Move cargo-deny into a separate workflow on a schedule #10289

Open
wants to merge 6 commits into
base: main

jcgruenhage
Member

@jcgruenhage jcgruenhage commented Jan 7, 2025

Problem

There are two (related) problems with the previous handling of cargo-deny:

  • When a new advisory is added to rustsec that affects a dependency, unrelated pull requests will fail.
  • New advisories rely on pushes or PRs to be surfaced. Problems that already exist on main will only be found if we try to merge new things into main.

Summary of changes

We split out cargo-deny into a separate workflow that runs on all PRs that touch Cargo.lock, and on a schedule on main, release, release-compute and release-proxy to find new advisories.

@jcgruenhage jcgruenhage force-pushed the jcgruenhage/cargo-deny-schedule branch from 6e2aa6a to f83d74a Compare January 7, 2025 11:23

github-actions bot commented Jan 7, 2025

7403 tests run: 7017 passed, 0 failed, 386 skipped (full report)


Flaky tests (3)

Postgres 16

Postgres 15

Code coverage* (full report)

  • functions: 33.5% (8488 of 25340 functions)
  • lines: 49.3% (71418 of 144804 lines)

* collected from Rust tests only


The comment gets automatically updated with the latest test results
ae45eff at 2025-01-24T10:04:38.828Z :recycle:

@arpad-m
Member

arpad-m commented Jan 8, 2025

Great idea! We should probably talk about which team needs to ensure a "healthy" cargo-deny state, should it fail.

skip release-compute here, as this is not a rust release.

note that the compute image includes rust components as well. Both postgres plugins written in Rust (which are built via git clone + cargo build, so are not managed by the Cargo.lock in this repo), as well as stuff from the compute_tools crate, which is managed by Cargo.lock.

@jcgruenhage jcgruenhage force-pushed the jcgruenhage/cargo-deny-schedule branch 5 times, most recently from 95947bc to bf20692 Compare January 23, 2025 12:00
.github/workflows/cargo-deny.yml (outdated)
Comment on lines 3 to 10
on:
pull_request:
paths:
- 'Cargo.lock'
schedule:
- cron: '0 0 * * *'
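Review bot: the `paths` filter under `pull_request` lists only `Cargo.lock`, so a pull request that changes the cargo-deny configuration or this workflow file itself would merge without the check running; consider adding those paths to the list. Minor: `cron: '0 0 * * *'` starts at the top of the hour, when GitHub delays scheduled runs most often, so an off-the-hour minute would make the nightly run more predictable.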
Member

For PRs we don't want to have a separate workflow, but rather explicitly call a reusable workflow from the build_and_test workflow, reasoning is here:

# This job simplifies setting branch protection rules (in GitHub UI)
# by allowing to set only this job instead of listing many others.
# It also makes it easier to rename or parametrise jobs (using matrix)
# which requires changes in branch protection rules
#
# Note, that we can't add external check (like `neon-cloud-e2e`) we still need to use GitHub UI for that.
#
# https://github.com/neondatabase/neon/settings/branch_protection_rules
conclusion:

Member Author

This makes the bit of filtering it to Cargo.lock changes a bit more complex, but is still doable. In some places we use tj-actions/changed-files (4 results), in others we use dorny/paths-filter (18 results). Should we standardize on one action for this?
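
The layout discussed in the two comments above, as an added example that is not the PR's actual files: a reusable cargo-deny workflow that also runs nightly, and a caller that gates it on `Cargo.lock` changes with dorny/paths-filter. File paths, job names, action versions and the use of EmbarkStudios/cargo-deny-action are assumptions.

```yaml
# ADDED EXAMPLE, not the project's workflow. Two hypothetical files in one block.
# --- File 1 (assumed path): .github/workflows/cargo-deny.yml ---
name: cargo-deny
on:
  workflow_call:            # lets the PR pipeline invoke this as a reusable workflow
  schedule:
    - cron: '0 0 * * *'     # scheduled runs always start from the default branch
jobs:
  cargo-deny:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false      # an advisory on one branch must not hide the others
      matrix:
        # Nightly: the branches named in the PR description. Called from a PR: the commit under test.
        ref: ${{ fromJSON(github.event_name == 'schedule' && '["main","release","release-compute","release-proxy"]' || format('["{0}"]', github.sha)) }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ matrix.ref }}
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check
---
# --- File 2 (assumed excerpt): jobs in the build_and_test workflow ---
jobs:
  lockfile-changed:
    runs-on: ubuntu-latest
    outputs:
      changed: ${{ steps.filter.outputs.lockfile }}
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            lockfile:
              - 'Cargo.lock'
  cargo-deny:
    needs: lockfile-changed
    if: needs.lockfile-changed.outputs.changed == 'true'
    uses: ./.github/workflows/cargo-deny.yml
  conclusion:               # the single job that branch protection requires
    if: always()
    needs: [cargo-deny]
    runs-on: ubuntu-latest
    steps:
      - if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: exit 1
```

A skipped `cargo-deny` job reports `skipped`, not `failure`, so pull requests that leave `Cargo.lock` untouched still pass `conclusion`.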

@jcgruenhage jcgruenhage force-pushed the jcgruenhage/cargo-deny-schedule branch from 72f54d9 to b31ed90 Compare January 23, 2025 14:19
@jcgruenhage jcgruenhage marked this pull request as ready for review January 23, 2025 14:21
@jcgruenhage jcgruenhage requested a review from a team as a code owner January 23, 2025 14:21
@jcgruenhage jcgruenhage requested a review from bayandin January 23, 2025 14:21
@jcgruenhage jcgruenhage force-pushed the jcgruenhage/cargo-deny-schedule branch from 48e22c5 to ae45eff Compare January 24, 2025 08:57