-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci(r): Refactor CI configuration #1210
Conversation
.github/workflows/r-extended.yml
Outdated
fail-fast: false | ||
|
||
env: | ||
GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any secrets should not be set globally as envvars (neither workflow nor job wide) and only set in the step they are used. That way potentially compromised actions can't grab them. Not essential here as the permissions are set to read only.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That must have been a hangover from some earlier workflow (I think maybe pak needs it for setup-r-dependencies but we don't install anything from GitHub at the moment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks very good permissions and everything is there 👍 .
Theoretically you could move the sequence of checkout, setup r, setup deps, check package into a local action/reusable workflow which would reduce the non valgrind jobs in r-extended to one call to that and reduce duplication. But there is also something to say for listing the steps clearly without hiding behind an abstraction... so 🤷
105 checks might be a bit excessive...they are all short, but 50% of the runtime of each of them is just setting up R at this point |
Oh, right, but many of them are weekly and not on every PR. That's better then. |
Ok, I think I got it down to 5 checks that run on every PR, which should catch most things from changes outside the r/ directory that would break the packages. It's true that setting up R has higher overhead than setting up Python...I'm happy to re-workshop these if that becomes a problem (but since most of them just run weekly I don't think it will come up). |
This PR moves R workflows into their own file since they don't depend on any other jobs. It also adds an r-extended job that checks some of the more obscure things (e.g., older R versions, valgrind). The gist of the CI setup is:
Closes #1138.
I opened tickets to debug the valgrind errors reported by the drivers. Those CI jobs run weekly (reflecting the time I have available to debug them) so they won't add noise to ongoing development.