* [PATCH 0/2] check-whitespace: two fixes
@ 2021-07-14 22:09 Johannes Schindelin via GitGitGadget
2021-07-14 22:09 ` [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token Johannes Schindelin via GitGitGadget
2021-07-14 22:09 ` [PATCH 2/2] ci(check-whitespace): restrict to the intended commits Johannes Schindelin via GitGitGadget
0 siblings, 2 replies; 8+ messages in thread
From: Johannes Schindelin via GitGitGadget @ 2021-07-14 22:09 UTC (permalink / raw)
To: git; +Cc: Chris. Webster, Johannes Schindelin
I recently ran into a situation where a merge commit (which admittedly are
undesirable in git/git and gitgitgadget/git Pull Requests, but are sometimes
totally appropriate in the context of other forks such as
git-for-windows/git) misled the logic in the check-whitespace workflow to
look at upstream commits (and missing some patches that it should have
looked at).
At the same time, I also realized that the feature where this workflow adds
a PR comment in an attempt to be more helpful requires a read/write token
(which weakens the overall security, I'd much rather stay with the read-only
token configured e.g. in gitgitgadget/git and in git-for-windows/git).
This patch series addresses both issues.
Johannes Schindelin (2):
ci(check-whitespace): stop requiring a read/write token
ci(check-whitespace): restrict to the intended commits
.github/workflows/check-whitespace.yml | 26 ++------------------------
1 file changed, 2 insertions(+), 24 deletions(-)
base-commit: ebf3c04b262aa27fbb97f8a0156c2347fecafafb
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-995%2Fdscho%2Ffix-check-whitespace-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-995/dscho/fix-check-whitespace-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/995
--
gitgitgadget
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token
2021-07-14 22:09 [PATCH 0/2] check-whitespace: two fixes Johannes Schindelin via GitGitGadget
@ 2021-07-14 22:09 ` Johannes Schindelin via GitGitGadget
2021-07-14 22:20 ` Junio C Hamano
2021-07-14 22:09 ` [PATCH 2/2] ci(check-whitespace): restrict to the intended commits Johannes Schindelin via GitGitGadget
1 sibling, 1 reply; 8+ messages in thread
From: Johannes Schindelin via GitGitGadget @ 2021-07-14 22:09 UTC (permalink / raw)
To: git; +Cc: Chris. Webster, Johannes Schindelin, Johannes Schindelin
From: Johannes Schindelin <johannes.schindelin@gmx.de>
As part of some recent security tightening, GitHub introduced the
ability to configure GitHub workflows to be run with a read-only token.
This is much more secure, in particular when working in a public
repository: While the regular read/write token might be restricted to
writing to the current branch, it is not necessarily restricted to
access only the current Pull Request.
However, the `check-whitespace` workflow threw a wrench into this plan:
it _requires_ write access (because it wants to add a PR comment in case
of a whitespace issue).
Let's just skip that PR comment. The user can always click through to
the actual error, even if it is slightly less convenient.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
.github/workflows/check-whitespace.yml | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/.github/workflows/check-whitespace.yml b/.github/workflows/check-whitespace.yml
index f1483059c76..c53614d6033 100644
--- a/.github/workflows/check-whitespace.yml
+++ b/.github/workflows/check-whitespace.yml
@@ -51,21 +51,5 @@ jobs:
if test -n "${log}"
then
- echo "::set-output name=checkout::"${log}""
exit 2
fi
-
- - name: Add Check Output as Comment
- uses: actions/github-script@v3
- id: add-comment
- env:
- log: ${{ steps.check_out.outputs.checkout }}
- with:
- script: |
- await github.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: `Whitespace errors found in workflow ${{ github.workflow }}:\n\n\`\`\`\n${process.env.log.replace(/\\n/g, "\n")}\n\`\`\``
- })
- if: ${{ failure() }}
--
gitgitgadget
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/2] ci(check-whitespace): restrict to the intended commits
2021-07-14 22:09 [PATCH 0/2] check-whitespace: two fixes Johannes Schindelin via GitGitGadget
2021-07-14 22:09 ` [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token Johannes Schindelin via GitGitGadget
@ 2021-07-14 22:09 ` Johannes Schindelin via GitGitGadget
2021-07-14 22:25 ` Junio C Hamano
1 sibling, 1 reply; 8+ messages in thread
From: Johannes Schindelin via GitGitGadget @ 2021-07-14 22:09 UTC (permalink / raw)
To: git; +Cc: Chris. Webster, Johannes Schindelin, Johannes Schindelin
From: Johannes Schindelin <johannes.schindelin@gmx.de>
During a run of the `check-whitespace` we want to verify that the
commits introduced in the Pull Request have no whitespace issues. We
only want to look at those commits, not the upstream commits (because
the contributor cannot do anything about the latter).
However, by using the `-<count>` form in `git log --check`, we run the
risk of looking at the wrong commits. The reason is that the
`actions/checkout` step does _not_ check out the tip commit of the Pull
Request's branch: Instead, it checks out a merge commit that merges that
branch into the target branch. For that reason, we already adjust the
commit count by incrementing it, but that is not enough: if the upstream
branch has newer commits, they are traversed _first_. And obviously we
will then miss some of the commits that we _actually_ wanted to look at.
Therefore, let's be careful to stop assuming a linear, up to date commit
topology in the contributed commits, and instead specify the correct
commit range.
Unfortunately, this means that we no longer can rely on a shallow clone:
There is no way of knowing just how many commits the upstream branch
advanced after the commit from which the PR branch branched off. So
let's just go with a full clone instead, and be safe rather than sorry
(if we have "too shallow" a situation, a commit range `@{u}..` may very
well include a shallow commit itself, and the output of `git show
--check <shallow>` is _not_ pretty).
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
.github/workflows/check-whitespace.yml | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/check-whitespace.yml b/.github/workflows/check-whitespace.yml
index c53614d6033..8c4358d805c 100644
--- a/.github/workflows/check-whitespace.yml
+++ b/.github/workflows/check-whitespace.yml
@@ -12,15 +12,9 @@ jobs:
check-whitespace:
runs-on: ubuntu-latest
steps:
- - name: Set commit count
- shell: bash
- run: echo "COMMIT_DEPTH=$((1+$COMMITS))" >>$GITHUB_ENV
- env:
- COMMITS: ${{ github.event.pull_request.commits }}
-
- uses: actions/checkout@v2
with:
- fetch-depth: ${{ env.COMMIT_DEPTH }}
+ fetch-depth: 0
- name: git log --check
id: check_out
@@ -47,7 +41,7 @@ jobs:
echo "${dash} ${etc}"
;;
esac
- done <<< $(git log --check --pretty=format:"---% h% s" -${{github.event.pull_request.commits}})
+ done <<< $(git log --check --pretty=format:"---% h% s" ${{github.event.pull_request.base.sha}}..)
if test -n "${log}"
then
--
gitgitgadget
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token
2021-07-14 22:09 ` [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token Johannes Schindelin via GitGitGadget
@ 2021-07-14 22:20 ` Junio C Hamano
0 siblings, 0 replies; 8+ messages in thread
From: Junio C Hamano @ 2021-07-14 22:20 UTC (permalink / raw)
To: Johannes Schindelin via GitGitGadget
Cc: git, Chris. Webster, Johannes Schindelin
"Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>
writes:
> However, the `check-whitespace` workflow threw a wrench into this plan:
> it _requires_ write access (because it wants to add a PR comment in case
> of a whitespace issue).
OK.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] ci(check-whitespace): restrict to the intended commits
2021-07-14 22:09 ` [PATCH 2/2] ci(check-whitespace): restrict to the intended commits Johannes Schindelin via GitGitGadget
@ 2021-07-14 22:25 ` Junio C Hamano
2021-07-14 22:29 ` Taylor Blau
2021-07-15 12:59 ` Johannes Schindelin
0 siblings, 2 replies; 8+ messages in thread
From: Junio C Hamano @ 2021-07-14 22:25 UTC (permalink / raw)
To: Johannes Schindelin via GitGitGadget
Cc: git, Chris. Webster, Johannes Schindelin
"Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>
writes:
> Unfortunately, this means that we no longer can rely on a shallow clone:
> There is no way of knowing just how many commits the upstream branch
> advanced after the commit from which the PR branch branched off. So
> let's just go with a full clone instead, and be safe rather than sorry
> (if we have "too shallow" a situation, a commit range `@{u}..` may very
> well include a shallow commit itself, and the output of `git show
> --check <shallow>` is _not_ pretty).
Makes sense.
As long as you have pull-request base, I suspect that you could
shallow clone the base and incrementally fetch the rest to update,
perhaps? But I do not know if it is worth doing so for a small
project like ours.
Thanks.
> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
> ---
> .github/workflows/check-whitespace.yml | 10 ++--------
> 1 file changed, 2 insertions(+), 8 deletions(-)
>
> diff --git a/.github/workflows/check-whitespace.yml b/.github/workflows/check-whitespace.yml
> index c53614d6033..8c4358d805c 100644
> --- a/.github/workflows/check-whitespace.yml
> +++ b/.github/workflows/check-whitespace.yml
> @@ -12,15 +12,9 @@ jobs:
> check-whitespace:
> runs-on: ubuntu-latest
> steps:
> - - name: Set commit count
> - shell: bash
> - run: echo "COMMIT_DEPTH=$((1+$COMMITS))" >>$GITHUB_ENV
> - env:
> - COMMITS: ${{ github.event.pull_request.commits }}
> -
> - uses: actions/checkout@v2
> with:
> - fetch-depth: ${{ env.COMMIT_DEPTH }}
> + fetch-depth: 0
>
> - name: git log --check
> id: check_out
> @@ -47,7 +41,7 @@ jobs:
> echo "${dash} ${etc}"
> ;;
> esac
> - done <<< $(git log --check --pretty=format:"---% h% s" -${{github.event.pull_request.commits}})
> + done <<< $(git log --check --pretty=format:"---% h% s" ${{github.event.pull_request.base.sha}}..)
>
> if test -n "${log}"
> then
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] ci(check-whitespace): restrict to the intended commits
2021-07-14 22:25 ` Junio C Hamano
@ 2021-07-14 22:29 ` Taylor Blau
2021-07-15 13:00 ` Johannes Schindelin
2021-07-15 12:59 ` Johannes Schindelin
1 sibling, 1 reply; 8+ messages in thread
From: Taylor Blau @ 2021-07-14 22:29 UTC (permalink / raw)
To: Junio C Hamano, F
Cc: Johannes Schindelin via GitGitGadget, git, Chris. Webster,
Johannes Schindelin
On Wed, Jul 14, 2021 at 03:25:15PM -0700, Junio C Hamano wrote:
> "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>
> writes:
>
> > Unfortunately, this means that we no longer can rely on a shallow clone:
> > There is no way of knowing just how many commits the upstream branch
> > advanced after the commit from which the PR branch branched off. So
> > let's just go with a full clone instead, and be safe rather than sorry
> > (if we have "too shallow" a situation, a commit range `@{u}..` may very
> > well include a shallow commit itself, and the output of `git show
> > --check <shallow>` is _not_ pretty).
>
> Makes sense.
>
> As long as you have pull-request base, I suspect that you could
> shallow clone the base and incrementally fetch the rest to update,
> perhaps? But I do not know if it is worth doing so for a small
> project like ours.
Agreed, and...
> > - uses: actions/checkout@v2
> > with:
> > - fetch-depth: ${{ env.COMMIT_DEPTH }}
> > + fetch-depth: 0
...I wondered whether "fetch-depth: 0" was the default and whether or
not this hunk could have just removed "fetch-depth" entirely. But the
default is "1", and "0" means "fetch everything". So we really do need
it.
Thanks,
Taylor
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] ci(check-whitespace): restrict to the intended commits
2021-07-14 22:25 ` Junio C Hamano
2021-07-14 22:29 ` Taylor Blau
@ 2021-07-15 12:59 ` Johannes Schindelin
1 sibling, 0 replies; 8+ messages in thread
From: Johannes Schindelin @ 2021-07-15 12:59 UTC (permalink / raw)
To: Junio C Hamano; +Cc: Johannes Schindelin via GitGitGadget, git, Chris. Webster
Hi Junio,
On Wed, 14 Jul 2021, Junio C Hamano wrote:
> "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>
> writes:
>
> > Unfortunately, this means that we no longer can rely on a shallow clone:
> > There is no way of knowing just how many commits the upstream branch
> > advanced after the commit from which the PR branch branched off. So
> > let's just go with a full clone instead, and be safe rather than sorry
> > (if we have "too shallow" a situation, a commit range `@{u}..` may very
> > well include a shallow commit itself, and the output of `git show
> > --check <shallow>` is _not_ pretty).
>
> Makes sense.
>
> As long as you have pull-request base, I suspect that you could
> shallow clone the base and incrementally fetch the rest to update,
> perhaps?
Fetching into shallow clones is very expensive on the server. I want to
avoid that whenever possible.
> But I do not know if it is worth doing so for a small project like ours.
And then there's that.
Ciao,
Dscho
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] ci(check-whitespace): restrict to the intended commits
2021-07-14 22:29 ` Taylor Blau
@ 2021-07-15 13:00 ` Johannes Schindelin
0 siblings, 0 replies; 8+ messages in thread
From: Johannes Schindelin @ 2021-07-15 13:00 UTC (permalink / raw)
To: Taylor Blau
Cc: Junio C Hamano, Johannes Schindelin via GitGitGadget, git,
Chris. Webster
Hi Taylor,
On Wed, 14 Jul 2021, Taylor Blau wrote:
> On Wed, Jul 14, 2021 at 03:25:15PM -0700, Junio C Hamano wrote:
> > "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>
> > writes:
> >
> > > Unfortunately, this means that we no longer can rely on a shallow clone:
> > > There is no way of knowing just how many commits the upstream branch
> > > advanced after the commit from which the PR branch branched off. So
> > > let's just go with a full clone instead, and be safe rather than sorry
> > > (if we have "too shallow" a situation, a commit range `@{u}..` may very
> > > well include a shallow commit itself, and the output of `git show
> > > --check <shallow>` is _not_ pretty).
> >
> > Makes sense.
> >
> > As long as you have pull-request base, I suspect that you could
> > shallow clone the base and incrementally fetch the rest to update,
> > perhaps? But I do not know if it is worth doing so for a small
> > project like ours.
>
> Agreed, and...
>
> > > - uses: actions/checkout@v2
> > > with:
> > > - fetch-depth: ${{ env.COMMIT_DEPTH }}
> > > + fetch-depth: 0
>
> ...I wondered whether "fetch-depth: 0" was the default and whether or
> not this hunk could have just removed "fetch-depth" entirely. But the
> default is "1", and "0" means "fetch everything". So we really do need
> it.
Indeed. One of the things that makes `action/checkout@v2` so much faster
than `@v1` is that it fetches shallow by default. But we can't have that
here.
Ciao,
Dscho
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2021-07-15 13:00 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-14 22:09 [PATCH 0/2] check-whitespace: two fixes Johannes Schindelin via GitGitGadget
2021-07-14 22:09 ` [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token Johannes Schindelin via GitGitGadget
2021-07-14 22:20 ` Junio C Hamano
2021-07-14 22:09 ` [PATCH 2/2] ci(check-whitespace): restrict to the intended commits Johannes Schindelin via GitGitGadget
2021-07-14 22:25 ` Junio C Hamano
2021-07-14 22:29 ` Taylor Blau
2021-07-15 13:00 ` Johannes Schindelin
2021-07-15 12:59 ` Johannes Schindelin
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).