Closed Bug 1635488 Opened 5 years ago Closed 4 years ago

add git and github support in treescript

Categories

(Release Engineering :: Release Automation: Other, task)

Product:
Release Engineering
Component:
Release Automation: Other
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mtabara, Assigned: jlorenzo)

References

(
URL
)

Details

Attachments

(16 files)

https://gitpython.readthedocs.io/ POC
2.39 KB, patch
Details | Diff | Splinter Review
https://pygithub.readthedocs.io/ POC
1.45 KB, patch
Details | Diff | Splinter Review
[scriptworker-script] part 1: [treescript] Expose commit() function in mercurial
63 bytes, text/x-github-pull-request
Details | Review
[scriptworker-scripts] part 2 & 3: Dynamically choose vcs module
63 bytes, text/x-github-pull-request
Details | Review
[scriptworker-scripts] part 4: Support version bumps on github repos
63 bytes, text/x-github-pull-request
Details | Review
[fenix] add taskgraph version bump task
56 bytes, text/x-github-pull-request
Details
[k8s-autoscale] Add mobile treescript workers
56 bytes, text/x-github-pull-request
Details | Review
Bug 1635488 - part 1: Create new TC clients for the mobile treescript instances r=mtabara
47 bytes, text/x-phabricator-request
Details | Review
Bug 1635488 - Bump attrs (and other deps) so that fenix can use mozilla-version r=#releng-reviewers
47 bytes, text/x-phabricator-request
Details | Review
[scriptworker-scripts] part 7 and 8: Fixup Thunderbird
63 bytes, text/x-github-pull-request
Details | Review
[fenix] part 2: Add missing branch in version bump payload
50 bytes, text/x-github-pull-request
Details | Review
[scriptworker-scripts] part 9 and 10: Fix git branch that cannot be checked out
63 bytes, text/x-github-pull-request
Details | Review
[scriptworker-scripts] part 11: Do not use the `branch@{u}` syntax
63 bytes, text/x-github-pull-request
Details | Review
[scriptworker-scripts] part 12: Set upstream branch at push time
63 bytes, text/x-github-pull-request
Details | Review
[scriptworker-scripts] part 13: Fix set-upstream flag
63 bytes, text/x-github-pull-request
Details | Review
[scriptworker-scripts] part 14: Fix branch parameter
63 bytes, text/x-github-pull-request
Details | Review

The goal here is to get Fenix on ship-it. For that to happen, there are two things that need to happen:

  1. Fenix to be able to schedule an action task that generates a graph, which creates a Github release. Other sanity checks around version found in-tree and bump the version once the release is done.

Expected Github operations:

  • github push (to master if there is no branch-protection) or pull-request (if there is)
  • github create release
  1. Bumping the version number in-tree requires manuevring git repos. For this we need to extend treescript to understand git as well.

Expected supported git operations:

  • pull
  • push
  • tag
  • count commits (used for sanity checks to compare local git commits to expected ones to be pushed in a release)
  • (optional) sign commit

For git operations, we're leaning towards using subprocesses and call the underlying git modules directly for a handful of reasons:
a) easier to update the git within the Docker images should we want to
b) more maintenance expertise within RelEng when it comes to vanilla git commands, rather than any of the APIs (https://gitpython.readthedocs.io/en/stable/)
c) (speculation) speed - using native tools is likely faster than using the Python wrapper around them, since Python runs in a single process.

https://pygithub.readthedocs.io/en/latest/index.html may be worth investigating, too. Example:

>>> repo = g.get_repo("PyGithub/PyGithub")
>>> contents = repo.get_contents("test.txt", ref="test")
>>> repo.update_file(contents.path, "more tests", "more tests", contents.sha, branch="test")
{'commit': Commit(sha="b06e05400afd6baee13fff74e38553d135dca7dc"), 'content': ContentFile(path="test.txt")}
Blocks: 1568466

Coordinated with Johan again on this topic to align our strategy, dropping some thoughts.

  1. In the glorious future, Ship-it will replace Github releases so we won't have to rely on them anymore. That said, we can solely rely on the https://github.com/mozilla-mobile/fenix/blob/master/version.txt, similarly to what we do on gecko trees. That file shall be read by the Ship-it frontend and updated via treescript for the future Fenix releases.

  2. For a while, we'll have both Github releases and Ship-it at the same time, which will probably be a bit confusing since we'll have to keep that file manually at sync. But once the migration is over, we should be good to go.

  3. RelMan/Mobile go on Ship-it, they choose the revision and the version number for the Fenix release and trigger the release. Under the hood, an action task is being scheduled which schedules the release graph. Alongside them, there will be a treescript task too. Given that at the time of action-task creation we already have the version, we can already bake the version and nextVersion within the version-bump's task payload.

Version bump treescript task will look something like:
task.payload: version, nextVersion

logic under the hood in treescript:
a) pull https://github.com/mozilla-mobile/fenix/,
b) adjust the version value from version to nextVersion
c) add the files
d) commit
e) push to Github (push if ssh key, pull-request if branch protection, etc)

These is the basic backbone to begin with. We could inject some sanity checks along the way including but not limited to:
i) between a) and b) ensure the version in the payload corresponds to the one in the actual version.txt file in the repo
ii) between d) and e) to ensure git out (or wathever the equivalent is for hg out) pushes only one commit and nothing more
iii) import/export the commit and inject an Autograph signing task in between
iv) etc

Note to self:

  • confirmed with :hwine that we can use a bot, within a more restrictive group, that can automatically push to master. That entails:
    a) generate the ssh key for that bot and keep that in SOPS
    b) carefully restrict the actions possible via the Github configs and have SecOps sign-off that

Callek and myself pair-programmed on this today, with some great results:

Pros

Cons

  • PRs difficult to implement as they are not natively supported
  • we need to implement sanity checks to ensure things are as expected, as opposed
    to having them already there via the Github API wrapper
  • less guarantees for idempotency - doable but needs extra work

Results: https://github.com/MihaiTabara/fenix/commit/7b6b8c40e7d5da10b7d73a10305a6ae9f044d909#diff-5fb01c6f8b54d96c62af3415c51ffad3

Pros

Cons

  • confusing non-granular write access for the Github token or Github user
  • possible rate-limit future concern https://developer.github.com/v3/#rate-limiting
  • side-effects of functions are not aparent at callsite
  • possible deprecation of the Github APIs in the future versions
  • only one file per changeset/commit via update_file
  • harder to extend for future requests

Results: https://github.com/MihaiTabara/fenix/commit/2b79439542114e81145ee1de61126006631eca59#diff-5fb01c6f8b54d96c62af3415c51ffad3

Assignee: nobody → mtabara
Attachment #9150567 - Attachment is patch: true

Un-assigning this since it's a TEAM effort.

Assignee: mtabara → nobody
  • same treescript, but a different COT product for safety of COT
  • we need to guard with scopes per branch/project since in the mobile world we can have more projects using this task, unlike gecko where we have per-level scopes

We can carve out two pieces of work here:

See Also: → 1648785

Note to self: Johan pointed out that we need to bump https://github.com/mozilla-mobile/fenix/pull/12907/files#diff-e5307118f57349f9bf5d4be8b0d92aef as well when we do the version bump.

Had a chat with Johan on this today.

Places we need to touch:

  • taskgraph - Fenix standalone version bump tasks + git tags since we're here
  • instances - all the SOPS, cloudops-infra
  • treescript git work + docker configuration + worker.yml
  • ciadmin - scopes administration

Tracked in JIRA as https://jira.mozilla.com/browse/RELENG-89. Chatted with :mtabara, I'm going to handle this bug.

Assignee: nobody → jlorenzo
URL: https://jira.mozilla.com/browse/RELEN...
Pushed by jlorenzo@mozilla.com: https://hg.mozilla.org/ci/ci-configuration/rev/20818c90d9eb part 1: Create new TC clients for the mobile treescript instances r=mtabara
Regressions: 1675565
Pushed by jlorenzo@mozilla.com: https://hg.mozilla.org/ci/taskgraph/rev/2b2622598df0 Bump attrs (and other deps) so that fenix can use mozilla-version r=releng-reviewers,bhearsum
See Also: → 1595808

This is now fixed and has been deployed to production.

2020-12-01 11:02:21,379 - git.cmd - DEBUG - Popen(['git', 'push', '--porcelain', '--set-upstream', '--verbose', 'origin', 'relbot/AC-67.0.6'], cwd=/app/workdir/src, universal_newlines=True, shell=None, istream=None)
2020-12-01 11:02:25,596 - treescript.git - INFO - Push done succesfully!
2020-12-01 11:02:25,598 - treescript.git - INFO - Resetting repo state to match upstream's...
2020-12-01 11:02:25,598 - git.cmd - DEBUG - Popen(['git', 'reset', '--hard', 'origin/relbot/AC-67.0.6', '--'], cwd=/app/workdir/src, universal_newlines=False, shell=None, istream=None)
2020-12-01 11:02:25,623 - git.cmd - DEBUG - Popen(['git', 'clean', '-fdx'], cwd=/app/workdir/src, universal_newlines=False, shell=None, istream=None)
2020-12-01 11:02:25,637 - treescript.git - INFO - Repo state reset.
2020-12-01 11:02:25,637 - treescript.script - INFO - Done!
exit code: 0

https://firefox-ci-tc.services.mozilla.com/tasks/eI8dFWdETrW-vYSu2SMUqA/runs/1/logs/https%3A%2F%2Ffirefox-ci-tc.services.mozilla.com%2Fapi%2Fqueue%2Fv1%2Ftask%2FeI8dFWdETrW-vYSu2SMUqA%2Fruns%2F1%2Fartifacts%2Fpublic%2Flogs%2Flive_backing.log

The branch was wrong, but it's because of shipit. I'm going to work on this in another bug. This means this bug is now done \o/

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: