODO(amjoseph): allow omitting the final argument, since it is | ||
# often a commit which exists only in github (and is difficult to | ||
# `git fetch` from github before the PR is merged). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally we'd have two scripts:
./reproduce.sh <tooling SHA> <base SHA> <merged SHA>
: Reproducible from the args as here (I'd order the args this way)../reproduce-latest.sh <base branch name>
: Tests the current HEAD against the latest commit of the base branch name, effectively replicating what a new CI run should do if you committed and pushed the current code. This should first determine the arguments for./reproduce.sh
and then call it.
Can you implement something like that?
echo " - Tooling binaries built at nixpkgs commit: [$toolingBinariesSha](https://github.com/${GITHUB_REPOSITORY}/commit/$toolingBinariesSha)" | ||
echo " - Store path: \`$(realpath result)\`" | ||
echo "- Tested Nixpkgs:" | ||
echo " - Base branch: $BASE_SHA" | ||
echo " - Latest base branch commit: [$baseSha](https://github.com/${GITHUB_REPOSITORY}/commit/$baseSha)" | ||
echo " - Latest PR commit: [$headSha](https://github.com/${GITHUB_REPOSITORY}/commit/$headSha)" | ||
echo " - Merge commit: [$mergedSha](https://github.com/${GITHUB_REPOSITORY}/commit/$mergedSha)" | ||
} | tee -a "${GITHUB_STEP_SUMMARY:-/dev/null}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should avoid all GitHub-specific variables from such a script, such that you can run it locally without knowing these variables.
To make this actually work it has to be implemented a bit differently, I'm doing that here: #274591 |
Effectively done with #274591 |
Description of changes
This commit moves the chunks of shellcode in
.github/workflows/check-by-name.yml
into individual scripts.What remains in
.github/workflows/check-by-name.yml
are three-line scripts which:-x
so the following command is printed in properly-escaped form, which developers can simply paste to their own shell to reproduce the commandexec()
into the file containing the shellcode which previously comprised that step.This ensures that if a test fails, the PR author doesn't have to rummage around in the bowels of github in order to reproduce the failure locally.
Fixes #266930
Fixes #266931
Things done
nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)