MNT: Use conda-lock lock file for reproducible environment #32
Conversation
matthewfeickert
temporarily deployed
to
remove-old-wheels
GitHub Actions
Inactive
| #!/bin/bash | ||
|
|
||
| # This should be the base image the Docker image built by the GitHub Action uses | ||
| BUILD_IMAGE="mambaorg/micromamba:1.4.9-bullseye-slim" | ||
| docker pull "${BUILD_IMAGE}" | ||
|
|
||
| # Don't need to ensure emulation possible on non-x86_64 platforms at the | ||
| # `docker run` level as the platform is specified in the conda-lock command. | ||
| docker run \ | ||
| --rm \ | ||
| --volume "${PWD}":/work \ | ||
| --workdir /work \ | ||
| "${BUILD_IMAGE}" \ | ||
| /bin/bash -c "\ | ||
| micromamba install --yes --channel conda-forge conda-lock && \ | ||
| conda-lock lock --micromamba --platform linux-64 --file environment.yml" |
There was a problem hiding this comment.
For maintainability I would like to know if this Bash script is clear enough as to what is happening and why (hopefully the name lock.sh helps it a bit as well).
| # lock file created by running lock.sh in the top level of the repository | ||
| COPY --chown=mambauser conda-lock.yml /conda-lock.yml |
There was a problem hiding this comment.
The lock file is now under version control so we have it accessible to us at the Docker image build time to be able to COPY in.
| "${BUILD_IMAGE}" \ | ||
| /bin/bash -c "\ | ||
| micromamba install --yes --channel conda-forge conda-lock && \ | ||
| conda-lock lock --micromamba --platform linux-64 --file environment.yml" |
There was a problem hiding this comment.
The default user for mambaorg/micromamba:1.4.9-bullseye-slim is a non-root user with id 1000 so the generated conda-lock.yml is under the ownership of the user who ran the lock.sh script. So you don't have to mess around with getting a file owned by root and then needing to do permission and ownership changes on it.
matthewfeickert
force-pushed
the
mnt/use-conda-lock
branch
from
337b9e7
to
c4b9a4f
Compare
matthewfeickert
temporarily deployed
to
remove-old-wheels
GitHub Actions
Inactive
|
Do you, or anyone else know what this means on a PR? Is the action configured improperly? 
Also, we haven't stated preferred dev workflow, but I always went with the assumption of fork's feature branch+PR is the preferred way rather than keeping feature branches on the main repo. Could we do that in the future? |
Things are working as intended. "deployed to remove-old-wheels" means that the This bit that uses the environment upload-nightly-action/.github/workflows/ci.yml Lines 56 to 62 in 2b318b6 was added in PR #27 because you asked for the test upload to be removed in the same workflow it was uploaded in (#27 (comment)).
No, as the CI needs to run upload-nightly-action/.github/workflows/ci.yml Lines 17 to 21 in 2b318b6 and the CI requires secrets that are repo/org specific. There is I see no problems in having (short lived dev) branches other than |
* Add lock.sh which uses the same Docker image used for deployment to install conda-lock and then build the conda-lock lock file from the high level environment.yml.
* Add high level environment.yml and use conda-lock v2.x to create a hash level conda-lock.yml lock file of the environment. ``` conda-lock lock --micromamba --platform linux-64 --file environment.yml ``` * COPY conda-lock.yml lock file to Dockerfile during build. * Use the conda-lock.yml lock file to create an upload-nightly-action micromamba environment and activate it to have access to anaconda-client.
matthewfeickert
force-pushed
the
mnt/use-conda-lock
branch
from
c4b9a4f
to
08ffdeb
Compare
matthewfeickert
temporarily deployed
to
remove-old-wheels
GitHub Actions
Inactive
There was a problem hiding this comment.
This looks good, thanks @matthewfeickert!
We have 2 reviews, not sure if we should wait for more?
If not I can merge this and maybe we can do a 0.2.0 release?
|
Just adding a note here. If we start to use lock files, we need to be careful when integrating changes. There have been cases of supply chain attack using lock files. It's very easy to miss a change in a lock file as these are usually very large and people rarely check the diffs. |
|
Does it have to be a full on conda lock, cannot we simply stay within pip land and use a much smaller file there? |
@tupui Can you elaborate? If you mean by injection of malicious software by manually editing the lock file then this is checked in two ways:
Anaconda does not support |
We can also just make github run the lock.sh script and ask it to resolve and generate the lock file, but it would probably be a bit overkill. I don't really think there would be too much activity/changes in lock file here. |
|
Gentle ping to @tupui and @bsipocz (before it gets to be Friday night in Europe). If there are no further comments by end of the day US time I'm going to merge this as we already have 2 approving reviews from @Carreau and @MridulS. If there are additional comments later we can always iterate in a new Issue. |
|
Sorry all good 👍 I just wanted to bring that up. |
|
It's an ok from me too. But would advise against a Friday night release. |
This is a fix for a currently broken procees. |
This PR does 3 things:
condaenvironment.ymlfile.noxfilebut I thought that people might want to keep things less fancy and just go with something very straightforward) that uses the same Docker image that the Action's Dockerfile uses as a base image to installconda-lockand then create aconda-lock.ymllock file for theenvironment.ymlwhich fully specifies the environment down to the hash level.Advantages of this method
anaconda-clientcan be tested through the CI tests with high confidence that no breaking changes will follow.anaconda-clienthas many dependencies, that are (correctly) not restricted, which means that specifying theanaconda-clientversion number alone is not enough as all these dependencies can float beneath it and in addition to potentially breaking anyanaconda-clientrelease in the future can be a security risk. The only way around this is through a hash level lock file which specifies the exact binary that should be installed.anaconda-clientbefore as its SemVer nature is not checked explicitly, and so securing reproducible environments for it is rather important.environment.ymland then runbash lock.sh.environment.ymlandconda-lock.ymlto version control and make a new PR.micromambajust needs to download each binary listed in the lock file. (Of course, as this environment is so simple this saves very little time, but it is true in general regardless of the size of the environment.)I'd like to make release
0.2.0after this is merged.