-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"cargo vet certify" github bot workflow #330
Comments
#329 is an initial prototype of this but without any authentication logic, so it just has the user copy base64 strings of json blobs around to sheppard data between the app and github |
how to test the current impl's UI:
then go to this localhost url. Which should show this: |
To generate new errors for the cargo-vet to report/handle there is a mock project inside the tests. First, install whatever code for cargo-vet you currently have:
Then go to the test-project and update a package:
Now cargo vet should fail
You can get this report in json form with
With the changes in nika's PR, you can now pass
|
correction: the current base64 blob is actually a new json format designed for this usecase. in particular the current json is missing some information the GUI wants like a listing of every supported criteria you can audit for and their description strings / X-implies-Y relationships. If we move away from the base64 format I suggest that we either unconditionally emit this information in json output, or make it something you can toggle on with a flag. |
@mystor had you actually worked out what the bot scripting was going to look like, or were other people on the hook for that step? I'm mentally sketching out what I want a cleaned up version of this API to look like, I see two reasonable choices but which is better depends on how a bot wants to interface with things (will consult with my coworkers on this, but gonna sketch out the options from the cli's perspective to get them out there). (Also names here are kinda strawman.)
I aesthetically like 2 because it feels very orthogonal and generalizable. My expectation is that 1 is a lot nicer for bots because one json object unconditionally dumped sounds a lot easier than 2 objects, with the second needing to be manually requested on error. As for getting info back in, I'm not a huge fan of the |
Actually maybe https://docs.rs/twelf/0.7.0/twelf/ can let us have our cake an eat it too on the --from-gui side of things |
(we already have some amount of hand-rolled twelf-like logic and it sucks shit and I want to destroy my awful child) Lines 350 to 388 in ddae3ab
|
I don't think we'd really want this workflow to assume that main ever doesn't pass vet, so I expect it'd only run on existing PRs, and either update the PR or open a new PR into that PR's branch (though that's probably a github thing and might have bad ergonomics?) so that vet can be passing in the PR before merging into main.
I don't think it matters a ton either way. The auditor should definitely be credited in the
I think a single "all the audits" commit would be fine.
I would expect that they're batched up and applied in a single "all done", but I suppose doing something more live could be a reasonable approach? I worry a bit about wasting a ton of CI time with that though, as we'd be re-running CI for each new audit performed, and it wouldn't be passing.
I hadn't quite gotten to that step in figuring this out. I was originally working on getting a basic framework working with the UI and a mechanism for applying the changes, and was then going to figure out how that would integrate with a bot-based workflow.
One of the reasons I added a new system was to simplify the amount of data being sent into the app as much as possible, as I was planning to communicate it on the client side using the URL. The original idea bholley proposed in #293 was to use a wasm blob of
The decision do to it this way with |
"
cargo vet certify
, but all with bots/webapps in github so devs don't have to know/use the cli"An MVP for a bot-based UX should be based on github, either on top of dependabot or a different bot. The design should be extensible enough to port to other infra like gitlab or mozilla's stuff, but supporting those is not in scope for the first version. Of course we will keep that future in mind and not wildly hardcode github stuff. Use json messages, standard auth protocols, etc. where it makes sense.
Basic workflow sketch:
cargo vet diff
and friends would usecertify
supports)unclear details:
The text was updated successfully, but these errors were encountered: