
Update update_dep.sh #18609

Draft, wants to merge 1 commit into main

Conversation

henrybear327 (Contributor) commented Sep 19, 2024

Based on the experience of performing dependency bumps, some minor improvements are made to the script to make it conform to our current dependency bump procedure, listed as follows:

  • print out the dependency's version before and after the bump
  • check if the dependency is fully indirect
  • change the behavior of bumping dependency (doesn't ignore bumping indirect dependency in the go mod files anymore)
  • check if all dependencies across all go mod files have the same pinned version respectively after bumping a dependency

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.
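The two checks the description lists, whether a dependency is fully indirect and whether every go.mod pins it to one version, as an added shell example that is not the PR's update_dep.sh: it parses constructed go.mod files with awk instead of calling go list, so it needs no Go toolchain, and the module paths and versions are made up.

```shell
#!/usr/bin/env bash
# Added example, not scripts/update_dep.sh: the "fully indirect" and "one pinned
# version everywhere" checks over go.mod files, parsed with awk instead of go list.
set -eu

# Constructed fixture (made-up module paths): go.example.org/dep is direct in a/,
# indirect in b/ and c/, and c/ pins an older version.
make_fixture() {   # $1 = scratch directory
  mkdir -p "$1/a" "$1/b" "$1/c"
  printf 'module example.com/a\n\nrequire (\n\tgo.example.org/dep v1.2.0\n\tgo.example.org/dep/v2 v2.0.1 // indirect\n)\n' > "$1/a/go.mod"
  printf 'module example.com/b\n\nrequire go.example.org/dep v1.2.0 // indirect\n' > "$1/b/go.mod"
  printf 'module example.com/c\n\nrequire (\n\tgo.example.org/dep v1.1.0 // indirect\n\tgo.example.org/other v0.3.0\n)\n' > "$1/c/go.mod"
}

# Emit "<go.mod> <version> direct|indirect" for each go.mod requiring exactly $2. awk
# compares the whole path field, so go.example.org/dep never matches .../dep/v2.
dep_lines() {      # $1 = repo root, $2 = module path
  find "$1" -name go.mod ! -path '*/.git/*' -print0 |
    xargs -0 awk -v mod="$2" '
      /^[[:space:]]*(require[[:space:]]+)?[^[:space:]]+[[:space:]]+v[0-9]/ {
        path = ($1 == "require") ? $2 : $1
        ver  = ($1 == "require") ? $3 : $2
        if (path != mod) next
        print FILENAME, ver, (index($0, "// indirect") ? "indirect" : "direct")
      }'
}

# "missing" when no go.mod requires the module (a bare all==indirect count comparison
# reads 0==0 as fully indirect), "indirect" only when every go.mod marks it, else "direct".
classify() {       # $1 = repo root, $2 = module path
  lines=$(dep_lines "$1" "$2")
  [ -n "$lines" ] || { echo missing; return; }
  if printf '%s\n' "$lines" | grep -q ' direct$'; then echo direct; else echo indirect; fi
}

# "consistent" when every go.mod pins the same version, "mismatch" otherwise.
version_check() {  # $1 = repo root, $2 = module path
  n=$(dep_lines "$1" "$2" | awk '{ print $2 }' | sort -u | wc -l | tr -d ' ')
  [ "$n" -le 1 ] && echo consistent || echo mismatch
}

# Stand-alone demo over the fixture.
demo() {
  tmp=$(mktemp -d); make_fixture "$tmp"
  for m in go.example.org/dep go.example.org/dep/v2 go.example.org/none; do
    echo "$m: $(classify "$tmp" "$m"), versions $(version_check "$tmp" "$m")"
  done
  rm -rf "$tmp"
}
demo
```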

henrybear327 (Contributor Author) commented:

/cc @ivanvc
/cc @ahrtr
I am not good with bash scripts :(

This is the script that I have been using to bump the dependencies in the past months. Hopefully, it will be helpful for future volunteers before the dependabot is fixed!

ivanvc (Member) commented Sep 19, 2024

@henrybear327, there are some shellcheck warnings in the script. Would you want to draft the PR? And would you like me to continue on top of it? Or do you want to address the issues?

henrybear327 (Contributor Author) commented:

> @henrybear327, there are some shellcheck warnings in the script. Would you want to draft the PR? And would you like me to continue on top of it? Or do you want to address the issues?

@ivanvc let's draft the PR and you can probably take over it if you have time to improve it!

Hopefully it's a helpful start otherwise you can trash the PR and start from scratch!

Thanks!

codecov-commenter commented Sep 19, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.81%. Comparing base (7c56ef2) to head (4b83871).


@@            Coverage Diff             @@
##             main   #18609      +/-   ##
==========================================
+ Coverage   68.77%   68.81%   +0.04%     
==========================================
  Files         420      420              
  Lines       35649    35649              
==========================================
+ Hits        24518    24533      +15     
+ Misses       9705     9689      -16     
- Partials     1426     1427       +1     


henrybear327 (Contributor Author) commented:

> @henrybear327, there are some shellcheck warnings in the script. Would you want to draft the PR? And would you like me to continue on top of it? Or do you want to address the issues?

@ivanvc I have fixed the shellcheck errors

Maybe you can see if this is a good enough quality script to consider now!
Thank you!

scripts/update_dep.sh (outdated), comment on lines 35 to 37:
if grep --exclude-dir=.git --include=\*.mod -Ri -q "^.*${mod} v.*// indirect$"; then
echo "Fully indirect, we will terminate the script"
exit 1
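Review bot: the `-q` test succeeds as soon as any one go.mod lists `${mod}` with `// indirect`, so a dependency that is direct in one module and indirect in another also takes the `Fully indirect` exit; an all-files decision needs the count of `// indirect` matches compared with the count of all matches (or `go list -m -f '{{.Indirect}}'` run per module). The `-i` flag also makes the path match case-insensitive, which Go module paths are not.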

Sometimes we still need to bump a pure indirect dependency, i.e. due to a CVE. A couple of approaches:

  • raise a question, something like "XXX is a pure indirect dependency, are you sure you want to proceed? (y/n):"
  • Or we can just print a warning and automatically continue executing the script. As mentioned in a previous comment, it's up to maintainers/contributors whether to bump a pure indirect dependency. If not, then they shouldn't run this script at all.

henrybear327 force-pushed the ci/improve_update_dep branch 2 times, most recently from 967bc31 to f892b05, on September 25, 2024 07:33

k8s-ci-robot commented:

@henrybear327: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name         Commit   Details  Required  Rerun command
pull-etcd-verify  f892b05  link     true      /test pull-etcd-verify


ivanvc (Member) left a comment:

Thanks for the pull request, Henry. I haven't had a chance to check it before. I left some comments ✌️

function maybe_update_module {
function print_current_dep_version {
echo "${mod} version in all go mod files"
grep --exclude-dir=.git --include=\*.mod -Ri "^.*${mod} v.*$" | grep -v sum

By passing --include to the first grep, I don't think you need to pipe the second grep. It won't match go.sum files.

I think your regular expression can be simplified to "${mod} v". I don't see the value of ^.* and .*$, which matches anything before and after. I'd suggest simplifying.

run go mod tidy

deps=$(go list -f '{{if not .Indirect}}{{if .Version}}{{.Path}},{{.Version}}{{end}}{{end}}' -m all)
deps=$(go list -f '{{if .Version}}{{.Path}},{{.Version}}{{end}}' -m all)
if [[ "$deps" == *"${mod}"* ]]; then
if [ -z "${ver}" ]; then
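Review bot: `[[ "$deps" == *"${mod}"* ]]` is a substring test over the whole `go list -m all` output, so it is also true when only a module whose path contains `${mod}` (a `/v2` major version, or a longer path ending in it) is required; match a whole `path,version` line instead, e.g. `printf '%s\n' "$deps" | grep -q "^${mod},"`.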

With the changes from the top of the file

if [ "$#" -ne 2 ]; then
    echo "Illegal number of parameters"
    exit 1
fi

We will never reach this conditional, as ${ver} will never be empty.

Comment on lines +31 to +40
# check if all lines end with "// indirect"
# if grep found nothing, the error code will be non-zero
ALL=$(grep --exclude-dir=.git --include=\*.mod -Ri "^.*${mod} v.*$" | grep -v sum | wc -l)
ONLY_INDIRECT=$(grep --exclude-dir=.git --include=\*.mod -Ri "^.*${mod} v.*// indirect$" | grep -v sum | wc -l)
if [[ "$ALL" == "$ONLY_INDIRECT" ]]; then
echo "Fully indirect, we will terminate the script"
exit 1
else
echo "Not fully indirect, we will perform dependency bump"
fi
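Review bot: when `${mod}` appears in no go.mod (a typo or an already removed dependency), `ALL` and `ONLY_INDIRECT` are both 0, the equality holds and the script exits with `Fully indirect` for a module it never found; test `[ "$ALL" -eq 0 ]` first and report that case on its own. The unanchored `^.*${mod} v` pattern also counts any module path that merely ends in `${mod}`, so requiring whitespace before the path (`[[:space:]]${mod} v`) keeps both counts to exact paths.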

Another approach would be to use go list for this, i.e., something like:

local result
result=$(find . -name go.mod | xargs -I{} /bin/sh -c 'cd $(dirname {}); go list -f "{{if eq .Path \"'"${mod}"'\"}}{{.Indirect}}{{end}}" -m all' | sort | uniq)
if [ "$result" = "true" ]; then
  read -p "Module ${mod} is an indirect dependency. Are you sure you want to update it? [y/N] " -r confirm
  [[ "${confirm,,}" == "y" ]] || exit
else
  echo "Not fully..."
fi

Comment on lines 60 to 63
# check all dependencies across all go mod files have the same pinned version respectively
PASSES="dep" ./scripts/test.sh

go mod tidy
run_for_modules maybe_update_module
./scripts/fix.sh

Shouldn't we invert these steps? Shouldn't it be first fix, then the dep tests?

Comment on lines +16 to +19
if [ "$#" -ne 2 ]; then
echo "Illegal number of parameters"
exit 1
fi

This also outdates the documentation at the top of the file 😅

henrybear327 force-pushed the ci/improve_update_dep branch 3 times, most recently from 1e47ce2 to 97d9610, on October 8, 2024 17:36
henrybear327 force-pushed the ci/improve_update_dep branch from 97d9610 to 401bceb on October 20, 2024 05:17
henrybear327 force-pushed the ci/improve_update_dep branch 2 times, most recently from 612ca28 to bba5e87, on October 31, 2024 14:37
henrybear327 force-pushed the ci/improve_update_dep branch from bba5e87 to 02bb65a on January 16, 2025 21:28

k8s-ci-robot commented:

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: henrybear327
Once this PR has been reviewed and has the lgtm label, please assign ivanvc for approval. For more information see the Code Review Process.


Based on the experience of performing dependency bumps, some minor
improvements are made to the script to make it conform to our current
dependency bump procedure, listed as follows:
- print out the dependency's version before and after the bump
- check if the dependency is fully indirect
- change the behavior of bumping dependency (doesn't ignore bumping
indirect dependency in the go mod files anymore)
- check if all dependencies across all go mod files have the same pinned
version respectively after bumping a dependency

Signed-off-by: Chun-Hung Tseng <[email protected]>
henrybear327 force-pushed the ci/improve_update_dep branch from 02bb65a to 4b83871 on January 21, 2025 15:32