checkout action performing merge commit from incorrect base SHA #27
Comments
siggy
changed the title
|
@siggy This is kind of worrying behavior. Does using command line git avoid this issue? |
|
I think the second job should failed if your PR branch get updated, since we can't find the same SHA to build anymore. |
|
@chingc @TingluoHuang Thanks for looking into this. I have set up a simpler, more contrived example: https://github.com/siggy/linkerd2/pull/15/checks?check_run_id=220501197 I am not reliably reproducing the issue in the above example, but I do I see commands from git -c http.extraheader="AUTHORIZATION: basic ***" fetch --tags --prune --progress --no-recurse-submodules origin +refs/heads/*:refs/remotes/origin/* +refs/pull/15/merge:refs/remotes/pull/15/merge
git checkout --progress --force refs/remotes/pull/15/mergeIs it correct that |
|
We're also running into this issue. -- Basically under the hood, Github Actions/Checkout is checking out this phantom Merge Commit, when I look at other environment variables like |
|
This is particularly problematic, because we have some automatic commits like Prettier Formatting, and generating some documentation when certain code files change, and these automatic commits are effectively doing a merge-master-into-branch every time they trigger!
Each of those This is also a problem as we have an external CI, that we trigger from Github Actions (based on labels), and we try to prevent duplicate builds for a given Commit, but since this Phantom Commit is the |
and:
Yes, this is the intended default behavior. The goal is to validate that the pull request will build and test against what it would be merged into. Continuous integration builds need to take into account what they'll be merge into, not the state of the repository when they were created. This prevents you from merging a commit that breaks master but "worked on my machine". If your goal is not to validate the CI but to do some fixups (ie, automatic updates from linting) then I agree that you would not want to check out the merge commit but to actually If you really want to validate the pull request as it was actually sent, and not what would be produced by a merge into master (ie, in isolation of the master branch), you can specify the ref to checkout: steps:
- uses: actions/checkout@v1
with:
ref: ${{ github.head_ref }} However, I strongly encourage you not to make this a separate workflow - one workflow that lints and updates the PR if (and only if) it made some changes, and then a second workflow that does a build and test on the merge produced into master for verification. |
|
Oh wow! That’s super interesting. And very much not what I was guessing or expecting. What happens if there are merge conflicts? |
This is exactly what I've had to resort to when running some ci checks that report status based on branch. Otherwise the reported branch is incorrect. |
|
@ethomson Appreciate the detailed reply. Testing a PR merged into master is in fact what we want, not Our core issue is that our workflow that executes This is problematic because, for example, a job in our workflow builds docker images versioned as The result is every time we merge master, most currently-running CI workflows fail. Here's an example, note Is there any plan to open source this action? We'd love to just submit a PR to better illustrate the issue. Failing that, we may write our own checkout action, but we're concerned about potential rate limit issues. Any guidance is much appreciated, thanks. |
|
Hi @fbartho -
The first check that happens on GitHub when you open a pull request is whether it's mergeable or not.
I'd like to understand more about the scenario you're describing, but generally this is an advantage. You usually want to know if there was a change to a dependency in master that you depend on in your pull request. Consider the case where the dependency was changed in master in an incompatible way and that PR used it. If the CI build didn't do the merge into master, then that would just be a successful build, but as soon as you merged the pull request, that would break. By building the merge commit, you're able to have high confidence that the integration of your pull request will be successful. |
Thanks, @siggy, for the clarification. We'll give this some thought. |
|
@ethomson FWIW, we have worked around this issue by only using |
|
@siggy |
|
@ericsciple Thanks! Will check it out. |
|
I've just run into what I believe is a related issue. $ git diff --name-only ${{github.event.pull_request.base.sha}}...
fatal: Invalid symmetric difference expression ddf331629b3147875282f18f52fc6f3483d75dff...This repo is private. For GitHub staff who may investigate: The workaround of instead using |
Support for the HAPPO_IS_ASYNC env variable was recently added to happo.io. So far, it's only been affecting `happo run` and `happo compare`, but I'm making it affect `happo-ci` as well. In async mode, we don't need to check out the previous commit. This should help resolve issues with running happo in github actions, where (by default) the current sha is not the tip of the PR. Instead, it's a merge commit to the current master. Some context here: actions/checkout#27
|
Bumping, since it seems like folks (myself included) are still having issues with this. I see a lot of people are switching to From what I understand, creating a new merge commit between the PR's HEAD and the base branch, and running the CI against that, is telling us if our CI would pass after the PR is merged. So if any code conflicts are resolved cleanly during the merge, or if behavior has changed elsewhere that could cause test failures, this CI build will catch that. However, it looks like we're still running into issues with the SHA of the checked out code being incorrect, or originating from an incorrect base. Edit: found this issue when poking around, which asks why a merge commit is the default behavior. I think my description here answers that, but please correct me if I'm wrong! |
#### Problem For a GitHub PR, the actual parent may be different from the commit given by `github.event.pull_request.base.sha` (see actions/checkout#27). In this case, size reports incorrectly include changes from commit(s) between the purported and actual parent. #### Change overview Extract the actual parent from the PR merge commit subject. #### Testing Manually checked externally https://github.com/kpschoedel/actiontest/runs/4226639507 Actual confirmation can only happen on live CI runs.
* Size reports: Fix parent SHA race #### Problem For a GitHub PR, the actual parent may be different from the commit given by `github.event.pull_request.base.sha` (see actions/checkout#27). In this case, size reports incorrectly include changes from commit(s) between the purported and actual parent. #### Change overview Extract the actual parent from the PR merge commit subject. #### Testing Manually checked externally https://github.com/kpschoedel/actiontest/runs/4226639507 Actual confirmation can only happen on live CI runs. * set $GH_EVENT_PARENT before gh_sizes.py runs * Use `test` instead of `[[` * POSIX `test`
* Size reports: Fix parent SHA race #### Problem For a GitHub PR, the actual parent may be different from the commit given by `github.event.pull_request.base.sha` (see actions/checkout#27). In this case, size reports incorrectly include changes from commit(s) between the purported and actual parent. #### Change overview Extract the actual parent from the PR merge commit subject. #### Testing Manually checked externally https://github.com/kpschoedel/actiontest/runs/4226639507 Actual confirmation can only happen on live CI runs. * set $GH_EVENT_PARENT before gh_sizes.py runs * Use `test` instead of `[[` * POSIX `test`
* Size reports: Fix parent SHA race #### Problem For a GitHub PR, the actual parent may be different from the commit given by `github.event.pull_request.base.sha` (see actions/checkout#27). In this case, size reports incorrectly include changes from commit(s) between the purported and actual parent. #### Change overview Extract the actual parent from the PR merge commit subject. #### Testing Manually checked externally https://github.com/kpschoedel/actiontest/runs/4226639507 Actual confirmation can only happen on live CI runs. * set $GH_EVENT_PARENT before gh_sizes.py runs * Use `test` instead of `[[` * POSIX `test`
## Issue being fixed or feature implemented Our guix workflow creates a merge commit instead of using HEAD from a PR itself which is why commit hash is different. That's exactly what is described in actions/checkout#27 imo. related: #5355 (comment) ## What was done? adjust guix workflow ## How Has This Been Tested? see this PR results: the HEAD looks correct now this PR: https://github.com/dashpay/dash/actions/runs/5191152453/jobs/9358590629?pr=5416#step:2:482 #5355: https://github.com/dashpay/dash/actions/runs/5187698039/jobs/9350381761?pr=5355#step:2:489 ## Breaking Changes n/a hopefully ## Checklist: - [x] I have performed a self-review of my own code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have added or updated relevant unit/integration/functional/e2e tests - [ ] I have made corresponding changes to the documentation - [ ] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_
We're observing
actions/checkoutcreating merge commits based on the repo's latest master SHA, rather thangithub.event.pull_request.base.shafrom the event that initiated the action.This causes different merge commits across jobs within a single workflow. This is despite
GITHUB_SHA,github.sha,github.event.pull_request.head.sha, andgithub.event.pull_request.base.shabeing identical for both jobs.This happens because a new commit was added to master between the two job runs, but the observed behavior is still surprising given that both jobs are given identical environment variables and Github event data.
Identical environment between jobs
Abridged
${{ github }}context:Job 1
Full output:
https://github.com/siggy/linkerd2/runs/207435287#step:2:1007
Job 2
Note that Job 2 has created merge commit
7efd2d0bbased off of the most recent master commit324483a653c7c09a350bc2a782080d6ea0ae533d, despite these SHAs not appearing anywhere in the environment variables or event data.Full output:
https://github.com/siggy/linkerd2/runs/207437496#step:2:1014
State of master
Note that the above event data references the 2nd most recent commit to master, as that was the state of master when the workflow was triggered:
with/refconfigNote that setting
ref: ${{ github.sha }}orref: ${{ github.ref }}had no effect:sha
https://github.com/siggy/linkerd2/pull/14/checks?check_run_id=207481400#step:2:3
Run actions/checkout@v1 with: ref: 17c77866218c23d4b2a47221ccd9aff78a5d7172 clean: true ... git checkout --progress --force refs/remotes/pull/14/merge ... HEAD is now at d6ae7796 Merge 80e75c911dbd20e9b1226d7854818843b037dc1a into ae31e8838e171e60e1cd2fa9ad54070fcb741025ref
https://github.com/siggy/linkerd2/pull/14/checks?check_run_id=207488293#step:2:3
Run actions/checkout@v1 with: ref: refs/pull/14/merge clean: true ... git checkout --progress --force refs/remotes/pull/14/merge ... HEAD is now at eb786159 Merge 8a33bbfb6ad62902926b1449c2b9703433da6450 into ae31e8838e171e60e1cd2fa9ad54070fcb741025Previously reported in the Community Forum
https://git.luolix.topmunity/t5/GitHub-API-Development-and/Github-Actions-Inconsistent-repo-checkouts-across-jobs/td-p/30258
...but upon further inspection of workflow environment variables opted to create an issue in this repo.
The text was updated successfully, but these errors were encountered: