DEV - Refactor release CI workflow #425
Conversation
trallard
changed the title
| @@ -12,7 +12,7 @@ on: | |||
| pull_request: | |||
|
|
|||
| jobs: | |||
| build: | |||
There was a problem hiding this comment.
Changed the name because it was confusing seeing this in the UI and on my terminal when tracking CI runs
There was a problem hiding this comment.
Left some more review comments on this latest iteration. This is shaping up nicely!
By the way, I figured out why the release for 2024.6.1 was okay, but not 9.1. It was because of my PR to make the Yarn version more explicit. Previously, the CI job was running some version of Yarn v1, after my PR it started running some version Yarn v4.
If you run yarn install with v1, it runs the package.json prepare script after installing. But for some reason that I haven't taken the time to investigate, Yarn v4 does not. The prepare script in turn calls the build script, which is what creates the crucial lib/ directory.
So when the release workflow was being run with Yarn v1, the yarn install step would also do yarn build which would result in the lib/ directory existing in the workflow runner's filesystem by the time it got to the yarn pack step.
But in my PR, which sets the Yarn version to v4, and was merged between 2024.6.1 and 2024.9.1, the yarn install step does not trigger yarn build and so the lib/ directory does not exist by the time it gets to yarn pack, which explains why the 2024.6.1 tarball in the NPM registry has a lib/ directory whereas the 2024.9.1 tarball does not.
| - name: "Checkout repository 🛎" | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
yes if there is no package.json then one cannot run the publish step
There was a problem hiding this comment.
Ah, right, of course. But hmmm, something about the way the build and release jobs are split up still feels unintuitive to me... can't quite put my finger on it
There was a problem hiding this comment.
I do not know why this is a rather standard approach.
If you build on every PR and merge to main basically you are following continuous delivery practices -> ensures that when you need to develop and release this is is working as expected.
There was a problem hiding this comment.
I don't mean the fact that they are split up, more about how... but it's not important, this can be iterated on later :)
.github/workflows/release.yml
Outdated
| - name: "Check npmjs/conda-store-ui scope" | ||
| run: npm show | ||
|
|
||
| # we always do a dry run for the publish |
There was a problem hiding this comment.
because we want to make sure the actual publish will succeed when we make a release
There was a problem hiding this comment.
The dry run is pretty much useless unless you inspect the results. The command does not error out (exit code 1) if it encounters any issues.
There was a problem hiding this comment.
And you either check the logs or the artefacts or both, these are not only useful based on exit codes, but logs that one can go and revisit later to diagnose.
Since we had neither to check we also did not have a quick way to check why/where the lib dir has gone missing.
There was a problem hiding this comment.
I disagree because the same information is going to be printed with npm publish --verbose, so this step in the context of a workflow file is 100% redundant.
I'm sorry to be pushing back so hard, but one reason I think all of this code is so hard to work with is because there's stuff in here and we have no idea why it's here or why it can't be removed. If we're going to keep this step here I think we should document in the comments why it makes sense to do the dry run immediately before the publish, because to me, it makes no sense. In other words, if I come to this workflow file and see this step before the other I will think: this makes no sense, there must be something I don't understand. But I think it just doesn't make sense. It would make sense if there were some code afterwards that grepped the console output for error messages before going to the next step, but we're not doing that here.
There was a problem hiding this comment.
I am really not privvy of either of these. I added both when refactoring this workflow so if both are confusing/useless we can just remove it.
As long as we have logs of some sort it is good enough for me.
| uses: actions/checkout@v4 | ||
|
|
||
| # Setup .npmrc file to publish to npm | ||
| - name: "Set up Node.js 🧶" |
There was a problem hiding this comment.
yes so that we have an .npmrc and can handle authentication to npmjs
There was a problem hiding this comment.
Yeah... I started playing with this, and for some reason, if you use this action with the registry-url parameter, something magical happens (something to do with .npmrc) that allows the npm publish command to pick up env.NODE_AUTH_TOKEN. Otherwise, the command doesn't pick up the token from the environment, and it fails.
There was a problem hiding this comment.
It does not magically work - I am using the registry-url here and it still fails to pick up the correct credentials.
See actions/setup-node#763
which I tried and check if it was resolved, but no.
There was a problem hiding this comment.
To be clear, I was agreeing with you here that this step is necessary. It's just sad to me that these two things are not at all clearly related. It's side effect dependencies.
I think a comment like the following would be helpful to people later:
# Without this parameter, `npm publish` will not be able to get the API token from the environment variable `NODE_AUTH_TOKEN`
# (Why? Unsure but it seems that registry-url causes .npmrc to be saved which somehow causes npm publish to read from NODE_AUTH_TOKEN)
registry-url: "https://registry.npmjs.org"
There was a problem hiding this comment.
Also I don't understand why we keep linking to actions/setup-node#763. That issue is irrelevant. It's only relevant if you're using the GitHub package registry, which we're not using.
There was a problem hiding this comment.
But it is not, that is what I am trying to explain.
Using the set-node action with a registry-url should configure it so that the authentication is properly setup for publication to whichever registry.
But it is not, hence I needed to add, a while back, the additional step to set the proper context.
That issue is relevant as it's the only issue where I found useful steps to properly set the context and authentication. Hence why I left it as a comment.
I tried to remove the additional context-setup again this time to see if that was fixed but the authentication was still failing, so could not remove that step. I can remove the comment linking to that issue if this is too confusing but it's helpful to me as a reference.
RELEASE.md
Outdated
| @@ -7,6 +7,8 @@ | |||
| 1. Build the package locally: | |||
|
|
|||
| ```bash | |||
| # clean build artefacts to avoid issues | |||
| yarn run clean | |||
There was a problem hiding this comment.
Just FYI, the clean command doesn't currently clear the dist/ directory, and may be missing other directories that it should clear
There was a problem hiding this comment.
but the yarn run webpack:prod or whatever that is cleans dist.
We can do a clean:slate instead if one wants to be safe
There was a problem hiding this comment.
I guess I don't understand why someone would need to run this command if they run already ran git clean -fxdq on line 5 above.
There was a problem hiding this comment.
because people not always follow steps in a linear way and mess up when running through things 🤷🏽♀️
There was a problem hiding this comment.
That's true. But I would hope that someone would be a bit more careful when doing a release.
There was a problem hiding this comment.
I can remove that if it is too much cruft, as long as it makes sense to people it is fine.
And I also hope people are careful, including me, but mistakes can happen, it's just the way it is.
| name: conda-store-ui-package | ||
| path: ${{ env.PACKAGE_FILE }} | ||
|
|
||
| release-to-npmjs: |
There was a problem hiding this comment.
I thought we only want to run this job on a release but I can't seem to find anything that prevents the release-to-npm job from running on every pull request or push to the main branch.
There was a problem hiding this comment.
We have if: github.repository_owner == 'conda-incubator' && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/') which serves that purpose on the attestation and release
There was a problem hiding this comment.
we want the build and verification to run at all the times and the publish to npmjs only on releases
There was a problem hiding this comment.
Hmm. Doesn't this result in confusing UX in GitHub? As in, somebody creates a pull request, sees this check, clicks on it, and sees both a build and release job with green check marks, and might think, oh did my pull request trigger a release?
There was a problem hiding this comment.
I suppose that is when the logs are helpful.
I mean, I can further separate the release and have it in a completely isolated job it really makes no difference IMO
There was a problem hiding this comment.
Yes and we do have much better logs thanks to you. :)
But it's still bad UI, but also maybe not high priority so... just gotta live with it
Co-authored-by: gabalafou <[email protected]>
|
I made the last changes, which are updating the workflow step names. I still do not understand how the yarn v1/v4 thing happened/works but 🤷🏽♀️ |
From the NPM v10 docs on npm install:npm install preinstall From the Yarn 1 docs on scripts:Scripts are a great way of automating tasks related to your package, such as simple build processes or development tools. Using the "scripts" field, you can define various scripts to be run as yarn run <script>. For example, the build-project script above can be invoked with yarn run build-project and will run node build-project.js. Certain script names are special. If defined, the preinstall script is called by yarn before your package is installed. For compatibility reasons, scripts called install, postinstall, prepublish, and prepare will all be called after your package has finished installing. The start script value defaults to node server.js. From the Yarn v2 docs on lifecycle scripts:Note that we don't support every single lifecycle script originally present in npm. This is a deliberate decision based on the observation that too many lifecycle scripts make it difficult to know which one to use in which circumstances, leading to confusion and mistakes. We are open to add the missing ones on a case-by-case basis if compelling use cases are provided. The current Yarn docs (v4) on lifecycle scripts says the same thing. |
|
Actually the more relevant bit from the NPM docs is: Life Cycle ScriptsThere are some special life cycle scripts that happen only in certain situations. These scripts happen in addition to the
prepare (since
|
| - name: "Checkout repository 🛎" | ||
| uses: actions/checkout@v4 |
There was a problem hiding this comment.
Ah, right, of course. But hmmm, something about the way the build and release jobs are split up still feels unintuitive to me... can't quite put my finger on it
| uses: actions/checkout@v4 | ||
|
|
||
| # Setup .npmrc file to publish to npm | ||
| - name: "Set up Node.js 🧶" |
There was a problem hiding this comment.
Yeah... I started playing with this, and for some reason, if you use this action with the registry-url parameter, something magical happens (something to do with .npmrc) that allows the npm publish command to pick up env.NODE_AUTH_TOKEN. Otherwise, the command doesn't pick up the token from the environment, and it fails.
RELEASE.md
Outdated
| @@ -7,6 +7,8 @@ | |||
| 1. Build the package locally: | |||
|
|
|||
| ```bash | |||
| # clean build artefacts to avoid issues | |||
| yarn run clean | |||
There was a problem hiding this comment.
I guess I don't understand why someone would need to run this command if they run already ran git clean -fxdq on line 5 above.
.github/workflows/release.yml
Outdated
| - name: "Check npmjs/conda-store-ui scope" | ||
| run: npm show | ||
|
|
||
| # we always do a dry run for the publish |
There was a problem hiding this comment.
The dry run is pretty much useless unless you inspect the results. The command does not error out (exit code 1) if it encounters any issues.
| name: conda-store-ui-package | ||
| path: ${{ env.PACKAGE_FILE }} | ||
|
|
||
| release-to-npmjs: |
There was a problem hiding this comment.
Hmm. Doesn't this result in confusing UX in GitHub? As in, somebody creates a pull request, sees this check, clicks on it, and sees both a build and release job with green check marks, and might think, oh did my pull request trigger a release?
… trallard/update-release-wf
|
The last push addresses all of @gabalafou concerns and any improvements will have to come later as we only needed to get a working pipeline to try and make a pre-release and this has been hanging for too long now |
Description
For whatever reason, the package was not compiled during the last release. So, this PR adds additional cleanup and check tasks to the GH workflow to prevent this from happening.
Pull request checklist
Additional information