The recommendation to "move" tags #214
Comments
|
Yes, this has had many discussions and even the actions/javascript-action repo has the walk through creating a v1 branch instead of moving a tag. When we did that, there were other objections that it led to less opportunity to validate and "release" the action with an explicit action. Merging into the release branch led to it immediately being used by customers. As opposed to typically merging (potentially multiple) changes into a release branch, validating the integration and then having an explicit reaction action. The tag move is that. If the solution is a v1 branch, and you're integrating multiple changes from feature branches, it's still possible with an integration branch off of the release branch so it's still possible. Completely open to change here - however I will note that the tag moving anti pattern covers coding multi user scenarios. From an action distribution branch perspective for actions, it's not an issue from the runner which simply gets a tar gz of where that ref currently points. So I think the reasons for the anti pattern don't apply ("others will have already seen the old tag"). In this case, that's exactly what we want, the last run "saw" the 1.x action and the next run sees what's currently the 1.x version. The runner throws away the action between runs. However, we do acknowledge that it feels icky (force) and perhaps v1 branch is a better approach (and thus why I tried it out on javascript-action). Hope that helps on background. @ericsciple and @thboop for interesting conversation. Let's use this issue for a community discussion. I would love to get other feedback from the community. |
|
IMHO, the point is that refs (tags or branches) in a SCM system are not the natural way to distribute the artifacts of a project:
Artifacts in GitHub Registry cannot be overwritten, and recreating a GitHub release is not as easy as force-pushing a ref. Hence, I believe that all the documentation suggesting the usage of git refs (instead of properly releasing the artifacts) is because of a deficient implementation of semantic versioning parsing in GitHub Actions workflows. See actions/create-release#16. This is kind of expected, since apparently someone at GitHub decided a deadline for the beta, without being really aware of how disruptive it was to change from v1 to v2 just a few months ago. Engineers are doing their best, but we have to deal with this annoying lack of better planification. I think that priorities are:
Overall, I think that it is important for new users/developers to understand the difference between sources and artifacts. If that is clear, it is easy to understand that For example, in https://github.com/actions/javascript-action:
For example, in https://github.com/1138-4EB/actions/blob/master/.github/workflows/push.yml a branch named
I think that a safe procedure would be to strongly suggest users to only push full semver tags. Then, it is possible for a GitHub workflow, such as the example above, to create/overwrite either a branch or a tag. With this approach, there is no need to prepend Moreover, providing https://github.com/1138-4EB/actions/blob/master/.github/workflows/push.yml#L36-L52 as an official Action, would allow the developers at GitHub to easily support other distribution repositories in the future. Developers of actions provide the dir with the artifacts (
Note that it is not guaranteed that all the tags are located in a linear history. If developers follow a workflow with two main branches ( |
|
👋 @1138-4eb Thanks for your feedback I think we should focus this issue on the tag. However, I can at least shed some light on the motivations for some of the decisions.
Yes, there are plans and discussions going on to support GPR as a distribution mechanism. We discussed releases as an option but we're leaning toward GPR. When we have GPR, it will support full semver. However, we should note that right now, the solution is tagging. A closer analogy would be tagging in dockerhub. e.g. node offers tags like
It's safer for a source, package, build scenarios. However, the hosted images (and all the dev tools installed on them), the tools distribution mechanisms (dotnet, node installs), the service itself and the runner all move forward. Holding one component of a runtime system back as everything else moves forward provides an illusion of safety but in practice it breaks down. In addition there's critical security fixes and breaks in tools that need reactions. Azure also defaults to binding to version channels (not exact) and tool breaks happened where changes were needed and millions of builds continued to safely build when the images were updated. Exact binding would have led to build breaks en-masse. Another example would be a subtle change in the way a tool is distributed or its layout on disk (setup-node prepends the path to the bins). Users expect to add 14 to their list of 10 and 12 when 14 is released and they don't need to know when they add 14, they need to bump the action version. However, major version binding allows for action authors to make breaking changes in the inputs and behaviors.
The motivation here from product was to actually keep actions as simple dockerfiles and scripts and to use the GitHub graph. It has benefits such as just fork and use. Users can try out an action fix that's in a PR branch for validation etc. Push is the distribution. Yes, it has the consequence of the ts source files next to the js files (if you use ts) but in practice the extra few scripts from the tar ball the runner pulls (it does not clone the repo), is not an issue. The key issue is to avoid pulling all the dev dependencies (which are very large) and ncc (javascript-action example) solves that nicely. Yes, all that's actually needed to run is the action yml and a javascript entry point or dockerfile. I hope that sheds some light on at least the motivation and reasoning for the decisions that were made. As I pointed out, there's discussions for GPR and all your feedback is appreciated. Thank you! Let's keep this issue focused on for the current distribution mechanism and it's |
|
@bryanmacfarlane, thanks a lot for the insight!
I was not suggesting to stop using major version tags; I just suggested that developers don't push them manually, but an action is used instead. Shall I open a PR in https://github.com/actions/javascript-action based on eine/actions@dcb3159 to discuss it?
This makes lots of sense. Unfortunately, it seems that most actions are being written in JS/TS, and not as dockerfiles+scripts. I believe we need to adapt to the fact that new generations feel more comfortable with JS than with bash...
I think that this is desirable, indeed. I am not suggesting to stop supporting tags/branches. I think that GPR should be supported along with tags/branches. The regular distribution procedure should be GPR, but for development git refs are a must.
I think that it is not a requirement to have the JS/TS sources next to the distribution JS files. This happens to whoever that clones https://github.com/actions/javascript-action just because that template is incomplete. The PR I suggest above is precisely to solve this. Half of the work is already done (using ncc).
Please, check my comments about https://github.com/actions/javascript-action above. I'm proposing to use branch Regarding the discussion about tags vs branches. I think it deserves some clarification in the docs. As you said, it has had many discussions, and it is likely that it will keep coming up. Since this is a non-standard usage of git, a brief explanation can avoid new users being mislead. If you are ok with the PR, this explanation can be added to https://github.com/actions/javascript-action#create-a-release-branch. |
|
The nice part about the @friederbluemle suggestion and what's done in the javascript-action template is the manual step is removed (move tag). To release you simply merge into the v1 branch. The PR is the release approval. I was trying it out on the javascript-action first before updating guidance so I'm considering just updating the guidance. We can take packing, actions and other discussions in other issues. @ericsciple I think this means the v2 checkout action we're starting should just be coded in a topic branch, then merged to master upon CR and then when we're ready for release, a v2 branch. |
|
I will work on this today. |
|
Tags remain useful here, since tags align with GitHub releases, and - most importantly - marketplace publishing is controlled by tags and releases. Indeed moving tags is not a good practice in a source repository, but that's not what this is, we're using a repository here as a release mechanism. And a poor practice for source trees is not necessarily a poor practice for a release mechanism. Now you could argue that we shouldn't be using a repository as a release mechanism (since it means checking in build artifacts and using tags in this way). And that's a fair argument - as @bryanmacfarlane mentioned, we're working here to explore other options. In the meantime, I think that we should keep this guidance as-is. |
|
This is a great discussion. Thanks a lot for your input everyone! It's interesting to see that actions/javascript-action is already using the branch based approach (I did not know this :)). Also, thanks @bryanmacfarlane for providing more details on the thinking behind the recommendation. The reasons given (making releasing a new version more "explicit" step) are consistent with what I assumed to be the case. Thanks @1138-4eb for an amazingly detailed, and completely valid assessment of the underlying issue that Git refs (branch/tags) are (mis)used as a way to distribute artifacts from a project. Another thing not mentioned in the original question that struck me as odd was the fact that a comment in
Yes, that's true and I'm aware of it. My example was simplified. As soon as older major versions needs to be supported concurrently, additional branches (e.g. An idea: If GitHub Actions yml config could natively parse version ranges similar to NPM, for example:
Since the current behavior of We get the following benefits:
It feels much more natural and in line with the intended usage of Git tags. In addition each user of an action has full control over how much "risk" they're willing to accept of the CI breaking without changing the code. In an ideal world where everyone strictly follows semantic version this it should never happen. Of course, this does not address what was said regarding releasing/publishing an artifact directly from a source repo. I wonder if a separate issue should be created specifically to discuss GitHub releases/GPR? |
This is also possible without putting sources and artifacts in the same branch.
The procedure which is recommended in the docs does not only require to temporaly disable it, but it also requires to remove it and This is my main motivation to suggest:
The most relevant effect of this is precisely to avoid removing As commented, half of the work (using a bundler) is already done in https://github.com/actions/javascript-action. Section https://github.com/actions/javascript-action#create-a-release-branch needs to be fixed only.
You are correct.
@ethomson commented in actions/create-release#16 that "something we're looking at soon". I added the reference and comment above just for contextualisation. However, the discussion whether release commits should contain sources or artifacts only remains. Any possible branching/releasing model is conditioned by that. |
|
Thanks for the additional clarifications @1138-4eb 👍 Do you think it makes sense to create a separate issue regarding the release/packaging method for artifacts, or do you prefer to keep everything together in this thread (and perhaps reword the issue title)? |
|
I think it is worth a separate issue. But I don't know if it should fit in this repo or in https://github.com/actions/javascript-action. That's why I asked about creating a PR to discuss it. |
|
Full semver will come with the using GPR to release actions. As @ethomson pointed out, the tag based approach is what we have now and needed by the marketplace. I will update javascript-action and create a PR to not create the v1 branch as it won't work with the market place. We also need to update the versioning doc to note the the releases/v1 branch is not needed until we need to break compat and create a v2. ncc offers the ability to not check in any node_modules which alleviates the immediate needs for the releases/v1 branch up front. I will update those soon and then we can follow up with specific issues or questions on that. I'm closing this specific issue as the details were laid out and the questions were answered. We should avoid one total encompassing issue on action distribution. It's good to have an issue with a specific topic and agenda. |
|
I wholly agree with the first post and I think the main point got unfortunately lost. The documentation could just recommend a That would work fine with the marketplace, since anyway the v1 tag or branch should not be published to the marketplace, only specific versions (e.g., 1.0.1), as already documented. Having a release branch is a separate matter, one can still have a Packaging is another story, but there is clearly value in a beautifully simple way to distribute code with users of an action (i.e., by pushing to a branch, not overriding a tag). |
|
Linking community/community#9847. I don't think branches are the right solution either. The references (I will also note that in the context of (recent) software supply chain issues, the default recommendation should be to reference a commit, or some equivalent immutable reference to a released action's assets). |
This is regarding the official Versioning documentation for authoring custom GitHub Actions.
I really had to read it several times to make sure that an "official" GitHub controlled repository is recommending to "move" tags between commits. 😨
Please, if you haven't already, read the section On Re-tagging in the official Git man page for the tag command. Specifically, "The insane thing" (point 2), and why "Git does not change tags behind users back".
These mechanisms are in place for a reason, and together with many other amazing things about Git, have contributed to the huge success and the way Git/GitHub have revolutionized version control and collaboration over the past decade. Please, don't try to circumvent them and recommend anti-patterns as best practices. This totally sends the wrong signal, especially to new users who are less familiar with Git. Do not force re-tag and force override already published tags.
All that said, most what is written in the Versioning documentation document makes sense, and is following best practices 👍 It seems like a solution that uses Git tags in the intended way with minimal change to what is already there could be:
masterbranch for ongoing developmentv1.0.0,v1.1.0)v1instead ofreleases/v1A branch is the correct construct to point to different commits over time.
Example
Say
v1points tov1.0.0, and a new versionv1.1.0has been tagged. After successfully testingv1.1.0,v1could simply be fast-forwarded tov1.1.0. There is no need to force anything, and from a user's perspective, everything remains the same, e.g. using an action would still look like this:The text was updated successfully, but these errors were encountered: