ci: workflows: pin python dependencies #87609
Conversation
zephyrbot
added
platform: nRF BSIM
zephyrbot
requested review from
aescolar,
andyross,
ceolin,
cfriedt,
dcpleung,
fabiobaltieri,
kartben,
npitre,
peter-mitsis,
stephanosio and
TaiJuWu
nashif
force-pushed
the
topic/ci/pin_deps
branch
2 times, most recently
from
e13a855 to
68c2a9b
Compare
nashif
force-pushed
the
topic/ci/pin_deps
branch
2 times, most recently
from
18b79c3 to
374367f
Compare
|
hmm, not sure about this one: I have not seen this during testing :( |
Can we update the |
nashif
force-pushed
the
topic/ci/pin_deps
branch
2 times, most recently
from
f7b1d2e to
4ebcffb
Compare
Well I would argue we do. This effectively freezes all dependencies (duh!) so should any one of them be affected by a CVE 1/ we won't know about it and 2/, and more importantly, we will never get the fix that may come in a later version and will just be hard-stuck with the vulnerable version, where the current approach would at least have had the benefit to always give us the latest version of the package (for better or worse, too). So what I'm saying is that basically we will need dependabot eventually if we are to pin dependencies ; and while it can be added in a PR coming shortly after this one, we do need to at least test it works and be confident it will be happy with managing uv compiled requirements before introducing this change in the first place. In any case, CI seems to be failing so maybe that'll be the opportunity to add this to the next update :) |
maybe, but I prefer to do that later because tbh I have no idea what needs to be done. Re this CI failure, I am not sure why the twister thing is failing with this version of python. @LukaszMrugala any idea? |
nashif
force-pushed
the
topic/ci/pin_deps
branch
from
a21ca0d to
ba2ad47
Compare
github-actions
bot
requested review from
gchwier,
golowanow,
hakehuang,
LukaszMrugala and
PerMac
nashif
force-pushed
the
topic/ci/pin_deps
branch
from
ba2ad47 to
30216ea
Compare
|
Should help with caching / false positives as well. |
|
Why was the "Checkout source code" step skipped in the failed "Publish Unit Tests Results"? 🤔 |
nashif
force-pushed
the
topic/ci/pin_deps
branch
from
30216ea to
81f8987
Compare
this is fixed now |
|
The commit to temporarily disable the failing test also touches the |
no, will fix, thanks. |
nashif
force-pushed
the
topic/ci/pin_deps
branch
from
81f8987 to
fb12ef5
Compare
ok, fixed |
| @@ -178,7 +178,6 @@ jobs: | |||
| - name: Merge Test Results | |||
| run: | | |||
| pip install junitparser junit2html | |||
There was a problem hiding this comment.
Looks like you just dropped them as I can't see any step where you install the requirements?
There was a problem hiding this comment.
those are already in the docker image, no need to install them
.github/workflows/clang.yaml
Outdated
| cache: pip | ||
| cache-dependency-path: scripts/requirements-actions.txt | ||
|
|
||
| - name: install-packages |
There was a problem hiding this comment.
If you have a chance to do a s/install-packages/Install Python packages/g so that steps have consistent naming that would be great (non blocking obviously)
.github/workflows/scripts_tests.yml
Outdated
| - name: Rebase | ||
| continue-on-error: true | ||
| env: | ||
| BASE_REF: ${{ github.base_ref }} | ||
| PR_HEAD: ${{ github.event.pull_request.head.sha }} | ||
| run: | | ||
| git config --global user.email "actions@zephyrproject.org" | ||
| git config --global user.name "Github Actions" | ||
| rm -fr ".git/rebase-apply" | ||
| rm -fr ".git/rebase-merge" | ||
| git rebase origin/${BASE_REF} | ||
| git clean -f -d | ||
| git log --graph --oneline HEAD...${PR_HEAD} | ||
Pin python dependencies to hashes and cleanup/unify python setup steps in various workflows. We now have one dependency file containing all requirements for github actions that is managed centrally with hashes. No direct pip installs are needed in workflow files and everything shall go via the requirements file. Pinning to specific version and hashes helps with preventing supply chain attacks. Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Pin dependencies on the workflow and move it from using docker to the zephyr setup action. Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This test fails on older python versions (3.10) and only on CI. Disabling it while we investigate. The test itself verifies inline logs options, so the functionality test is not impacted. Tracked in zephyrproject-rtos#87769 Signed-off-by: Anas Nashif <anas.nashif@intel.com>
nashif
force-pushed
the
topic/ci/pin_deps
branch
from
9b43181 to
fc7e570
Compare
Pin python dependencies to hashes and cleanup/unify python setup steps in
various workflows.
We now have one dependency file containing all requirements for github
actions that is managed centrally with hashes. No direct pip installs
are needed in workflow files and everything shall go via the
requirements file.
Pinning to specific version and hashes helps with preventing supply
chain attacks.
Signed-off-by: Anas Nashif anas.nashif@intel.com