Update update_dep.sh #18609
Update update_dep.sh #18609
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: henrybear327 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
henrybear327
force-pushed
the
ci/improve_update_dep
branch
from
3976754
to
c0ba3eb
Compare
|
@henrybear327, there are some shellcheck warnings in the script. Would you want to draft the PR? And would you like me to continue on top of it? Or do you want to address the issues? |
@ivanvc let's draft the PR and you can probably take over it if you have time to improve it! Hopefully it's a helpful start otherwise you can trash the PR and start from scratch! Thanks! |
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted filessee 26 files with indirect coverage changes @@ Coverage Diff @@
## main #18609 +/- ##
==========================================
+ Coverage 68.74% 68.76% +0.02%
==========================================
Files 420 420
Lines 35535 35535
==========================================
+ Hits 24427 24436 +9
+ Misses 9677 9667 -10
- Partials 1431 1432 +1 Continue to review full report in Codecov by Sentry.
|
henrybear327
force-pushed
the
ci/improve_update_dep
branch
from
c0ba3eb
to
4691dfc
Compare
@ivanvc I have fixed the Maybe you can see if this is a good enough quality script to consider now! |
henrybear327
force-pushed
the
ci/improve_update_dep
branch
from
4691dfc
to
f94117c
Compare
scripts/update_dep.sh
Outdated
| if grep --exclude-dir=.git --include=\*.mod -Ri -q "^.*${mod} v.*// indirect$"; then | ||
| echo "Fully indirect, we will terminate the script" | ||
| exit 1 |
There was a problem hiding this comment.
Sometimes we still need bump pure indirect dependency, i.e. due to CVE. A couple of approaches:
- raise a question something "XXX is a pure indirect dependency, Are you sure you want to proceed? (y/n):"
- Or we can just print a warning and automatically continue to execute the script. As mentioned in previous comment, it's up to maintainers/contributors whether to bump a pure indirect dependency. If not, then they shouldn't run this script at all.
henrybear327
force-pushed
the
ci/improve_update_dep
branch
2 times, most recently
from
967bc31
to
f892b05
Compare
|
@henrybear327: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| function maybe_update_module { | ||
| function print_current_dep_version { | ||
| echo "${mod} version in all go mod files" | ||
| grep --exclude-dir=.git --include=\*.mod -Ri "^.*${mod} v.*$" | grep -v sum |
There was a problem hiding this comment.
By passing --include to the first grep, I don't think you need to pipe the second grep. It won't match go.sum files.
I think your regular expression can be simplified to "${mod} v". I don't see the value of ^.* and .*$, which matches anything before and after. I'd suggest simplifying.
| run go mod tidy | ||
|
|
||
| deps=$(go list -f '{{if not .Indirect}}{{if .Version}}{{.Path}},{{.Version}}{{end}}{{end}}' -m all) | ||
| deps=$(go list -f '{{if .Version}}{{.Path}},{{.Version}}{{end}}' -m all) | ||
| if [[ "$deps" == *"${mod}"* ]]; then | ||
| if [ -z "${ver}" ]; then |
There was a problem hiding this comment.
With the changes from the top of the file
if [ "$#" -ne 2 ]; then
echo "Illegal number of parameters"
exit 1
fiWe will never reach this conditional, as ${ver} will never be empty.
| # check if all lines end with "// indirect" | ||
| # if grep found nothing, the error code will be non-zero | ||
| ALL=$(grep --exclude-dir=.git --include=\*.mod -Ri "^.*${mod} v.*$" | grep -v sum | wc -l) | ||
| ONLY_INDIRECT=$(grep --exclude-dir=.git --include=\*.mod -Ri "^.*${mod} v.*// indirect$" | grep -v sum | wc -l) | ||
| if [[ "$ALL" == "$ONLY_INDIRECT" ]]; then | ||
| echo "Fully indirect, we will terminate the script" | ||
| exit 1 | ||
| else | ||
| echo "Not fully indirect, we will perform dependency bump" | ||
| fi |
There was a problem hiding this comment.
Another approach would be to use go list for this, i.e., something like:
local result
result=$(find . -name go.mod | xargs -I{} /bin/sh -c 'cd $(dirname {}); go list -f "{{if eq .Path \"'"${mod}"'\"}}{{.Indirect}}{{end}}" -m all' | sort | uniq)
if [ "$result" = "true" ] ; then
read -p "Module ${mod} is an indirect dependency. Are you sure you want to update it? [y/N] " -r confirm
[[ "${confirm,,}" == "y" ]] || exit
else
echo "Not fully..."
fi| # check all dependencies across all go mod files have the same pinned version respectively | ||
| PASSES="dep" ./scripts/test.sh | ||
|
|
||
| go mod tidy | ||
| run_for_modules maybe_update_module | ||
| ./scripts/fix.sh |
There was a problem hiding this comment.
Shouldn't we invert these steps? Shouldn't it be first fix, then the dep tests?
| if [ "$#" -ne 2 ]; then | ||
| echo "Illegal number of parameters" | ||
| exit 1 | ||
| fi |
There was a problem hiding this comment.
This also outdates the documentation at the top of the file 😅
Based on the experience of performing dependency bumps, some minor improvements are made to the script to make it conform to our current dependency bump procedure, listed as follows: - print out the dependency's version before and after the bump - check if the dependency is fully indirect - change the behavior of bumping dependency (doesn't ignore bumping indirect dependency in the go mod files anymore) - check if all dependencies across all go mod files have the same pinned version respectively after bumping a dependency Signed-off-by: Chun-Hung Tseng <[email protected]>
henrybear327
force-pushed
the
ci/improve_update_dep
branch
from
f892b05
to
d26e944
Compare
Based on the experience of performing dependency bumps, some minor improvements are made to the script to make it conform to our current dependency bump procedure, listed as follows:
Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.