-
-
Notifications
You must be signed in to change notification settings - Fork 369
CI: Add a verify-success reusable workflow to use for required checks #3320
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for discussing the rules. Your ruleset JSON imports cleanly, so we can use that. We are using Branch protection rules now.
The required checks make sense only for branches where the checks are present. For release branches so far, we are not requiring any checks. I think we need 8.4 or higher or something like that for the new ruleset.
I definitively find it strange that I need to change the rules every time a version updates. It is doable, but not smooth. I would rather see a GitHub solution than more custom CI code, but faster updates of more versions require more of these manual non-code updates and that's not a good outlook, so we need a solution sooner rather than later.
While the same system of true matrix-based multi-jobs, the use of the matrix to set the versions for one job started as a workaround of not having a GitHub feature for setting variables which are not environment variables, so maybe there is a better way now which would (only!) partially reduce need for this PR.
I can't be sure that using both Branch protection rules and rulesets will do what we want. Adding rulesets does not remove the (as I understand) current branch protection rules that require a check that won't exist if a version is updated. If you sent me (privately if needed) screenshots of the existing config in branch protection rules, I could study a suggestion, on what to remove from it (and make sure an equivalent is set on the rulesets).
In that case, we should split the ruleset to only apply on what we want. Like what is common to all (the permissions), and what is specific (main and later, vs older release branches)
This is what it is fixing. By configuring the repo to require a check (or a check name) that doesn't change in time. I saw other repos doing the same-ish idea, some had issues at first with handling of skipped jobs that didn't block them from merging when they wished it would, that's why I really took my time to handle the possibilities. I avoid the flaws discussed here: https://github.com/orgs/community/discussions/26822
I'm thinking about this. Why don't we only apply the advanced required checks for the default branch ( |
On a side note, concerning repo settings, it would have been useful for #531 if automerge wasn't disabled. Into this (for checks running): Enabling auto merge enables the possibility of auto merging, not that it automerges anything by default. The setting to change is in the General tab: I double checked, and there isn't any merging done if there is no required checks or no required reviewers. It stays a simple PR. The wording of the interface is scarier than it is. I use it daily on other repos. Once I make my tour and everything is ok, and only the CI needs to finish after my review, I enable it and it will do its thing without having to go back to it. |
I'm polishing up a new round of rulesets. I experimented a bit more in the last days with other ways of splitting them, some configurations I didn't like, but I think I have something I like better now. I'll come back with it when they are ready. |
Auto-merge is enabled. I went through the doc and fits with your explanation, but it is similarly confusing/scary as the UI, like they never considered that people want to hear that they will be confirming the action first. It is basically a new button for each PR to "merge later when ready", not a policy to "immediately merge everything across the whole repo". |
Yah, I know, I was scared too when playing in my settings, but since I already knew what the feature was (from using it), I only had to find how it was called. And it's that. It's not so bad. |
The plan is to change the rules and then merge this, correct? |
Yes, if the rules seem okay to you, and they are equivalent enough to replace the branch protection rules (at least for the main branch, and at least for the required checks). The more I think about it, the more I think the members that merge PRs are getting used to add reviews, and thus checking the require PR reviews (to at least 1) might not be a so bad idea. At first I wanted to be extra conservative to not add anything more, but since automerge is possible, it plays a bit nicer with it: you can set automerge on waiting for an "approval" and expressly don't add yours to wait for someone to add it. |
I applied the two rulesets for the default branch. I added linear history to 1 (otherwise that would be ensured only by using PRs and the settings for the PRs). I also experimentally added the 1 required approval. The bypass is enabled as suggested. I removed everything from 2 except the checks. I deleted the old branch protection rule for main. Result: https://github.com/OSGeo/grass/rules?ref=refs%2Fheads%2Fmain I didn't create the release and other branches rulesets. I'll leave feedback for these later. (After reviewing this PR again so we can merge it, ha ha.) |
For the require linear history, I didn’t opt to include it in my recommendation since we sometimes might need to have a PR not squashed merged to help with file renames. But since we require PRs, the default is squash merge, and the ones who can merge should know what they are doing, it wasn’t a concern for me. You can look at the descriptions of the potential problems or things to look out (for the available rules) in this doc https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-linear-history |
@wenzeslaus Lastly, since the rulesets are now active, we need to merge this PR that includes the now required status checks tonight, so that all the other PRs aren’t blocked by this. Either this, or to not enforce the rule if you still want to wait. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good job writing that reusable workflow, but I'm anyway secretly hoping GitHub will a native solution at some point.
I’ll let you try using the auto merge for this one ;). Enable it, then go and approve the PR when ready. |
Too late! :-))) But I already tried elsewhere (just to enable and disable). |
It seems like there was an intention for this on October, but when will it really be available? We never know. We'll adapt. It's our tooling, it's not set in stone. |
About the rulesets for release branches, release branches are now often updated locally, i.e., backports are happening without PRs. They can and do happen with PRs sometimes, but not always. Release procedure also does direct commits and pushes to release branches. There was a talk about using a bot for backports, so maybe that would help here. Current release branch rules are "Require linear history" and "Do not allow bypassing the above settings". I don't have a suggestion right now on how to proceed. |
I don't see any rulesets for the release branches. Are they really set, or it is branch protection rules (that I can't really help or analyze) |
For clarity, I migrated the current branch protection rules for release branches to a new ruleset. It is the same as before including no bypass. |
When reviewing #3333, I decided to also require conversations to be closed before merging. I was giving an approving review, but there was still an open comment. Auto-merge would make sense only after the comment is resolved. It seems that if you want a review, you want the conversations to be closed as well. |
Totally agree, and with auto-merge/require resolved conversations, the UI makes it clear why it isn't ready to merge. |
…OSGeo#3320) * CI: Add a verify success job to use in required checks * Limit line length in verify-success.yml and Python Code Quality workflow * CI: Use pipx to run tools in python-code-quality.yml, cache pip * CI: Add verify success for pytest workflow * CI: Add verify-success to Ubuntu * Update .github/workflows/python-code-quality.yml
Since the issue might be a little weird to understand, let's go through the problem by stating individual facts, then explaining why the PR is needed and the changes to make.
needs
property. This is what makes some pretty diagrams in the workflow summary when more than one rectangle is present. Usually, all jobs inneeds
have to be successfully complete before the dependant job starts, unless a conditional expression makes it continue.success
,failure
,cancelled
, orskipped
.if
at the job-level) to control if it should be executed, or it should be skipped.Now the problematic part starts:
Examples of the problematic behaviour:
3.10.0
since the name would be different.So the solution is to have the status checks defined on a job that can only complete successfully if the checks we want to be required are also successful. That is what I bring in this PR.
To make it possible to use the same logic multiple times, I created a reusable workflow called
verify-success.yml
, and call it from our existing workflows. In order to have the most flexibility to really create the outcomes that we want, I added inputs that allow to adjust for what types of job results that check should fail. That reusable workflow doesn't run my itself since it only has theworkflow_call
trigger.In the future, I imagine that I might bring a PR that combines multiple workflow files (that have the same triggers) together to reuse some commonly built artifacts, or optimizations like that. But if some of the jobs shouldn't be required, but others do, the way I created the reusable workflow allows to group the non-required jobs or even cancelled jobs to make the result of that verify-success job successful, and that could be used a dependant job for another call of verify-success, along with other required jobs. That's why you already see that I set the job_id to
ubuntu
in theubuntu.yml
workflow.I tested out this with multiple smaller jobs with all statuses, and all 16 combinations of my input flags (boolean). It works correctly.
Some more info:
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/troubleshooting-required-status-checks
https://docs.github.com/en/actions/using-workflows/required-workflows
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds
https://docs.github.com/en/actions/learn-github-actions/contexts#needs-context
https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
Now, for the settings changes that an admin has to do to allow this PR to merge:
I made them all from rulesets. They are layered, and when more than one rule applies, the strictest setting is used.
I made screenshots of the configuration I think we need.
In the repo settings, open the Rules > Rulesets tab. Create a new ruleset.
Image
Add bypass to admin, it is sometimes needed. I selected for pull requests for now
Image
Choose the branches to target. The default branch, plus our
releasebranch_*
Image
Once saved, we see that it will apply correctly:

For the next section of settings, we select the branch protection settings
Image
I started by selecting at least to disallow deletions.

Then, I selected the most basic settings concerning pull requests. Some of them have bigger quirks than others, and need some time getting used to. If we were to be more active on reviews, "Require approval of the most recent reviewable push" could be interesting in order to not allow someone to merge their own pull requests. I don't think we are ready for this yet.
Then the core part, specific for this PR, choosing the settings for "Require status checks to pass".
Image
If the rules were configured as rulesets, make sure to remove the existing entries for Ubuntu (2 lines), Pytest (2 lines), and Python Code Quality (2 lines). If there is nothing there, we need to remove
Then, select all the following entries, to match the picture:

The newest checks that come from this PR might only show once they have run once for this PR (if they don't show yet, wait for the first round of CI checks since this PR was opened to complete first)
Lastly, I selected to block force pushes to these 7 (for now) protected branches, enabled, and saved.
Image
I saved the settings.

Then back to the top, make sure that the ruleset is enabled:
Then save again.
If there wasn't any required checks in the rulesets, then the configuration was through branch protection rules. They are found on the left, two tabs above rulesets. Make sure to disable any conflicting configuration from there. The functionality of the older branch protection rules was ported up to be essentially the same (user-interface - wise).
I exported my config, I'm joining it here. It might reference my repo though:
Main and release branch rules.json