Replace splices with reusable workflows #942
Conversation
|
Splices had a reason to be, avoiding breaking branch protections, I think in #687 We might want to make sure that the protections still work or just follow up here as needed. |
Yup, testing for the branch protections makes sense - will test this via the xyz provider. Reading through that thread, the discussion of the sentinel was interesting, though I think we should consider dropping the sentinel job altogether and just make our branch protections accurate for the jobs we care about. The very precise combinations of conditionals and dependencies required to make it effective seem error-prone and non-obvious as to if there's a bug or not. The sentinel was introduced when our branch names were changing every week and so it was hard work keeping them in sync, but the sentinel was ultimately a poor attempt to avoid managing the rules. Our management of branch protections has always been pretty unreliable and gets out of sync easily. I think a bit of a redesign around this could make things simpler and more reliable. An alternative design for the branch protections would be for the provider-ci CLI tool to have a command such as |
|
The name of the step does change because of the nested worklow: -build_sdk (dotnet)
+build_sdk / build_sdk (dotnet)Option 1: Avoid the name change by abstracting using a composite action rather than a reusable workflow. This makes the steps slightly less nice to look at in the UI, but avoids changing the naming. Option 2: Stick with "sentinel" checks right at the end but make them simpler to comprehend and harder to mess up. Rather than relying on the job within the workflow to be marked as complete, let's just explicitly post to our own custom check to say "all required steps passed" and only require this one check. sentinel:
name: sentinel
needs:
- test
- license_check
- lint
runs-on: ubuntu-latest
steps:
- uses: guibranco/github-status-action-v2@latest
with:
authToken: ${{secrets.GITHUB_TOKEN}}
context: 'Sentinel'
description: 'All required checks passed'
state: 'success'
sha: ${{github.event.pull_request.head.sha || github.sha}}This avoids the need for expressions like |
|
I think all prior art was done in a tremendous rush. If got time to think it through and especially test on xyz provider I think it's completely reasonable to rewrite from the ground up. The key is non-disruptive rollout that does not affect provider ops. |
|
Ok, going to simplify the sentinel, roll it out, then come back to roll this out. Thanks for the ideating! |
|
I would recommend syncing with @iwahbe and @guineveresaenger about the structure of the current sentinel checks before replacing them. IIRC, they had to do some surgery to make sure skipped and cancelled jobs reported the right status, (which is why those conditionals are so complex). Eg see the code comment in #687 (comment). |
|
I'd like to see any changes to the sentinel before they roll out. Sentinels are required because GH actions doesn't have very intuitive behavior for how it conducts required checks, and it allows race conditions with auto-merge. |
|
Here's the proposal PR for a better sentinel & migration plan: #944 |
Write an explicit status check called "Sentinel" which will only pass if this code really runs. Once rolled out, we can make this the only required check for PRs, then remove the old conditionals on this job and remove the previous step. This is a follow-up to the conversation #942 (comment) where we debated the merits of a single required check if we could simplify the current sentinel logic to make it more reliable. Here's the test run in the xyz provider: https://github.com/pulumi/pulumi-xyz/actions/runs/9292939832?pr=145 Here's the old and new sentinel checks shown on the [test PR](pulumi/pulumi-xyz#145): 
|
I am in favor of this. I also appreciate the improved naming where each reusable workflow has its own identifiable name. nit: Could we... structure the files to have reusable workflows in their own folder? |
Do they not have to be in the |
This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 18d44a52b6ca8881f3d9c20d4ca562cdec02effc. To fix the hard-coded steps the versions have been hard coded too for now. This will be possible to resolve once pulumi/ci-mgmt#942 is rolled out. --------- Co-authored-by: Daniel Bradley <daniel@pulumi.com>
- Reduce duplication in rendered workflows. - Splices are not composable (can't call one splice from another) so don't form good building blocks.
danielrbradley
force-pushed
the
remove-splices
branch
from
5f55603
to
f97e59e
Compare
Delete old splice
This has since moved out of the env.
danielrbradley
force-pushed
the
remove-splices
branch
from
96f7ad9
to
959e758
Compare
|
I've rebased and updated this since completing the roll-out of the simplified sentinel check. |
provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerequisites.yml
Outdated
Show resolved
Hide resolved
@iwahbe Yeah, diffs are a bit noisy, though hoped the separate commits would help. My plan is to wait until tomorrow as there's the sentinel changes going out tonight, then I'll roll this to a single provider first, get a green master build, then merge. |
Co-authored-by: Ian Wahbe <ian@wahbe.com>
danielrbradley
force-pushed
the
remove-splices
branch
from
7b07c54
to
cfb363a
Compare
|
Test release running on the xyz provider: https://github.com/pulumi/pulumi-xyz/actions/runs/9464972790 |
Stacked on top of #942 - Provide dedicated option instead of relying on providers to use custom steps which are run after tool installs. - Run as first step so we don't delete things that have just been installed. - Default to off to maintain existing behaviour. This can take around 3 minutes to run, so we should only run it if we're having issues. ```yaml # Set to true to clear disk space before running prerequisites workflow. freeDiskSpaceBeforeBuild: false # Set to true to clear disk space before running test jobs. freeDiskSpaceBeforeTest: false ``` This fixes oddities in Azure and AWS where we've added steps in the `preBuild` and `preTest` to clear disk space but then have to install tools (e.g. dotnet) a second time as they get deleted.
Stacked on top of #942 Primary benefit is to reduce duplication within templates. This was not possible when using splices because splices cannot reference splices. Additionally, we want to make installing our standard versions of our tools available for use from custom test jobs as used in AWS and other providers so they don't have to hard code their own install actions. - Go was not previously explicitly installed during the build_sdk job but is used when running `make build_go`, so this adds it to ensure we're using a consistent version.
Part of #936