feat: enforce dependency on released versions of packages #12740
Conversation
This reverts commit dd55bbe.
There was a problem hiding this comment.
Thanks @galargh . This is an improvement I believe. I would like other maintainers to give the approval like @rvagg , @Stebalien , and/or @rjan90 .
A couple of things standing out to me:
- I like that we're capturing the "reason" in our exception list.
- I wonder though if it would be better to inline the exception list / reason inline
go.mod:
require (
github.com/yugabyte/pgx/v5 v5.5.3-yb-2 // @unrelease-version-exceptoin-reason: "fill this in with the reason"
)The presence of @unrelease-version-exceptoin-reason signals that this should have an exception and it also provides a reason.
Pros I see:
- All dependency info is in one file
Cons:
- There is more code to write for extracting which dependencies should have an exception. Basically, we can't use
go list -m -json alland do easyjqcommands like you have since the dependency comments aren't going to be included with withgo listcommands. - Not one quick place to check for all dependencies that have an exception (although this is easy to get with a grep)
I also want to recognize that it was @Stebalien who suggested having a separate config file like this.
- Every network upgrade we temporarily introduce some dev dependencies (e.g., go-state-types). Would we want to have the way to communicate a regex for a given dependency?
{
"Path": "github.com/filecoin-project/go-state-types",
"VersionRegex": "v0.\d+.\d+-dev",
"Reason": "Temporary dependency bubbling as part of a network upgrade release."
},Pros:
- One less step during network upgrades of having to update the exclusion list.
Cons:
- Complicates the checking logic (i.e., can't use the concise
jqcommands you have now).
@galargh : please don't act on any of my feedback yet. Lets get input from @Stebalien , @rvagg , and/or @rjan90 first before any action is taken (if any action is to be taken).
Thanks!
That would be nice but we'll have to be a bit careful to avoid bad interactions with tooling. From my basic testing it looks like
I would at least allow a regex. Forcing the user to edit this file every time they want to update a dependency is going to be rather annoying. Alternatively, we could support a set of flags (to avoid having to type out the same regular expressions over and over):
|
|
I don't mind this, having an override is nice, having to put in notes is good too but it would be great to figure out what should go in for all of the ones listed so far. |
|
In e18cc37, I was able to implement extracting the dependencies directly from the In 01b45ef I added these special comments to the currently offending dependencies to showcase how they would look like. I left the reason as |
|
Ooh. That's nice. |
There was a problem hiding this comment.
Thanks for the updates. I like the the inline dependency-check-ignore.
A few thoughts:
- There is boiler plate reading in and out the GITHIB_OUTPUT for each step, but it doesn't look like breaking into steps actually gives us better presentation when I look at https://github.com/filecoin-project/lotus/actions/runs/12237619056/job/34133776622?pr=12740
Would it be cleaner to just do it all in one step and print out along the way?
-
My only other main concern is that we don't have a
dependency-check-ignore-regexand it if it's going to be annoying to maintainers like @rjan90 who bubble up go-state-typesvX.Y.z-devversions periodically. That is the one area I can see where this new check could be inducing undesired work. I am fine to wait to see if that actually turns out to be a nuisance, but my worry with the current dependency-check.yml is that this will be a non-trivial addition since we have so far been relying on shell scripting and shell scripting maybe gets ugly to parse regexes to then apply to a given line. (I don't have experience here doing this in shell script land - it's just my gut feel). Things that would allay my concern are comments from maintainers saying that they don't need the regex or a sketch for how we'd quickly add it in future if we do want it. -
For other reviewers, I don't think we should block this PR on the
dependency-check-ignore: UNKNOWNcases. I'm all for figuring these out and lets do it if someone can quickly figure it out (less than 30 minutes total for all of them). If not, it should get backlogged since this PR isn't making things worse (it's just exposing the truth of the current situation).
go.mod
Outdated
| @@ -52,7 +52,7 @@ require ( | |||
| github.com/filecoin-project/go-jsonrpc v0.7.0 | |||
| github.com/filecoin-project/go-padreader v0.0.1 | |||
| github.com/filecoin-project/go-paramfetch v0.0.4 | |||
| github.com/filecoin-project/go-state-types v0.16.0-rc1 | |||
| github.com/filecoin-project/go-state-types v0.16.0-rc1 // dependency-check-ignore: unknown | |||
There was a problem hiding this comment.
| github.com/filecoin-project/go-state-types v0.16.0-rc1 // dependency-check-ignore: unknown | |
| github.com/filecoin-project/go-state-types v0.16.0-rc1 // dependency-check-ignore: preparing for nv25 |
|
inline |
Co-authored-by: Steve Loeppky <biglep@filoz.org>
Co-authored-by: Steve Loeppky <biglep@filoz.org>
Co-authored-by: Steve Loeppky <biglep@filoz.org>
Co-authored-by: Steve Loeppky <biglep@filoz.org>
Co-authored-by: Steve Loeppky <biglep@filoz.org>
Co-authored-by: Steve Loeppky <biglep@filoz.org>
Co-authored-by: Rod Vagg <rod@vagg.org>
I added step names to all the steps. https://github.com/filecoin-project/lotus/actions/runs/12314231229/job/34369897245?pr=12740 should read better now :) I used the comments that we included for the step names as they explain what happens inside pretty well.
To be fair, I'm not sure if the regex support is necessary with the inline comments implementation. For example, now that we have a However, if we end up needing to add any more logic to the check, I think we should switch to a friendlier programming language, which should be pretty straightforward at this point.
@rvagg Thanks! That's a great addition to the check 🚀 I think we can either a) merge as-is if you just rebase on top of this branch, or b) I could rework it in the style of the rest of the check myself (and possibly use a proper programming language while at it). @BigLep If we go with option b, I'd need a couple more hours to get it fully done if that's alright. |
please go ahead, this branch has changed a bit too much for a clean rebase and I don't have time just at the moment |
You're right. What you have is good and I don't think more is needed. I think we just get the "released versions after v0.0.0" support from #12774 in and we ship this. Thanks! |
Related Issues
Resolves #7131
Proposed Changes
This PR implements dependency on released versions enforcement as described in #7131.
Additional Info
In this iteration of the workflow, the information about the violations is described in the workflow run details. Here's an example from the following run - https://github.com/filecoin-project/lotus/actions/runs/12073744091?pr=12740
The list of approved unreleased dependencies is stored inline, in the workflow, see
lotus/.github/workflows/dependency-check.yml
Lines 20 to 77 in 36da613
Checklist
Before you mark the PR ready for review, please make sure that: