-
Notifications
You must be signed in to change notification settings - Fork 378
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: Pin Python Version #1545
ci: Pin Python Version #1545
Conversation
Pin the CPython version in Python-oriented GitHub Actions to a micro/patch version.
Hmm, why would up-pinning pyyaml cause it to say we already have that dependency and then skip? Why wouldn't it use a more recent version? (Also why does black's install line ask for pyyaml anyway? If it's a dependency, shouldn't that be automatic?) |
PyYAML 5.3.1 (the latest version) is used by the AWS SDK; technically they pin to 5.X. It's installed on the system by the time we get there. PyYAML is our dependency, so that's why it's listed (and subsequently why I pinned it). |
Ah right I forgot about the fishing script. I guess I don't quite understand why uppinning pyyaml is a no-op. Wouldn't that also fit the criteria you said earlier, in that somebody could run this install command locally and it would work? |
First off: how dare you?
I'm taking no-op here to mean "something I'm avoiding doing," which, you'd be right, this would make me very warm and fuzzy in that someone could come through and run that command and they'd be running pylint/black against the cactbot repository and everything would be happy (including me, possibly). The issue is that the AWS SDK isn't pinning to a version, so if PyYAML came out with a new version we'd be in this mess again, since 5.4.0 or 5.3.2 would cause this to no longer say "I'm happy because that thing you wanted is right here, silly!" and break again. However, that's also in undefined future times (if ever) and we'll probably be on 3.7.9+ of CPython and none of this will be an issue. It's not really a software issue, more of a "I don't like this because of ehh" issue, so if you (or people!) have opinions, mine is not so steadfast that it can't be changed. There's also the opinion that we should probably just install with |
Ah, I see. That is not the way I use the word "no-op". Hmm. Is not specifying a pyyaml version on our end an option? Or do you feel equally bad about that? |
That's an option as well; technically none of our version dependencies need to be pinned (although we did run into that pylint error that one time on Travis 😉 (and that one time even more recently with isort)), but it feels nice to "guarantee" it works with a certain manifest of tool installs, but it's also kind of unnecessary in the sense that someone should be able to install whatever version of PyYAML (or requests) and it should just work with some reasonable amount of success. Things like black or pylint are a little more stringent since we directly depend on their exit codes, but really PyYAML (and requests) only has to be installed to avoid import errors, and for 100% of the current CI use-cases the versioning is irrelevant. |
After talking with @quisquous offline, I think I'm going to abandon this pull request; it doesn't sound like it's the correct solution in any sense. I opened it knowing that it wasn't going to be the permanent fix going forward, but now that it's simmered a bit it feels ultimately like a very poor solution. We're well beyond technical solutions at this point, and I think now we're discussing what this should look like going forward. I think there are two potential solutions here with differing main goals; in no order:
Going to cc @JLGarber here since he's pretty much the main consumer of the Python CI stuff beyond @quisquous and myself. I'm pretty indifferent to the options presented; I have a desire for the CI system to "just work" and stop being intrusive to the developer, but at the same time I don't want to add anything that makes the CI systems scarier than they need to be for anyone looking to contribute in that corner of the repository. If anyone feels super strongly in either direction, I think I'm okay with taking either approach at this point. |
I think it's fair to say that my level of care is mostly at "does it run when I submit a pull request?" and "how often will I get inscrutable errors when I run tests locally?" Solely on that basis I (think I) would prefer the first option, but of course that's mostly just kicking the can until (if?) the action runners pin different dependencies. Maybe another way of looking at it is, how often woud you anticipate the action runners changing their pins, and how long would it be likely to take you to research and resolve this if/when that happens? If it's just a few minutes once every 3-5 months, I think that's a reasonable tradeoff. If it's an hour every 3-5 months, that's less reasonable. |
I think it seems quite unlikely that the action runners would start installing pylint or black if they weren't already. It's not just changing the pin, but it'd be installing it at all. So it's less kicking the can in the sense that the dependency exists and will eventually be updated and more instead taking a gamble that the dependency will ever be added directly or indirectly in the future to the action itself. I think on the chance that happened, we could switch to the |
Keep in mind that it's not only the what the runners themselves install, but what the software that they install also installs; that being said, why would you add a linter as a dependency to your package? I think the risk is pretty minimal, and the fix is (and hopefully remains) easy. |
Closing in favor of #1548. |
Pin the CPython version in Python-oriented GitHub Actions to a micro/patch version.
I have been waffling on this issue for a couple hours now, trying to exactly pinpoint what broke in the upgrade to CPython 3.7.8:
Click for recent Python-lint GitHub Action run error output.
As it turns out, re-running CPython 3.7.7 builds works, but I didn't absolutely love this as a solution since we're already pinned at the minor release (informed readers may already know this is the ending to the story, but don't let that discourage you from reading the tales below!), I felt as though patches should be natural and hopefully non-breaking (or breaking, but in a good way). Additionally, up-pinning our PyYAML version also works, which I considered to be a better approach at the time. Digging into why it works though is pretty bad.
There's a pretty curious error message that gets output:
And I had spent a good amount of time wondering where this had come from, and what one of our three dependencies and their chain might be installing this; turns out, I installed pipdeptree locally and none of them are installing this.
So, I shelved that, and I went to go look at why two days ago (previous working runs) this hadn't been an issue. The setup-python GitHub Action doesn't look at the upstream PyPi for its resolution, but instead at python-versions, which still didn't tell me why two days ago this worked, since the latest release was older than that. From there, I looked into what's installed on the GitHub Action runners and found that it's installing the AWS SDK.
This is basically a long-winded way of saying that the AWS SDK is installing PyYAML at 5.3.1, which means that up-pinning PyYAML does work, but for all the wrong reasons (basically it says we already have that dependency and skips it, 🎉 ).
There's a lot more red-herrings in here around some other things like setuptools not working explicitly for pyyaml, but that doesn't seem correct either since we should be using an older version (47.1.0) as per the CPython release notes/changelog (verified), and upgrading to the fixed version in the linked issue doesn't fix the problem.
There are alternative answers here as well, such as up-pinning PyYAML (I may warm up to this idea, but it sounds fundamentally bad), or adding
--ignore-installed
to the pip command, but all in all I'd prefer this command to be something you'd expect someone to invoke locally as well. I think this is (probably) a non-issue for most people, since I think I'm one of the few unix users of cactbot, and more specifically one of the few people that even runs Ubuntu, and this still doesn't affect me since I don't have weird conflicting issues with PyYAML locally.This is all to say that I don't have an answer, this is acceptable, and it "solves" broken things for the time being. Future me will probably shake his future head at past/current me, but until then I think this is "good enough" for now. Thanks for coming to my TED talk.