ROX-22250: Update version string in builds for fast stream #11187
Conversation
|
Images are ready for the commit at ef042ef. To use with deploy scripts, first |
tools/tag.py
Outdated
|
|
||
| if __name__ == "__main__": | ||
| v = Version.fromstring(orig) | ||
| v.minor = str(int(v.minor) + 1) |
There was a problem hiding this comment.
This feels wrong, considering we still have the a.b.x GitHub tag, it will produce a.(b+1).0-....
I am asking myself, can we bump the a.b.x to the next minor release?
https://github.com/stackrox/stackrox/blob/master/.github/workflows/start-release.yml#L157-L162
There was a problem hiding this comment.
I'm not sure I follow the concern. Would this (tag.py) script be used to create the version string for build on the release branches as well? Based on a quick look it seems like BUILD_TAG is set in downstream builds, thus overriding what this script would produce.
There was a problem hiding this comment.
I'm with Tom, the release automation scripting should place A.(B+1).x tag instead of A.B.x (which it currently does) on master when release-A.B branch is cut.
There was a problem hiding this comment.
Would this (tag.py) script be used to create the version string for build on the release branches as well?
It would be used for all commits, except tagged ones.
There is one slight caveat with doing the A.(B+1).x approach. We tag the commit where we branch off the release branch. Any commit on the release branch before the first release candidate on the .0 release (which is the A.B.0-rc.1 tag), would have A.(B+1).x-n-g123456. This might be ignored, because those commits are not built - they are updating the CHANGELOG, cherry-picks for the first RC and pushed with an empty commit. See https://github.com/stackrox/stackrox/commits/release-4.4/?before=53dd371292a8277e1049815c4f408d04a041f317+105 - 7fc7385 is pushed, preceding commits until 1f75c80 are not built.
A "solution" would be to add an empty commit with the tag to the master branch after the branching point - that leaves the question how to tag if the branching point is not the latest commit on master - the branching may be done couple of hours/days after the code freeze at a specific commit.
There was a problem hiding this comment.
Is there a reason not to tag the very first commit on the release-A.B branch with A.B.0-rc.0? Also, the very first commit could be an empty placeholder so that there's always something.
There was a problem hiding this comment.
Is there a reason not to tag the very first commit on the release-A.B branch with A.B.0-rc.0? Also, the very first commit could be an empty placeholder so that there's always something.
Not really. Tagged commits have a few additional checks, like confirming that COLLECTOR_VERSION and SCANNER_VERSION are SemVer, but failure here may be informative, for the release engineers - if they look at the status of this tag at all.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #11187 +/- ##
=======================================
Coverage 47.98% 47.99%
=======================================
Files 2330 2330
Lines 166754 166761 +7
=======================================
+ Hits 80013 80030 +17
+ Misses 80388 80379 -9
+ Partials 6353 6352 -1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
tools/tag.py
Outdated
|
|
||
| if __name__ == "__main__": | ||
| v = Version.fromstring(orig) | ||
| v.minor = str(int(v.minor) + 1) |
There was a problem hiding this comment.
I'm with Tom, the release automation scripting should place A.(B+1).x tag instead of A.B.x (which it currently does) on master when release-A.B branch is cut.
Creating a minor release branch (let's call the new minor release version "y") should go like this: * Create a new release branch based on selected commit in master (no change here) * Push an empty commit to the release branch * Tag that empty commit on the release branch with "4.y.0-rc.0" * Push an empty commit to the tip of master (it is ok if this empty commit does not directly follow the branching commit) * Tag that empty commit on master with "4.<y+1>.x", e.g. if the minor version is "4", the tag would be "4.5.x". The last change is to update the output of "make tag" to replace the ".x-" with ".0-" using the sed command provided by Misha in the PR.
|
OSCI jobs have failed, e.g. here https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/stackrox_stackrox/11187/pull-ci-stackrox-stackrox-master-gke-nongroovy-e2e-tests/1796024033389580288#1:build-log.txt%3A605 because images were not built. For some reason, I see It is not unexpected that the tag change Update: Looks like, this time it's just a GitHub thing and not caused by this change. I triggered a re-run in GitHub. |
|
/retest |
.github/workflows/variables.yml
Outdated
| major, minor = tuple(int(i) for i in m.group('release').split('.')) | ||
| next_release = f'{major}.{minor+1}' |
There was a problem hiding this comment.
I suppose you can try redefine RELEASE=r'(?P<release>\d+\.\d+)' to be nested:
RELEASE=r'(?P<release>(?P<major>\d+)\.(?P<minor>\d+))'Then, this will turn into:
| major, minor = tuple(int(i) for i in m.group('release').split('.')) | |
| next_release = f'{major}.{minor+1}' | |
| major, minor = int(m.group('major')), int(m.group('minor')) | |
| next_release = f'{major}.{minor+1}' |
There was a problem hiding this comment.
I've addressed this in https://github.com/stackrox/test-gh-actions/pull/158
.github/workflows/variables.yml
Outdated
| next-release: | ||
| description: Next Release (A.`B+1`) | ||
| value: ${{jobs.parse.outputs.next-release}} | ||
| next-release-patch: | ||
| description: Next Release.patch (A.B.`C+1`) | ||
| value: ${{format('{0}.{1}', jobs.parse.outputs.release, jobs.parse.outputs.next-patch)}} |
There was a problem hiding this comment.
[nit] Output names next-release, next-release-patch and next-named-release-patch don't stack against each other any more because the new next-release means a different thing now.
One option that comes to mind is to rename
next-release-patch -> next-patch
and next-named-release-patch -> next-named-patch.
This way, they don't refer to next-release.
There was a problem hiding this comment.
What do you think about this:
next-release -> next-minor-release
next-release-patch -> next-patch-release
next-named-release-patch -> next-named-patch-release
There was a problem hiding this comment.
Looks ok.
I feel tiny bit uneasy about minor because it alludes to a small amount of changes, but the alternative next-y-stream-release looks a bit ugly. Therefore, what you suggest is actually ok.
There was a problem hiding this comment.
I've addressed this in https://github.com/stackrox/test-gh-actions/pull/158
.github/workflows/start-release.yml
Outdated
| git commit --allow-empty --message \ | ||
| "Initial commit to release branch ${{needs.variables.outputs.release}}" |
There was a problem hiding this comment.
In good StackRox tradition, I suggest to tweak the message to:
| git commit --allow-empty --message \ | |
| "Initial commit to release branch ${{needs.variables.outputs.release}}" | |
| git commit --allow-empty --message \ | |
| "Empty commit to diverge ${{needs.variables.outputs.release}} from master" |
There's nothing wrong about the current message, I just somehow feel attached to the old one :-)
There was a problem hiding this comment.
I've addressed this in https://github.com/stackrox/test-gh-actions/pull/158
.github/workflows/start-release.yml
Outdated
| @@ -174,10 +170,21 @@ jobs: | |||
| git commit --message "Changelog for ${{inputs.version}}" | |||
| echo "\`CHANGELOG.md\` has been updated on the release branch." >> "$GITHUB_STEP_SUMMARY" | |||
| fi | |||
| - name: Tag master for next release | |||
| if: steps.check-existing.outputs.branch-exists == 'false' | |||
There was a problem hiding this comment.
[no-op] I wouldn't say that the condition is the perfect guard here. If making the workflow idempotent, I'd suggest to move the check inside the script and check for presence of a ${{needs.variables.outputs.next-release}} tag. Similarly, other steps (e.g. Create and annotate branch ${{needs.variables.outputs.branch}}) can check for presence of a thing (x.y.0-rc.0 tag) before adding it.
However, the current step is consistent with other steps so I don't insist on changing that.
.github/workflows/start-release.yml
Outdated
| git commit --allow-empty --message \ | ||
| "Bumping release tag to ${{needs.variables.outputs.next-release}}" | ||
| git tag --annotate --message "Upstream automation" \ | ||
| "${{needs.variables.outputs.next-release}}" HEAD |
There was a problem hiding this comment.
This must be
| "${{needs.variables.outputs.next-release}}" HEAD | |
| "${{needs.variables.outputs.next-release}}.x" HEAD |
There was a problem hiding this comment.
I've addressed this in https://github.com/stackrox/test-gh-actions/pull/158
.github/workflows/start-release.yml
Outdated
| git commit --allow-empty --message \ | ||
| "Bumping release tag to ${{needs.variables.outputs.next-release}}" |
There was a problem hiding this comment.
[nitpicking, but] I'd love to suggest a more festive message here but currently feel my muse is away. How about something like "Work on the release ${{needs.variables.outputs.next-release}} begins from here"?
There was a problem hiding this comment.
Also, it would be nice if you add a comment saying that there could be several commits between the starting point of the release branch and this new commit on master tagged with the next-release tag. This is ok because if we'd put the next-release tag we would change make tag output for those existing commits which is like overwriting history and is worse (than having these few tagged with the previous release tag).
There was a problem hiding this comment.
I've addressed this in https://github.com/stackrox/test-gh-actions/pull/158
msugakov
added
the
ci-build-race-condition-debug
There was a problem hiding this comment.
@kylape Please consider https://github.com/stackrox/test-gh-actions as the place to develop and test these changes. It has all release related workflows, some tags, no make tag (yet!)
You'll also be missing builds and E2E tests, but for getting the workflow correct, it might be better to start there.
| @@ -27,7 +27,7 @@ SILENT ?= @ | |||
| UNIT_TEST_IGNORE := "stackrox/rox/sensor/tests|stackrox/rox/operator/tests|stackrox/rox/central/reports/config/store/postgres|stackrox/rox/central/complianceoperator/v2/scanconfigurations/store/postgres|stackrox/rox/central/auth/store/postgres|stackrox/rox/scanner/e2etests" | |||
|
|
|||
| ifeq ($(TAG),) | |||
| TAG=$(shell git describe --tags --abbrev=10 --dirty --long --exclude '*-nightly-*')$(MAIN_TAG_SUFFIX) | |||
There was a problem hiding this comment.
One thing I'd also ask is to adjust operator's Makefile which does not need to handle cases like 4.5.x and 3.0.62.1.
Lines 6 to 8 in a8df2c2
It can simply become
VERSION ?= $(shell $(MAKE) --quiet --no-print-directory -C .. tag)since the Makfile in repo root now does handling of .x and versions like 3.0.y.z are long gone.
|
/retest |
No longer needed because main makefile now does handling of `.x` and versions like 3.0.y.z are long gone.
|
Github workflow changes have been moved to https://github.com/stackrox/test-gh-actions/pull/158. |
|
@kylape: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Description
When calculating the output of
make tag, pipe the output of thegit describecommand through a new script calledtag.py, which will make the following two modifications:.x-to.0-These changes are intended to support the versioning strategy Fast Stream Releases.
Checklist
If any of these don't apply, please comment below.
Testing Performed
Here I tell how I validated my change
TODO(replace-me)
Use this space to explain how you validated that your change functions exactly how you expect it.
Feel free to attach JSON snippets, curl commands, screenshots, etc. Apply a simple benchmark: would the information you
provided convince any reviewer or any external reader that you did enough to validate your change.
It is acceptable to assume trust and keep this section light, e.g. as a bullet-point list.
It is acceptable to skip testing in cases when CI is sufficient, or it's a markdown or code comment change only.
It is also acceptable to skip testing for changes that are too taxing to test before merging. In such case you are
responsible for the change after it gets merged which includes reverting, fixing, etc. Make sure you validate the change
ASAP after it gets merged or explain in PR when the validation will be performed.
Explain here why you skipped testing in case you did so.
Have you created automated tests for your change? Explain here which validation activities you did manually and why so.
Reminder for reviewers
In addition to reviewing code here, reviewers must also review testing and request further testing in case the
performed one does not seem sufficient. As a reviewer, you must not approve the change until you understand the
performed testing and you are satisfied with it.