We only run the releaser workflow on the default branch:

That means it's not possible to cut a release on a release branch. I'm not sure what the right solution is. We definitely don't want to cut the release on every push to any branch, this would make it impossible to create a PR in the first place.

cc @mvdan @galargh

Do we need a YAML linter? :(

This seems to be https://github.community/t/ubuntu-latest-runner-not-found-when-using-workflow-call-between-repositories/204957.

We need more people to have write/approve access on this repo. Ideally, any SWE at PL could write, but we can restrict merge access to a group.

Interestingly, it only fails in go-multiaddr, not in (all?) other repos. The workflows are exactly the same, so I'm not sure what's going on here.

The easy fix is probably to merge #92, alongside the other PRs that will cause a deployment to all now O(100) repos. We've been hesitant to do so, in order to avoid unnecessary noise, but if this problem begins popping up in other repos, this will soon become necessary noise.

Dependabot is now configured through .github/dependabot.yml. We should deploy this in at least some of our repos.

So, we occasionally merge PRs that depend on unreleased versions/branches. We absolutely should not do this as it causes builds to break.

We can fix this with a simple check: if the merge is to master and go list -m all includes an unreleased version of any package, fail.

We'll probably need to an exception for packages outside of our org, but I'm hoping we can limit that to v0.0.0-... and +incompatible versions.

Thoughts?

Unfortunately, 32bit tests will run without CGO support because the base-os is 64bit. We could either:

1. Run in a 32bit docker container (Ubuntu only).
2. Provide an option in config.json to disable 32bit tests.

For my current use-case (ipfs/go-bs-sqlite3#3), simply disabling 32bit tests is likely the simplest option. We can support a 32bit environment on Linux, but I'm not sure how to go about it on Windows.

It would be nice to run gorelease in CI, every time when a new v* tag is pushed. That would allow us to verify that the release obeys semver rules and we don't break downstream users, as we've done before (multiple times).

Unfortunately, gorelease doesn't support verifying of existing tags (see golang/go#47532), it can only suggest an appropriate version number before the version is released.

Alternative Suggestions

Imagine that we have one text file ./version per repository, which contains a single line with the current version number, e.g. "v0.5.2". Whenever we want to cut a new release, we'd send a PR to bump that version number, e.g. to "v0.5.3". That would give us two nice properties:

1. Version bumps could be reviewed.
2. We could have a GitHub Actions workflow running gorelease. If the version number from the PR is smaller than what gorelease suggests, that workflow would fail.

Once the PR is merged, we'd have another GitHub Actions workflow that would create and push a new release using that version number.

The main problems with this suggestion are:

1. There's no way to forbid manual pushing of tags. This is a deficiency of GitHub, that the company has failed to address for a long time.
2. We'd have to teach everyone in the company to use this new process.

Thoughts, @Stebalien and @mvdan?

Some recent (non exhaustive) examples where this has come up:

• 2021-09-25:
  • libp2p/go-libp2p-peerstore@v0.2.8...v0.2.9
  • https://protocollabs.slack.com/archives/CDF4W878S/p1632571272080600
• 2021-10-04
  • filecoin-project/lotus#6393 (comment)
  • https://protocollabs.slack.com/archives/C01QL4RUA79/p1633387776401700

The copy workflow runs go mod tidy and gofmt for repositories we deploy to, and we'll use a very similar logic to run go fix for future Go releases.

We need to do this for every module in a repository. We can probably use our new protocol/multiple-go-modules action for that.

For reference, this is what broke ipld/go-car#74.

The new version still does a curl | bash thing, but at least it verifies checksums.

On PR:

1. Fetch the test output from the latest test run on master to determine which tests already exist.
2. Fetch the test output from the go-test run on the PR and diff it with master to determine new tests.
3. Run those new tests for some period of time (consider using timing information from the PR's test run to figure out how many times the new tests should be run?).

This is very much not an easy thing to implement, but it should really help guard us from checking in new flaky tests by stress-testing new tests.

Problem: When we make changes to the workflow files, or even when we add more than just a small number of repos, the copy workflow will open a bunch of PRs. Most of these PRs will get automatically merged, when all tests pass successfully.
A small number of PRs might not get merged, for one of the following 2 reasons:

1. This is an initial deployment and GitHub Actions doesn't allow execution of the automerge workflow yet. We then have to merge the PR manually.
2. The tests failed. We then need to fix the tests.

In either case, it would be really nice to get some kind of notification "Manual action in repository XYZ needed".

IMO, the .github/workflows directory should be for code, not configuration. This will also make the config more discoverable.

It worries me that we're passing the entire github object. Even if we make sure it doesn't contain sensitive information right now, perhaps it will in the future.

You seem to only need the event data, so how about "event": ${{ toJson(github.event) }}?

Originally posted by @mvdan in #25 (comment)

Discover vulnerabilities across a codebase with CodeQL

• https://codeql.github.com/docs/
• https://github.com/github/codeql-action

https://github.com/protocol/.github/actions/runs/712309930

If a go repo has multiple modules, it seems only the coverage for root module is uploaded. It would be fantastic to get coverage for all modules uploaded to codecov.

Example:

go-car has a module in root and one in v2. But only the root module coverage shows up on codecov.

For example here: https://github.com/protocol/.github/actions/runs/698173097.

It looks like GitHub is imposing a limit on how many PRs we can create. I'm not exactly sure what the limit here is, but batch 1 went through, creating 12 PRs, and then about half the jobs (~16) in batch 0 succeeded. Therefore, the limit is probably somewhere between 25 and 30. I have no idea how long it takes for the window to open up again.
This is bad. This is not a lot.

One possible solution would be to build sleep statements into the dispatch workflow. Unfortunately, we'd have to assume that every run of the copy workflow makes changes to all files, if we want to reliably avoid workflow failures. If the workflow is managing 5 files (we're already managing 4 right now), each batch can only copy to 5 target repositories. After that, we'd have to sleep for a yet to be determined time before copying to the next 5 repos.

We occasionally need to go through and "fix" issue labels. It would be nice to have a script or a script framework where we could do things like: set need/triage on all issues lacking a kind/ label.

It looks like we're running it with go 1.15, which is causing the check that's later run with go 1.16 to fail.

... and apparently it only needs one if there are entries in go.sum.

See ipld/ipld#92.

https://github.com/ipfs/go-ipfs-provider/pull/36/checks?check_run_id=2603002796 fails on Go 1.15, but succeeds on Go 1.16, because the go.mod uses retract, which was added in Go 1.16.

We probably want to write this up, as we'll have to come back to this every 6 months.

Necessary steps:

• bump the Go version in go.mod (via go mod edit)
• remove Go version N-2 and add version N in go-test and go-check
• run gofmt
• run go fix
• run go mod tidy

All but the first point pose a challenge: We only want to run them once, when doing the version upgrade, not on every deployment.

https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions

For example, if running go test ./... on a cleanly checked out Go module results in a modified testdata file. That should never happen, at least not if that testdata file is checked into git.

This happened just now in go-car: ipld/go-car#181

A single go test ./... would work, but we'd append to a testdata file instead of replacing it, so a second go test ./... would fail.

This went unnoticed for a few hours, until I was developing code locally and ran into it when iterating on a code change.

I think this has an easy fix. We already check that operations like go mod tidy and gofmt -l -w . don't result in unstaged git changes, so we should apply the same rule to all forms of go test ./....

cc @marten-seemann @Stebalien @masih

Should we run go generate in CI (probably in go-check)?
In general, there's no reason why generated code should not be up to date, assuming that go generate is deterministic.

Not sure if that's a valid assumption. For quic-go it isn't, as we generate the fuzzing corpus there with a random input, but maybe that's a bug in quic-go that should be fixed?

I'm raising this issue because I just created a PR in the multicodec repo that adds a separate workflow for that.

When trying to figure out how to deploy issue templates, I've realized that I need some level of templating. E.g.,

• The org's name.
• The org's security email.
• The repo's name.
• The repo's URL.

The update to Go 1.18 will be an interesting one, as it adds generics. It is safe to assume that many developers will want to use these shiny new language features right away.

This poses a bit of a problem, as using generics requires the Go version in go.mod to be 1.18. However, when we deploy the next Go version bump, the go.mod version will be 1.17 (we always support the most recent two Go versions).

After discussing this with @mvdan offline, we came to the following conclusion:

• People are free to bump the Go version in go.mod manually, if they want to use generics. Having go-test test both 1.17 and 1.18 makes sure that we keep our backwards-compatibility guarantees.
• For the Go version update after that (1.19), we'll have to change our upgrade logic in

  .github/.github/workflows/copy-workflow.yml

  Line 109 in 130b30b

  if [[ $CURRENT_VERSION < $TARGET_VERSION ]]; then

  
  This can be as simple as grepping for 1.17 in go-test.

Currently, the PRs will always be named "update go-test workflow". We can do something more useful here: If the PR in the child repo was created due to a PR that was merged in this repo, we should be able to extract the title of that PR and reuse it.

For example, for #8 the title could be "update go-test workflow: drop Go 1.14, add Go 1.16".
Furthermore, it might be more helpful to link to that PR instead of the commit hash in the PR description.

gofmt -e -d ./... outputs the diff, which is nice, but it won't allow GitHub to annotate the PR.
It also always exits with status 0, so we'd have to look at the length of the output to actually fail the build on gofmt problems.

@mvdan, since you obviously spent a lot of time thinking about gofmt, what's the best way to run it in CI?

This isn't critical, but it would be nice if we could detect missing and misspelled repos in the config.json.

It would be great to get similar syncing of the .github/workflows folder for js repos as maintaining them is tedious work.

There are a few different setups with different CI requirements:

1. monorepos
2. repos that only target node.js
3. repos that target node.js and the browser

I spotted https://github.com/protocol/.github/tree/master/templates/.github/workflows - can we parameterise the repos in config.json to copy from subdirectories under templates? Something simple like:

[{
  "target": "filecoin-project/go-amt-ipld",
  "type": "go"
}, {
  "target": "libp2/libp2p-tcp",
  "type": "js/node"
}, {
  "target": "ipfs/js-datastore-s3",
  "type": "js/isomorphic"
}, {
  "target": "ipfs/js-unixfs",
  "type": "js/monorepo"
}
// etc

Then we can have templates/go, templates/js/monorepo, templates/js/node, templates/js/isomorphic, etc.

What do you think? Some other way?

Also, some repos have unique build requirements, like js-ipfs testing itself with various repos from the https://github.com/ipfs-examples org - I guess maybe the copying of the templates could just overwrite files that are in the templates and leave others alone? Then js-ipfs could have a .github/workflows/examples.yml file that would survive an update to templates/js/monorepo in this repo.

Each deployment causes go-test and go-check to run, spawning a lot of jobs across all our repos. We quickly build up a queue, due to GitHub Action's usage limits: https://docs.github.com/en/actions/reference/usage-limits-billing-and-administration, and jobs take a long time to execute.
Even worse, when a developer opens a new PR, it will now also sit in the queue.

@mvdan pointed out that GitHub Actions has a concurrency option now:
https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#concurrency.
We could use this option to make sure that only one copy workflow runs at the same time. Iff that workflow opens a new PR, it would sleep for a minute after that.

We could even allow N copy workflows to run concurrently, by setting concurrency: ci-${{ math.Ceil(id/N) }}. This is to speed up the common case of adding new a repository to the workflow: In this case, we run all O(100) copy workflows, but almost all of them won't open a PR. Booting the VM and cloning the repo might still take 15-20s, so running a few jobs concurrently will speed up things.

When merging #109, which just added go-bitfield, the workflow also opened ipld/go-ipld-graphql#30.
We should only run go mod tidy and gofmt on initial deployment.

CI should detect API breaking changes and leave comments indicating these breaking changes in the code. The merge doesn't have to be blocked, but these changes should at least be called out.

There are repositories which have long-running tests that exceed the default 10m timeout. The suggestion here is to increase the global timeout to 30m (see ipfs/go-ds-crdt#123 (comment) for details).

Right now one way to increase a timeout in a particular repository is to add a custom go-test-setup action in that repository that looks something like that:

name: extend-tests-timeout
description: add -timeout 20m flag to GOFLAGS to extend timeout for tests

runs:
  using: "composite"
  steps:
    - name: Extend timeout for tests
      shell: bash
      run: echo "GOFLAGS=$GOFLAGS -timeout=20m" >> $GITHUB_ENV

In my opinion, we shouldn't increase the default timeout. Here are some reasons why:

• by keeping the default timeout low we encourage test optimisation;
• we keep the feedback loop smaller. For (extreme) example, if someone writes a test that hangs forever they'd receive feedback in 10 minutes rather than 30 minutes proposed here;
• the timeout itself acts as a guard for introduction of long-running tests.

So maybe instead we could think of a better way (than the one mentioned above) to override the default timeout on a per-repo basis.

go-libp2p-core currently runs a go-compat workflow: https://github.com/libp2p/go-libp2p-core/blob/master/.github/workflows/go-compat.yml
That workflow is rather annoying, because it 1. fails your build if you change the API and 2. it doesn't tell you why (you have to look into the output of the workflow run).

Would it be a good idea to run go-compat on all our repos, but instead of failing the build, the bot would comment on the PR (at least if any non-compatible changes are made)?

We'll occasionally make some fancy new library and add it as a dependency to one of our projects but fail to actually setup CI.

We should add a action that:

1. Checks that all (transitive) go.mod dependencies housed in one of our orgs has CI correctly configured.
2. If not, fails CI, and makes a PR to deploy CI to that repo.

This should help prevent this from happening in the future.

The suggestion here is for the versioning workflows and manual version pushes to create a GitHub release among with the version tag.

Below, I've gathered some ideas for the process from Slack discussions.

How to generate release notes?

• use auto generated release notes; API access to this feature
• for versioning workflow - we could use the comments/description of the PR updating the version to create the release notes (Q: how to access PR in the workflow?)
• for manual push workflow - we could use the comments/description of the issue that was created as a result of pushing tag manually (Q: should we check if the release was created manually too?)

How to verify the GitHub release before subscribers get notified about it?

• initially create the GitHub release in a draft state (make it possible for owners to change this behaviour once they gain enough confidence in the workflow); API access to this feature

See ipld/go-ipld-adl-hamt@13de624 for example. Can we just use rebase-merges, or failing that, squash-merges?

Currently, we only upload to Codecov is there's a codecov.yml in the repository: https://github.com/ipld/.github/blob/93f9b881a3420019d5aa9114c61c6f82c8311d78/workflow-templates/go-test.yml#L31-L41

Most of our repos don't have that, and they still use Codecov. I suggest to always upload to Codecov, while at the same time taming Codecov as described in our Best Practices, i.e. preventing it from failing our builds and posting coverage reports under every single PR.

cc @mvdan @Stebalien

We currently use git bash as the default bash shell. Unfortunately, the build environment is a bit lacking. At the moment, building with openssl support on windows is tricky to say the least. With msys2, we can install openssl and pkgconfig with pacman.

Note: msys2 is already installed by default, but it's easier to configure with https://github.com/msys2/setup-msys2.

Remaining steps:

• run go mod tidy in the copy workflow
• run gofmt -s in the copy workflow
• remove Travis and CircleCI config in the copy workflow (on first deployment)
• fix go vet, staticcheck and go test errors in all repos (see https://docs.google.com/spreadsheets/d/1Vwk-OUKXXNQkp4BkOoMndLylnJRW7a2c_mmvXu6jIj8/edit#gid=0 for the current status)
• add repos that are good to go to config.json

It's really easy to make mistakes resulting in a Go module lacking a valid LICENSE file. For example: https://pkg.go.dev/github.com/ipld/go-car/[email protected]

Documentation not displayed due to license restrictions.

I messed up that release because the v2 module was in a sub-directory, and that sub-directory did not have a LICENSE.md file like the root directory. So the published module zip file, as described by https://golang.org/ref/mod#zip-files, was unlicensed.

This is one of those problems that's really hard for a human to foresee and prevent. In fact, I was pretty sure I did things right, as I was using a symlink like v2/LICENSE.md -> LICENSE.md. But as per https://golang.org/ref/mod#zip-path-size-constraints, the zips ignore symlinks, as they are not portable.

I think CI should perform either or both of these two checks:

1. Ensure that the repository, as a whole, has a LICENSE file that matches the common one that all PL software should have. We could even make the automation update the file as necessary, such as what I did manually here: ipld/go-car@6c87996

2. Ensure that each Go module has a valid LICENSE file when released. Only public modules would be checked, like module github.com/ipld/foobar, and not module example/foo or module test/bar.

I realise point 2 is pretty Go-specific, and I think that's fine. If/when the unified CI learns about JS, Rust, or other languages, I would hope that we could also teach it to do a similar check for their package repositories.

Now, for the specifics on how to implement this.

A) How do we check if a license file is valid?

Option A1: Ensure that it's a byte-by-byte exact copy of the PL dual-license markdown file. This assumes that all software built within PL must use this license.

Option A2: Ensure that it's a valid OSI license. We could use https://github.com/google/licensecheck for this.

B) How do we check what LICENSE or LICENSE.md file would end up in a released module zip?

Option B1: We do a go mod download of the @latest known version from proxy.golang.org, and then look in the extracted directory inside the module download cache.

Option B2: We figure out what files would end up in a zip by ourselves, via https://pkg.go.dev/golang.org/x/mod/zip. This method is slightly better than B1, since we're checking the current git tree, not the last published version from a previous commit/tag.

We can use GitHub actions to

1. Create self-contained template workflows that repositories across the org can use (as a first step for unit testing, later maybe also for linting).
2. Use GitHub Actions to automatically create PRs in all participating repositories every time we make a change to those workflows. This solves the two main problems with our current setup:
   1. It ensures consistent and up-to-date workflows across all participating repositories.
   2. It makes sure that test failures resulting from a change to the workflow are surfaced immediately.

The current plan is to use this repository for a unit testing template, and use that workflow in some IPLD repositories first to gain some experience, and roll this out to other projects later.

See https://docs.google.com/document/d/1O0vFKxTNv9-JvfETAPUexY--93dC_7l3ZaPzIey-3c0/edit?usp=sharing for details.

@mvdan suggests that we could have test that update alls direct and indirect deps to their latest versions and re-build and re-tests.
That would catch bugs that occur when downstream users require a higher version of a dependency than MVS results in.

As this is expected to fail from time to time when we introduce breaking changes, a failure in this workflow should probably be treated differently from a test failure of the unit tests.

We often push new commits to ci deploy branches to try to fix CI. However, the current logic will overwrite these changes when deploying updates. Ideally, we'd only remove commits made by the bot.

Currently we use go install to install dependencies:
https://github.com/ipld/.github/blob/738ae9ec7a27b6dddb266cccb6edfb17b418eb74/workflow-templates/go-test.yml#L21-L22

This seems to work fine, as long as the test files don't use any additional dependencies. Otherwise, those additional dependencies are installed only when running go test, see https://github.com/libp2p/go-libp2p-quic-transport/runs/1739483487 for an example.

Now there 2 things we can do here:

• Use go mod download -x instead of go install to download all dependencies.
• Remove this step, and just have go test deal with pulling dependencies.

cc @mvdan