fix(ci): change ephemeral env to use github labels instead of comments #31340
Conversation
dpgaspar
requested review from
villebro,
geido,
eschutho,
rusackas,
betodealmeida,
nytai,
mistercrunch,
craig-rueda,
john-bodley and
kgabryje
as code owners
github-actions
bot
added
the
github_actions
.github/workflows/ephemeral-env.yml
Outdated
| - name: Debug | ||
| id: get-sha | ||
| run: | | ||
| echo "sha=${{ fromJSON(steps.get-pr-info.outputs.result).head.sha }}" >> $GITHUB_OUTPUT |
There was a problem hiding this comment.
You should exit early if the PR was updated after the comment. See https://github.com/apache/camel/blob/66fbdcd2c71a6588bacd7b3e0d2a03128c0cd069/.github/workflows/pr-comment.yml#L55-L57
| - name: Debug | |
| id: get-sha | |
| run: | | |
| echo "sha=${{ fromJSON(steps.get-pr-info.outputs.result).head.sha }}" >> $GITHUB_OUTPUT | |
| - name: Debug | |
| id: get-sha | |
| env: | |
| COMMENT_AT: ${{ github.event.comment.created_at }} | |
| PUSHED_AT: ${{ fromJSON(steps.get-pr-info.outputs.result).pushed_at }} | |
| run: | | |
| if [[ $(date -d "$PUSHED_AT" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then | |
| exit 1 | |
| fi | |
| echo "sha=${{ fromJSON(steps.get-pr-info.outputs.result).head.sha }}" >> $GITHUB_OUTPUT |
There was a problem hiding this comment.
Unfortunately, this is not useful as pushed_at field is deprecated and the value will be nil.
There was a problem hiding this comment.
I don't see any evidence of that in the documentation. Can you point me to your source?
There was a problem hiding this comment.
There was a problem hiding this comment.
Got it, thanks! In that case, alternative methods to verify the time of commit push should be used. (But some sort of verification is still needed)
There was a problem hiding this comment.
If untrusted code needs to be run, I would move the IssueOps workflow to a Label gate (pull_request + label). There is no way to get a trustful commit date.
There was a problem hiding this comment.
just to tie things together: pushed_at from https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#get-a-pull-request is slightly different from Commit.pushedDate, but I suppose the they're ultimately populated from the same source, so both are deprecated/going away? This wasn't obvious to me before but would make sense. I didn't see anything in https://docs.github.com/en/rest/about-the-rest-api/breaking-changes but I guess it just somewhat follows from https://docs.github.com/en/graphql/overview/breaking-changes .
There was a problem hiding this comment.
@pwntester @raboof sorry for the delay here. I've updated to workflow to use PR labels, would be great if you can review it again
dpgaspar
changed the title
|
@ Ephemeral environment spinning up at http://34.216.170.82:8080. Credentials are |
.github/workflows/ephemeral-env.yml
Outdated
| - name: Check if a commit was pushed after PR was labeled | ||
| id: get-sha | ||
| env: | ||
| COMMENT_AT: ${{ github.event.pull_request.updated_at }} | ||
| PUSHED_AT: ${{ fromJSON(steps.get-pr-info.outputs.result).pushed_at }} | ||
| run: | | ||
| if [[ $(date -d "$PUSHED_AT" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then | ||
| echo "Commit was pushed after the PR was updated." | ||
| exit 1 | ||
| fi | ||
| echo "sha=${{ fromJSON(steps.get-pr-info.outputs.result).head.sha }}" >> $GITHUB_OUTPUT |
There was a problem hiding this comment.
If you're verifying the label, there is no need for this extra step. Just use github.event.pull_request.head.sha
There was a problem hiding this comment.
unsure if github.event.pull_request.updated_at could be greater then the time of the last push
There was a problem hiding this comment.
No, it’s the SHA at the time of label, which is the most secure
There was a problem hiding this comment.
GITHUB_RUN_ID can we useful at times too, not sure if it's better than SHA here, but would allow concurrent runs on the same SHA (do we want that? how do we want to handle potential SHA collisions?)
There was a problem hiding this comment.
I see we have the concurrency GHA thing set up properly, meaning a new request will kill the previous ones, which I believe is what we want. Using the GITHUB_RUN_ID as a unique id on the AWS-side could help segment/isolate/clarify the runs.
There was a problem hiding this comment.
I guess we need something deterministic that we can use to kill previous instances on PR close or unlabelling on the AWS side, so GITHUB_RUN_ID isn't the best for that ...
There was a problem hiding this comment.
Side note, I created supersetbot to make it easier to develop/test/deploy things outside of GHA. We're pretty deep already here so we may not want to take this on, but we could move the bulk of the logic to supersetbot ephemeral deploy {image_id}, supersetbot ephemeral stop {image_id} ...
There was a problem hiding this comment.
concurrency seems fine to me (pushed a fix). it's unique at the PR level, so label events for new commits will cancel previous runs.
+1 on using supersetbot ephemeral deploy
|
@ Ephemeral environment spinning up at http://34.209.140.91:8080. Credentials are |
.github/workflows/ephemeral-env.yml
Outdated
| pull_request: | ||
| types: | ||
| - labeled |
There was a problem hiding this comment.
Keep in mind, pull_request_target must be used if you want to use secrets.
.github/workflows/ephemeral-env.yml
Outdated
| - name: Get PR Info | ||
| uses: actions/github-script@v7 | ||
| id: get-pr-info | ||
| with: | ||
| script: | | ||
| const pull_number = context.payload.pull_request | ||
| ? context.payload.pull_request.number | ||
| : context.payload.inputs.issue_number; | ||
|
|
||
| if (!pull_number) { | ||
| throw new Error("Pull request number is not available."); | ||
| } | ||
|
|
||
| const pr = await github.rest.pulls.get({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| pull_number, | ||
| }); | ||
|
|
||
| return pr.data; | ||
|
|
||
| - name: Check if a commit was pushed after PR was labeled | ||
| id: get-sha | ||
| env: | ||
| COMMENT_AT: ${{ github.event.pull_request.updated_at }} | ||
| PUSHED_AT: ${{ fromJSON(steps.get-pr-info.outputs.result).pushed_at }} | ||
| run: | | ||
| if [[ $(date -d "$PUSHED_AT" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then | ||
| echo "Commit was pushed after the PR was updated." | ||
| exit 1 | ||
| fi | ||
| echo "sha=${{ fromJSON(steps.get-pr-info.outputs.result).head.sha }}" >> $GITHUB_OUTPUT |
There was a problem hiding this comment.
as I mentioned in my other review, this entire segment is not needed when not triggering on a dispatch, and could result in a race condition (albeit harmless unless the trigger is pull_request_target)
I suggest ONLY fetching the SHA via this method when executing on dispatch rather than on PR.
There was a problem hiding this comment.
LGTM! - and they envs are broken so this can only help.
I did some complementary work here #32017
|
@dpgaspar Ephemeral environment spinning up at http://52.33.205.29:8080. Credentials are |
|
@mistercrunch @avivkeller thank you for the reviews! |
SUMMARY
Use labels instead of issue comment to spin up new environments, this is a safer approach, labels can only be added to PRs by users with write access to the repo. Also using labels it's possible to get the
pushed_atto sanity check what we are building.Use
testenv-uplabels to spin ephemeral envsBEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
ADDITIONAL INFORMATION