setup maven cd workflow #1
Conversation
|
@lemeurherve who had you intended to review this, with write access 😅 |
| @@ -0,0 +1,65 @@ | |||
| # Note: additional setup is required, see https://www.jenkins.io/redirect/continuous-delivery-of-plugins | |||
There was a problem hiding this comment.
.github/workflows/maven-cd.yml not sure if maven-cd is the best filename for this workflow
There was a problem hiding this comment.
although gradle could likely be supported in the same workflow, the actions would just need a flag, it just doesn't support it atm
There was a problem hiding this comment.
Gradle CD would need to use a different versioning scheme and it could follow a different flow. I would stick to maven-cd. If and when some Gradle user wishes to introduce their own reusable CD flow, they can figure out how to refactor things to share parts of this one, or not.
|
Seems to work as intended: |
|
@jglick the question becomes do we want versioning on our reusable workflows? My suggestion has been to point to main and never look back. Because it allows infra team to fix the workflow if something broke and distribute fixes to workflows faster. |
| @@ -1,2 +1,3 @@ | |||
| # github-reusable-workflows | |||
|
|
|||
There was a problem hiding this comment.
I think it would suffice to edit https://github.com/jenkinsci/.github/blob/1292a5224fbc08abedc30408c14f71e804c95bbb/workflow-templates/cd.yaml#L11-L61
pinning to main should be fine for this, you can always pin to a commit if something breaks. |
|
cc @NotMyFault and @olamy who were looking at similar for release drafter and maybe crowdin |
Better hope you never have to evolve a workflow in a backward incompatible way. Took me just 11 days for |
we do the same with Not ideal but a lot less maintenance for maintainers. Far less dependabot spam |
|
@daniel-beck reminded me that you can move tags around etc. What he did with security scan was have a which may be a better option? |
And I kept updating each tag to point to the newest commit that made sense. So some management overhead is involved. Only makes sense when you have one repo per workflow though. |
|
I (probably) would recommend pinning versions for |
|
Pinning client repos to |
Either that, or use a orphaned branch per workflow, or include the workflow name in tags. I tend to agree that using a repo dedicated to this workflow would make more sense from a versioning perspective. Maybe we can just archive this repo and use |
I expect that may be a barrier to successfully contributing for some people unfamiliar with those; GitHub seems to be pushing "just dump everyone on the default branch" hard. (I may well be wrong though, maintainers seem to handle the weird default orphan branch of private CERT "fork" repos well.)
FWIW I considered something like that for |
|
I would keep this repository and have multiple workflows hosted behind main or v1. No need to make it more complicated. Again I would compare shared pipeline library to reusable workflows. Keeps maintenance simple and separates consumer and producer as noted by @daniel-beck |
Unless and until we find the need to make some incompatible change to the workflow that would affect so many repos we cannot feasibly update them all promptly enough. Yes we have avoided any such change to |
|
Theoretical problem, I am pretty sure we can make something that can also solve that. Use workflow inputs, create another reusable workflow, ask users to stay on v1 while we move on in v2 or they could self host their special workflow. This solves a immediate problem. I don't want to speculate too much future problems or never problems. This is simply hosting a group of actions in a workflow and handling updates dependabot noise, if anything the actions are more likely to run into this issue. |
Indeed that would be the most straightforward approach. |
|
Filed jenkinsci/jenkins-infra-test-plugin#20 as a sanity check. I think we can move ahead with this? |
| output_result: true | ||
|
|
||
| - name: Release Drafter | ||
| uses: release-drafter/release-drafter@v5 |
There was a problem hiding this comment.
I guess we could actually pin this to a specific version in the shared workflow: we would get DB bumps, which PRs would not test, but after merging we would be sure to run jenkins-infra-test-plugin again to make sure everything still works.
There was a problem hiding this comment.
are we talking v5.x.x level of pinning or commit sha pinning? 😅
There was a problem hiding this comment.
I meant v5.x.x, I am not that paranoid!
There was a problem hiding this comment.
(I did see a tool recently that let you pin actions to hashes and still get them updated.)
| uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up JDK 8 | ||
| uses: actions/setup-java@v3 |
| @@ -1,2 +1,3 @@ | |||
| # github-reusable-workflows | |||
|
|
|||
There was a problem hiding this comment.
I think it would suffice to edit https://github.com/jenkinsci/.github/blob/1292a5224fbc08abedc30408c14f71e804c95bbb/workflow-templates/cd.yaml#L11-L61
Co-authored-by: Jesse Glick <[email protected]>
|
IIRC both the workflow template as well as the reusable workflow need to declare permissions, otherwise commits from Dependabot will fail the run because the token lacks permissions. See https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#changing-github_token-permissions and jenkins-infra/jenkins-security-scan#7 / jenkinsci/.github#75 for when I did this on Jenkins Security Scan workflows. Mostly cosmetic here because these are unlikely to create releases, but still FYI. |
|
jenkinsci/jenkins-infra-test-plugin#20 (comment) and then https://github.com/jenkinsci/workflow-aggregator-plugin/runs/6573189329?check_suite_focus=true#step:4:14 again failed to create a release, due to what I suspect is a race condition. Can we try introducing a delay between Release Drafter and the interesting categories action? |
fixes jenkins-infra/jenkins-maven-cd-action#10