Reduce recurring steps in CI workflow #14865
5154eb8 to f025b82
Shouldn't the caching from #14882 be part of the composite action used here?
Yes, that's why I opened trinodb/github-actions#15 and I'll update the commit sha here when necessary.
Make sure to update the checkout-and-setup tag to something which uses actions/cache explicitly.
f025b82 to fc282af
fc282af to b14d737
I also extracted uploading test results and reports into a separate action and added a step to grab heap dumps.
@nineinchnick
Ah, I forgot that they can contain sensitive data, like secrets. If we upload them as artifacts, then they're public. I'll add a condition to only do this if there are no secrets set.
b14d737 to a9b6940
This will work for now. If we have OOMs with secrets-requiring jobs, we can perhaps encrypt those dumps.
.github/workflows/ci.yml
Outdated
upload-heap-dump: >- | ||
${{ secrets.TRINO_AWS_ACCESS_KEY_ID == '' && | ||
secrets.TRINO_AWS_SECRET_ACCESS_KEY == '' && | ||
secrets.AZURE_ABFS_CONTAINER == '' && |
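Review bot: the `secrets.… == '' &&` chain that feeds `upload-heap-dump` fails open, because the upload stays enabled whenever every secret named here is empty, so a secret that a job starts using later but that is not appended to this list is not covered. Make the upload off by default and enable it from a single explicit condition, and put a comment on the expression stating which secrets it has to track.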
Let's try to simplify.
Can we somehow explicitly detect the PR is not trusted?
If github doesn't make it explicit, we could check that the build is a PR and the source repo != trinodb/trino
wdyt?
(i am worried that addition of a new secret will be overlooked here)
alternatively, we could have a dummy secret SECRETS_PRESENT in trinodb/trino
and condition on that here
alternatively, we could have a dummy secret SECRETS_PRESENT in trinodb/trino
and condition on that here
I like this idea. I didn't try to add a condition to detect forks because I'm not sure we wouldn't miss some cases. Checking for secrets seemed more direct.
Can you create such a secret? Or would it be enough to check for just one of the existing secrets, with a comment?
I created org-wide SECRETS_PRESENT secret.
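The gate discussed in this thread, written out as an added example; it is not part of this PR or of the Trino repository. The workflow name, step names, test command and the `**/*.hprof` path are assumptions; `SECRETS_PRESENT` is the dummy secret named above, and the 2-day retention mirrors the `heap-dump-retention-days` default in the reviewed action.

```yaml
# Constructed example: upload heap dumps only from runs that were given no secrets.
name: ci-heap-dump-gate-example
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    env:
      # Resolves to an empty string when the run has no access to secrets,
      # for example a pull_request run triggered from a fork.
      SECRETS_PRESENT: ${{ secrets.SECRETS_PRESENT }}
    steps:
      - uses: actions/checkout@v4

      - name: Run tests
        run: ./mvnw test   # placeholder test command (assumption)

      - name: Upload heap dumps
        # The secrets context cannot be read in a step-level `if:`, so the
        # condition tests the job-level env var instead. One sentinel replaces
        # the per-secret chain, so a newly added secret cannot be forgotten.
        # Fail-closed: any non-empty sentinel value disables the upload.
        if: failure() && env.SECRETS_PRESENT == ''
        uses: actions/upload-artifact@v4
        with:
          name: heap-dumps
          path: '**/*.hprof'          # assumed dump location
          if-no-files-found: ignore
          retention-days: 2

      # Alternative raised in the thread: compare the PR source repository.
      # This expression is true only for pull_request events from another repo:
      #   github.event_name == 'pull_request' &&
      #   github.event.pull_request.head.repo.full_name != github.repository
```

The sentinel only works if the dummy secret is defined wherever the real secrets are; a repository that has the real secrets but not the sentinel would upload dumps from trusted runs.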
why is checking for PR source not enough? i.e. source repo != trinodb/trino?
I don't understand commits other than "Attempt to upload heap dump if tests failed". @hashhar do you want help reviewing?
Decoupling would mean I'd have to do this twice, once by duplicating it 4 times and then again in this PR. Would it help if I'd extract it into another PR based on this branch?
sounds bad
no, because i still wouldn't be able to merge this :)
upload-heap-dump should be very carefully used - I'm not strongly in favour of enabling it by default. We should enable it when debugging for a specific job and not always.
Also are the heap dump artifacts only visible to people with write access to repo? If not then it's not safe to do at all.
.github/actions/upload/action.yml
Outdated
heap-dump-retention-days: | ||
default: 2 | ||
upload-heap-dump: | ||
default: "false" |
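Review bot: `default: "false"` on `upload-heap-dump` is a string, and composite-action inputs reach the steps as strings in any case, so a bare `if: inputs.upload-heap-dump` would evaluate as true for the value 'false'. Compare explicitly with `== 'true'` wherever the input is read, and add a `description:` to both inputs stating the accepted values, since none is visible in this hunk.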
stringly typed booleans create confusion, especially when the value being used can be easily confused for a boolean
.github/workflows/ci.yml
Outdated
upload-heap-dump: >- | ||
${{ secrets.TRINO_AWS_ACCESS_KEY_ID == '' && | ||
secrets.TRINO_AWS_SECRET_ACCESS_KEY == '' && | ||
secrets.AZURE_ABFS_CONTAINER == '' && |
why is checking for PR source not enough? i.e. source repo != trinodb/trino?
Let's extract last 2 commits and merge the first one. the last 2 are controversial.
a9b6940 to 053868b
Done, I'll open up another PR after this one gets merged.
If we want to use it to debug OOM errors that happen sporadically, it'll not be very useful. I wonder if it would make more sense to try to reproduce the OOM locally, for ex. in a container with limited memory.
Why are they not safe? Do you have ideas for any alternatives?
I now see that you only upload them if secrets don't exist so that solves my concern.
053868b to 019c889
LGTM.
019c889 to d52f4df
d52f4df to 85328d5
LGTM % check-commits can also use .github/actions/setup it seems.
85328d5 to b3473bb
@hashhar all green!
Description
Extracted from #12817
Non-technical explanation
n/a
Release notes
(x) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
( ) Release notes are required, with the following suggested text: