-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve migration docs #220
base: master
Are you sure you want to change the base?
Improve migration docs #220
Conversation
A little late here but if you are willing to rebase, we have got the examples update so we can safely remove them from this PR. Thanks for the help! |
85963be
to
09be881
Compare
I've rebased the PR as requested. Note: You can safely enable the CircleCI -> Project settings -> Advanced "Build forked PRs" flag for this PR ... and once this is merged, you can safely leave it enabled because this PR turns off the dev-publish job (which requires a context) for forked PRs. (and if you update other orbs' test-deploy.yml files to follow this pattern, you can then enable forked-PR builds for those too, which will really help non-CircleCI folks contribute usefully to the orb code and generally make your job a little easier 😉) PS. ensure that the "Pass secrets to builds from forked pull requests" flag is OFF (it defaults to "on"). That setting should never be "on" for a publicly-visible repo. |
Highly appreciate the help. Unfortunately it was not (only) the publish job that forces us to disable forked builds. We may still experiment with turning it back on, but the original reason was due to crypto miners. We used to get a LOT of spam PRs that totally changed the config to mine crypto. We actually have a config policy feature that I haven't yet to dove too deeply into which can probably help too. |
Crypto miners? Wow - that's "unsociable" ... but I guess it's not entirely unexpected; any loophole will be exploited if it can be. I've been told that OPA config policies are "the CircleCI answer" to all of those security concerns ... although I've personally found that OPA syntax rather difficult; if you do find an answer then please do share because we want to have some of our own CircleCI builds be public and forkable too... |
.circleci/test-deploy.yml
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove all changes to the CI process to keep this a docs only change. Was there a reason for these config changes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reasons are two-fold.
Improved example of how to build an orb
This orb is the orb that builds orbs; it is "the primary source of truth" when it comes to building orbs.
As a result, the documentation here (especially the example code) in this orb contains the most "official" recommendation for how to build an orb.
This PR updates the example orb-build code such that CI builds from forked-PRs don't try to do a dev-publish (as they wouldn't have access to the context, e.g. as demonstrated by the failure in this orb PR).
i.e. this makes the orb build process suitable for use "in the more general usecase".
This change is an essential step on the road towards enabling forked-PR builds on CircleCI's public orbs.
While I accept that this step isn't the only thing that'll need to change (as per your previous comments about malicious PRs), it is the only thing that will need to change within this orb's source code - all the other concerns will be solved by changes in other places.
i.e. this change to "how we should all be building orbs" is "the final link in the chain" towards having viable public CI builds of forked-PRs on orb code.
Dogfooding
aka "Eating your own dog food" aka "Drinking our own champagne".
If we're going to tell everyone else to do this, we should "Put our money where our mouth is" and do it ourselves.
... and because this orb is, itself, an orb, it should follow its own recommendations (otherwise we'll look insincere and hypocritical).
In summary
We should all be doing orb builds in a forked-PR-friendly manner, including CircleCI's orb-tools orb.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While I agree with the changes shown here should be added, we can not accept them as part of the same PR that makes changes to the docs, as we are going to be required to squash the commits and rename them using our conventional commit standard.
I recommend we break this up into at least two separate PRs, one for the migration guide, and one for the CI and usage example changes.
src/examples/step2_test-deploy.yml
Outdated
filters: | ||
tags: | ||
only: /.*/ | ||
- orb-tools/publish: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure we need to bake in the dev orb publishing process by default. It may be good for documentation but I'm worried it could also complicate the example as it is not a required step.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess it depends what you mean by "required".
I mean, strictly speaking, folks could code an orb by doing cat | curl -X POST ... and then typing really carefully. It wouldn't be an efficient coding method ... but it is possible.
Similarly, folks don't need to run shellcheck, bats etc; it's not "required" but it is very much recommended.
A "normal" and productive orb development method is to commit to a PR branch and make use of the dev-published version of the orb it generates.
e.g. Most of the time I'm writing orb code, it's for a specific usecase where I've got a build (somewhere else) that needs "the thing I'm writing in the orb", and so after I've done a dev orb publish, I'll go tell my other build to use that dev orb "to prove it works in the real world".
It's incredibly rare that I'll go straight from "build was green" to "release an official version", so it's very rare that I won't want a dev publish, and if I really didn't want one, I could always comment out that bit of the build in my PR. Commenting out code is a lot easier than adding it.
IMO, if we're only going to have one single usage example, that example ought to be "an example of best practice" ... and IMO most users will want dev publishes (not on forked PRs of course, but on internal ones).
So, while I agree that it does make things a little more complicated, if we remove it then either "just about everyone" will need to manually re-add it or they'll end up developing orbs without access to this almost indispensable feature and find that they're making their development experience needlessly hard.
TL;DR: I understand your concerns ... but I disagree 😉
.circleci/test-deploy.yml
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While I agree with the changes shown here should be added, we can not accept them as part of the same PR that makes changes to the docs, as we are going to be required to squash the commits and rename them using our conventional commit standard.
I recommend we break this up into at least two separate PRs, one for the migration guide, and one for the CI and usage example changes.
OK, understood. (Sorry for the delay in responding; had an end-of-year work-rush, followed by xmas break. I'll get on with this as soon as I've cleared the holiday backlog) |
I've split this PR up. See #229 and #230.
|
The existing v11 -> v12 migration documentation is missing some necessary information.
The net effect is that, if one follows the documented migration process as-is, it doesn't work.
This PR, together with #229 and #230, fixes that.
... and also makes this orb's test-deploy (step2) build "practise what it preaches" by avoiding the dev-publish step for forked-PR builds (as they should fail to get a context).