publish-commit-bottles: use public action #171085
Conversation
Also adds the 'attestations' permission, which will be required in the future. Also adds a duplicate "last ditch" step that will (hopefully) reduce the number of hard failures we see here, requiring manual rollback of the corresponding package upload. Signed-off-by: William Woodruff <[email protected]>
github-actions
bot
added
automerge-skip
| # through to a last-ditch retry below. Longer term, we should put this | ||
| # above the 'pr-pull' step, which should be split into separate 'pull' | ||
| # and 'push to GitHub Packages' phases. | ||
| continue-on-error: true |
There was a problem hiding this comment.
I think this is the right way to continue if this step fails. The other approach is to have the last ditch step use if: failure(), which AFAIK means it'll run if any step fails, not just the last one.
There was a problem hiding this comment.
I feel like it would be nicer if actions/attest-build-provenance had some sort of retry logic built-in, but this approach suits for now, I think. (Assuming actions/attest-build-provenance is idempotent, which I suppose it should be.)
There was a problem hiding this comment.
Yeah, agreed. I think the team working on this at GH has been tackling it though internal retries, so I suspect it'll get better over time.
There was a problem hiding this comment.
there is no side effect of ignoring the action step failure?
There was a problem hiding this comment.
I don't believe so -- if it fails it should fall through to the "last ditch" version, which will then hard-fail the action if it also fails. But maybe I missed something?
|
Edit: rhysd/actionlint#421 Edit 2: I see @bdehamer landed this with rhysd/actionlint@1f0efe1, it's just not in a release yet. |
| # through to a last-ditch retry below. Longer term, we should put this | ||
| # above the 'pr-pull' step, which should be split into separate 'pull' | ||
| # and 'push to GitHub Packages' phases. | ||
| continue-on-error: true |
There was a problem hiding this comment.
I feel like it would be nicer if actions/attest-build-provenance had some sort of retry logic built-in, but this approach suits for now, I think. (Assuming actions/attest-build-provenance is idempotent, which I suppose it should be.)
We could probably apply that patch to the |
Signed-off-by: William Woodruff <[email protected]>
SGTM! I can do a follow-up PR for that. |
Yes, agreed. I think the only current blocker for that is splitting the |
So I think you can just add |
Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Carlo Cabrera <[email protected]>
There was a problem hiding this comment.
Looks good, happy to merge once CI is 🟢 and you're around for a bit to babysit/debug master issues. Thanks @woodruffw!
|
#171161 should fix the |
Co-authored-by: Carlo Cabrera <[email protected]>
I'm able to watch this all day today, so whenever is convenient for you and @carlocab as well! Edit: looks like the |
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Carlo Cabrera <[email protected]>
Co-authored-by: Carlo Cabrera <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Bo Anderson <[email protected]>
|
It seems that this approach does not work for
|
Huh, I didn't even know about I'll look into a fix. |
HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>, where<formula>is the name of the formula you're submitting?brew test <formula>, where<formula>is the name of the formula you're submitting?brew audit --strict <formula>(after doingHOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>)? If this is a new formula, does it passbrew audit --new <formula>?Adds the 'attestations' permission, which will be required in the future.
Also adds a duplicate "last ditch" step that will (hopefully) reduce the number of hard failures we see here, requiring manual rollback of the corresponding package upload.CCing some GH folks to double-check my changes here: @bdehamer @phillmv