-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update update_dep.sh #18609
base: main
Are you sure you want to change the base?
Update update_dep.sh #18609
Conversation
3976754
to
c0ba3eb
Compare
@henrybear327, there are some shellcheck warnings in the script. Would you want to draft the PR? And would you like me to continue on top of it? Or do you want to address the issues? |
@ivanvc let's draft the PR and you can probably take over it if you have time to improve it! Hopefully it's a helpful start otherwise you can trash the PR and start from scratch! Thanks! |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted filessee 20 files with indirect coverage changes @@ Coverage Diff @@
## main #18609 +/- ##
==========================================
+ Coverage 68.77% 68.81% +0.04%
==========================================
Files 420 420
Lines 35649 35649
==========================================
+ Hits 24518 24533 +15
+ Misses 9705 9689 -16
- Partials 1426 1427 +1 Continue to review full report in Codecov by Sentry.
|
c0ba3eb
to
4691dfc
Compare
@ivanvc I have fixed the Maybe you can see if this is a good enough quality script to consider now! |
4691dfc
to
f94117c
Compare
scripts/update_dep.sh
Outdated
if grep --exclude-dir=.git --include=\*.mod -Ri -q "^.*${mod} v.*// indirect$"; then | ||
echo "Fully indirect, we will terminate the script" | ||
exit 1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sometimes we still need bump pure indirect dependency, i.e. due to CVE. A couple of approaches:
- raise a question something "XXX is a pure indirect dependency, Are you sure you want to proceed? (y/n):"
- Or we can just print a warning and automatically continue to execute the script. As mentioned in previous comment, it's up to maintainers/contributors whether to bump a pure indirect dependency. If not, then they shouldn't run this script at all.
967bc31
to
f892b05
Compare
@henrybear327: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the pull request, Henry. I haven't had a chance to check it before. I left some comments ✌️
function maybe_update_module { | ||
function print_current_dep_version { | ||
echo "${mod} version in all go mod files" | ||
grep --exclude-dir=.git --include=\*.mod -Ri "^.*${mod} v.*$" | grep -v sum |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By passing --include
to the first grep, I don't think you need to pipe the second grep. It won't match go.sum
files.
I think your regular expression can be simplified to "${mod} v"
. I don't see the value of ^.*
and .*$
, which matches anything before and after. I'd suggest simplifying.
run go mod tidy | ||
|
||
deps=$(go list -f '{{if not .Indirect}}{{if .Version}}{{.Path}},{{.Version}}{{end}}{{end}}' -m all) | ||
deps=$(go list -f '{{if .Version}}{{.Path}},{{.Version}}{{end}}' -m all) | ||
if [[ "$deps" == *"${mod}"* ]]; then | ||
if [ -z "${ver}" ]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the changes from the top of the file
if [ "$#" -ne 2 ]; then
echo "Illegal number of parameters"
exit 1
fi
We will never reach this conditional, as ${ver}
will never be empty.
# check if all lines end with "// indirect" | ||
# if grep found nothing, the error code will be non-zero | ||
ALL=$(grep --exclude-dir=.git --include=\*.mod -Ri "^.*${mod} v.*$" | grep -v sum | wc -l) | ||
ONLY_INDIRECT=$(grep --exclude-dir=.git --include=\*.mod -Ri "^.*${mod} v.*// indirect$" | grep -v sum | wc -l) | ||
if [[ "$ALL" == "$ONLY_INDIRECT" ]]; then | ||
echo "Fully indirect, we will terminate the script" | ||
exit 1 | ||
else | ||
echo "Not fully indirect, we will perform dependency bump" | ||
fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another approach would be to use go list
for this, i.e., something like:
local result
result=$(find . -name go.mod | xargs -I{} /bin/sh -c 'cd $(dirname {}); go list -f "{{if eq .Path \"'"${mod}"'\"}}{{.Indirect}}{{end}}" -m all' | sort | uniq)
if [ "$result" = "true" ] ; then
read -p "Module ${mod} is an indirect dependency. Are you sure you want to update it? [y/N] " -r confirm
[[ "${confirm,,}" == "y" ]] || exit
else
echo "Not fully..."
fi
scripts/update_dep.sh
Outdated
# check all dependencies across all go mod files have the same pinned version respectively | ||
PASSES="dep" ./scripts/test.sh | ||
|
||
go mod tidy | ||
run_for_modules maybe_update_module | ||
./scripts/fix.sh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we invert these steps? Shouldn't it be first fix, then the dep tests?
if [ "$#" -ne 2 ]; then | ||
echo "Illegal number of parameters" | ||
exit 1 | ||
fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This also outdates the documentation at the top of the file 😅
f892b05
to
d26e944
Compare
1e47ce2
to
97d9610
Compare
97d9610
to
401bceb
Compare
612ca28
to
bba5e87
Compare
bba5e87
to
02bb65a
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: henrybear327 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Based on the experience of performing dependency bumps, some minor improvements are made to the script to make it conform to our current dependency bump procedure, listed as follows: - print out the dependency's version before and after the bump - check if the dependency is fully indirect - change the behavior of bumping dependency (doesn't ignore bumping indirect dependency in the go mod files anymore) - check if all dependencies across all go mod files have the same pinned version respectively after bumping a dependency Signed-off-by: Chun-Hung Tseng <[email protected]>
02bb65a
to
4b83871
Compare
Based on the experience of performing dependency bumps, some minor improvements are made to the script to make it conform to our current dependency bump procedure, listed as follows:
Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.