build: fall back to previous image version on release PRs#12848
build: fall back to previous image version on release PRs#12848
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a fallback mechanism for the hermetic library generation script. When a release PR branch is detected, the script attempts to pull the specified Docker image; if it fails, it tries to extract and use the image tag from the target branch's workflow configuration. The review feedback suggests improving the robustness of the tag extraction logic to better handle potential multiple matches, comments, or colons within the YAML file.
meltsufin
force-pushed
the
release-please--fix-12825
branch
from
6880d59 to
def6f2d
Compare
The library generation pipeline fails on release PRs because it attempts to pull a Docker image version that has not yet been built or pushed to the registry. This PR adds a fallback mechanism in hermetic_library_generation.sh to use the previous version of the image from the main branch if the requested version fails to pull on a release PR. To verify this in CI, this branch is named with the prefix 'release-please--' to simulate a release PR. Fixes #12825
meltsufin
force-pushed
the
release-please--fix-12825
branch
from
def6f2d to
823b98c
Compare
|
Fallback validated in a separate release simulation PR #12849: |
| echo "Detected release PR branch: $current_branch" | ||
| if ! docker pull "${IMAGE_NAME}:${image_tag}"; then | ||
| echo "Image not found for version ${image_tag}. Falling back to previous version from ${target_branch}." | ||
| previous_tag=$(git show "${target_branch}":.github/workflows/hermetic_library_generation.yaml | grep -m 1 "^[[:space:]]*image_tag:" | cut -d ':' -f 2- | cut -d '#' -f 1 | xargs || true) |
There was a problem hiding this comment.
The main branch is updated through a snapshot version of the container. Using an old version brings the change back.
Blake wrote:
The flow after migration is:
every commit to main triggers a Cloud Build job ->
create a snapshot hermetic image ->
nightly generation uses the latest snapshot image to regenerate the whole repo
-> google-cloud-java release
There was a problem hiding this comment.
Can you clarify what is the problem?
Since Release Please PRs only update versions and changelogs and do not modify the generator itself, using the previously pushed image from the latest commit in main should be safe. It should not produce regressions because the generation logic is identical to what produced the current state of main.
There was a problem hiding this comment.
using the previously pushed image from the latest commit in main
If that's the case (it's using the latest pushed snapshot image), then that's good. I was under the impression that the "previous image version" to be the one published in the previous release cycle (2 weeks ago). Can you confirm which is the case?
For reference, I got 2.71.0 from this command:
suztomo@suztomo:~/migration-work/google-cloud-java$ git show "${target_branch}":.github/workflows/hermetic_library_generation.yaml | grep -m 1 "^[[:space:]]*image_tag:" | cut -d ':' -f 2- | cut -d '#' -f 1 | xargs || true
2.71.0
There was a problem hiding this comment.
Since Release Please PRs only update versions and changelogs and do not modify the generator itself
But the image contains the generator, I think this does introduce risks as @suztomo mentioned.
There was a problem hiding this comment.
Why don't we just use the "latest" tag? The intention is more clear than these if-statements and $(git show "${target_branch}":.github/workflows/hermetic_library_generation.yaml | grep -m 1 "^[[:space:]]*image_tag:" | cut -d ':' -f 2- | cut -d '#' -f 1 | xargs || true).
There was a problem hiding this comment.
@blakeli0 Can you please explain the risk a bit more? As far as I understand, the image gets rebuilt on push to main and tagged with :latest and :{version}. The version tag is floating to the latest build from that branch. So, a release pull request targeting that branch should be able to use the latest image at last version safely because it should have no functional difference with the release commit version of the generator.
There was a problem hiding this comment.
Does the script checking for previous SNAPSHOT versions as well? If yes, then we should be good.
There was a problem hiding this comment.
Yes, it should always use gapic-generator-java:current version, which would at times have -SNAPSHOT.
| echo "Detected release PR branch: $current_branch" | ||
| if ! docker pull "${IMAGE_NAME}:${image_tag}"; then | ||
| echo "Image not found for version ${image_tag}. Falling back to previous version from ${target_branch}." | ||
| previous_tag=$(git show "${target_branch}":.github/workflows/hermetic_library_generation.yaml | grep -m 1 "^[[:space:]]*image_tag:" | cut -d ':' -f 2- | cut -d '#' -f 1 | xargs || true) |
There was a problem hiding this comment.
Since Release Please PRs only update versions and changelogs and do not modify the generator itself
But the image contains the generator, I think this does introduce risks as @suztomo mentioned.
|
|
||
| # run hermetic code generation docker image. | ||
| # Attempt to pull the image to see if it exists on release PRs. | ||
| if [[ "$current_branch" =~ ^release-please-- ]]; then |
There was a problem hiding this comment.
We could create release-please PRs from CLI as well.
There was a problem hiding this comment.
That's fine, as long as the branch prefix is release-please--.
There was a problem hiding this comment.
But that means we have to remember using release-please-- as the branch name, is there any harm we do this for every branches?
There was a problem hiding this comment.
You shouldn't have to use the Release Please CLI going forward which should eliminate the need to remember the branch prefix. The risk of always falling back is that if someone configures and invalid generator version, they won't get a CI failure as feedback.
suztomo
left a comment
suztomo
left a comment
There was a problem hiding this comment.
Approving but please consider whether to use the "latest" tag.
| echo "Detected release PR branch: $current_branch" | ||
| if ! docker pull "${IMAGE_NAME}:${image_tag}"; then | ||
| echo "Image not found for version ${image_tag}. Falling back to previous version from ${target_branch}." | ||
| previous_tag=$(git show "${target_branch}":.github/workflows/hermetic_library_generation.yaml | grep -m 1 "^[[:space:]]*image_tag:" | cut -d ':' -f 2- | cut -d '#' -f 1 | xargs || true) |
There was a problem hiding this comment.
Why don't we just use the "latest" tag? The intention is more clear than these if-statements and $(git show "${target_branch}":.github/workflows/hermetic_library_generation.yaml | grep -m 1 "^[[:space:]]*image_tag:" | cut -d ':' -f 2- | cut -d '#' -f 1 | xargs || true).
@suztomo I think using the version in the target branch is more robust because it allows the code to support multiple branches with different versions of the generator. |
meltsufin
force-pushed
the
release-please--fix-12825
branch
from
9a162ab to
ef92609
Compare
| @@ -1,4 +1,3 @@ | |||
| gapic_generator_version: 2.70.0 | |||
There was a problem hiding this comment.
@blakeli0 Note that I'm removing this version declaration because it's confusing as it doesn't get updated, and it's not used anyway.
|
|
3 participants
The library generation pipeline fails on release PRs because it attempts to pull a Docker image version that has not yet been built or pushed to the registry.
This PR adds a fallback mechanism in hermetic_library_generation.sh to use the previous version of the image from the main branch if the requested version fails to pull on a release PR.
To verify this in CI, this branch is named with the prefix 'release-please--' to simulate a release PR.
Fixes #12825