Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: Add makefile target to verify the local module cache #775

Merged
merged 1 commit into from
Sep 14, 2022
Merged

ci: Add makefile target to verify the local module cache #775

merged 1 commit into from
Sep 14, 2022

Conversation

shahzadlone
Copy link
Member

@shahzadlone shahzadlone commented Sep 5, 2022
edited
Loading

Resolves #762

Description

  • Introduces a Makefile target that will fail when go mod verify reports any changes to module cache, because by default the go mod verify command just prints the modules that were tampered with (doesn't fail or return an error).

Limitations

No way to specify go mod verify to be a read-only op (i.e. in some cases might modify go.sum file.

How has this been tested?

Ensured that CI will fail upon

Specify the platform(s) on which this was tested:

  • Manjaro WSL2

@shahzadlone shahzadlone added ci/build This is issue is about the build or CI system, and the administration of it. action/no-benchmark Skips the action that runs the benchmark. labels Sep 5, 2022
@shahzadlone shahzadlone added this to the DefraDB v0.3.1 milestone Sep 5, 2022
@shahzadlone shahzadlone requested a review from a team September 5, 2022 11:42
@shahzadlone shahzadlone self-assigned this Sep 5, 2022
@shahzadlone shahzadlone force-pushed the lone/ci/go-mod-verify branch 3 times, most recently from ecdd476 to 949f7bb Compare September 5, 2022 11:51
@AndrewSisley
Copy link
Contributor

No way to specify go mod verify to be a read-only op (i.e. in some cases might modify go.sum file.

Are you sure that it will not modify anything if this step passes? If 'all modules verified' is printed out?

And are you sure there is no more reliable way of checking that it passes other than with a simple grep?

These questions aside (the first one being a blocker for me), I'm happy, but suggest waiting on someone else to chime in first before merge

orpheuslummis
orpheuslummis reviewed Sep 6, 2022
View reviewed changes
Makefile Show resolved Hide resolved
@shahzadlone
Copy link
Member Author

Are you sure that it will not modify anything if this step passes? If 'all modules verified' is printed out?

Here is what their documentation says:

"go mod verify may download go.mod files in order to perform minimal version selection. It will use go.sum to verify those files, and it may add go.sum entries for missing hashes."

In my testing I haven't seen it modify anything (i.e. go.sum) so far.

And are you sure there is no more reliable way of checking that it passes other than with a simple grep?

I couldn't find a flag or another option that would make it fail, happy to take another approach if there are suggestions.

@AndrewSisley
Copy link
Contributor

"go mod verify may download go.mod files in order to perform minimal version selection. It will use go.sum to verify those files, and it may add go.sum entries for missing hashes."

In my testing I haven't seen it modify anything (i.e. go.sum) so far.

😅 okay lol, I guess we can try it out and drop it if this starts being a nuisance. I wont mark this as approved though, and will let others keep chatting on this first (as I'm still very 50-50 on this RE cost-benefit, and I guess this isn't blocking any other work).

I couldn't find a flag or another option that would make it fail, happy to take another approach if there are suggestions.

Okay no worries :P

@orpheuslummis
Copy link
Contributor

orpheuslummis commented Sep 12, 2022
edited
Loading

Here's a middle ground idea:

  • do provide make verify
  • do not use it as part of build target
  • do verify when building a binary for release, and make that fact known (for trustworthiness) - ideally - that opens up the question of how to have reproducible builds and proofs of them
  • when/if Go provides readonly go mod verify, we can add the step as part of build target

@codecov
Copy link

codecov bot commented Sep 13, 2022
edited
Loading

Codecov Report

Merging #775 (c535c14) into develop (55fca49) will decrease coverage by 0.57%.
The diff coverage is n/a.

❗ Current head c535c14 differs from pull request most recent head baa0e1f. Consider uploading reports for the commit baa0e1f to get more accurate results

Impacted file tree graph

@@             Coverage Diff             @@
##           develop     #775      +/-   ##
===========================================
- Coverage    59.11%   58.53%   -0.58%     
===========================================
  Files          153      150       -3     
  Lines        16977    16900      -77     
===========================================
- Hits         10036     9893     -143     
- Misses        6023     6083      +60     
- Partials       918      924       +6
Impacted Files Coverage Δ
db/collection_update.go 42.99% <0.00%> (-12.49%) ⬇️
query/graphql/planner/planner.go 74.83% <0.00%> (-2.91%) ⬇️
query/graphql/planner/select.go 75.00% <0.00%> (-1.45%) ⬇️
query/graphql/planner/sum.go 84.97% <0.00%> (-0.60%) ⬇️
query/graphql/planner/count.go 95.60% <0.00%> (-0.36%) ⬇️
query/graphql/schema/manager.go 97.05% <0.00%> (-0.29%) ⬇️
core/enumerable/skip.go
core/enumerable/concat.go
core/enumerable/select.go
query/graphql/schema/generate.go 83.24% <0.00%> (+0.81%) ⬆️
... and 3 more

@shahzadlone
Copy link
Member Author

Here's a middle ground idea:

  • do provide make verify
  • do not use it as part of build target
  • do verify when building a binary for release, and make that fact known (for trustworthiness) - ideally - that opens up the question of how to have reproducible builds and proofs of them
  • when/if Go provides readonly go mod verify, we can add the step as part of build target

Happy with this suggestion. I have removed the build step, and fixed the makefile target to show the failure as suggested.

fredcarle
fredcarle approved these changes Sep 13, 2022
View reviewed changes
Copy link
Collaborator

@fredcarle fredcarle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@shahzadlone shahzadlone force-pushed the lone/ci/go-mod-verify branch 2 times, most recently from d4b0e89 to c03bdf3 Compare September 14, 2022 05:43
@shahzadlone shahzadlone changed the title ci: Add step to verify the local module cache ci: Add makefile target to verify the local module cache Sep 14, 2022
@shahzadlone shahzadlone merged commit d95e4cb into develop Sep 14, 2022
@shahzadlone shahzadlone deleted the lone/ci/go-mod-verify branch September 14, 2022 06:17
@orpheuslummis
Copy link
Contributor

Thanks, I've added the corresponding step to the release process document so next time we produce a binary we manually do the step... To be automated later.

@orpheuslummis
Copy link
Contributor

orpheuslummis commented Sep 14, 2022
edited
Loading

The Go 1.18 release notes indicate that go mod verify "no longer automatically update the go.mod and go.sum files". https://go.dev/doc/go1.18#go-command I will revisit this issue after Go 1.20 lands so we can just include it as part of the normal build, so the user can benefit from it locally.

shahzadlone added a commit to shahzadlone/defradb that referenced this pull request Feb 23, 2024
@shahzadlone
ci: Add makefile target to verify the local module cache (sourcenetwo…
530b5e3 
…rk#775)

- Resolves sourcenetwork#762 

- Introduces a Makefile target that will fail when `go mod verify` reports any changes to module cache, because by default the `go mod verify` command just prints the modules that were tampered with (doesn't fail or return an error).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fredcarle fredcarle fredcarle approved these changes

@orpheuslummis orpheuslummis Awaiting requested review from orpheuslummis

Assignees

@shahzadlone shahzadlone

Labels
action/no-benchmark Skips the action that runs the benchmark. ci/build This is issue is about the build or CI system, and the administration of it.
Projects
None yet
Milestone
DefraDB v0.3.1
Development

Successfully merging this pull request may close these issues.

Use go mod verify as part of build step
4 participants
@shahzadlone @AndrewSisley @orpheuslummis @fredcarle