New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update packs to allow automatic release prep #7161
base: codeql-cli-2.7.3-fake
Are you sure you want to change the base?
Conversation
Looks good. A few questions inline.
We need to make sure there are proper docs or guidance for the languages team to maintain the changelog directories.
| @@ -1,7 +1,8 @@ | |||
| name: codeql/cpp-all | |||
| version: 0.0.2 | |||
| version: 0.0.3 | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you want to go with the -dev prefix here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to hold off on that until after our first release. The post-release tool can add that automatically.
| @@ -0,0 +1,7 @@ | |||
| --- | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add a readme or some other file that will stick around in each of these directories to explain how they are supposed to work?
Or we at least need to have a good explanation somewhere that is easy to find.
| @@ -1,5 +1,5 @@ | |||
| name: codeql/java-tests | |||
| version: 0.0.2 | |||
| groups: [java, test] | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No version here? I guess we don't need it since it won't be published.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we never run pack create on it, we really don't need a version at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should make sure it is an error to run pack create on a pack that doesn't have a version. Not sure what the behaviour is now.
java/ql/lib/qlpack.yml
Outdated
| dependencies: | ||
| codeql/java-upgrades: 0.0.2 | ||
| codeql/java-upgrades: "*" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, the move from an explicit version to a * is ok because we are OK with users who try to compile codeql/java-all outside of this workspace getting an error?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wait, let me think about this. For library packs this probably isn't right, because we want a real version dependency in the published library pack.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah...yes. I think we need a hard version.
This complicates the upgrade process since we will need to bump the upgrades dependency as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For this release cycle, let's bump the upgrades references manually, but this should be very high on our list for automation since it is easy to screw up or forget a pack.
How easy would it be to merge upgrade packs into the codeql/*-all packs?
| @@ -1,7 +1,8 @@ | |||
| name: codeql/javascript-all | |||
| version: 0.0.3 | |||
| version: 0.0.4 | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to bump all of our libraries to 0.0.4 so we can at least start with consistency?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought about that, but all our version numbers will diverge soon enough anyway, so I figured I'd leave the inconsistency in there so people get used to it:)
Please do not use the codeql sub folder for the codeql-pack.release.yml and change-notes.
| @@ -0,0 +1,2 @@ | |||
| --- | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are change notes and the codeql-pack.release.yml file stored in an arbitrary sub folder (codeql) containing also QL code instead of the pack root folder? In contrast to other languages that use semmle.code, Ruby uses codeql as top-level package name. It feels wrong to "pollute" the QL package folders with qlpack metadata.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, thanks for pointing that out! We'll either change the name of the directory where the extra pack metadata is collected, or just store it in the root (which would mean that there would be a top-level change-notes directory in your pack, but that actually seems more discoverable than codeql/change-notes).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
| "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml", | ||
| "misc/legacy-support/*/qlpack.yml", | ||
| "misc/suite-helpers/qlpack.yml", | ||
| "ruby/extractor-pack/codeql-extractor.yml", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dbartol I'm fine with this change, but I was wondering what prompted you to make it? It is to make things more consistent, or did you need to change this to workaround some technical limitation/complication?
Personally, I'd rather see language specific stuff in per-language manifest files and keep the top-level manifest clean. Of course doing things inconsistently like we had before is worse, so we should either move:
"cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
"javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
"javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
"ruby/extractor-pack/codeql-extractor.yml",
"ruby/extractor-pack/codeql-extractor.yml",
out of this file, or keep them all in the top-level file like you did. I have a slight preference for moving things out, but I leave it up to you to decide (or flip a coin ;-) )
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The .codeqlmanifest.json (or its modern equivalent, codeql-workspace.yml) file defines a "CodeQL Workspace", which includes settings that apply to all packs directly contained in that workspace. That's where the set of available change note categories are defined, the versioning policies, and so forth. If we leave Ruby in its own, it would need its own copies of these policies.
Also, pack dependencies are automatically resolved when the target pack is in the same workspace, so with a separate .codeqlmanifest.json for Ruby, the codeql/suite-helpers pack can't be resolved by default unless you run codeql pack install to download a published version, or add a --additional-packs path to the command line.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I completely follow what you say. The .codeqlmanifest.json file existed before the concept of "CodeQL Workspace" was invented, right? I suspect the semantics of .codeqlmanifest.json has been retro-fitted (and changed) to match the idea of a "CodeQL Workspace".
Isn't the problem here is that you don't seem to allow "nested" workspaces? A bit like maven's idea of a "parent" pom file? No need to implement nested workspaces, the simple solution of having only one large workspace is fine with me. I'm just trying to understand things.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I prefer to think of it as ".codeqlmanifest.json has evolved and expanded to become a 'workspace'". Originally, .codeqlmanifest.json was used to allow you to add a single directory to your search path, but have the search look in many different paths under that directory. That aspect of it still applies. However, we now automatically resolve references between packs within the same workspace. Without Ruby being in the same workspace as the suite-helpers pack, you'd need to specify a search path. Before workspaces, you would have always needed a search path.
We currently support nested workspace in a somewhat limited sense: A pack in a parent workspace that references a pack in a nested workspace will automatically find the pack in that nested workspace. However, a pack in a nested workspace will not find packs in the parent workspace, nor in sibling workspaces. An early implementation of workspaces actually had this feature, but it was removed during review because we didn't actually have a real-world use case for it at the time. I'm open to adding that feature back, but I'm not sure I'd do it just to make one of our own workspaces only slightly cleaner.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the explanation!
| @@ -0,0 +1,2 @@ | |||
| --- | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dbartol What is the purpose of this file? To me it feels strange to keep this data in the source tree. It's yet another file that will cause conflicts on merge back. It looks like the same value is stored in each of the qlpack files.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This stores the version number of the most recently released version of the pack. That will not necessarily be the version that is committed to the qlpack in main after the release. The codeql pack post-release command (see github/semmle-code#40925) can update the committed version number to have a prerelease suffix so that builds of a package from main are not confused with official releases. We already do something similar for the CLI version itself.
Because these files are only updated by the codeql pack release command, the only way to have a merge conflict is if a later release was merged back to main before a previous release was merged back. This could theoretically happen with a servicing release (say, we released version 2.0.0 of a package, but then discovered a serious issue in 1.5.4 and released a 1.5.5 that fixed to for customers who weren't yet ready to update to 2.0.0). However, this should be rare enough that manually resolving the conflict in favor of main won't be a big deal when it does happen.
|
I merging this, but note that it's being merged into a fake release branch, not |
These are the changes I made manually so that future automatic release prep would work:
codeql-pack.release.ymlfiles to record the previous release.groupsproperty to all relevant packs. Note that I added asharedgroup forcodeql-suite-helpers. We may want to consider what to do when asked to publish pack A that has a dependency on local pack B, where B is not being published.The text was updated successfully, but these errors were encountered: