* [PATCH 0/2] check-whitespace: two fixes @ 2021-07-14 22:09 Johannes Schindelin via GitGitGadget 2021-07-14 22:09 ` [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token Johannes Schindelin via GitGitGadget 2021-07-14 22:09 ` [PATCH 2/2] ci(check-whitespace): restrict to the intended commits Johannes Schindelin via GitGitGadget 0 siblings, 2 replies; 8+ messages in thread From: Johannes Schindelin via GitGitGadget @ 2021-07-14 22:09 UTC (permalink / raw) To: git; +Cc: Chris. Webster, Johannes Schindelin I recently ran into a situation where a merge commit (which admittedly are undesirable in git/git and gitgitgadget/git Pull Requests, but are sometimes totally appropriate in the context of other forks such as git-for-windows/git) misled the logic in the check-whitespace workflow to look at upstream commits (and missing some patches that it should have looked at). At the same time, I also realized that the feature where this workflow adds a PR comment in an attempt to be more helpful requires a read/write token (which weakens the overall security, I'd much rather stay with the read-only token configured e.g. in gitgitgadget/git and in git-for-windows/git). This patch series addresses both issues. Johannes Schindelin (2): ci(check-whitespace): stop requiring a read/write token ci(check-whitespace): restrict to the intended commits .github/workflows/check-whitespace.yml | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) base-commit: ebf3c04b262aa27fbb97f8a0156c2347fecafafb Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-995%2Fdscho%2Ffix-check-whitespace-v1 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-995/dscho/fix-check-whitespace-v1 Pull-Request: https://github.com/gitgitgadget/git/pull/995 -- gitgitgadget ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token 2021-07-14 22:09 [PATCH 0/2] check-whitespace: two fixes Johannes Schindelin via GitGitGadget @ 2021-07-14 22:09 ` Johannes Schindelin via GitGitGadget 2021-07-14 22:20 ` Junio C Hamano 2021-07-14 22:09 ` [PATCH 2/2] ci(check-whitespace): restrict to the intended commits Johannes Schindelin via GitGitGadget 1 sibling, 1 reply; 8+ messages in thread From: Johannes Schindelin via GitGitGadget @ 2021-07-14 22:09 UTC (permalink / raw) To: git; +Cc: Chris. Webster, Johannes Schindelin, Johannes Schindelin From: Johannes Schindelin <johannes.schindelin@gmx.de> As part of some recent security tightening, GitHub introduced the ability to configure GitHub workflows to be run with a read-only token. This is much more secure, in particular when working in a public repository: While the regular read/write token might be restricted to writing to the current branch, it is not necessarily restricted to access only the current Pull Request. However, the `check-whitespace` workflow threw a wrench into this plan: it _requires_ write access (because it wants to add a PR comment in case of a whitespace issue). Let's just skip that PR comment. The user can always click through to the actual error, even if it is slightly less convenient. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> --- .github/workflows/check-whitespace.yml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/.github/workflows/check-whitespace.yml b/.github/workflows/check-whitespace.yml index f1483059c76..c53614d6033 100644 --- a/.github/workflows/check-whitespace.yml +++ b/.github/workflows/check-whitespace.yml @@ -51,21 +51,5 @@ jobs: if test -n "${log}" then - echo "::set-output name=checkout::"${log}"" exit 2 fi - - - name: Add Check Output as Comment - uses: actions/github-script@v3 - id: add-comment - env: - log: ${{ steps.check_out.outputs.checkout }} - with: - script: | - await github.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: `Whitespace errors found in workflow ${{ github.workflow }}:\n\n\`\`\`\n${process.env.log.replace(/\\n/g, "\n")}\n\`\`\`` - }) - if: ${{ failure() }} -- gitgitgadget ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token 2021-07-14 22:09 ` [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token Johannes Schindelin via GitGitGadget @ 2021-07-14 22:20 ` Junio C Hamano 0 siblings, 0 replies; 8+ messages in thread From: Junio C Hamano @ 2021-07-14 22:20 UTC (permalink / raw) To: Johannes Schindelin via GitGitGadget Cc: git, Chris. Webster, Johannes Schindelin "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com> writes: > However, the `check-whitespace` workflow threw a wrench into this plan: > it _requires_ write access (because it wants to add a PR comment in case > of a whitespace issue). OK. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 2/2] ci(check-whitespace): restrict to the intended commits 2021-07-14 22:09 [PATCH 0/2] check-whitespace: two fixes Johannes Schindelin via GitGitGadget 2021-07-14 22:09 ` [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token Johannes Schindelin via GitGitGadget @ 2021-07-14 22:09 ` Johannes Schindelin via GitGitGadget 2021-07-14 22:25 ` Junio C Hamano 1 sibling, 1 reply; 8+ messages in thread From: Johannes Schindelin via GitGitGadget @ 2021-07-14 22:09 UTC (permalink / raw) To: git; +Cc: Chris. Webster, Johannes Schindelin, Johannes Schindelin From: Johannes Schindelin <johannes.schindelin@gmx.de> During a run of the `check-whitespace` we want to verify that the commits introduced in the Pull Request have no whitespace issues. We only want to look at those commits, not the upstream commits (because the contributor cannot do anything about the latter). However, by using the `-<count>` form in `git log --check`, we run the risk of looking at the wrong commits. The reason is that the `actions/checkout` step does _not_ check out the tip commit of the Pull Request's branch: Instead, it checks out a merge commit that merges that branch into the target branch. For that reason, we already adjust the commit count by incrementing it, but that is not enough: if the upstream branch has newer commits, they are traversed _first_. And obviously we will then miss some of the commits that we _actually_ wanted to look at. Therefore, let's be careful to stop assuming a linear, up to date commit topology in the contributed commits, and instead specify the correct commit range. Unfortunately, this means that we no longer can rely on a shallow clone: There is no way of knowing just how many commits the upstream branch advanced after the commit from which the PR branch branched off. So let's just go with a full clone instead, and be safe rather than sorry (if we have "too shallow" a situation, a commit range `@{u}..` may very well include a shallow commit itself, and the output of `git show --check <shallow>` is _not_ pretty). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> --- .github/workflows/check-whitespace.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/check-whitespace.yml b/.github/workflows/check-whitespace.yml index c53614d6033..8c4358d805c 100644 --- a/.github/workflows/check-whitespace.yml +++ b/.github/workflows/check-whitespace.yml @@ -12,15 +12,9 @@ jobs: check-whitespace: runs-on: ubuntu-latest steps: - - name: Set commit count - shell: bash - run: echo "COMMIT_DEPTH=$((1+$COMMITS))" >>$GITHUB_ENV - env: - COMMITS: ${{ github.event.pull_request.commits }} - - uses: actions/checkout@v2 with: - fetch-depth: ${{ env.COMMIT_DEPTH }} + fetch-depth: 0 - name: git log --check id: check_out @@ -47,7 +41,7 @@ jobs: echo "${dash} ${etc}" ;; esac - done <<< $(git log --check --pretty=format:"---% h% s" -${{github.event.pull_request.commits}}) + done <<< $(git log --check --pretty=format:"---% h% s" ${{github.event.pull_request.base.sha}}..) if test -n "${log}" then -- gitgitgadget ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] ci(check-whitespace): restrict to the intended commits 2021-07-14 22:09 ` [PATCH 2/2] ci(check-whitespace): restrict to the intended commits Johannes Schindelin via GitGitGadget @ 2021-07-14 22:25 ` Junio C Hamano 2021-07-14 22:29 ` Taylor Blau 2021-07-15 12:59 ` Johannes Schindelin 0 siblings, 2 replies; 8+ messages in thread From: Junio C Hamano @ 2021-07-14 22:25 UTC (permalink / raw) To: Johannes Schindelin via GitGitGadget Cc: git, Chris. Webster, Johannes Schindelin "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com> writes: > Unfortunately, this means that we no longer can rely on a shallow clone: > There is no way of knowing just how many commits the upstream branch > advanced after the commit from which the PR branch branched off. So > let's just go with a full clone instead, and be safe rather than sorry > (if we have "too shallow" a situation, a commit range `@{u}..` may very > well include a shallow commit itself, and the output of `git show > --check <shallow>` is _not_ pretty). Makes sense. As long as you have pull-request base, I suspect that you could shallow clone the base and incrementally fetch the rest to update, perhaps? But I do not know if it is worth doing so for a small project like ours. Thanks. > Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> > --- > .github/workflows/check-whitespace.yml | 10 ++-------- > 1 file changed, 2 insertions(+), 8 deletions(-) > > diff --git a/.github/workflows/check-whitespace.yml b/.github/workflows/check-whitespace.yml > index c53614d6033..8c4358d805c 100644 > --- a/.github/workflows/check-whitespace.yml > +++ b/.github/workflows/check-whitespace.yml > @@ -12,15 +12,9 @@ jobs: > check-whitespace: > runs-on: ubuntu-latest > steps: > - - name: Set commit count > - shell: bash > - run: echo "COMMIT_DEPTH=$((1+$COMMITS))" >>$GITHUB_ENV > - env: > - COMMITS: ${{ github.event.pull_request.commits }} > - > - uses: actions/checkout@v2 > with: > - fetch-depth: ${{ env.COMMIT_DEPTH }} > + fetch-depth: 0 > > - name: git log --check > id: check_out > @@ -47,7 +41,7 @@ jobs: > echo "${dash} ${etc}" > ;; > esac > - done <<< $(git log --check --pretty=format:"---% h% s" -${{github.event.pull_request.commits}}) > + done <<< $(git log --check --pretty=format:"---% h% s" ${{github.event.pull_request.base.sha}}..) > > if test -n "${log}" > then ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] ci(check-whitespace): restrict to the intended commits 2021-07-14 22:25 ` Junio C Hamano @ 2021-07-14 22:29 ` Taylor Blau 2021-07-15 13:00 ` Johannes Schindelin 2021-07-15 12:59 ` Johannes Schindelin 1 sibling, 1 reply; 8+ messages in thread From: Taylor Blau @ 2021-07-14 22:29 UTC (permalink / raw) To: Junio C Hamano, F Cc: Johannes Schindelin via GitGitGadget, git, Chris. Webster, Johannes Schindelin On Wed, Jul 14, 2021 at 03:25:15PM -0700, Junio C Hamano wrote: > "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com> > writes: > > > Unfortunately, this means that we no longer can rely on a shallow clone: > > There is no way of knowing just how many commits the upstream branch > > advanced after the commit from which the PR branch branched off. So > > let's just go with a full clone instead, and be safe rather than sorry > > (if we have "too shallow" a situation, a commit range `@{u}..` may very > > well include a shallow commit itself, and the output of `git show > > --check <shallow>` is _not_ pretty). > > Makes sense. > > As long as you have pull-request base, I suspect that you could > shallow clone the base and incrementally fetch the rest to update, > perhaps? But I do not know if it is worth doing so for a small > project like ours. Agreed, and... > > - uses: actions/checkout@v2 > > with: > > - fetch-depth: ${{ env.COMMIT_DEPTH }} > > + fetch-depth: 0 ...I wondered whether "fetch-depth: 0" was the default and whether or not this hunk could have just removed "fetch-depth" entirely. But the default is "1", and "0" means "fetch everything". So we really do need it. Thanks, Taylor ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] ci(check-whitespace): restrict to the intended commits 2021-07-14 22:29 ` Taylor Blau @ 2021-07-15 13:00 ` Johannes Schindelin 0 siblings, 0 replies; 8+ messages in thread From: Johannes Schindelin @ 2021-07-15 13:00 UTC (permalink / raw) To: Taylor Blau Cc: Junio C Hamano, Johannes Schindelin via GitGitGadget, git, Chris. Webster Hi Taylor, On Wed, 14 Jul 2021, Taylor Blau wrote: > On Wed, Jul 14, 2021 at 03:25:15PM -0700, Junio C Hamano wrote: > > "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com> > > writes: > > > > > Unfortunately, this means that we no longer can rely on a shallow clone: > > > There is no way of knowing just how many commits the upstream branch > > > advanced after the commit from which the PR branch branched off. So > > > let's just go with a full clone instead, and be safe rather than sorry > > > (if we have "too shallow" a situation, a commit range `@{u}..` may very > > > well include a shallow commit itself, and the output of `git show > > > --check <shallow>` is _not_ pretty). > > > > Makes sense. > > > > As long as you have pull-request base, I suspect that you could > > shallow clone the base and incrementally fetch the rest to update, > > perhaps? But I do not know if it is worth doing so for a small > > project like ours. > > Agreed, and... > > > > - uses: actions/checkout@v2 > > > with: > > > - fetch-depth: ${{ env.COMMIT_DEPTH }} > > > + fetch-depth: 0 > > ...I wondered whether "fetch-depth: 0" was the default and whether or > not this hunk could have just removed "fetch-depth" entirely. But the > default is "1", and "0" means "fetch everything". So we really do need > it. Indeed. One of the things that makes `action/checkout@v2` so much faster than `@v1` is that it fetches shallow by default. But we can't have that here. Ciao, Dscho ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] ci(check-whitespace): restrict to the intended commits 2021-07-14 22:25 ` Junio C Hamano 2021-07-14 22:29 ` Taylor Blau @ 2021-07-15 12:59 ` Johannes Schindelin 1 sibling, 0 replies; 8+ messages in thread From: Johannes Schindelin @ 2021-07-15 12:59 UTC (permalink / raw) To: Junio C Hamano; +Cc: Johannes Schindelin via GitGitGadget, git, Chris. Webster Hi Junio, On Wed, 14 Jul 2021, Junio C Hamano wrote: > "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com> > writes: > > > Unfortunately, this means that we no longer can rely on a shallow clone: > > There is no way of knowing just how many commits the upstream branch > > advanced after the commit from which the PR branch branched off. So > > let's just go with a full clone instead, and be safe rather than sorry > > (if we have "too shallow" a situation, a commit range `@{u}..` may very > > well include a shallow commit itself, and the output of `git show > > --check <shallow>` is _not_ pretty). > > Makes sense. > > As long as you have pull-request base, I suspect that you could > shallow clone the base and incrementally fetch the rest to update, > perhaps? Fetching into shallow clones is very expensive on the server. I want to avoid that whenever possible. > But I do not know if it is worth doing so for a small project like ours. And then there's that. Ciao, Dscho ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2021-07-15 13:00 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-07-14 22:09 [PATCH 0/2] check-whitespace: two fixes Johannes Schindelin via GitGitGadget 2021-07-14 22:09 ` [PATCH 1/2] ci(check-whitespace): stop requiring a read/write token Johannes Schindelin via GitGitGadget 2021-07-14 22:20 ` Junio C Hamano 2021-07-14 22:09 ` [PATCH 2/2] ci(check-whitespace): restrict to the intended commits Johannes Schindelin via GitGitGadget 2021-07-14 22:25 ` Junio C Hamano 2021-07-14 22:29 ` Taylor Blau 2021-07-15 13:00 ` Johannes Schindelin 2021-07-15 12:59 ` Johannes Schindelin
Code repositories for project(s) associated with this public inbox https://80x24.org/mirrors/git.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).