-
-
Notifications
You must be signed in to change notification settings - Fork 422
[skip changelog] Detect unused dependency license metadata files #1712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The "Check Go Dependencies" GitHub Actions workflow checks for dependencies with incompatible or unapproved license types. The dependency license metadata consumed by the "Licensed" tool is cached in the project repository, in a dedicated file for each dependency. The `check-cache` job of the workflow checks whether that cache is in sync with the project's current dependencies. It does this by using the "Licensed" tool to update the cache and then a `git diff` command to check whether that resulted in any changes (which would indicate it is out of sync). Out of sync states could result from any of three distinct conditions: - Missing metadata file - Incorrect metadata file contents - Superfluous metadata file An incorrectly configured `git diff` command previously caused the last of these to be missed. My first take at this system was simply using `git diff --exit-code` alone. That detects the last two, but misses the first. I added the `git add --intent-to-add .` command to detect added files, but didn't realize that it caused the last to be missed. Superfluous files in the dependency license metadata cache won't actually interfere with its intended functionality, but it is still important to avoid an accumulation of unused files. The new commands will catch all three of the possible out of sync conditions by staging all changes that result from the metadata cache update to the repository and then comparing those against the `HEAD` commit. I considered an alternative approach which works just as well as the chosen one: ``` git add . git diff --exit-code HEAD ``` However, I feel that the `--cached` flag makes the `git diff` command more self-explanatory.
@per1234
per1234
added
topic: infrastructure
Related to project infrastructure
type: imperfection
Perceived defect in any part of project
labels
Apr 15, 2022
umbynos
umbynos
approved these changes
Apr 15, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please check if the PR fulfills these requirements
before creating one)
our contributing guidelines
(削除) [N/A] Tests for the changes have been added (for bug fixes / features) (削除ここまで)(削除) [N/A] Docs have been added / updated (for bug fixes / features) (削除ここまで)(削除) [N/A]UPGRADING.mdhas been updated with a migration guide (for breaking changes) (削除ここまで)Bug fix
The "Check Go Dependencies" GitHub Actions workflow checks for dependencies with incompatible or unapproved license types.
The dependency license metadata consumed by the "Licensed" tool is cached in the project repository, in a dedicated file for each dependency.
The
check-cachejob of the workflow checks whether that cache is in sync with the project's current dependencies. It does this by using the "Licensed" tool to update the cache and then agit diffcommand to check whether that resulted in any changes (which would indicate it is out of sync).Out of sync states could result from any of three distinct conditions:
🐛 An incorrectly configured
git diffcommand previously caused the last of these to be missed.For example, here an unnecessary dependency license metadata file is introduced into the repository:
c3b7aa5
🐛 However, the
check-cachejob run for that commit passed:https://github.com/arduino/arduino-cli/runs/6009282571
My first take at this system was simply using
git diff --exit-codealone. That detects the last two, but misses the first. I added a precedinggit add --intent-to-add .command to detect added files, but didn't realize that it also caused the last condition to be missed.Superfluous files in the dependency license metadata cache won't actually interfere with its intended functionality, but it is still important to avoid an accumulation of unused files.
The new commands will catch all three of the possible out of sync conditions by staging all changes that result from the metadata cache update to the repository and then comparing those against the
HEADcommit.Demonstration of the superfluous file being caught by the version of the
check-cachejob from this PR:https://github.com/per1234/arduino-cli/runs/6036878271?check_suite_focus=true
And then passing after the file is removed:
https://github.com/per1234/arduino-cli/runs/6036924036?check_suite_focus=true
titled accordingly?
No breaking change.
Related discussion here : #1711 (comment)
I considered an alternative approach which works just as well as the chosen one (explanation of the two approaches here):
However, I feel that the
git diffcommand with the--cachedflag is more self-explanatory.