typelevel / sbt-typelevel

Let sbt work for you.
https://typelevel.org/sbt-typelevel/
Apache License 2.0

A `ci` command alias auto-derived from workflow steps #202

Open armanbilge opened 2 years ago

armanbilge commented 2 years ago

As @djspiewak says:

Basically, ci isn't needed all that often, but when you do need it, you really need it. At least I've never worked on any long-lived project at any point in my career that didn't, at some point, need it.

@rossabaker is this relevant at all e.g. when http4s does a release to patch a CVE? IIRC those are done manually, but is there a reason they can't/aren't done from CI?

Ross also had an idea in https://github.com/typelevel/sbt-typelevel/pull/65#issuecomment-1008422048 to make ci a task rather than a command.

I pointed out in https://github.com/typelevel/sbt-typelevel/pull/65#issuecomment-1008426170 that it's difficult/impossible to manipulate an opaque ci command and punted the issue. Early milestones of sbt-typelevel worked like this and it was annoying being unable to add a step to ci without redefining the entire command.

In any case, since the source-of-truth for CI is the workflow, and the plugin knows the workflow, we should be able to derive the ci command automatically. I've definitely thought about this but I'm not sure I have the sbt-fu to pull this off myself 😅

One thing that seems tricky to me is how this would interact with additional CI jobs added to the workflow e.g. as suggested in https://github.com/typelevel/sbt-typelevel/issues/93.
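The following build.sbt sketch is an added illustration of the derivation floated above, not code from sbt-typelevel or from any participant in this thread. It assumes the plugin's public keys and types as they exist at the time of writing (githubWorkflowGeneratedCI set at ThisBuild scope, a build job with id "build", and WorkflowStep.Sbt carrying its commands in a `commands` field); everything else, including the alias name and the choice to ignore step conditions, is the example's own.

```scala
// build.sbt sketch: derive the "ci" alias from the sbt steps of the generated
// "build" job, so the local alias cannot drift away from what CI actually runs.
// Added illustration; not sbt-typelevel's own code.
import org.typelevel.sbt.gha._

Global / onLoad := {
  // Assumption: the plugin sets githubWorkflowGeneratedCI at ThisBuild scope
  // and names the main job "build".
  val buildSteps = (ThisBuild / githubWorkflowGeneratedCI).value
    .filter(_.id == "build")
    .flatMap(_.steps)

  // Keep only the sbt invocations; `uses:` steps (checkout, setup-java, cache)
  // have no local equivalent. Step conditions (e.g. "primary Java only") are
  // deliberately ignored so that a local run is a superset of CI: it is better
  // to run MiMa redundantly than to forget it during a manual release.
  val ciCommands = buildSteps.collect {
    case s: WorkflowStep.Sbt => s.commands
  }.flatten

  val previous = (Global / onLoad).value
  previous.andThen { state =>
    // Register the alias on every (re)load. Because it is computed from the
    // same setting that produces ci.yml, adding a step to githubWorkflowBuild
    // extends `sbt ci` without redefining the whole command.
    BasicCommands.addAlias(state, "ci", ciCommands.mkString("; ", "; ", ""))
  }
}
```

Running `sbt ci` after loading the build then executes exactly the sbt commands that the generated workflow would, which is the property wanted for a manual CVE release where nothing else is checking. The open question raised next (extra jobs added to the workflow) is visible in the filter on `_.id == "build"`: steps in other jobs are not picked up by this sketch.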

rossabaker commented 2 years ago

CVE releases are done manually so a binary is available in Maven Central before the vulnerability is publicly disclosed.

They are a bit dangerous because it's easy to forget a step, particularly MiMa. I suppose this is why we'd want a ci that is reasonably authentic.

armanbilge commented 2 years ago

What I don't understand is why you can't just do the release from CI in the private fork that's used to work on the issue?

rossabaker commented 2 years ago

CI doesn't run on the private fork.

armanbilge commented 2 years ago

Oh, I didn't realize that. Yeesh, so you really really do need a ci command because otherwise nobody is checking ...

Edit:

To keep information about vulnerabilities secure, integrations, including CI, cannot access temporary private forks.

https://docs.github.com/en/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability#creating-a-temporary-private-fork

Yeah, I guess it makes sense.

armanbilge commented 2 years ago

TIL about https://github.com/nektos/act for running GHA workflows locally. It has a Nix-thingy therefore Ross will like it 😝