nixpkgs-check-by-name: make all github-driven checks locally reproducible#266937
Conversation
…ible
This commit moves the chunks of shellcode in
.github/workflows/check-by-name.yml into individual scripts.
What remains in .github/workflows/check-by-name.yml are three-line
scripts which:
1. Dump the environment to the console
2. Set `-x` so the following command is printed in
properly-escaped form, which developers can simply paste to their
own shell to reproduce the command
3. exec() into the file containing the shellcode which previously
comprised that step.
This ensures that if a test fails, the PR author doesn't have to
rummage around in the bowels of github in order to reproduce the
failure locally.
github-actions
bot
added
the
6.topic: policy discussion
ghost
marked this pull request as ready for review
ofborg
bot
added
10.rebuild-darwin: 1-10
infinisil
left a comment
infinisil
left a comment
There was a problem hiding this comment.
Not sure about this. The commands in the action aren't actually reproducible since they depend on the base branch and the channel. However, all the information to reproduce it is already printed decently in a markdown for each check: https://github.com/NixOS/nixpkgs/actions/runs/6837521847#summary-18593634536
How about adding a command like
pkgs/test/nixpkgs-check-by-name/reproduce.sh <base SHA> <tooling SHA>
Which then tests HEAD in the current Nixpkgs the same way as the action does. Ideally the action should also just use this command then.
Then the markdown can be changed to just tell users to run the command with specific flags.
These are passed in environment variables, which are printed.
That is the most important part. I'm on board as long as that is true. |
|
With latest push, using #266956 as an example: |
ghost
dismissed
infinisil’s stale review
requested changes implemented, re-review requested.
|
The most annoying part is that, for not-yet-merged PRs, the But at least this is a step forward. |
|
It's easiest to review by reading 8187fe5 by itself. The other commits just copy things between various files, making it difficult to review the entire PR as a single diff. |
infinisil
left a comment
infinisil
left a comment
There was a problem hiding this comment.
I've got some suggestions, but I think we can make something like this work. Also be sure to update the contributor docs too.
| echo "mergedSha=$mergedSha" >> "$GITHUB_ENV" | ||
| env | ||
| set -x | ||
| exec pkgs/test/nixpkgs-check-by-name/workflows/check-by-name/check-mergeability.sh |
There was a problem hiding this comment.
This is very GitHub Actions specific. Locally you'd want to test your current working tree, not the PR's HEAD, so this should stay here.
| # nixpkgs. | ||
| env | ||
| set -x | ||
| exec pkgs/test/nixpkgs-check-by-name/workflows/check-by-name/determine-pr-hashes.sh |
There was a problem hiding this comment.
This should also stay, it's GitHub-specific. Locally it's rarely the case to have a merge commit with the right parent commits.
| # nixpkgs. | ||
| env | ||
| set -x | ||
| exec pkgs/test/nixpkgs-check-by-name/workflows/check-by-name/determine-channel-for-dependencies.sh |
There was a problem hiding this comment.
It's not great how there's all of these separate files. The main reason these steps are split up so that it's easier to see where time is spent (e.g. see https://github.com/NixOS/nixpkgs/actions/runs/6844035438/job/18607346212). But that's not very important, I'd rather have this and all steps after as a single script.
Also we shouldn't make env necessary. If we have a script to reproduce it locally, the script shouldn't depend on GitHub-specific variables.
I also don't think set -x is necessary, the code is very verbose and already prints everything useful.
| toolingBinariesSha="$2" | ||
| mergedSha="$3" | ||
|
|
||
| nixpkgs_for_tooling_binaries=$(nix-instantiate --eval --expr "builtins.fetchTarball \"https://github.com/nixos/nixpkgs/archive/$toolingBinariesSha.tar.gz\"" | tr -d '"') |
There was a problem hiding this comment.
This duplicates the tooling Nixpkgs download, it should re-use the one it already fetched from the channels. Otherwise this adds another ~15 seconds to the CI time.
| echo "nixpkgs=$nixpkgs" >> "$GITHUB_ENV" | ||
| echo "toolingBinariesSha=$toolingbinariesSha" >> "$GITHUB_ENV" |
There was a problem hiding this comment.
You can remove all GITHUB_ENV assignments if we only have a single step and script.
| # Usage: pkgs/test/nixpkgs-check-by-name/reproduce.sh <base SHA> <tooling SHA> <merged SHA> | ||
|
|
||
| # TODO(amjoseph): allow omitting the final argument, since it is | ||
| # often a commit which exists only in github (and is difficult to | ||
| # `git fetch` from github before the PR is merged). |
There was a problem hiding this comment.
Ideally we'd have two scripts:
./reproduce.sh <tooling SHA> <base SHA> <merged SHA>: Reproducible from the args as here (I'd order the args this way)../reproduce-latest.sh <base branch name>: Tests the current HEAD against the latest commit of the base branch name, effectively replicating what a new CI run should do if you committed and pushed the current code. This should first determine the arguments for./reproduce.shand then call it.
Can you implement something like that?
| echo " - Tooling binaries built at nixpkgs commit: [$toolingBinariesSha](https://github.com/${GITHUB_REPOSITORY}/commit/$toolingBinariesSha)" | ||
| echo " - Store path: \`$(realpath result)\`" | ||
| echo "- Tested Nixpkgs:" | ||
| echo " - Base branch: $BASE_SHA" | ||
| echo " - Latest base branch commit: [$baseSha](https://github.com/${GITHUB_REPOSITORY}/commit/$baseSha)" | ||
| echo " - Latest PR commit: [$headSha](https://github.com/${GITHUB_REPOSITORY}/commit/$headSha)" | ||
| echo " - Merge commit: [$mergedSha](https://github.com/${GITHUB_REPOSITORY}/commit/$mergedSha)" | ||
| } | tee -a "${GITHUB_STEP_SUMMARY:-/dev/null}" |
There was a problem hiding this comment.
We should avoid all GitHub-specific variables from such a script, such that you can run it locally without knowing these variables.
|
To make this actually work it has to be implemented a bit differently, I'm doing that here: #274591 |
|
Effectively done with #274591 |
1 participant
Description of changes
This commit moves the chunks of shellcode in
.github/workflows/check-by-name.ymlinto individual scripts.What remains in
.github/workflows/check-by-name.ymlare three-line scripts which:-xso the following command is printed in properly-escaped form, which developers can simply paste to their own shell to reproduce the commandexec()into the file containing the shellcode which previously comprised that step.This ensures that if a test fails, the PR author doesn't have to rummage around in the bowels of github in order to reproduce the failure locally.
Fixes #266930
Fixes #266931
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)