Implement #194: remove latest composer deps from default generated pipelines
#197
Conversation
| @@ -0,0 +1,10 @@ | |||
| { | |||
There was a problem hiding this comment.
I'm checking whether latest still works here: will see.
|
@boesing do you have any tip about where to document the dependency upgrade endorsement, perhaps? 🤔 |
Ocramius
force-pushed
the
feature/#194-stop-testing-latest-dependencies-by-default
branch
from
51415e2
to
80449e9
Compare
|
Added some docs meanwhile, unsure if sufficient :) |
Ocramius
force-pushed
the
feature/#194-stop-testing-latest-dependencies-by-default
branch
from
80449e9
to
3c7580a
Compare
Ocramius
requested review from
boesing,
internalsystemerror,
weierophinney and
Xerkus
…erated pipelines This change removes `latest` from default composer dependencies in the generated CI matrix. The rationale is that `latest` dependencies tend to break our builds, and we usually run @renovate-bot or @dependabot on our repositories, keeping both `composer.json` and `composer.lock` fairly updated. Because of this kind of disciplined approach, we can assume that `latest` dependencies are already regularly tested by refreshing `composer.lock` regularly, and further testing with explicit `composer update` is considered risky, because it moves into unexplored land, breaking builds that are otherwise quite stable. We also don't want to break builds by contributors, or builds that upgrade perfectly safe to upgrade dependencies, just because a specific `latest` upstream dependency broke, and we didn't really touch it. The final objective is that CI can break, but only in commits that change `composer.json` and `composer.lock`, and those are handled every day by automation. Therefore, the default testing approach will cover `lowest` and `locked` dependencies, which both move much less than `latest`, and don't cause instability.
Ocramius
force-pushed
the
feature/#194-stop-testing-latest-dependencies-by-default
branch
from
3c7580a
to
6d71ad6
Compare
|
You make a sound argument and I'm all in favour. However by removing
Users on PHP 8.2 will require package A which will indirectly install package B |
|
I don't support this idea myself, but just throwing this out there ... Could the above be solved by multliple lock files, one for each PHP minor? Edit: sry accidentally clicked comment + close on this. |
|
@internalsystemerror I agree with you that this leaves uncovered corners, but dependencies varying and breaking otherwise perfectly stable builds is, IMO, more of a priority to fix, especially with the vast number of packages that we have. This is even more problematic as dependencies keep adding bad side effects, like deprecation warnings. Effectively this attempts to shield our maintenance efforts from random failures happening due to shifting dependencies, whilst still keeping Also, this will encourage us to upgrade our lowest supported dependency ranges a bit more often 😁 |
I don't see this working with contemporary tooling, sadly. |
|
Considering users get latest dependencies, I can not see how
|
|
I will check this tomorrow. The only reason why I think this is okayish is, that we have still kinda "latest" checks in the composer.lock Updates from renovate. So we remove side-effects caused by latest versions of packages from contributor PRs but they will be covered by renovate and thus we can tackle these. At least that is how I understand is the plan, correct? |
|
We have lock file on whatever lowest php we support, 8.0 at this time, mostly. It won't install dependencies that list PHP 8.1 or 8.2 as lowest. Neither will Using either lock file or |
|
Then we might want to have an additional - maybe daily - executed action which checks latest. having no checks at all would be a nogo from me. At least somehow we should verify if some downstream package starts doing weird things. I'd be fine if that would be a daily executed action which is not executed in PRs. I am +1 of reducing contributor pain. |
|
Now that I think about it, with the platform version set in composer file, do we even install possible latest versions for newer PHP versions? |
|
Latest possible dependencies are not installed in pipelines at all currently. Except when platform is ignored. Separate run might need to be added which strips platform set in composer and runs with latest. |
|
@Xerkus afaik, the CI Pipeline removes the config.platform.php setting for lowest and latest runs. |
Having nightly runs for |
|
This doesn't seem to have unanimous support at all, so I'd say that we can drop it from Alternatively useful to discuss during Monday's Laminas TSC meeting /cc @laminas/technical-steering-committee |
Ocramius
added
the
RFC
|
Id be on it if we have an alternative way to have latest tested. But without an alternative, that would feel weird. Could be opt-in via config and Auto-enabled for laminas/mezzio/api-tools orgs. |
|
The main rationale I can think of for latest, considering renovate is bumping the But those cases are niche. A config setting that allows opt-in to that approach (lowest/locked/latest) would suffice. |
| @@ -13,7 +13,6 @@ export const ACTION = 'laminas/laminas-continuous-integration-action@v1'; | |||
| export enum ComposerDependencySet { | |||
| LOWEST = 'lowest', | |||
| LOCKED = 'locked', | |||
| LATEST = 'latest', | |||
There was a problem hiding this comment.
I would not remove this. It should be possible to generate Jobs with latest, but that wont be the default tho besides opt-in.
I still see this being necessary as something has to check latest, just not every PR.
| @@ -111,10 +110,10 @@ function discoverPhpVersionsForJob(job: JobDefinitionFromFile, config: Config): | |||
|
|
|||
| function discoverComposerDependencySetsForJob(job: JobDefinitionFromFile, config: Config): ComposerDependencySet[] { | |||
| const dependencySetFromConfig = job.dependencies | |||
| ?? (config.lockedDependenciesExists ? ComposerDependencySet.LOCKED : ComposerDependencySet.LATEST); | |||
| ?? (config.lockedDependenciesExists ? ComposerDependencySet.LOCKED : ComposerDependencySet.LOWEST); | |||
There was a problem hiding this comment.
not sure if this makes sense at all. if there is no lock-file, latest would be installed in projects as well. since we are not affected in the laminas components (as we do have lockfiles), I'd say there is no need to touch this.
|
|
||
| if (isAnyComposerDependencySet(dependencySetFromConfig)) { | ||
| return [ ComposerDependencySet.LOWEST, ComposerDependencySet.LATEST ]; | ||
| return [ ComposerDependencySet.LOWEST ]; |
There was a problem hiding this comment.
I wonder if we should keep this as it is explicitly required from a manually written config entry. If some component does not need/want latest, they can remove that from their config.
| @@ -295,7 +294,7 @@ function createJobsForTool( | |||
| if (tool.executionType === ToolExecutionType.STATIC) { | |||
| const lockedOrLatestDependencySet: ComposerDependencySet = config.lockedDependenciesExists | |||
| ? ComposerDependencySet.LOCKED | |||
| : ComposerDependencySet.LATEST; | |||
| : ComposerDependencySet.LOWEST; | |||
There was a problem hiding this comment.
same as above. If there is no lockfile, having lowest would be super weird imho.
| By operating on locked dependencies, you will be able to pinpoint the exact dependency | ||
| change that caused a test regression. | ||
| We endorse regularly updating dependencies with automation like [renovate](https://github.com/renovatebot) or | ||
| [dependabot](https://github.com/dependabot). |
There was a problem hiding this comment.
what renovate/dependabot config entry would be required to have these updates?
besides this, it seems that lockfile updates do not properly handle latest. So we might want to have an additional action to be registered - or we go the way that we do only run latest for auto-contributions such as dependabot/renovate.
There was a problem hiding this comment.
The lockfile maintenance is as if you run composer update on the PHP version specified in config.platform.php, so we won't get updates that require a higher minimum PHP version.
|
I like the idea of running latest nightly/weekly to still cover the outliers 👍. We could discuss how to handle that specifically during the TSC meeting on Monday. With that in mind, I'm in favour of proceeding with this PR as is. |
Fixes #194
This change removes
latestfrom default composer dependencies in the generated CI matrix.The rationale is that
latestdependencies tend to break our builds, and we usually run @renovate-bot or @dependabot on our repositories, keeping bothcomposer.jsonandcomposer.lockfairly updated.Because of this kind of disciplined approach, we can assume that
latestdependencies are already regularly tested by refreshingcomposer.lockregularly, and further testing with explicitcomposer updateis considered risky, because it moves into unexplored land, breaking builds that are otherwise quite stable.We also don't want to break builds by contributors, or builds that upgrade perfectly safe to upgrade dependencies, just because a specific
latestupstream dependency broke, and we didn't really touch it.The final objective is that CI can break, but only in commits that change
composer.jsonandcomposer.lock, and those are handled every day by automation.Therefore, the default testing approach will cover
lowestandlockeddependencies, which both move much less thanlatest, and don't cause instability.