[MDBF-523] protect branches against cross-version pushes Created: 2023-01-16  Updated: 2023-01-30

Status: Open
Project: MariaDB Foundation Development
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Critical
Reporter: Sergei Golubchik Assignee: Vicențiu Ciorbaru
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File screenshot-1.png    

 Description   

last weekend a 10.5 merge was mistakenly pushed into 10.4. To fix that I had to force-push into the main 10.4 branch. This is a very expensive fix and it would be best if branch protection would prevent such pushes in the future.

To this it buildbot needs to ensure that a 10.5 commit, won't be allowed into 10.4. To do it buildbot can provide a set of dummy builders that don't build anything but only look at the VERSION file and immediately return whether it matched the builder name. That is, builder names are, like, ok-10.3, ok-10.4, ok-10.5, etc. Then any bb-10.5-merge push will pass ok-10.5, but will fail ok-10.4, and the latter builder will be required for any push into 10.4

 Comments   
Comment by Daniel Black [ 2023-01-17 ]

Could also use a check app.

A GH Action might be a quick way.

.github/workflows/versioncheck.yml

name: version check
 
on:
 
   pull_requests:
 
      branches:
 
         - '[1-9][0-9].[0-9]+'
 
      paths:
 
        - VERSION
 
jobs:
 
  version_check:
 
     if: github.actor != 'dbart'
 
     runs-on: ubuntu-latest
 
     steps:
 
        - run: echo "version changes by dbart only"
 
        - run: false

So only dbart can bump VERSION in a pull request. As a required workflow in branch protection.

Comment by Daniel Black [ 2023-01-18 ]

The case that caused the failure was:

git push bb-10.5-xxx
 
# build/branch protection passed
 
git push HEAD:10.5
 
# succeeded as expected
 
git push HEAD:10.4
 
# succeeded, as branch protection passed and linear path from 10.4 to the lastest commit existed (via 1000 commits). This is the case to prevent.

Comment by Daniel Black [ 2023-01-20 ]

serg, as buildbot the github status checks only run on committed code, the only way to prevent changes like the mistake that happened is to "Require a pull request before merging" in the branch protection.

With this failures will occur like https://github.com/grooverdan/mariadb-server/pull/5

For the convenience of workflows github has an automerge which enabled those with write access to the repository.

After a PR is created those with access have an option to mark the PR as automerge where passing the protected branches (and the version check) will auto merge the PR.

Comment by Daniel Black [ 2023-01-30 ]

Protection of submodule changes (e.g. dc646c23897802bb634a1c95afde6f854a49ebb1) could be done also. Who's on the list for this? (if desired).

Generated at Thu Feb 08 03:38:30 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.