Skip to content

[CI] Github Actions tests#8607

Closed
yparitcher wants to merge 3 commits into
koreader:masterfrom
yparitcher:gha
Closed

[CI] Github Actions tests#8607
yparitcher wants to merge 3 commits into
koreader:masterfrom
yparitcher:gha

Conversation

@yparitcher

@yparitcher yparitcher commented Jan 2, 2022

Copy link
Copy Markdown
Member

For real this time ;)

Depends on #8605

Docs translations and coverage need to be implemented.

Do the docs & translations need to run on each commit? Can i make a nightly / twice a day GHA in the doc repo to check if master changed and if yes rebuild the docs?


This change is Reviewable

@yparitcher yparitcher mentioned this pull request Jan 2, 2022
@yparitcher

yparitcher commented Jan 2, 2022

Copy link
Copy Markdown
Member Author

Edit: they both had a cache miss
GHA took 25 min while CircleCi took 23

@yparitcher

yparitcher commented Jan 2, 2022

Copy link
Copy Markdown
Member Author

Cached took:
GHA: 6 min
CircleCI: 3 min

Now they are both at 4 min

@Frenzie

Frenzie commented Jan 2, 2022

Copy link
Copy Markdown
Member

Do the docs & translations need to run on each commit? Can i make a nightly / twice a day GHA in the doc repo to check if master changed and if yes rebuild the docs?

Changing translations from nightly to every commit on master was a great improvement imho, and I'm extremely satisfied about changing it, so definitely a yes on that one.

For the docs it probably matters less, but a discrepancy is still a bit annoying and would actively get in the way of my current workflow. Most contributors don't run ldoc locally first, and I rarely fetch their branch just to run ldoc; it's easier to check the results 3 minutes later and usually it's perfectly fine. This would be impossible if you made it worse, though I could live with it. But it only takes a handful of seconds so I'm not sure what the big deal is anyway? ;-)

@yparitcher

Copy link
Copy Markdown
Member Author

Do the docs & translations need to run on each commit? Can i make a nightly / twice a day GHA in the doc repo to check if master changed and if yes rebuild the docs?

Changing translations from nightly to every commit on master was a great improvement imho, and I'm extremely satisfied about changing it, so definitely a yes on that one.

For the docs it probably matters less, but a discrepancy is still a bit annoying and would actively get in the way of my current workflow. Most contributors don't run ldoc locally first, and I rarely fetch their branch just to run ldoc; it's easier to check the results 3 minutes later and usually it's perfectly fine. This would be impossible if you made it worse, though I could live with it. But it only takes a handful of seconds so I'm not sure what the big deal is anyway? ;-)

np, it is just annoying to trigger a commit in a different repo with GHA

@yparitcher yparitcher marked this pull request as draft January 3, 2022 03:58
@Frenzie

Frenzie commented Jan 3, 2022

Copy link
Copy Markdown
Member

Within an organization even? That's a bit annoying.

@Frenzie Frenzie left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like it should be able to live next to CircleCI now? If so I'm fine with merging this already to start testing the basics in the wild. ^_^

@yparitcher

Copy link
Copy Markdown
Member Author

Within an organization even? That's a bit annoying.

Yes :(
The simplest way is to create a Personal Access Token with the public_repo scope and set this token as a organization secret that can be used in the CI.
This PAT can only be created by a user and has that users rights. So i am not going to make a personal PAT and put it in the org. If someone else wants to volunteer is good. if not i was thinking of making a new GH account for just this, invite it with read only into the org and use it's PAT for the CI.

@Frenzie

Frenzie commented Jan 3, 2022

Copy link
Copy Markdown
Member

The simplest way is to create a Personal Access Token with the public_repo scope and set this token as a organization secret that can be used in the CI.j

It's a bit surprising that this is also necessary within GitHub, but that's 100% identical to the former Travis and the current CircleCI setup.

So i am not going to make a personal PAT and put it in the org. If someone else wants to volunteer is good.

You mean as a security precaution? Unless GHA has some serious design flaws a token is once entered and never shown to anyone. The only available option afterwards is deleting them. I'm fine with generating new ones and entering them in the secrets here.

@yparitcher

Copy link
Copy Markdown
Member Author

So i am not going to make a personal PAT and put it in the org. If someone else wants to volunteer is good.

You mean as a security precaution? Unless GHA has some serious design flaws a token is once entered and never shown to anyone. The only available option afterwards is deleting them. I'm fine with generating new ones and entering them in the secrets here.

If anyone merges a malicious or buggy GHA they can exfiltrate the PAT or just commit etc as me in any of my repos. This is why github by default won't run workflows for first time contributors as a precaution in case they change or take advantage of a gha.

@yparitcher

Copy link
Copy Markdown
Member Author

Looks like it should be able to live next to CircleCI now? If so I'm fine with merging this already to start testing the basics in the wild. ^_^

👍
just maybe give it a day for my comments below.
Part of this PR is that the gha does not not depend on scripts in the .ci/ folder. all the functionality is achieved through use of ./kodev. This allows us to run the same tests and lint locally.

Comment thread kodev Outdated
check_submodules

# shellcheck disable=2016
mapfile -t shellscript_locations < <({ git grep -lE '^#!(/usr)?/bin/(env )?(bash|sh)' && git submodule --quiet foreach '[ "$path" = "base" -o "$path" = "platform/android/luajit-launcher" ] || git grep -lE "^#!(/usr)?/bin/(env )?(bash|sh)" | sed "s|^|$path/|"' && git ls-files ./*.sh; } | sort | uniq)

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does anyone know what exactly the git grep -lE '^#!(/usr)?/bin/(env )?(bash|sh)' is supposed to pick up?

When run from the .ci/ folder i get all the scripts inside it (that are also picked up by the other ones). This is the way CircleCi uses it.
If i run it locally directly in the repo I get tons of other files including many from crengine. however GHA doe not seem to pick u on those (it should also be running from the koreader folder).

Which set of files do we actually want with this?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

git blame should probably say why I wrote it.

If i run it locally directly in the repo I get tons of other files including many from crengine.

I can't confirm that? Could you post the full command and output? Afaik it's been the same from git 2.1x or so all the way up to 2.32.

koreader$ ({ git grep -lE '^#!(/usr)?/bin/(env )?(bash|sh)' && git submodule --quiet foreach '[ "$path" = "base" -o "$path" = "platform/android/luajit-launcher" ] || git grep -lE "^#!(/usr)?/bin/(env )?(bash|sh)" | sed "s|^|$path/|"' && git ls-files ./*.sh; } | sort | uniq)
.ci/after_success.sh
.ci/before_install.sh
.ci/build.sh
.ci/check.sh
.ci/common.sh
.ci/fetch.sh
.ci/helper_luarocks.sh
.ci/helper_shellchecks.sh
.ci/install.sh
.ci/script.sh
.ci/test.sh
kodev
platform/appimage/AppRun
platform/cervantes/disable-usbms.sh
platform/cervantes/disable-wifi.sh
platform/cervantes/enable-usbms.sh
platform/cervantes/enable-wifi.sh
platform/cervantes/koreader.sh
platform/cervantes/koreader-standalone.sh
platform/cervantes/obtain-ip.sh
platform/cervantes/release-ip.sh
platform/cervantes/restore-wifi-async.sh
platform/cervantes/resume.sh
platform/cervantes/spinning_zsync
platform/cervantes/suspend.sh
platform/common/spinning_zsync
platform/debian/do_debian_package.sh
platform/debian/koreader.sh
platform/kindle/extensions/koreader/bin/koreader-ext.sh
platform/kindle/koreader.sh
platform/kindle/libkohelper.sh
platform/kobo/disable-wifi.sh
platform/kobo/enable-wifi.sh
platform/kobo/fmon/koreader.sh
platform/kobo/koreader.sh
platform/kobo/nickel.sh
platform/kobo/obtain-ip.sh
platform/kobo/release-ip.sh
platform/kobo/restore-wifi-async.sh
platform/mac/do_mac_bundle.sh
platform/pocketbook/koreader.app
platform/pocketbook/system_koreader.app
platform/remarkable/disable-wifi.sh
platform/remarkable/enable-wifi.sh
platform/remarkable/koreader.sh
platform/sony-prstux/resume.sh
platform/sony-prstux/set-wifi.sh
platform/sony-prstux/suspend.sh
platform/ubuntu-touch/koreader.sh
plugins/backgroundrunner.koplugin/luawrapper.sh
plugins/backgroundrunner.koplugin/wrapper.sh

It was intended to be as inclusive as possible. See #5096 (comment) as for why luajit-launcher is excluded a bit more draconically than I intended.

In retrospect I should've probably suggested reducing it to git grep -lE '^#!(/usr)?/bin/(env )?(bash|sh)', but I really only meant to exclude the gradle script, not our own. Much the same applies for base really. At the time that wasn't ready to pass yet.

Of course in principle that should all be checked in the relevant submodules themselves, but I liked the idea of a final check on everything.

tl;dr You can probably safely reduce the line to git grep -lE '^#!(/usr)?/bin/(env )?(bash|sh)'.

@yparitcher yparitcher Jan 3, 2022

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

koreader]$ { git grep -lE '^#!(/usr)?/bin/(env )?(bash|sh)' && git submodule --quiet foreach '[ "$path" = "base" -o "$path" = "platform/android/luajit-launcher" ] || git grep -lE "^#!(/usr)?/bin/(env )?(bash|sh)" | sed "s|^|$path/|"' && git ls-files ./*.sh; } | sort | uniq
base/.ci/build_script.sh
base/.ci/common.sh
base/.ci/emulator_install.sh
base/.ci/helper_luarocks.sh
base/.ci/helper_shellchecks.sh
base/.ci/lint_install.sh
base/.ci/lint_script.sh
base/.ci/test_script.sh
base/thirdparty/cmake_modules/patch-wrapper.sh
base/thirdparty/kpvcrlib/crengine/.ci/script.sh
base/thirdparty/kpvcrlib/crengine/cr3gui/po/update-po
base/thirdparty/kpvcrlib/crengine/cr3wx/macros/autogen.sh
base/thirdparty/kpvcrlib/crengine/thirdparty/antiword/Docs/Mozilla
base/thirdparty/kpvcrlib/crengine/thirdparty/antiword/kantiword
base/thirdparty/kpvcrlib/crengine/thirdparty/antiword/Unix-only/KDE1-only/kantiword.sh
base/thirdparty/kpvcrlib/crengine/thirdparty/antiword/Unix-only/KDE3-only/kantiword.sh
base/thirdparty/kpvcrlib/crengine/thirdparty/chmlib/contrib/mozilla_helper.sh
base/thirdparty/kpvcrlib/crengine/thirdparty/chmlib/install-sh
base/thirdparty/kpvcrlib/crengine/thirdparty/freetype/autogen.sh
base/thirdparty/kpvcrlib/crengine/thirdparty/freetype/builds/atari/gen-purec-patch.sh
base/thirdparty/kpvcrlib/crengine/thirdparty/freetype/builds/unix/install-sh
base/thirdparty/kpvcrlib/crengine/thirdparty/freetype/configure
base/thirdparty/kpvcrlib/crengine/thirdparty/libpng/install-sh
base/thirdparty/kpvcrlib/crengine/thirdparty/zlib/configure
base/utils/pdfattach
.ci/after_success.sh
.ci/before_install.sh
.ci/build.sh
.ci/check.sh
.ci/common.sh
.ci/fetch.sh
.ci/helper_luarocks.sh
.ci/helper_shellchecks.sh
.ci/install.sh
.ci/script.sh
.ci/test.sh
kodev
platform/android/luajit-launcher/gradlew
platform/android/luajit-launcher/jni/luajit/mk-luajit.sh
platform/appimage/AppRun
platform/cervantes/disable-usbms.sh
platform/cervantes/disable-wifi.sh
platform/cervantes/enable-usbms.sh
platform/cervantes/enable-wifi.sh
platform/cervantes/koreader.sh
platform/cervantes/koreader-standalone.sh
platform/cervantes/obtain-ip.sh
platform/cervantes/release-ip.sh
platform/cervantes/restore-wifi-async.sh
platform/cervantes/resume.sh
platform/cervantes/spinning_zsync
platform/cervantes/suspend.sh
platform/common/spinning_zsync
platform/debian/do_debian_package.sh
platform/debian/koreader.sh
platform/kindle/extensions/koreader/bin/koreader-ext.sh
platform/kindle/koreader.sh
platform/kindle/libkohelper.sh
platform/kobo/disable-wifi.sh
platform/kobo/enable-wifi.sh
platform/kobo/fmon/koreader.sh
platform/kobo/koreader.sh
platform/kobo/nickel.sh
platform/kobo/obtain-ip.sh
platform/kobo/release-ip.sh
platform/kobo/restore-wifi-async.sh
platform/mac/do_mac_bundle.sh
platform/pocketbook/koreader.app
platform/pocketbook/system_koreader.app
platform/remarkable/disable-wifi.sh
platform/remarkable/enable-wifi.sh
platform/remarkable/koreader.sh
platform/sony-prstux/resume.sh
platform/sony-prstux/set-wifi.sh
platform/sony-prstux/suspend.sh
platform/ubuntu-touch/koreader.sh
plugins/backgroundrunner.koplugin/luawrapper.sh
plugins/backgroundrunner.koplugin/wrapper.sh

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

git --version 
git version 2.34.1

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which shell? It's clearly not excluding base and luajit-launcher like it should.

@yparitcher

Copy link
Copy Markdown
Member Author

Do we still use travis anywhere? if not can i remove its third party permissions for the org?

@Frenzie

Frenzie commented Jan 3, 2022

Copy link
Copy Markdown
Member

You can remove it. Travis.org stopped working some 4-5 months ago, cf. koreader/crengine#451

@Frenzie

Frenzie commented Jan 3, 2022

Copy link
Copy Markdown
Member

@yparitcher

If anyone merges a malicious or buggy GHA they can exfiltrate the PAT or just commit etc as me in any of my repos. This is why github by default won't run workflows for first time contributors as a precaution in case they change or take advantage of a gha.

Travis could just run while not passing any secrets. (I.e., $SECRET_PAT would just be empty.)

This is what recently developed into an issue with CircleCI, where it refused to run at all, except without GHA's nice "authorize" (except I don't want to authorize anything at all obviously!).

If that's a problem, I would be more inclined to cancel GHA completely and just do some GHA stuff from the docs & translation repos once an hour or so.

@Frenzie

Frenzie commented Jan 3, 2022

Copy link
Copy Markdown
Member

I.e., removing secrets from CircleCI will fix all CircleCI issues. If GHA has the same issues it doesn't fix anything.

@yparitcher

Copy link
Copy Markdown
Member Author

Merging the disscussion from above and koreader/koreader-base#1442

the primary issue with CircleCI ... show the output.[1]
[1] That's new as well. If I'm not mistaken it always used to show it to you regardless if you were logged in.

This is fixed for me now that we have CircleCi checks installed.

This is what recently developed into an issue with CircleCI, where it refused to run at all, except without GHA's nice "authorize" (except I don't want to authorize anything at all obviously!).

I am not sure what "authorize" you are referring to. Is this only because of the docs/translations?

also as i asked before in #8304 (comment)

github action are run with a GITHUB_TOKEN that only has permissions in the current repo.
In order to commit in a different repo on can:
make a user PAT, however the drawback is that if the person leaves the org it will stop working, and there are no ganular permissions, the PAT an access any repo of the user.

With a organization Github Apps one can give the app only repo permissions and these permissions will only be applied to the repos the app is installed to.
we can make a "commit" Github App and install it in the doc and translation repos. this can then be used by a workflow in the koreader repo to commit with the auth of the app. For details see this blog post

Can we change the default permission for the GITHUB_TOKEN to read only as i don't think we are using github actions anywhere to write

@Frenzie

Frenzie commented Jan 3, 2022

Copy link
Copy Markdown
Member

I am not sure what "authorize" you are referring to. Is this only because of the docs/translations?

Yes. There are (or were) three issues:

  1. Sometimes PRs won't run the checks (and worse, they won't show this as a failed check). That's because of this:
    workflows:
    version: 2
    build:
    jobs:
    - build:
    context: koreader-vars

    Screenshot_2022-01-03_21-10-57
    Those are personal access tokens I created, used only in CircleCI. Travis and I'd swear also CircleCI used to just run the PR without populating the environment variables. That was ideal. Their focus is on private organizations who actually pay for the service, so it doesn't seem to have received much attention.
  2. Since fairly recently (insofar as 2019 or so is recent), CircleCI has started requiring you log in to see the results. But apparently this has recently ceased to be an issue, in the actual definition of recently since I know I had to log in just weeks ago.
    Screenshot_2022-01-03_21-22-05
  3. The newer Docker image segfaulted. I was hoping that GHA might help, but it did far worse than just not helping. Even getting to a point where it'd segfault proved to be an ordeal.

Given the three above facts, a year ago GHA seemed like the most logical course of action. With 2 and 3 taken out of the equation there's no need to switch to GHA wholesale.

There's may still be a role for GHA to play to work around point 1, and I'm not opposed to GHA taking on everything (in front), but especially 2 and to a lesser extent 3 were always the primary reason to want to move over to GHA. Because 2 would be fixed for sure and 3 might be fixed as a side effect.

Can we change the default permission for the GITHUB_TOKEN to read only as i don't think we are using github actions anywhere to write

Wouldn't adding release builds be write?

@Frenzie

Frenzie commented Jan 3, 2022

Copy link
Copy Markdown
Member

I am not sure what "authorize" you are referring to. Is this only because of the docs/translations?

I assume that without any secrets, you wouldn't have to click the "run this action" or whatever it says exactly button? That's what I mean. I don't want random PRs to have any secrets, like in Travis. If PRs get secrets, then it'd definitely have to be a dedicated user or some sort.

@Frenzie

Frenzie commented Jan 3, 2022

Copy link
Copy Markdown
Member

Since fairly recently (insofar as 2019 or so is recent), CircleCI has started requiring you log in to see the results. But apparently this has recently ceased to be an issue, in the actual definition of recently since I know I had to log in just weeks ago.

Ohhh and point 1 also somewhat ceased to be an issue, at least in the sense that it now clearly says unauthorized. (See over on #8604 right now.)

That means that every single reason I had to avoid spending time on CircleCI and to migrate to GHA or possibly GitLab CI instead is now gone. [Edit: which doesn't mean we should throw away this PR!]

@poire-z

poire-z commented Jan 3, 2022

Copy link
Copy Markdown
Contributor

There is still the issue that we don't have CircleCI running at all (not even showing as "unauthorized") on PRs from @hius07 and @zwim ...
(All these past and current headaches really have me wanting to get rid of CircleCI :)

@Frenzie

Frenzie commented Jan 3, 2022

Copy link
Copy Markdown
Member

I've had much worse headaches with GHA already unfortunately. :-)

There is still the issue that we don't have CircleCI running at all (not even showing as "unauthorized") on PRs from @hius07 and @zwim ...

I'll fix that. I was kept from it by the fact that if it failed it wasn't a big red x and point 2.

@yparitcher

yparitcher commented Jan 3, 2022 via email

Copy link
Copy Markdown
Member Author

@Frenzie

Frenzie commented Jan 3, 2022

Copy link
Copy Markdown
Member

I added the && git submodule --quiet foreach to do the submodules. That command only deals with the repo in question:

$ git grep -lE '^#!(/usr)?/bin/(env )?(bash|sh)'
.ci/after_success.sh
.ci/before_install.sh
.ci/build.sh
.ci/check.sh
.ci/common.sh
.ci/fetch.sh
.ci/helper_luarocks.sh
.ci/helper_shellchecks.sh
.ci/install.sh
.ci/script.sh
.ci/test.sh
kodev
platform/appimage/AppRun
platform/cervantes/disable-usbms.sh
platform/cervantes/disable-wifi.sh
platform/cervantes/enable-usbms.sh
platform/cervantes/enable-wifi.sh
platform/cervantes/koreader-standalone.sh
platform/cervantes/koreader.sh
platform/cervantes/obtain-ip.sh
platform/cervantes/release-ip.sh
platform/cervantes/restore-wifi-async.sh
platform/cervantes/spinning_zsync
platform/common/spinning_zsync
platform/debian/do_debian_package.sh
platform/debian/koreader.sh
platform/kindle/extensions/koreader/bin/koreader-ext.sh
platform/kindle/koreader.sh
platform/kindle/libkohelper.sh
platform/kobo/disable-wifi.sh
platform/kobo/enable-wifi.sh
platform/kobo/fmon/koreader.sh
platform/kobo/koreader.sh
platform/kobo/nickel.sh
platform/kobo/obtain-ip.sh
platform/kobo/release-ip.sh
platform/kobo/restore-wifi-async.sh
platform/mac/do_mac_bundle.sh
platform/pocketbook/koreader.app
platform/pocketbook/system_koreader.app
platform/remarkable/disable-wifi.sh
platform/remarkable/enable-wifi.sh
platform/remarkable/koreader.sh
platform/sony-prstux/resume.sh
platform/sony-prstux/set-wifi.sh
platform/sony-prstux/suspend.sh
platform/ubuntu-touch/koreader.sh
plugins/backgroundrunner.koplugin/luawrapper.sh
plugins/backgroundrunner.koplugin/wrapper.sh

However, in modern Git you can also do git grep --recurse-submodules -lE '^#!(/usr)?/bin/(env )?(bash|sh)'. Your results suggest there's a way to enable that through a setting as well, and either you did it and forgot or your distro did it for you.

Edit: that is, back in Git 2.71.9.1 or something it either wasn't an option or I wasn't aware of it, and you had to use that git submodule foreach construct.

@yparitcher

Copy link
Copy Markdown
Member Author
git config -l
submodule.recurse=true

Frenzie added a commit to Frenzie/koreader that referenced this pull request Jan 4, 2022
Frenzie added a commit to Frenzie/koreader that referenced this pull request Jan 4, 2022
Frenzie added a commit that referenced this pull request Jan 4, 2022
@Frenzie

Frenzie commented Jan 4, 2022

Copy link
Copy Markdown
Member

The issue with the context suffered by @hius07, @zwim and others should be resolved by ec280f8.

That might look something like this:
Screenshot_2022-01-04_22-19-10

@codecov

codecov Bot commented Jan 4, 2022

Copy link
Copy Markdown

Codecov Report

Merging #8607 (ec280f8) into master (ec280f8) will not change coverage.
The diff coverage is n/a.

❗ Current head ec280f8 differs from pull request most recent head c8b94bd. Consider uploading reports for the commit c8b94bd to get more accurate results
Impacted file tree graph

@@           Coverage Diff           @@
##           master    #8607   +/-   ##
=======================================
  Coverage   39.67%   39.67%           
=======================================
  Files         289      289           
  Lines       50259    50259           
=======================================
  Hits        19941    19941           
  Misses      30318    30318           

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ec280f8...c8b94bd. Read the comment docs.

@Frenzie Frenzie modified the milestones: 2022.01, 2022.02 Jan 11, 2022
@yparitcher yparitcher removed this from the 2022.02 milestone Feb 15, 2022
@poire-z

poire-z commented Oct 25, 2022

Copy link
Copy Markdown
Contributor

Is this PR still relevant?

@Frenzie

Frenzie commented Oct 25, 2022

Copy link
Copy Markdown
Member

Doing something like that kodev-check() would be better regardless so if it doesn't bother you too much I'd prefer to leave it open for the moment (but just so it's easy to find as documentation).

@yparitcher yparitcher closed this Oct 25, 2022
@yparitcher yparitcher deleted the gha branch October 25, 2022 14:42
0xstillb pushed a commit to 0xstillb/koreader-thai that referenced this pull request May 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants