ci: fix CI skip script hole #21741
Merged
ci: fix CI skip script hole #21741
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zalimeni
added
pr/no-changelog
github-actions
bot
added
the
theme/contributing
zalimeni
force-pushed
the
zalimeni/fix-scan-ci-skip-config
branch
from
e548773
to
6be0c16
Compare
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var.
zalimeni
force-pushed
the
zalimeni/fix-scan-ci-skip-config
branch
from
6be0c16
to
4ffa6cb
Compare
zalimeni
commented
Sep 16, 2024
| @@ -13,7 +13,8 @@ set -euo pipefail | |||
| # | |||
| # ... `git merge-base origin/$SKIP_CHECK_BRANCH HEAD` would return commit `D` | |||
| # `...HEAD` specifies from the common ancestor to the latest commit on the current branch (HEAD).. | |||
| files_to_check=$(git diff --name-only "$(git merge-base origin/$SKIP_CHECK_BRANCH HEAD~)"...HEAD) | |||
| skip_check_branch=${SKIP_CHECK_BRANCH:?SKIP_CHECK_BRANCH is required} | |||
| files_to_check=$(git diff --name-only "$(git merge-base origin/$skip_check_branch HEAD~)"...HEAD) | |||
There was a problem hiding this comment.
This subshell ignores the set -e at the top of the script, so this ended up setting files_to_check to an empty string (it seems). Some envs won't tolerate the later array expansion of that value, but some CI shells seem to allow it, so the failure never causes issues and the script does the "unsafe default" of skipping CI.
hc-github-team-consul-core
added
backport/1.19
4 tasks
|
Just calling out here for posterity (cc @dduzgun-security): I think the reason we aren't able to use That said, there are some battle-tested options out there like https://github.com/dorny/paths-filter written in response to this open FR that seem promising, and might relieve us of the burden of maintaining a correct implementation, which is tricky since it's ultimately about always failing the script or always setting skip explicitly to false in the case of a non-skippable file - i.e., the default when the script runs and exits 0 is inherently unsafe. |
zalimeni
added a commit
to hashicorp/consul-k8s
that referenced
this pull request
Sep 16, 2024
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. Also fix a small bug where we're incorrectly requiring ',' in the .changelog directory name, which means we'll never skip changelog entries. This change is a port of hashicorp/consul#21741.
zalimeni
added a commit
to hashicorp/consul-k8s
that referenced
this pull request
Sep 16, 2024
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. Also fix a small bug where we're incorrectly requiring ',' in the .changelog directory name, which means we'll never skip changelog entries. This change is a port of hashicorp/consul#21741.
zalimeni
added a commit
to hashicorp/consul-dataplane
that referenced
this pull request
Sep 16, 2024
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. This change is a port of hashicorp/consul#21741.
zalimeni
added a commit
to hashicorp/consul-k8s
that referenced
this pull request
Sep 17, 2024
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. Also fix a small bug where we're incorrectly requiring ',' in the .changelog directory name, which means we'll never skip changelog entries. This change is a port of hashicorp/consul#21741.
This was referenced Sep 17, 2024
zalimeni
added a commit
to hashicorp/consul-dataplane
that referenced
this pull request
Sep 17, 2024
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. This change is a port of hashicorp/consul#21741.
zalimeni
added a commit
to hashicorp/consul-dataplane
that referenced
this pull request
Sep 17, 2024
In some environments, the script will not fail despite SKIP_CHECK_BRANCH being unset, leading to the script explicitly skipping CI when it should fail fast. Prevent this by explicitly checking for the env var. This change is a port of hashicorp/consul#21741.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In some environments, the script will not fail despite
SKIP_CHECK_BRANCHbeing unset, leading to the script explicitly skipping CI when it should fail fast.Meta-comment: we should consider transitioning to paths-ignore. Even though it'd be a bit more copypasta, the upside is we can't silently skip and pass tests + security scans by accident if a future bug or misconfiguration occurs.
Meta-meta-comment: looks like the above is currently infeasible, more on why and alternatives to maintaining our script here.
Description
Example script failure -> skipped CI: https://github.com/hashicorp/consul/actions/runs/10851790913/job/30116333377#step:3:5 (this workflow no longer uses the script, and relies on
paths-ignoreinstead).Testing
PR Checklist