Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ENH: Use pixi to run action as composite #91

Merged
merged 2 commits into from
Sep 27, 2024

Conversation

matthewfeickert
Copy link
Member

@matthewfeickert matthewfeickert commented Sep 19, 2024

Resolves #71

Description

  • Use pixi to manage the environment fully, which removes the needs for micromamba and a Linux container, allowing the action to be run as a 'composite' action.

    • This allows the action to be used on macOS runners in addition to Linux.
    • Add pixi project configuration (pixi.toml) and pixi lock file (pixi.lock).
    • Add 'osx-64' and 'osx-arm64' platforms to pixi environment solves to allow for use on Linux and macOS runners.
    • Use prefix-dev/setup-pixi GitHub action to setup pixi for the action.
    • Explicitly enable the 'locked' option for prefix-dev/setup-pixi.
    • Don't allow for post job cleanup to avoid errors if the action is run multiple times in a workflow (this is a downside of no longer being in a Linux container).
    • Make cmd.sh executable (chmod +x).
  • Remove use of micromamba in the upload script.

  • Remove the conda-lock files and the Docker based locking workflow.

  • Remove Dockerfile.

  • Note in the README that the runner used can be either Linux or macOS.

  • Update version numbers of action to v0.5.0.

  • Rename script from cmd.sh to upload_wheels.sh.

    • As the script is no longer the CMD of a Linux container but is now a standalone Bash script, having a more descriptive name is preferable.

Note

GitHub Actions takes care of cleaning up the environment after each run, so you are not responsible for manually unsetting all environment variables between steps to avoid secret leakage.

@matthewfeickert matthewfeickert self-assigned this Sep 19, 2024
Copy link
Member

@stefanv stefanv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😎

Dockerfile Outdated Show resolved Hide resolved
default_linux-64_conda_spec.txt Outdated Show resolved Hide resolved
@@ -0,0 +1,14 @@
[project]
authors = ["Matthew Feickert <matthew.feickert@cern.ch>"]
channels = ["conda-forge"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Dockerfile Outdated Show resolved Hide resolved
@bsipocz
Copy link
Member

bsipocz commented Sep 19, 2024

Nitpicking: @matthewfeickert could we follow a fork-based workflow here in the future, so the main repo won't be peppered with feature branches?

Dockerfile Outdated Show resolved Hide resolved
Dockerfile Outdated Show resolved Hide resolved
default_linux-64_conda_spec.txt Outdated Show resolved Hide resolved
pixi.toml Outdated Show resolved Hide resolved
@matthewfeickert
Copy link
Member Author

matthewfeickert commented Sep 19, 2024

could we follow a fork-based workflow here in the future, so the main repo won't be peppered with feature branches?

@bsipocz I would, but c.f. #81 (comment) for why if we want CI to run we can't. (I also don't find a transient feature branch terrible, but I fully agree that a fork based workflow is the way to go.)

@bsipocz
Copy link
Member

bsipocz commented Sep 19, 2024

I also don't find a transient feature branch terrible

The issue is that some of the branches are not exactly transient, but are around for a while when part of some experimenting or draft PR.

pixi.toml Outdated Show resolved Hide resolved
@bsipocz
Copy link
Member

bsipocz commented Sep 19, 2024

Re CI: I think it's OK to separate the current workflow into two, one that runs all the anaconda upload/cleanup checks, and one that does everything else. Then we can run most of the tests from forks, too, and in practice those would cover most of the PR cases anyway.

@bsipocz
Copy link
Member

bsipocz commented Sep 19, 2024

(however, that said, dependabot PRs, from local feature branches are also failing with TOKEN issues: #86)

@matthewfeickert
Copy link
Member Author

matthewfeickert commented Sep 19, 2024

Re CI: I think it's OK to separate the current workflow into two, one that runs all the anaconda upload/cleanup checks, and one that does everything else. Then we can run most of the tests from forks, too, and in practice those would cover most of the PR cases anyway.

@bsipocz I don't think that will work for the reasons I describe in the two previous responses I've linked, as you'll need secrets to run the upload and a secret to delete the files and neither can be run on a fork safely. But can you make an Issue to describe more what you have in mind here?

Full disclosure, there may be some clever (or obvious :P) way to get around this I've overlooked so far.

@tupui
Copy link
Member

tupui commented Sep 19, 2024

Cool 👍 Just a fly by comment. What do you think about uv otherwise? Looks like this is going to be the thing sooner than later.

@bsipocz
Copy link
Member

bsipocz commented Sep 19, 2024

I don't think that will work for the reasons I describe in the two previous responses I've linked, as you'll need secrets to run the upload and a secret to delete the files and neither can be run on a fork safely.

Yes, my point is to separate those that need the secret in a separate workflow/job, so 1) tests can pass on forks with the acknowledgement that the secret-requiring ones are skipped. (most of the times that approach should be good enough)

But also, something is broken with the current setup as e.g. #86 failed even though it run from a feature branch here.

Copy link
Member Author

@matthewfeickert matthewfeickert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note

Though this is passing CI, I'm going to leave this in draft for a bit, to think if there's cleaner and safer ways to do everything, before I move it to 'ready for review' and ask people to spend time on it. That realistically won't be until next week though given that I have work (travel, talks, reviews) and personal deadline-driven tasks looming.

(I'll also want to rebase things and try to write more clear commit messages for reviewers.)

using: "composite"
steps:
- name: Set up pixi
uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659 # v0.8.1
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to look at what the prefix-dev/setup-pixi action is actually doing to see if pinning at the hash level actually provides any safeguards. I'll also ask the pixi team to review this PR once it is ready to move from draft to review.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the setup-pixi action is designed to be backwards compatible (like pixi as well) but there are no guarantees yet.

with a proper dependabot configuration and automatic updates, i would just keep it pinned to the SHA level, though for additional reproducibility

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, thanks @pavelzw. That's useful info.

uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659 # v0.8.1
with:
cache: true
cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not fully clear on how github.ref_name works when the action is being used by other workflows, so this might all be wrong. (Here I'm just copying from the https://github.com/prefix-dev/setup-pixi README).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still holds true, but worst case scenario we cache for some and not others and I think that's okay.

Comment on lines +34 to +36
# Avoid post cleanup errors if action run multiple times
post-cleanup: false
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the action is run multiple times in the same workflow (like we do in the CI to test) then at the end of the workflow each of the job steps gets cleaned up sequentially. As

  post-cleanup:
    description: |
      If the action should clean up after itself. Defaults to `true`.
      If `true`, the pixi environment, the pixi binary and the rattler files in ~/.rattler and ~/.cache/rattler are removed.

this will try to delete the same directory path multiple times and will error when those paths don't exist after the first clean up.

I'd like to find a smarter way around this, as I'm not sure if leaving things around is ideal, but I also don't think it is bad.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

currently this is the only workaround. there are some nieche use cases where it actually makes sense to run setup-pixi twice. we might want to open an issue for this

action.yml Outdated
INPUT_ANACONDA_NIGHTLY_UPLOAD_TOKEN: ${{ inputs.anaconda_nightly_upload_token }}
INPUT_ANACONDA_NIGHTLY_UPLOAD_LABELS: ${{ inputs.anaconda_nightly_upload_labels }}
run: |
pixi run cmd.sh
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cmd.sh is executable now (post chmod +x cmd.sh). We can also rename it to something more descriptive.

cmd.sh Outdated Show resolved Hide resolved
channels = ["conda-forge"]
description = "Environment for the scientific-python/upload-nightly-action GitHub action"
name = "upload-nightly-action"
platforms = ["linux-64", "osx-64", "osx-arm64"]
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding the macOS platforms as though I assume that people will be using this following a cibuildwheel workflow on Linux, providing the extra platforms in the lock file allows for this action to be run on macOS runners as well.

@matthewfeickert
Copy link
Member Author

What do you think about uv otherwise? Looks like this is going to be the thing sooner than later.

@tupui I like uv a lot and I use it on many projects. uv pip compile is excellent and I use it in container runtimes where I don't have control over the Python runtime given the base image environment (this is actually one area/thing that pixi doesn't really allow you to do as it needs to control the entire environment — some caveats there if you export the shell activation though and manually use it.)

That being said, I like pixi more in general, and I think for something like this where you want to have hash level reproducibility of the entire stack and not just of the Python packages then pixi is a clear winner (well really more just "locked conda installs in an isolated/containerized environment" is the winner).

@tupui
Copy link
Member

tupui commented Sep 20, 2024

Interesting thanks for the write up!

@matthewfeickert matthewfeickert force-pushed the feat/use-pixi-for-locking branch from 11b88f2 to ec7c415 Compare September 25, 2024 15:49
@matthewfeickert matthewfeickert changed the title ENH: Use pixi to maintain lock file ENH: Use pixi to run action as composite Sep 25, 2024
Copy link
Member Author

@matthewfeickert matthewfeickert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are just some final comments in addition to the comments I left for others in my previous self-reviews.

@@ -4,7 +4,8 @@ This is a GitHub Action that uploads nightly builds to the [scientific-python ni
as recommended in [SPEC4 — Using and Creating Nightly Wheels][].

In a GitHub Actions workflow (`.github/workflows/*.yaml`), use the
following snippet to upload built wheels to the channel:
following snippet on a Linux or macOS runner to upload built wheels to the
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding this as we've gotten questions in the past about what runner OS are supported and this PR extends support beyond Linux.

uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659 # v0.8.1
with:
cache: true
cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still holds true, but worst case scenario we cache for some and not others and I think that's okay.

@matthewfeickert matthewfeickert marked this pull request as ready for review September 25, 2024 15:58
@matthewfeickert matthewfeickert requested a review from a team September 25, 2024 15:58
@matthewfeickert
Copy link
Member Author

matthewfeickert commented Sep 25, 2024

@scientific-python/nightly-wheels-developers this is now ready for review. As I had this in draft before to figure things out I've intentionally squashed and rebased this so that it will be easier to follow my actual intended changes from both the GitHub UI and from a local checkout.

@pavelzw @ruben-arts as you've contributed the most to the setup-pixi action if you're able to review this as well that would be very much appreciated.

edit: Also pinging @stefanv too as he's not on the @scientific-python/nightly-wheels-developers list but was kind enough to give an initial review. :)

action.yml Show resolved Hide resolved
@matthewfeickert
Copy link
Member Author

Thanks for reviewing for @scientific-python/nightly-wheels-developers, @MridulS! 🙏 If we're able to get one more review from another @scientific-python/nightly-wheels-developers person that would be great, but if no one else reviews by Tuesday (2024-10-01) I'll go ahead and squash and merge.

Copy link
Member

@bsipocz bsipocz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, thank you @matthewfeickert for the refactor!

@matthewfeickert
Copy link
Member Author

Thanks @bsipocz!

I'm going to do a relock and it there's any changes to a rebase and push and then squash and merge this. I'll then update the v0.5.0 info in the repo to v0.6.0 and make a new release on GitHub.

* Use pixi to manage the environment fully, which removes the needs for
  micromamba and a Linux container, allowing the action to be run as a
  'composite' action.
   - This allows the action to be used on macOS runners in addition
     to Linux.
   - Add pixi project configuration and pixi lock file.
   - Add 'osx-64' and 'osx-arm64' platforms to pixi environment solves
     to allow for use on Linux and macOS runners.
   - Use prefix-dev/setup-pixi GitHub action to setup pixi for the action.
   - Explicitly enable the 'locked' option for prefix-dev/setup-pixi.
   - Don't allow for post job cleanup to avoid errors if the action is
     run multiple times in a workflow (this is a downside of no longer
     being in a Linux container).
   - Note: GitHub Actions takes care of cleaning up the environment after
     each run, so you are not responsible for manually unsetting all
     environment variables between steps to avoid secret leakage.
   - Make cmd.sh executable (chmod +x).
* Remove use of micromamba in the upload script.
* Remove the conda-lock files and the Docker based locking workflow.
* Remove Dockerfile.
* Note in the README that the runner used can be either Linux or macOS.
* Update version numbers of action to v0.5.0.
* As the script is no longer the CMD of a Linux container but is now a
  standalone Bash script, having a more descriptive name is preferable.
@matthewfeickert matthewfeickert force-pushed the feat/use-pixi-for-locking branch from 1f08c30 to 6f223fe Compare September 27, 2024 19:39
@matthewfeickert matthewfeickert merged commit cb54b9a into main Sep 27, 2024
2 checks passed
@matthewfeickert matthewfeickert deleted the feat/use-pixi-for-locking branch September 27, 2024 19:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Document that the action requires to run on ubuntu
6 participants