gha-overhaul#10653
Conversation
41d6c3f to
7835187
Compare
macfarla
left a comment
There was a problem hiding this comment.
verify-source-metadata dropped from the merge gate
The old unittests-passed gate required [compile, unitTests, verify-source-metadata]. The new one only requires [unitTests]. Supply-chain security checks (verifySourceArtifacts) no longer block PR merge. This feels like an unintentional regression — verify-source-metadata should remain in the required set.
| ./ | ||
| !./.git/** | ||
| retention-days: 1 | ||
| include-hidden-files: 'true' |
There was a problem hiding this comment.
I don't think we want to include hidden files here?
7835187 to
87ec960
Compare
7282a08 to
9b505b7
Compare
Signed-off-by: Joshua Fernandes <joshua.fernandes@consensys.net>
9b505b7 to
c1bac6a
Compare
Signed-off-by: Joshua Fernandes <joshua.fernandes@consensys.net>
Signed-off-by: Joshua Fernandes <joshua.fernandes@consensys.net>
Signed-off-by: Joshua Fernandes <joshua.fernandes@consensys.net>
Signed-off-by: Joshua Fernandes <joshua.fernandes@consensys.net>
b2642d5 to
57b1c13
Compare
yep, have added an |
852cd90 to
8a60c95
Compare
Signed-off-by: Joshua Fernandes <joshua.fernandes@consensys.net>
8a60c95 to
38c749c
Compare
| --- | ||
| # Wait for Besu liveness endpoint to confirm main loop is up | ||
| http: | ||
| http://localhost:8545/liveness: |
There was a problem hiding this comment.
@siladu this will replace the containerVerify.sh Besu container started and entered main loop and relies on the internal healthcheck
| # Verify Besu version matches expected VERSION env var | ||
| command: | ||
| check-besu-version: | ||
| exec: "sh -c '[ -n \"${EXPECTED_VERSION}\" ] && /opt/besu/bin/besu --version 2>&1 | grep -q \"${EXPECTED_VERSION}\"'" |
There was a problem hiding this comment.
this one replaces the containerVerify.sh version check - extract the version from the pod and match it to the tag. In ci.yml we skip this as we don;t care. In release.yml it sends the tag to compare against
8ed2d8e to
df8d7e9
Compare
Signed-off-by: Joshua Fernandes <joshua.fernandes@consensys.net>
df8d7e9 to
8701179
Compare
| if [[ -n "${{ inputs.version }}" ]]; then | ||
| ./gradlew --no-daemon -Prelease.releaseVersion=${{ inputs.version }} -Pversion=${{ inputs.version }} distDockerCopy | ||
| else | ||
| ./gradlew --no-daemon distDockerCopy |
There was a problem hiding this comment.
have we tested that gradle does the right thing and avoids rebuilding the tarball when it is restored from the assemble-output?
Honestly, I'd be happy to remove distDockerCopy from gradle, and avoid depending on both it and java. It's just moving tarballs around and opening them.
There was a problem hiding this comment.
Aye, should do, its what we do on teku & w3s.
Definitively in favour of less gradle mjolnir for everything ;) maybe a second round after this goes in? Fuse your changes in there too? In the very least this should simplify life a good deal
|
Still reviewing...let's test this in the sandbox before merging please 🙏 |
Signed-off-by: Joshua Fernandes <joshua.fernandes@consensys.net>
Signed-off-by: Joshua Fernandes <joshua.fernandes@consensys.net>
pass repo linter by adding hyperledger code of conduct link Signed-off-by: Simon Dudley <simon.dudley@consensys.net>
Signed-off-by: Simon Dudley <simon.dudley@consensys.net>
siladu
left a comment
There was a problem hiding this comment.
I fixed the linting and got the ci.yml green.
However, this PR regresses the overall CI time by double: from ~15mins to ~30mins
https://github.com/besu-eth/besu/actions/runs/28508814455
I appreciate it is easier to maintain this style of workflow but I think +15mins on every push to a PR is a case of negatives outweighing the benefits.
Before we commit to this workflow architecture can we address how we can might get the duration back down to ~15mins?
Some select items from a Codex review that I think deserve a comment or might be genuine bugs:
- P1: CI no longer runs for merge queue events. The new workflow only has push and pull_request triggers in .github/workflows/ci.yml:3, and the test/gate jobs are additionally guarded with
github.event_name == 'pull_request' around .github/workflows/ci.yml:151. Since the deleted workflows previously handled merge_group, required checks will not be reported for merge-queue
entries. GitHub explicitly requires adding merge_group for required checks used with merge queues.
- P1: Release Docker publish drops contents: read at the reusable-workflow call site. .github/workflows/release.yml:206 grants only id-token: write, so unspecified permissions become none,
and reusable workflows cannot elevate them. The called workflow then tries actions/checkout in .github/workflows/docker-publish.yml:26, which needs repository contents. Add contents: read
to the caller.
- P1: Multi-arch Docker publish builds linux/amd64,linux/arm64 from an amd64 runner without explicit QEMU or a native arm builder in .github/workflows/docker-publish.yml:39. The Dockerfile
runs apt-get during build in docker/Dockerfile:12, so the arm64 leg depends on emulation/native support. Docker’s multi-platform GitHub Actions example sets up QEMU before Buildx for this
platform pair.
- P2: The new release workflow no longer smoke-tests the generated tar/zip artifacts before drafting/publishing. draftRelease only needs build and dockerBuildTest in .github/workflows/
release.yml:107; there is no Linux/Windows unpack-and-run check for besu --help / --version. A broken distribution archive could reach the draft/publish path.
Thankyou for that, appreciate the commits in there for spdx and code of conduct :)
This is quite misleading mate and also one of the big antipatterns this PR fixes.
I don't have an objection to moving the For comparison: |
Another antipattern: merge_queue was tested at one point from what I understand, but not used. This PR calls that out and removes refs to it as well so its clear for users. This is discussed in the doc and with @macfarla already.
Fixed:
On
Another antipattern: unzipping an artifact in linux/windows isn't a real test mate. Let's be honest, if the artifact zip/tar was unusable, it should have been picked up much earlier in the testing, not here. This is also why provenance helps. |
Signed-off-by: Joshua Fernandes <joshua.fernandes@consensys.net>
Here's an example PR with all the checks: Preview is the longest check @ 15 mins , there's no waiting for extra tests or docker build+test after that, it's all in parallel https://github.com/besu-eth/besu/actions/runs/28560601462
The test suites are separate gradle commands, they don't rely on the artifact being generated. Code compile happens as part of the test command, even in this PR.
IIUC, release.yml rebuilds the artifact with a new gradle assemble command, it doesn't attempt to reuse what was built by ci.yml. I agree about the benefits of the provenance and testing what we ship (in the burn-in), but that is only relevant for release, whereas my regression comment is about the PR workflow, ci.yml |
Also remove unused assemble-output assemble-output still used for dockerBuildTest Signed-off-by: Simon Dudley <simon.dudley@consensys.net>
This should speed up the first stage slightly. Also add in parallel javadoc to first stage. The idea is that spotless and javadoc are common errors that could gate the full test suite runs. This may increase the first stage duration due to code compilation, so may revert after testing. Signed-off-by: Simon Dudley <simon.dudley@consensys.net>
Signed-off-by: Simon Dudley <simon.dudley@consensys.net>
Signed-off-by: Simon Dudley <simon.dudley@consensys.net>
|
Made some changes to improve CI speed and clarity:
Total duration after this is merged should bring duration back down <= 15 mins: 29 mins - 11 mins - 3 mins - 30secs = ~14 mins 30 seconds Will hold off on merging this until @joshuafernandes is back since once we merge, we'll need to test the release in the sandbox and potentially revert/forward-fix. |

PR description
Thanks for sending a pull request! Have you done the following?
doc-change-requiredlabel to this PR if updates are required.Locally, you can run these tests to catch failures early:
./gradlew spotlessApply./gradlew build./gradlew acceptanceTest./gradlew integrationTest./gradlew ethereum:referenceTests:referenceTests