workflows/labels: manage approval labels#415259
workflows/labels: manage approval labels#415259wolfgangwalther merged 3 commits intoNixOS:masterfrom
Conversation
github-actions
bot
added
6.topic: continuous integration
nix-owners
bot
requested review from
LeSuisse,
Mic92,
azuwis,
infinisil,
mweinelt,
philiptaron,
risicle and
zowoq
github-actions
bot
added
10.rebuild-darwin: 0
There was a problem hiding this comment.
I think the status-quo, automated (?) by @wegank, is different though.
I believe the current automation has been inconsistent with whether or not it counts stale reviews.
I don't think we need to get too hung up on maintaining the exact status quo of an unofficial labeling bot 🙂
I assume we'll want that behavior and we should implement it as a branch protection rule
Note there are actually two very similar protection/ruleset rules:
-
Dismiss stale pull request approvals when new commits are pushed
New, reviewable commits pushed will dismiss previous pull request review approvals. -
Require approval of the most recent reviewable push
Whether the most recent reviewable push must be approved by someone other than the person who pushed it.
These are related but subtly different; one relates to whether "old" approvals still count, the other relates to "who" can sign off the latest code.
Personally, I find the label more useful when it includes all approvals, even if they didn't approve the very latest code.
I'd be in favour of this PR counting all approvals; outdated or not, and by committers or not. IIUC that is how the PR behaves currently?
I think follow-up PRs/issues could discuss whether we want to add another label for "up-to-date approvals" and/or formalise what exactly counts as an "approval" for the existing label. Whether and what branch protection/rulesets we want should also be a separate discussion.
How is
12.approved-by: package-maintainerto be defined? [...] I went with "at least one reviewer needs to maintain at least one of the touched packages" to add this label.
SGTM
Not necessarily, no - but it was the only data point I found, so far, about which behavior to prefer.
Yeah, I'm not suggesting to require approvals before merge, so the second option doesn't apply. This would be another different discussion.
Correct.
Fine by me, we'd just make sure that this automation doesn't conflict with other automation approaches, flipping labels back and forth. So those would need to be disabled. |
wolfgangwalther
force-pushed
the
ci-approvals
branch
from
46d9fdf to
cd0de05
Compare
You mean that https://github.com/wolfgangbot/ isn't yet under your control?! 🫢 |
philiptaron
left a comment
philiptaron
left a comment
There was a problem hiding this comment.
A few curious questions.
This brings back the "minimize CI reviews after dismissal" job that was previously removed. The first time around, we had a single job triggered by the `pull_request_review` event. This lacks permission to do meaningful stuff, though. This time, we trigger an empty no-op job on `pull_request_review` and then run a second workflow on `workflow_run`. This can run with the proper permissions.
This moves the actual labeling from the eval workflow to the labels workflow. At this stage, this only has a disadvantage: Adding the topic-labels to the pull request will now only happen after eval has finished, instead of instantly. We will only benefit from this later, when we manage approval related events. With this change, we will have the comparison results and thus the package maintainer info available.
The category 12 labels for number of approvals and approved by package maintainer are now automatically managed by the labels workflow. The logic is slightly different from the "by: package-maintainer" label. For approval, it's enough if *any one* maintainer approves the PR to have the label added, even if the PR touches multiple packages. The workflow only counts approved reviews, no matter whether there had been a push in the meantime or not. To achieve the currently used logic of "expiring approvals after push", we will have to set up a branch protection rule, which actually dismissed those reviews automatically.
wolfgangwalther
force-pushed
the
ci-approvals
branch
from
cd0de05 to
5f09e16
Compare
|
Also added the default shell bash introduced in #415680 to the new workflows. |
wegank
added
12.approved-by: package-maintainer
|
Makes me smile on this PR :) But a question related to that, @wegank: Was this automated and if yes, what's the rule you're looking at? This would not be labeled Thus - are you using codeowners as a reference, too? |
Yeah, actually I was abusing the label, as it was added when someone pinged by nix-owners gave their approval... |
|
Ah, interesting logic. I see multiple options here:
Any preference, anyone? |
This is my preference, but I'm happy for it do be done in another PR if that unblocks this one and/or makes it easier to review |
|
Yeah, to be able to handle codeowners, the codeowner workflow would first have to be integrated with eval/reviewers/labelling. I have some preliminary work in #411409, but that has stalled a bit with no clear path forward. |
|
I think this is as good as it gets for now - we will get the best feedback by just running it. Will merge later today, when I have the time to monitor this in action. |
|
Successfully created backport PR for |
|
Successfully created backport PR for |
github-actions
bot
added
the
8.has: port to stable
|
So one thing that happens: External or first-time contributors (only saw it for the latter, not sure, yet) can't run those This only affects the labeling, and only after a review submission. On creation of the PR and force push, the labels (including approvals) will still be added, but not for reviews - until those workflows are approved. This affects all contributors, even committers, posting a review on those PRs - whether this needs approval or not is about the PR creator. I'm not sure, yet, whether a one-time approval is enough or whether that needs to be repeated after a force push. Whose PRs are affected depends on this setting in Actions / General:
@infinisil could you clarify what this is set to for nixpkgs? |
This needs to be repeated after each force-push, just tested. This is annoying, because it means that approved PRs of first-time contributors will regularly not have approval labels set :/ |
This is annoying, I expect "require approval" is enabled because some workflow events are insecure when run from untrusted forks; the same reason I assume the scenario GitHub is protecting us from is a user modifying a I believe users could also add entirely new workflows to their fork and run them on PRs to the main repo, if not for these security settings? Although from a security perspective there's little difference between a fork having additional workflows and a fork having modified workflows. The details are documented under
Based on that wording, it sounds like |
Both correct.
I think the difference is in terms of whose resources are used. Anybody could create pull_request workflows in a PR and do bad things like mining crypto or whatever.
Correct. So yeah, the very same reason why we need to make this whole dance with I see two ways to deal with that here:
The latter would also be required if we want to manage the "merge conflict" label via actions as well. Edit: Of course, a hybrid approach would also work. Still keep the review event, so we get quick labeling for known contributors - but then come back periodically and update PRs for first-time contributors as well. Not sure whether we could get rid of the "Some workflows need approval" button in the PRs, though. |
This sounds reasonable. It's frustrating that we can't use events to trigger adding labels without running into permission/security issues, but using
This could also work. Maybe start of with a simple |
Yes, I was thinking about "1 hour" as well. This workflow could also implement something like a "one hour self-merge cooldown" mentioned in NixOS/org#122 (comment), which also only works with a scheduled workflow. Plenty of things we can make use of a scheduled workflow for!
Well, we already have the I'd still look into setting up a scheduled workflow at the same time. |
|
I’m really excited about the scheduled workflow for efficiency reasons as well. Being able to batch these and similar low priority jobs together is absolutely a win for efficiency which lets them do substantially more work across a substantially greater set of PRS then they would otherwise. The fact that it might be required for correctness or availability reasons is just another motivating factor. |
To really benefit from the efficiency gain we'd have to drop the This may be safer from a security perspective too, since we won't be running workflows from the fork's context. I don't feel strongly on if we should have a hybrid approach or exclusively use |
That's true and tips the scale for me - the workflow_run stuff is really a bit odd. |
|
Also, the workflow_run stuff doesn't seem to be that reliable:
It should have added the label after the approval already, but only did after the force push. |
4 participants
This enables the
labelsworkflow to manage the12.approvals: ?and12.approved-by: package-maintainerlabels. Two challenges had to be solved for that:pull_request_reviewevents run without permissions. We noticed this in workflows/dismissed-review: drop #413256 already and I summarized it in Automate approval badges update through GitHub action #307917 (comment) as well.The missing permissions are solved by running the labels workflow on
workflow_run- which triggers on completion of a no-oppull_request_reviewworkflow. This also allows us to bring back #413256, so did that in the first commit, verifying the approach.To get the eval results, the label workflow is now run after Eval as a reusable workflow. This means labeling will happen with a delay, compared to the status-quo, but I don't see this as a problem. The labels workflow is triggered after Eval and after any approval or dismissal of reviews.
Currently, the approach to count approvals is based on pure number of approved reviews, without taking "push after review" as invalidation into account. I think the status-quo, automated (?) by @wegank, is different though. I assume we'll want that behavior and we should implement it as a branch protection rule, which reads:
This will also give us better feedback in GitHub's UI than right now, where we remove the approvals label, but still see the approvals in the reviewers list. The branch protection rule should dismiss them entirely.
Also to consider: How is
12.approved-by: package-maintainerto be defined? We defined11.by: package-maintaineras "the PR author must be maintainer of all touched packages". I don't think this definition makes sense for the approval label (and doesn't seem to be used like this in practice right now). So I went with "at least one reviewer needs to maintain at least one of the touched packages" to add this label.Resolves #307917.
Things done
It's hard to test it in my own fork, because I can't approve my own PRs. I did some basic testing with approvals created by CI, though - this should work. I did not test the different scenarios of "approving while eval is still running", "approval after eval ran", "dismissal" etc. - but they all just trigger the same workflow without any special conditions. So I'm fairly confident it should work.
Add a 👍 reaction to pull requests you find important.