Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tools: automate openssl update on v16 #48377

Merged

Conversation

marco-ippolito
Copy link
Member

@marco-ippolito marco-ippolito commented Jun 7, 2023

This PR allows updating openssl 1 on v16, for this to work the scripts (also utils.sh) need to be backported to v16

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/actions
  • @nodejs/security-wg

@marco-ippolito marco-ippolito changed the title Feat/automate openssl backport tools: openssl backport Jun 7, 2023
@nodejs-github-bot nodejs-github-bot added meta Issues and PRs related to the general management of the project. tools Issues and PRs related to the tools directory. labels Jun 7, 2023
@marco-ippolito marco-ippolito changed the title tools: openssl backport tools: openssl backport on v16 Jun 7, 2023
@marco-ippolito marco-ippolito changed the title tools: openssl backport on v16 tools: automate openssl update on v16 Jun 7, 2023
@marco-ippolito marco-ippolito force-pushed the feat/automate-openssl-backport branch from 2b0271b to e2ca567 Compare June 7, 2023 13:08
@marco-ippolito marco-ippolito added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jun 8, 2023
@baparham
Copy link

baparham commented Jun 8, 2023

for 3.0 stream at least, quictls isn't using releases to manage new versions so the gh api call probably needs to look more like:

edit: adding link to comment quictls/openssl#114 (comment) for context

NEW_VERSION=$(gh api repos/quictls/openssl/tags -q '.[].name|select(contains("openssl-3.0"))|ltrimstr("openssl-")' | grep quic | head -n1)

so that we query the tags from quictls instead of releases

I suspect a similar pattern is needed for the 1.x stream also

@baparham
Copy link

baparham commented Jun 8, 2023

for 3.0 stream at least, quictls isn't using releases to manage new versions so the gh api call probably needs to look more like:

NEW_VERSION=$(gh api repos/quictls/openssl/tags -q '.[].name|select(contains("openssl-3.0"))|ltrimstr("openssl-")' | grep quic | head -n1)

so that we query the tags from quictls instead of releases

I suspect a similar pattern is needed for the 1.x stream also

I guess you refactored it to use fetch instead, so the logic needs modification from what I suggested, but the principal of checking for tags rather than releases is my main point. The fetch also results in non-quic and quic tag names, so more logic may be necessary to filter on those.

Copy link

@baparham baparham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried to more precisely capture what I mean in some specific review comments, hopefully I'm not way off here and this is at least a little bit helpful.

tools/dep_updaters/update-openssl.sh Outdated Show resolved Hide resolved
tools/dep_updaters/update-openssl.sh Outdated Show resolved Hide resolved
tools/dep_updaters/update-openssl.sh Outdated Show resolved Hide resolved
@marco-ippolito
Copy link
Member Author

marco-ippolito commented Jun 8, 2023

@baparham could you check again now? also I think this doesnt apply for v1, I dont see v1 in https://api.github.com/repos/quictls/openssl/tags

@marco-ippolito marco-ippolito added the commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. label Jun 8, 2023
@baparham
Copy link

baparham commented Jun 8, 2023

They are deleting the releases, per that comment from @richsalz, so I don't think that's correct for the 1.1 stream. What's odd is I see tags here https://github.com/quictls/openssl/tags but not in the gh api call, like you pointed out.

Perhaps they are just remnants of previous "releases" and not actual tags or something weird. Either way, I suspect that the releases route won't succeed next time they update the versions.

@richardlau
Copy link
Member

The GH API is paginated and only returns a subset of results. For me at least the tags for 1.1.1 are on https://api.github.com/repos/quictls/openssl/tags?page=4.

Alternatively git/matching-refs API, e.g. https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/OpenSSL_1_1_1 will return tags beginning with "OpenSSL_1_1_1".

@baparham
Copy link

baparham commented Jun 8, 2023

The GH API is paginated and only returns a subset of results. For me at least the tags for 1.1.1 are on https://api.github.com/repos/quictls/openssl/tags?page=4.

Alternatively git/matching-refs API, e.g. https://api.github.com/repos/quictls/openssl/git/matching-refs/tags/OpenSSL_1_1_1 will return tags beginning with "OpenSSL_1_1_1".

I need a facepalm reaction on github comments, haha. I did not catch that it was paginated, thanks for pointing that out! the matching_refs endpoint is probably better to use then.

@marco-ippolito
Copy link
Member Author

I've used matching ref but its a bit hacky wdyt?

@marco-ippolito marco-ippolito added commit-queue Add this label to land a pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Jun 12, 2023
@marco-ippolito marco-ippolito force-pushed the feat/automate-openssl-backport branch from 5e55dc6 to bd065ae Compare June 12, 2023 07:39
@marco-ippolito marco-ippolito added the commit-queue Add this label to land a pull request using GitHub Actions. label Jun 15, 2023
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Jun 15, 2023
@nodejs-github-bot
Copy link
Collaborator

Commit Queue failed
- Loading data for nodejs/node/pull/48377
✔  Done loading data for nodejs/node/pull/48377
----------------------------------- PR info ------------------------------------
Title      tools:  automate openssl update on v16 (#48377)
Author     Marco Ippolito  (@marco-ippolito)
Branch     marco-ippolito:feat/automate-openssl-backport -> nodejs:main
Labels     meta, tools, author ready, commit-queue-squash
Commits    3
 - tools: automate update openssl v16
 - fix: check tags instead of release for 3.0
 - fix: use git ref
Committers 1
 - Marco Ippolito 
PR-URL: https://github.com/nodejs/node/pull/48377
Reviewed-By: Rafael Gonzaga 
Reviewed-By: Antoine du Hamel 
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/48377
Reviewed-By: Rafael Gonzaga 
Reviewed-By: Antoine du Hamel 
--------------------------------------------------------------------------------
   ⚠  Commits were pushed since the last approving review:
   ⚠  - tools: automate update openssl v16
   ⚠  - fix: check tags instead of release for 3.0
   ⚠  - fix: use git ref
   ℹ  This PR was created on Wed, 07 Jun 2023 12:36:03 GMT
   ✔  Approvals: 2
   ✔  - Rafael Gonzaga (@RafaelGSS) (TSC): https://github.com/nodejs/node/pull/48377#pullrequestreview-1467734115
   ✔  - Antoine du Hamel (@aduh95) (TSC): https://github.com/nodejs/node/pull/48377#pullrequestreview-1469308861
   ✔  Last GitHub CI successful
   ℹ  Green GitHub CI is sufficient
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu
https://github.com/nodejs/node/actions/runs/5280129740

@marco-ippolito marco-ippolito added commit-queue Add this label to land a pull request using GitHub Actions. and removed commit-queue-failed An error occurred while landing this pull request using GitHub Actions. labels Jun 19, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jun 19, 2023
@nodejs-github-bot nodejs-github-bot merged commit 51ca71c into nodejs:main Jun 19, 2023
@nodejs-github-bot
Copy link
Collaborator

Landed in 51ca71c

marco-ippolito added a commit to marco-ippolito/node that referenced this pull request Jun 19, 2023
PR-URL: nodejs#48377
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
marco-ippolito added a commit to marco-ippolito/node that referenced this pull request Jun 19, 2023
PR-URL: nodejs#48377
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
marco-ippolito added a commit to marco-ippolito/node that referenced this pull request Jun 19, 2023
PR-URL: nodejs#48377
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
RafaelGSS pushed a commit that referenced this pull request Jul 3, 2023
PR-URL: #48377
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
@RafaelGSS RafaelGSS mentioned this pull request Jul 3, 2023
Ceres6 pushed a commit to Ceres6/node that referenced this pull request Aug 14, 2023
PR-URL: nodejs#48377
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Ceres6 pushed a commit to Ceres6/node that referenced this pull request Aug 14, 2023
PR-URL: nodejs#48377
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
@ruyadorno
Copy link
Member

This commit does not land cleanly on and will need manual backport in case we want it in v18.

@ruyadorno ruyadorno added the backport-requested-v18.x PRs awaiting manual backport to the v18.x-staging branch. label Sep 10, 2023
@RafaelGSS RafaelGSS added dont-land-on-v18.x PRs that should not land on the v18.x-staging branch and should not be released in v18.x. dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. and removed backport-requested-v18.x PRs awaiting manual backport to the v18.x-staging branch. labels Sep 10, 2023
@RafaelGSS
Copy link
Member

@marco-ippolito is the backport needed for v18 and v20? I assume no, right? We just need to revert it for main to not land it on v21.

@marco-ippolito
Copy link
Member Author

marco-ippolito commented Sep 11, 2023

I dont think it is needed since it will only run on main and then we can backport security patches. we can revert it since we dont support 16 anymore

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. dont-land-on-v18.x PRs that should not land on the v18.x-staging branch and should not be released in v18.x. dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. meta Issues and PRs related to the general management of the project. tools Issues and PRs related to the tools directory.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants