Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🔒 Sign fails if main branch has new commits since release workflow run started #37

Closed
rtyley opened this issue May 24, 2024 · 0 comments · Fixed by #40
Closed

🔒 Sign fails if main branch has new commits since release workflow run started #37

rtyley opened this issue May 24, 2024 · 0 comments · Fixed by #40

Comments

@rtyley
Copy link
Member

rtyley commented May 24, 2024

On a full Main-Branch release, the release will fail at the 🔒 Sign job stage if anyone has added commits to the default branch while the release has been running - this makes a vulnerable period of several minutes where any push to main branch will break the release:

image
image

error: failed to push some refs to 'https://github.com/guardian/thrift-serializer'
hint: Updates were rejected because the remote contains work that you do not
hint: have locally. This is usually caused by another repository pushing to
hint: the same ref. If you want to integrate the remote changes, use
hint: 'git pull' before pushing again.
hint: See the 'Note about fast-forwards' in 'git push --help' for details.

How likely is this to happen?

It seems relatively common:

...for instance, this would happen if someone started a release, and in the next 5 minutes realised they wanted to update the ReadMe file.

What goes wrong?

The release process is trying to 'fast-forward' the main branch, so that the main branch is just one commit further along from when the release started (with the release commit that the process already created on the release-workflow/temporary/xxx branch) ...but that would mean wiping out that new work on the main branch, and git won't let us do that - not without force-pushing the branch, and we wouldn't want to do that anyway!

if [ "${{ needs.init.outputs.release_type }}" == "FULL_MAIN_BRANCH" ]
then
echo "Full Main-Branch release, fast-forwarding the default branch to the release commit"
git log --oneline -n 3
git push origin $RELEASE_COMMIT_ID:refs/heads/$GITHUB_REF_NAME

main-release

A rule in git is that a 'fast-forward' fails if it would mean rewriting history. This happens if any new commits have been added to the main branch since the workflow run started and captured GITHUB_SHA (the SHA id of the commit that triggered the workflow - the commit we branch from).

Should this be fatal?

Maybe not? We could be more flexible, and do a merge of the temporary-release branch into main, rather than a fast-forward - see PR #40.

@rtyley rtyley changed the title Don't be too shallow Are shallow git clones problematic if people are updating the repo at the same time...? Jun 11, 2024
@rtyley rtyley changed the title Are shallow git clones problematic if people are updating the repo at the same time...? 🔒 Sign fails if main branch has new commits since the release workflow run started Jun 21, 2024
@rtyley rtyley changed the title 🔒 Sign fails if main branch has new commits since the release workflow run started 🔒 Sign fails if main branch has new commits since release workflow run started Jun 21, 2024
@rtyley rtyley closed this as completed in 5f9ba7b Jun 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
1 participant