-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ENH: Use pixi to run action as composite #91
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😎
@@ -0,0 +1,14 @@ | |||
[project] | |||
authors = ["Matthew Feickert <matthew.feickert@cern.ch>"] | |||
channels = ["conda-forge"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
Nitpicking: @matthewfeickert could we follow a fork-based workflow here in the future, so the main repo won't be peppered with feature branches? |
@bsipocz I would, but c.f. #81 (comment) for why if we want CI to run we can't. (I also don't find a transient feature branch terrible, but I fully agree that a fork based workflow is the way to go.) |
The issue is that some of the branches are not exactly transient, but are around for a while when part of some experimenting or draft PR. |
Re CI: I think it's OK to separate the current workflow into two, one that runs all the anaconda upload/cleanup checks, and one that does everything else. Then we can run most of the tests from forks, too, and in practice those would cover most of the PR cases anyway. |
(however, that said, dependabot PRs, from local feature branches are also failing with TOKEN issues: #86) |
@bsipocz I don't think that will work for the reasons I describe in the two previous responses I've linked, as you'll need secrets to run the upload and a secret to delete the files and neither can be run on a fork safely. But can you make an Issue to describe more what you have in mind here? Full disclosure, there may be some clever (or obvious :P) way to get around this I've overlooked so far. |
Cool 👍 Just a fly by comment. What do you think about uv otherwise? Looks like this is going to be the thing sooner than later. |
Yes, my point is to separate those that need the secret in a separate workflow/job, so 1) tests can pass on forks with the acknowledgement that the secret-requiring ones are skipped. (most of the times that approach should be good enough) But also, something is broken with the current setup as e.g. #86 failed even though it run from a feature branch here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note
Though this is passing CI, I'm going to leave this in draft for a bit, to think if there's cleaner and safer ways to do everything, before I move it to 'ready for review' and ask people to spend time on it. That realistically won't be until next week though given that I have work (travel, talks, reviews) and personal deadline-driven tasks looming.
(I'll also want to rebase things and try to write more clear commit messages for reviewers.)
using: "composite" | ||
steps: | ||
- name: Set up pixi | ||
uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659 # v0.8.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need to look at what the prefix-dev/setup-pixi
action is actually doing to see if pinning at the hash level actually provides any safeguards. I'll also ask the pixi
team to review this PR once it is ready to move from draft to review.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the setup-pixi action is designed to be backwards compatible (like pixi as well) but there are no guarantees yet.
with a proper dependabot configuration and automatic updates, i would just keep it pinned to the SHA level, though for additional reproducibility
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, thanks @pavelzw. That's useful info.
uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659 # v0.8.1 | ||
with: | ||
cache: true | ||
cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not fully clear on how github.ref_name
works when the action is being used by other workflows, so this might all be wrong. (Here I'm just copying from the https://github.com/prefix-dev/setup-pixi README).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This still holds true, but worst case scenario we cache for some and not others and I think that's okay.
# Avoid post cleanup errors if action run multiple times | ||
post-cleanup: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the action is run multiple times in the same workflow (like we do in the CI to test) then at the end of the workflow each of the job steps gets cleaned up sequentially. As
post-cleanup:
description: |
If the action should clean up after itself. Defaults to `true`.
If `true`, the pixi environment, the pixi binary and the rattler files in ~/.rattler and ~/.cache/rattler are removed.
this will try to delete the same directory path multiple times and will error when those paths don't exist after the first clean up.
I'd like to find a smarter way around this, as I'm not sure if leaving things around is ideal, but I also don't think it is bad.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
currently this is the only workaround. there are some nieche use cases where it actually makes sense to run setup-pixi twice. we might want to open an issue for this
action.yml
Outdated
INPUT_ANACONDA_NIGHTLY_UPLOAD_TOKEN: ${{ inputs.anaconda_nightly_upload_token }} | ||
INPUT_ANACONDA_NIGHTLY_UPLOAD_LABELS: ${{ inputs.anaconda_nightly_upload_labels }} | ||
run: | | ||
pixi run cmd.sh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cmd.sh
is executable now (post chmod +x cmd.sh
). We can also rename it to something more descriptive.
channels = ["conda-forge"] | ||
description = "Environment for the scientific-python/upload-nightly-action GitHub action" | ||
name = "upload-nightly-action" | ||
platforms = ["linux-64", "osx-64", "osx-arm64"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adding the macOS platforms as though I assume that people will be using this following a cibuildwheel
workflow on Linux, providing the extra platforms in the lock file allows for this action to be run on macOS runners as well.
@tupui I like That being said, I like |
Interesting thanks for the write up! |
11b88f2
to
ec7c415
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These are just some final comments in addition to the comments I left for others in my previous self-reviews.
@@ -4,7 +4,8 @@ This is a GitHub Action that uploads nightly builds to the [scientific-python ni | |||
as recommended in [SPEC4 — Using and Creating Nightly Wheels][]. | |||
|
|||
In a GitHub Actions workflow (`.github/workflows/*.yaml`), use the | |||
following snippet to upload built wheels to the channel: | |||
following snippet on a Linux or macOS runner to upload built wheels to the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Adding this as we've gotten questions in the past about what runner OS are supported and this PR extends support beyond Linux.
uses: prefix-dev/setup-pixi@ba3bb36eb2066252b2363392b7739741bb777659 # v0.8.1 | ||
with: | ||
cache: true | ||
cache-write: ${{ github.event_name == 'push' && github.ref_name == 'main' }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This still holds true, but worst case scenario we cache for some and not others and I think that's okay.
@scientific-python/nightly-wheels-developers this is now ready for review. As I had this in draft before to figure things out I've intentionally squashed and rebased this so that it will be easier to follow my actual intended changes from both the GitHub UI and from a local checkout. @pavelzw @ruben-arts as you've contributed the most to the edit: Also pinging @stefanv too as he's not on the @scientific-python/nightly-wheels-developers list but was kind enough to give an initial review. :) |
Thanks for reviewing for @scientific-python/nightly-wheels-developers, @MridulS! 🙏 If we're able to get one more review from another @scientific-python/nightly-wheels-developers person that would be great, but if no one else reviews by Tuesday (2024-10-01) I'll go ahead and squash and merge. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, thank you @matthewfeickert for the refactor!
Thanks @bsipocz! I'm going to do a relock and it there's any changes to a rebase and push and then squash and merge this. I'll then update the |
* Use pixi to manage the environment fully, which removes the needs for micromamba and a Linux container, allowing the action to be run as a 'composite' action. - This allows the action to be used on macOS runners in addition to Linux. - Add pixi project configuration and pixi lock file. - Add 'osx-64' and 'osx-arm64' platforms to pixi environment solves to allow for use on Linux and macOS runners. - Use prefix-dev/setup-pixi GitHub action to setup pixi for the action. - Explicitly enable the 'locked' option for prefix-dev/setup-pixi. - Don't allow for post job cleanup to avoid errors if the action is run multiple times in a workflow (this is a downside of no longer being in a Linux container). - Note: GitHub Actions takes care of cleaning up the environment after each run, so you are not responsible for manually unsetting all environment variables between steps to avoid secret leakage. - Make cmd.sh executable (chmod +x). * Remove use of micromamba in the upload script. * Remove the conda-lock files and the Docker based locking workflow. * Remove Dockerfile. * Note in the README that the runner used can be either Linux or macOS. * Update version numbers of action to v0.5.0.
* As the script is no longer the CMD of a Linux container but is now a standalone Bash script, having a more descriptive name is preferable.
1f08c30
to
6f223fe
Compare
Resolves #71
Description
Use
pixi
to manage the environment fully, which removes the needs formicromamba
and a Linux container, allowing the action to be run as a 'composite' action.pixi
project configuration (pixi.toml
) andpixi
lock file (pixi.lock
).prefix-dev/setup-pixi
GitHub action to setuppixi
for the action.prefix-dev/setup-pixi
.cmd.sh
executable (chmod +x
).Remove use of micromamba in the upload script.
Remove the conda-lock files and the Docker based locking workflow.
Remove
Dockerfile
.Note in the README that the runner used can be either Linux or macOS.
Update version numbers of action to
v0.5.0
.Rename script from
cmd.sh
toupload_wheels.sh
.Note
GitHub Actions takes care of cleaning up the environment after each run, so you are not responsible for manually unsetting all environment variables between steps to avoid secret leakage.