-
-
Notifications
You must be signed in to change notification settings - Fork 12.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
publish-commit-bottles: use public action #171085
publish-commit-bottles: use public action #171085
Conversation
Also adds the 'attestations' permission, which will be required in the future. Also adds a duplicate "last ditch" step that will (hopefully) reduce the number of hard failures we see here, requiring manual rollback of the corresponding package upload. Signed-off-by: William Woodruff <[email protected]>
# through to a last-ditch retry below. Longer term, we should put this | ||
# above the 'pr-pull' step, which should be split into separate 'pull' | ||
# and 'push to GitHub Packages' phases. | ||
continue-on-error: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is the right way to continue if this step fails. The other approach is to have the last ditch step use if: failure()
, which AFAIK means it'll run if any step fails, not just the last one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like it would be nicer if actions/attest-build-provenance
had some sort of retry logic built-in, but this approach suits for now, I think. (Assuming actions/attest-build-provenance
is idempotent, which I suppose it should be.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, agreed. I think the team working on this at GH has been tackling it though internal retries, so I suspect it'll get better over time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there is no side effect of ignoring the action step failure?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't believe so -- if it fails it should fall through to the "last ditch" version, which will then hard-fail the action if it also fails. But maybe I missed something?
Edit: rhysd/actionlint#421 Edit 2: I see @bdehamer landed this with rhysd/actionlint@1f0efe1, it's just not in a release yet. |
# through to a last-ditch retry below. Longer term, we should put this | ||
# above the 'pr-pull' step, which should be split into separate 'pull' | ||
# and 'push to GitHub Packages' phases. | ||
continue-on-error: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like it would be nicer if actions/attest-build-provenance
had some sort of retry logic built-in, but this approach suits for now, I think. (Assuming actions/attest-build-provenance
is idempotent, which I suppose it should be.)
We could probably apply that patch to the |
Signed-off-by: William Woodruff <[email protected]>
SGTM! I can do a follow-up PR for that. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This approach is an improvement, but I feel like the correct thing to do would be to avoid uploading the bottles to GitHub Packages if the build provenance step fails.
This way we can simply re-run publish workflows when needed.
Yes, agreed. I think the only current blocker for that is splitting the |
So I think you can just add |
Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Carlo Cabrera <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, happy to merge once CI is 🟢 and you're around for a bit to babysit/debug master
issues. Thanks @woodruffw!
#171161 should fix the |
Co-authored-by: Carlo Cabrera <[email protected]>
I'm able to watch this all day today, so whenever is convenient for you and @carlocab as well! Edit: looks like the |
Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should be ready to give this a try after these changes!
Co-authored-by: Carlo Cabrera <[email protected]>
Co-authored-by: Carlo Cabrera <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Bo Anderson <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's try this.
It seems that this approach does not work for
|
Huh, I didn't even know about I'll look into a fix. |
HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>
, where<formula>
is the name of the formula you're submitting?brew test <formula>
, where<formula>
is the name of the formula you're submitting?brew audit --strict <formula>
(after doingHOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>
)? If this is a new formula, does it passbrew audit --new <formula>
?Adds the 'attestations' permission, which will be required in the future.
Also adds a duplicate "last ditch" step that will (hopefully) reduce the number of hard failures we see here, requiring manual rollback of the corresponding package upload.CCing some GH folks to double-check my changes here: @bdehamer @phillmv