Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

detect if API breaks on PR #727

Merged
merged 19 commits into from
Nov 20, 2024
Merged

detect if API breaks on PR #727

merged 19 commits into from
Nov 20, 2024

Conversation

mikemhenry
Copy link
Contributor

@mikemhenry mikemhenry commented Feb 16, 2024

Developers certificate of origin

Copy link

codecov bot commented Feb 16, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.84%. Comparing base (6b3d1a7) to head (f24a252).
Report is 20 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #727      +/-   ##
==========================================
- Coverage   93.42%   92.84%   -0.58%     
==========================================
  Files         134      134              
  Lines        9940     9940              
==========================================
- Hits         9286     9229      -57     
- Misses        654      711      +57     
Flag Coverage Δ
fast-tests 92.84% <ø> (?)
slow-tests ?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.


🚨 Try these New Features:

@mikemhenry
Copy link
Contributor Author

mikemhenry commented Feb 16, 2024

See https://mkdocstrings.github.io/griffe/checking/#detected-breakages

We get errors, but that is because we are breaking things, after the 1.0 tag, we can use this check to make sure we update the change log with breakage.

For example:
https://github.com/OpenFreeEnergy/openfe/actions/runs/7925490023/job/21638754579?pr=727#step:4:65

@mikemhenry mikemhenry marked this pull request as ready for review February 16, 2024 06:39
Copy link
Member

@IAlibay IAlibay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is really cool @mikemhenry - I personally like it.

python-version: "3.12"

- name: Check for API breaks
continue-on-error: true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't remember what side effect this has anymore - does it mean that we get a green tick even if it fails? If so, we should make it loud and not a merge requirement imho. That way we can have the red tick and know that it was API breaking?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay counteroffer, how about if the step fails (which indicates API breakage) a comment is added to the PR saying "This PR breaks API, be sure to add a note in the change log" I was thinking it would be annoying to have a red check if API breaks and you knew it was going to. That way the check will always be green, but it tells us in a more loud way then having to read a CI log file every time.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To do that you'll need to trigger a separate workflow iirc. That can be a bit messy / time consuming. Could this be a follow-up PR?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it needs to trigger a separate workflow. I just added a bit to do that, it worked in 192b5e9 now I just need to add an API break to see if it does what we expect

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mikemhenry is it not that anything that needs secrets (like comment posting) will fail for PRs coming from non-org members unless it's in a pull_request_target workflow type?

@IAlibay IAlibay requested review from atravitz and removed request for richardjgowers October 28, 2024 12:15
Copy link
Contributor

@atravitz atravitz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this! @mikemhenry could you just address this comment before merge?

Copy link

github-actions bot commented Nov 5, 2024

🚨 API breaking changes detected!. 🚨

@mikemhenry
Copy link
Contributor Author

cool, bot posted the comment and the check stayed green, and this is what the output looks like on the action
image
We can refine the bot to update the comment/or do more, but it works!

@mikemhenry mikemhenry self-assigned this Nov 14, 2024
check:
runs-on: ubuntu-latest
permissions:
pull-requests: write
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just as an FYI - last I tried this, it didn't work when the PR comes from a fork.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are correct, which is why we need to use pull_request_target

@mikemhenry
Copy link
Contributor Author

From https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Having said that, mixing pull_request_target with an explicit PR checkout is not always vulnerable. The workflow may, for example:

  • Reformat and commit the code
  • Checkout both base and head repositories and generate a diff
  • Run grep on the checked out source.

Generally speaking, when the PR contents are treated as passive data, i.e. not in a position of influence over the build/testing process, it is safe. But the repository owners must be extra careful not to trigger any script that may operate on PR controlled contents like in the case of npm install.

I believe now that we don't actually build the code in the PR, we should be okay.

@IAlibay IAlibay merged commit e02dc01 into main Nov 20, 2024
11 checks passed
@IAlibay IAlibay deleted the add-api-breaking-detection branch November 20, 2024 14:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants