[WIP] chore: clarify build dependencies for future hermetic builds #10039
Conversation
Remove `eslintrc` references to outside directories, consolidate
`.gitignores`.
Annotate package.jsons with a new field "ostools" which the new
build tool needs to build a properly hermetic build environment.
Replace `require('../.....')` in integ-helpers.
Add undeclared `@types` dependencies missing in various `package.json`s.
Turn straggling eslint.json into an eslintrc.js.
Stop relying on ambient import of `@types/aws-lambda`, it doesn't
play well with downstream packages. Make it an explicit import.
Rewrite cloudformation-include/decdk/monocdk codegen scripts to be
out-of-source-build aware.
rix0rrr
changed the title
| const baseConfig = require('cdk-build-tools/config/eslintrc'); | ||
| baseConfig.parserOptions.project = __dirname + '/tsconfig.json'; | ||
| module.exports = baseConfig; | ||
| // This cannot reference the build rules from cdk-build-tools as this |
There was a problem hiding this comment.
The content here is not equivalent to the imported eslintrc.js anymore (the style part has evolved). I understand the circular dependency issue here, how about moving the /config part of cdk-build-tools to a separate package cdk-build-tools-config?
@rix0rrr does this mean that I will be able to "sync/download" those artifacts to my local dev env from a public S3 (updated by the CI)? |
That's the idea, yes. |
| @@ -7,6 +7,10 @@ import { Stack } from '@aws-cdk/core'; | |||
| import { NodejsFunction } from '../lib'; | |||
| import { Bundling } from '../lib/bundling'; | |||
|
|
|||
| const PROJECT_ROOT = process.env.NZM_SOURCE_PACKAGE | |||
There was a problem hiding this comment.
Is there a way to avoid taking this dependency on the nozem
Environment?
There was a problem hiding this comment.
I don't think so. I'll be honest with you, the aws-lambda-nodejs package is the bane of my existence here.
In this case, this exists to tell it where the .git directory of the source repository is. I don't know why it needs to know that, but right now I'm just telling it in an attempt to get the build to pass.
There was a problem hiding this comment.
We lookup the project root because this is what we mount as /asset-input to be sure to have access to all node modules and dependencies when bundling in the container. Would a fallback on looking for a lockfile (yarn.lock, package-lock.json) improve things here?
There was a problem hiding this comment.
I feel auto discovery of the project root is a source of confusion and odd issues for many users. Maybe we should just make that explicitly required?
There was a problem hiding this comment.
I think it's nice to have it auto discovered.
What about this?
// Find project root
const projectRoot = options.projectRoot
?? findUp(`.git${path.sep}`)
?? findUp('yarn.lock')
?? findUp('package-lock.json')
?? findUp('package.json');here
aws-cdk/packages/@aws-cdk/aws-lambda-nodejs/lib/bundling.ts
Lines 117 to 121 in 9ffb268
There was a problem hiding this comment.
Using a lockfile in this case also doesn't help me. I'm trying to do an isolated build of the package. There's a yarn.lock somewhere but you shouldn't care about that.
My build script has set up the build environment exactly as Node-based tools should expect it (node_modules in the right place and everything). There's no yarn.lock or package-lock.json in sight.
There was a problem hiding this comment.
But there's a package.json right? so it should work.
| @@ -7,14 +7,23 @@ class TestStack extends Stack { | |||
| constructor(scope: Construct, id: string, props?: StackProps) { | |||
| super(scope, id, props); | |||
|
|
|||
| const projectRoot = process.env.NZM_PACKAGE_SOURCE | |||
There was a problem hiding this comment.
Feels odd that we will need to do that everywhere
There was a problem hiding this comment.
That's the least odd part about it. If we need to do it once we need to do it everywhere :)
|
@jogold is the regular aws-lambda-nodejs build supposed to use a Docker build or a Local build? Right now I'm seeing this and I have no idea what I'm supposed to expect: |
|
Does it work when not forcing Docker for |
It's |
|
A local bundling fails with Not quite sure why parcel needs us to depend on |
It's a dev dependency to allow one of the integ test to run locally... |
|
But that's apparently not what it's doing--it's searching for |
|
I guess I'll just add the dependency on |
|
I think that there is an issue when then somehow Can you give me the tools to reproduce (nozem setup etc.) so I can try to fix this? |
|
For this error (when Docker ran):
The fix is here #10181 (would allow to revert the change on |
rix0rrr
changed the title
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Enhance our `package.json`s with enough information to make hermetic, cacheable builds possible. Mostly consists of: * Adding missing `@types/*` packages to `devDepencendies` everywhere. Those dependencies were always required but undeclared. * Add `nozem.ostools` to various packages to indicate the non-hermetic binaries these scripts depend on. * Add `/// !cdk-integ pragma:ignore-assets` to all integ tests that use assets. * Fix some `.gitignores` that were ignoring files that were already committed inside git. * Update `pkglint` to not be reliant on its *own* location inside the monorepo, but instead search upwards for the monorepo root from the package it's checking. To give this a shot yourself, run: ``` $ npx nozem ``` This is a revival of #10039, which is now obsolete. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…4341) Enhance our `package.json`s with enough information to make hermetic, cacheable builds possible. Mostly consists of: * Adding missing `@types/*` packages to `devDepencendies` everywhere. Those dependencies were always required but undeclared. * Add `nozem.ostools` to various packages to indicate the non-hermetic binaries these scripts depend on. * Add `/// !cdk-integ pragma:ignore-assets` to all integ tests that use assets. * Fix some `.gitignores` that were ignoring files that were already committed inside git. * Update `pkglint` to not be reliant on its *own* location inside the monorepo, but instead search upwards for the monorepo root from the package it's checking. To give this a shot yourself, run: ``` $ npx nozem ``` This is a revival of aws#10039, which is now obsolete. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…4341) Enhance our `package.json`s with enough information to make hermetic, cacheable builds possible. Mostly consists of: * Adding missing `@types/*` packages to `devDepencendies` everywhere. Those dependencies were always required but undeclared. * Add `nozem.ostools` to various packages to indicate the non-hermetic binaries these scripts depend on. * Add `/// !cdk-integ pragma:ignore-assets` to all integ tests that use assets. * Fix some `.gitignores` that were ignoring files that were already committed inside git. * Update `pkglint` to not be reliant on its *own* location inside the monorepo, but instead search upwards for the monorepo root from the package it's checking. To give this a shot yourself, run: ``` $ npx nozem ``` This is a revival of aws#10039, which is now obsolete. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR is in preparation of future changes. It cleans up various parts of our build process that made it impossible to build packages individually, including:
node_modulesdependencies that were used but not declared, and happened to work because they were hoisted byyarn(not the runtime ones, because we have aneslintrule for that, but mostly around command-line tools and typings).This is all in preparation for a potential future new build tool that can build in isolation and can aggressively cache artifacts (locally and in S3). You can try it today:
New concepts introduced as part of this change: I've added some annotations into the
package.jsons that are needed bynozemto do a proper hermetic build. Notably: tell it what type of OS tools are necessary in order to execute the build (sed/grep/awk/docker/...).The build tool is not production-quality yet and this is not a bid to switch over to it. However, it's starting to be onerous to maintain these changes in a separate branch, so I'd like to start merging them in.
Not everything builds yet but we have to start somewhere.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license