-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: fix CI skip script hole #21741
ci: fix CI skip script hole #21741
Conversation
e548773
to
6be0c16
Compare
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var.
6be0c16
to
4ffa6cb
Compare
@@ -13,7 +13,8 @@ set -euo pipefail | |||
# | |||
# ... `git merge-base origin/$SKIP_CHECK_BRANCH HEAD` would return commit `D` | |||
# `...HEAD` specifies from the common ancestor to the latest commit on the current branch (HEAD).. | |||
files_to_check=$(git diff --name-only "$(git merge-base origin/$SKIP_CHECK_BRANCH HEAD~)"...HEAD) | |||
skip_check_branch=${SKIP_CHECK_BRANCH:?SKIP_CHECK_BRANCH is required} | |||
files_to_check=$(git diff --name-only "$(git merge-base origin/$skip_check_branch HEAD~)"...HEAD) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This subshell ignores the set -e
at the top of the script, so this ended up setting files_to_check
to an empty string (it seems). Some envs won't tolerate the later array expansion of that value, but some CI shells seem to allow it, so the failure never causes issues and the script does the "unsafe default" of skipping CI.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍
Just calling out here for posterity (cc @dduzgun-security): I think the reason we aren't able to use That said, there are some battle-tested options out there like https://github.com/dorny/paths-filter written in response to this open FR that seem promising, and might relieve us of the burden of maintaining a correct implementation, which is tricky since it's ultimately about always failing the script or always setting skip explicitly to false in the case of a non-skippable file - i.e., the default when the script runs and exits 0 is inherently unsafe. |
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. Also fix a small bug where we're incorrectly requiring ',' in the .changelog directory name, which means we'll never skip changelog entries. This change is a port of hashicorp/consul#21741.
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. Also fix a small bug where we're incorrectly requiring ',' in the .changelog directory name, which means we'll never skip changelog entries. This change is a port of hashicorp/consul#21741.
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. This change is a port of hashicorp/consul#21741.
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. Also fix a small bug where we're incorrectly requiring ',' in the .changelog directory name, which means we'll never skip changelog entries. This change is a port of hashicorp/consul#21741.
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. This change is a port of hashicorp/consul#21741.
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. This change is a port of hashicorp/consul#21741.
In some environments, the script will not fail despite
SKIP_CHECK_BRANCH
being unset, leading to the script explicitly skipping CI when it should fail fast.Meta-comment: we should consider transitioning to paths-ignore. Even though it'd be a bit more copypasta, the upside is we can't silently skip and pass tests + security scans by accident if a future bug or misconfiguration occurs.
Meta-meta-comment: looks like the above is currently infeasible, more on why and alternatives to maintaining our script here.
Description
Example script failure -> skipped CI: https://github.com/hashicorp/consul/actions/runs/10851790913/job/30116333377#step:3:5 (this workflow no longer uses the script, and relies on
paths-ignore
instead).Testing
PR Checklist