Migrate from Azure to GH Actions #1306
Conversation
|
@wholmgren when you get a chance could you set up repo secrets for PSM3 and BSRN? I don't want to fiddle with codecov until the tests pass as expected. No rush of course :) |
|
@kanderso-nrel sorry for the delayed response. I just added the secrets. Not sure if either CI is actually case sensitive but GitHub appears to require all caps for secrets so it's now |
|
There's a bit of a problem -- turns out github secrets aren't available to PRs opened from forks. I think the values are being set to the empty string. This page lists some workarounds: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ But it got me wondering if maybe we should stop running the One downside I can think of is that it would complicate calculating coverage on PRs, but maybe that is easy to solve with a sprinkling of I guess another option is to not run just tests that require secrets, which is a subset of all the |
|
Unrelated to this github actions business, Azure and RTD are both timing out on things related to forecasts:
https://readthedocs.org/projects/pvlib-python/builds/14923696/ |
|
The linked securitylab article suggested applying labels as a workaround. It mentioned they could be prone to human error but I don't think it matters here. Anyways, my thought is we create a new label "remote data" and maintainers only apply it to PRs that need remote data testing. Then GitHub runs a test job with This is also another reason to prefer mocked remote data tests. Finally I support running jobs on a schedule in general, but I don't think that solves this problem because we really need the coverage report before the PR is merged. |
kandersolar
force-pushed
the
github_actions
branch
from
6904d52 to
4c2e755
Compare
|
@wholmgren do you agree that these pvlib-python/ci/azure/conda_linux.yml Lines 55 to 56 in 8d0f863 Maybe a copy/paste artifact from here? https://github.com/codecov/example-azure-pipelines They show up as independent coverage calcs here: https://app.codecov.io/gh/pvlib/pvlib-python/compare/1306?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=checks&utm_campaign=pr%20comments&utm_term=pvlib Asking because if |
|
@kanderso-nrel I think you're probably right, but it's been a long time since I carefully looked at any of this. It does feel like it's suboptimal. |
kandersolar
added
remote-data
|
Check out this mamba github action as an alternative to the conda action. I don't have experience with either action, but I've recently started using mamba and it is way faster than conda for non-trivial environments. I'm guessing it would take a minute off the CI runs that don't use a cached environment. But certainly fine to stick with the conda action. |
|
I think this is finally ready for review. The main challenge in supporting two sets of tests (one required, one optional) was getting coverage calculation and reporting to do something that made sense. I ended up at one github actions workflow per test group and keeping track of coverage for each of the two groups using codecov's "flags" feature. Unfortunately there's a lot of copy/paste between the two workflow files; since the two workflows are triggered differently, I think that might just be something we have to live with. Hopefully the notes in the files are sufficient explanation for the rest of what's going on here. Here are two example PRs I opened over on my fork:
Still to-do: nix Azure. I can remove the Azure config files in this PR but I think someone else will need to disable the integration on Azure's side.
Looks cool and worth exploring (conda is ~70% of total time in some of these jobs!), but I would rather explore it in a separate PR 👍 |
|
Regarding the copy-paste for the remote data workflow, did you look into https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow ? My impression is that it provides enough configurability that it might work, but wouldn't be surprised if I'm missing something. |
|
While deleting the Azure config I noticed that I had forgotten about the
I did not look into that. I agree it seems like it could work for us. Perhaps we can take that as another possible future improvement in the interest of getting this merged before I lose momentum again :) |
The point of that job was to actually publish to PyPI - it had nothing to do with testing. Testing that the package can be built sounds like a good idea, but I think that would be a separate job, perhaps with fail on warnings if possible. There's probably some github actions dependency workflow that can allow a publish job to leverage a build job. All that is certainly fine to leave for future work.
+1 |
|
Ok, I guess it's time to hit merge here. Since this is a change which is not very easy to test, I suggest we all scrutinize the CI more than usual for a while to make sure it's doing what we want it to do :) We'll also need to merge/rebase open PRs on master for the new CI to kick in. I'll submit issues to track the "future improvement" items (mamba, reusable workflows, distribution builds) shortly. |
|
I deleted the azure devops project. |
* add pytest workflow * add some comments * set fail-fast to false * see if secrets work * move --remote-data tests to other workflow * remove secrets from default pytest workflow * simplify bare environment installation * simplify * un-simplify * thrashing around the "debug the CI" morass * fix macos py3.6 * disable codecov upload in azure pipelines * enable codecov in github actions * fix janky coverage hack * undo unnecessary changes to .coveragerc * add label reminder to PR template * rework workflows and codecov * whatsnew * remove azure config files * don't pytest on all pushes, only master * build sdist on PRs * switch to more convenient environment filenames * use most recent checkout action
|
|
||
| on: | ||
| pull_request_target: | ||
| types: [labeled] |
There was a problem hiding this comment.
@kanderso-nrel if we were to delete this line, then we wouldn't have to add and remove the remote-data label every time to trigger the tests.
For PRs that do NOT have the remote-data label, the remote tests would simply be skipped due to the if statement in line 66:
Maybe there are some security aspects that I'm not aware of.
There was a problem hiding this comment.
Having thought about this more, I think this was intentional on my part (see the comments at the top of the workflow file). Removing this line would allow a scenario where someone can submit a benign PR to lure us into adding the remote-data label, then push another commit with malicious content and have the workflow run without our sign off. The way it is now, the workflow cannot run without a maintainer explicitly triggering it.
Whether keeping that security hole plugged is worth the annoyance of repeated labeling is another question...
There was a problem hiding this comment.
PyPI's recent labeling of pvlib as a critical project has me feeling like we should err on the side of caution here. Tests should have a minimum of real API calls anyways - the vast majority should be mocked.
[ ] Closes #xxxx[ ] Tests added[ ] Updates entries todocs/sphinx/source/api.rstfor API changes.docs/sphinx/source/whatsnewfor all changes. Includes link to the GitHub Issue with:issue:`num`or this Pull Request with:pull:`num`. Includes contributor name and/or GitHub username (link with:ghuser:`user`).[ ] New code is fully documented. Includes numpydoc compliant docstrings, examples, and comments where necessary.I've been playing with this on my fork and I think all of these are working correctly:
--remote-dataonly on conda+linuxAll in one workflow, so no separate yml files for each platform. To me this seems like a good thing, but maybe others would prefer separate workflows?
To-do:
NREL_API_KEY,BSRN_FTP_USERNAME,BSRN_FTP_PASSWORD. Someone else will have to do this as I don't have admin access topvlib/pvlib-python. (note that the jobs are going to fail until this happens)