Add automation for updating OpenSSL dependency
#45605
Conversation
|
Review requested:
|
nodejs-github-bot
added
meta
| 1. Check the `CHANGES.md` file in the [repo](https://github.com/quictls/openssl) | ||
| for things that might require changes in Node.js. | ||
| 2. Check the diffs to ensure the changes are right. Even if there are no changes | ||
| in the source, `buildinf.h` files will be updated because they have timestamp |
There was a problem hiding this comment.
Not related to this PR, but we should add a task somwhere to see if we can address this. Having it be more repeatable would be good.
tools/dep_updaters/update-openssl.sh
Outdated
| exit 1 | ||
| fi | ||
|
|
||
| command -v perl >/dev/null 2>&1 || { echo >&2 "Error: 'Perl' required but not installed."; exit 1; } |
There was a problem hiding this comment.
again likely a follow on, but I wonder if we need to pin/capture what versions of perl etc was used. The same might be asked about the environment/os level in the action but. Not a blocker for this PR as we don't specify/fix those when people are running manually today.
|
I'm adding the labels to not backport it to versions that use openssl 1 |
|
This will only create one commit instead of two? I don't know if that will make the PR harder to review. |
Are the changes manually reviewed? Since the update consists a copy-paste of an entire repo followed by regenerating config files programatically, the resulting PRs are pretty big. For example, the latest update in this PR #45309 has changes in 800 files, with I ask because the current CI workflow for creating PRs to update dependencies assume that all dependencies will be updated using a single commit. If there's value in having two commits for OpenSSL we can do it, but it will require modifying that workflow to have a special case for OpenSSL separate from the rest of the dependencies. |
There was a problem hiding this comment.
If there's value in having two commits for OpenSSL we can do it, but it will require modifying that workflow to have a special case for OpenSSL separate from the rest of the dependencies.
There's a value in two commits. The second commit is arch build and normally some errors are caught in this phase (for example, nasm build issue - mentioned in the maintaining guide) so you just need to re-do the second one.
@RafaelGSS do you mean we should have |
Yes, the first option. Triggering it manually through workflow_dispatch. |
|
I think having the ability to trigger it manually would be good, but having a PR auto generated and available when there is a new release seems useful, provided it does not require manual work most of the time. I think for OpenSSL we probably want to try to keep as up to date as possible in the main branch. |
|
The current documentation does say to land as 2 commits so unless its hard/lots of work to do that I'm thinking we should do that now versus later. @richardlau what's your take? |
My take is that the conservative option is the status quo -- two commits. On one hand that allows people to validate the first commit -- you should be able to get the exact same files. Keeping that property may be helpful in the future in terms of potential work around supply chain/verifying our dependencies. The second commit has timestamps and local directories written into it which makes it harder to compare/validate. On the other hand the two commit approach has always been the exception to the
|
@facutuesca I think it would be best to try to implement the 2 commits unless its going to take a larger effort. |
|
It will require including that support in our current tooling (dep_updaters) |
facutuesca
requested review from
mhdawson and
RafaelGSS
and removed request for
mhdawson
|
@mhdawson @RafaelGSS @richardlau I changed it to create 2 commits instead of one. I re-requested reviews since the new approach is different enough that it should be reviewed as a new PR. The things to keep in mind are:
(edit: for some reason I cannot correctly re-request reviews, maybe a permissions issue since I also don't have permissions to add reviewers) |
facutuesca
requested review from
mhdawson
and removed request for
RafaelGSS and
mhdawson
facutuesca
requested review from
RafaelGSS and
mhdawson
and removed request for
RafaelGSS
| persist-credentials: false | ||
| - name: Check if update branch already exists | ||
| run: | | ||
| BRANCH_EXISTS=$(git ls-remote --heads origin actions/tools-update-openssl) |
There was a problem hiding this comment.
I think this block the automatic backport. We won't be able to update v14 and v16 at same time considering the race condition of the branch creation.
So, I'll include the labels dont-land-on-vX and after landing you will need to manually backport and change the branch name to actions/tools-update-openssl-vX.
Does that make sense to you?
There was a problem hiding this comment.
This is the same logic used for the other deps. See this line from the current dependency update action:
node/.github/workflows/tools.yml
Line 153 in 9b1ed04
As far as I understand, this would be already an issue for corepack, eslint, etc right? Since the branches created for them are called tools-update-corepack and tools-update-eslint without mentioning the Node version.
Do you know how those are handled currently?
There was a problem hiding this comment.
I don't think we have different versions of eslint/corepack in each release line. Could you check if the bot has ever opened PR targeting other branches instead of main?
There was a problem hiding this comment.
The bot will not because the automatic scheduled runs only happen on the default branch:
https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
Scheduled workflows run on the latest commit on the default or base branch.
| # Only run rest of the workflow if the update branch does not yet exist | ||
| if: ${{ env.BRANCH_EXISTS == '' }} | ||
| run: | | ||
| NEW_VERSION=$(gh api repos/quictls/openssl/releases -q '.[].tag_name|select(contains("openssl-3"))|ltrimstr("openssl-")' | head -n1) |
There was a problem hiding this comment.
this also blocks the automatic backport to v14.x. We use the original repo on v14.x
There was a problem hiding this comment.
Does v14.x have any existing action for dependency updates? I could not find any
There was a problem hiding this comment.
Currently there is no automation via Actions for dependency updates for any version of Node.js outside of the main branch.
RafaelGSS
added
the
dont-land-on-v18.x
Add a Github Action that checks for new versions of the `OpenSSL` library, and creates a PR to update it if a newer version than the one present in the repo is found. Refs: nodejs/security-wg#828
|
ping @mhdawson |
Add a Github Action that checks for new versions of the `OpenSSL` library, and creates a PR to update it if a newer version than the one present in the repo is found. Refs: nodejs/security-wg#828 PR-URL: #45605 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
|
Landed in c4103c1 |
Add a Github Action that checks for new versions of the `OpenSSL` library, and creates a PR to update it if a newer version than the one present in the repo is found. Refs: nodejs/security-wg#828 PR-URL: #45605 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Add a Github Action that checks for new versions of the `OpenSSL` library, and creates a PR to update it if a newer version than the one present in the repo is found. Refs: nodejs/security-wg#828 PR-URL: #45605 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Add a Github Action that checks for new versions of the
OpenSSLlibrary, and creates a PR to update it if a newer version than the one present in the repo is found.Refs: nodejs/security-wg#828