Page MenuHomePhabricator
Create Task
Maniphest T202748

[Bug] Popup build synchronization tests are not failing when they ought to
Closed, ResolvedPublic3 Estimated Story Points
Actions

Description

The Popups build check is permitting the source inputs and build outputs to become out of sync. This is very dangerous as build products are not code reviewed and arbitrary code could be shipped to prod unknowingly. A failed attempt to fix the issue is here.

Observed behavior

The patch Use getPageviewToken api does not update the built assets.

npm run check-built-assets when run does not throw an error code meaning Jenkins does not catch this mistake and allows the possibility of not deploying the changes that have been made.

Acceptance criteria

  • Any change which updates the code in resources/dist/ should fail Jenkins checks if that code has not been committed.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Do not merge: test unbuilt inputsmediawiki/extensions/Popupsmaster+1 -1
Do not merge: test Node v10.9.0 built assetsmediawiki/extensions/Popupsmaster+2 -2
Update package.json to ensure assets get built on every commitmediawiki/extensions/Popupsmaster+7 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Niedzielski created this task.Aug 24 2018, 3:24 PM
Restricted Application changed the subtype of this task from "Deadline" to "Task". · View Herald TranscriptAug 24 2018, 3:24 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Niedzielski added a parent task: T202747: Add build product synchronization test.Aug 24 2018, 3:24 PM
Jdlrobson moved this task from Incoming to Needs Prioritization on the Web-Team-Backlog-Archived board.Aug 24 2018, 4:51 PM
Jdlrobson raised the priority of this task from Medium to High.Aug 28 2018, 12:06 AM
Jdlrobson updated the task description. (Show Details)
Jdlrobson moved this task from Needs Prioritization to Upcoming on the Web-Team-Backlog-Archived board.
phuedx subscribed.Aug 28 2018, 2:32 PM

I would go so far as to say that this is UBN!

ovasileva set the point value for this task to 3.Aug 28 2018, 4:15 PM
ovasileva edited projects, added Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1); removed Web-Team-Backlog-Archived.
Jdlrobson moved this task from To Do to Doing on the Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1) board.Aug 28 2018, 9:33 PM
Jdlrobson moved this task from Doing to Needs Code Review on the Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1) board.
gerritbot subscribed.Aug 28 2018, 9:36 PM

Change 456028 had a related patch set uploaded (by Jdlrobson; owner: Jdlrobson):
[mediawiki/extensions/Popups@master] Update package.json to ensure assets get built on every commit

https://gerrit.wikimedia.org/r/456028

gerritbot added a project: Patch-For-Review.Aug 28 2018, 9:36 PM
Jdlrobson moved this task from Needs Code Review to Needs More Work on the Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1) board.Aug 29 2018, 7:06 PM
Jdrewniak added subscribers: Jdlrobson, Jdrewniak.Aug 30 2018, 10:39 AM

In addition to @Jdlrobson's patch, @Niedzielski had a similar WIP here
https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/Popups/+/454566/

In the comments, Stephen mentioned off-hand that this might be an issue with different NPM versions.
I tested this today, and it appears that it is!

Using nvm, I switched to Node V6 (lts/boron -> v6.14.4), deleted my node_modules folder, did an npm install, and ran npm -s run build
The output was different than when I ran the same process with Node V9.

Screen Shot 2018-08-30 at 12.34.02.png (2×2 px, 946 KB)

These might be differences in the minifier. Regardless, I don't think we can change this behaviour unless we run an older version of Node locally, or CI runs a newer version.

Also of note, the current script runs git diff -q resources/dist I couldn't find any references to -q in the git docs, only --quiet.

gerritbot added a comment.Aug 30 2018, 9:15 PM

Change 456028 abandoned by Jdlrobson:
Update package.json to ensure assets get built on every commit

https://gerrit.wikimedia.org/r/456028

gerritbot added a comment.Aug 30 2018, 9:15 PM

Change 456028 restored by Jdlrobson:
Update package.json to ensure assets get built on every commit

https://gerrit.wikimedia.org/r/456028

gerritbot added a comment.Aug 30 2018, 9:15 PM

Change 456028 abandoned by Jdlrobson:
Update package.json to ensure assets get built on every commit

https://gerrit.wikimedia.org/r/456028

gerritbot added a comment.Aug 30 2018, 9:15 PM

Change 456028 restored by Jdlrobson:
Update package.json to ensure assets get built on every commit

https://gerrit.wikimedia.org/r/456028

Jdlrobson moved this task from Needs More Work to Doing on the Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1) board.Aug 30 2018, 9:25 PM
Jdlrobson moved this task from Doing to Needs More Work on the Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1) board.Aug 30 2018, 11:01 PM
Jdlrobson moved this task from Needs More Work to Needs Code Review on the Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1) board.Aug 30 2018, 11:05 PM
Niedzielski claimed this task.Sep 4 2018, 5:06 PM

@Niedzielski to review.

Niedzielski reassigned this task from Niedzielski to Jdlrobson.Sep 4 2018, 6:54 PM
Niedzielski moved this task from Needs Code Review to Needs More Work on the Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1) board.
Niedzielski mentioned this in T203013: Page previews should use mw.user.getPageviewToken().Sep 4 2018, 7:39 PM
Jdlrobson moved this task from Needs More Work to Needs Code Review on the Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1) board.Sep 4 2018, 9:50 PM
Jdlrobson moved this task from Needs Code Review to Blocked on Others on the Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1) board.Sep 4 2018, 10:54 PM

Blocked by T203522

phuedx added a subtask: T203522: Popups php unit tests mysteriously failing and blocking merges.Sep 5 2018, 5:24 PM
phuedx mentioned this in T203522: Popups php unit tests mysteriously failing and blocking merges.
Jdlrobson moved this task from Blocked on Others to Needs Code Review on the Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1) board.Sep 5 2018, 7:08 PM
gerritbot added a comment.Sep 5 2018, 7:50 PM

Change 456028 merged by jenkins-bot:
[mediawiki/extensions/Popups@master] Update package.json to ensure assets get built on every commit

https://gerrit.wikimedia.org/r/456028

Jdlrobson moved this task from Needs Code Review to Ready for Signoff on the Web-Team-Backlog-Archived (Readers-Web-Kanbanana-Board-2018-19-Q1) board.Sep 5 2018, 7:58 PM
ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-09-18 (1.32.0-wmf.22)).Sep 5 2018, 8:00 PM
Jdlrobson removed Jdlrobson as the assignee of this task.Sep 5 2018, 8:03 PM

Can skip QA, design review as a technical task.
Need a signer-offer to submit a naughty patch and check that Jenkins refuses it. Any volunteers?

Niedzielski claimed this task.Sep 10 2018, 5:06 PM
gerritbot added a comment.Sep 10 2018, 6:14 PM

Change 459594 had a related patch set uploaded (by Niedzielski; owner: Stephen Niedzielski):
[mediawiki/extensions/Popups@master] Do not merge: test Node v10.9.0 built assets

https://gerrit.wikimedia.org/r/459594

gerritbot added a comment.Sep 10 2018, 6:17 PM

Change 459597 had a related patch set uploaded (by Niedzielski; owner: Stephen Niedzielski):
[mediawiki/extensions/Popups@master] Do not merge: test unbuilt inputs

https://gerrit.wikimedia.org/r/459597

gerritbot added a comment.Sep 10 2018, 6:21 PM

Change 459594 abandoned by Niedzielski:
Do not merge: test Node v10.9.0 built assets

Reason:
Success! A build product difference causes the patch tests to fail:

18:18:26 Binary files a/resources/dist/index.js and b/resources/dist/index.js differ
18:18:26 diff --git a/resources/dist/index.js.json b/resources/dist/index.js.json

https://gerrit.wikimedia.org/r/459594

Niedzielski closed subtask T203522: Popups php unit tests mysteriously failing and blocking merges as Resolved.Sep 10 2018, 6:27 PM
gerritbot added a comment.Sep 10 2018, 6:31 PM

Change 459597 abandoned by Niedzielski:
Do not merge: test unbuilt inputs

Reason:
Abandon! The build outputs differ:

18:30:25 diff --git a/resources/dist/index.js b/resources/dist/index.js
18:30:25 index 80895dd..32c5eac 100644
18:30:25 Binary files a/resources/dist/index.js and b/resources/dist/index.js differ
18:30:25 diff --git a/resources/dist/index.js.json b/resources/dist/index.js.json
18:30:25 index ab577b5..151463c 100644
18:30:25 Binary files a/resources/dist/index.js.json and b/resources/dist/index.js.json differ

https://gerrit.wikimedia.org/r/459597

Niedzielski closed this task as Resolved.Sep 10 2018, 6:32 PM
Jdlrobson mentioned this in T203591: Popups daily jobs currently unusable.Sep 11 2018, 5:25 PM
Jdlrobson added a subscriber: zeljkofilipin.Sep 11 2018, 5:34 PM
In T203591#4574473, @zeljkofilipin wrote:

I'm not sure what the problem is. Are you saying I can't make a commit to Popups unless I have Node v6.11.0? If that is the case, it should be documented in ALL CAPS in the readme. 😉

you can make a commit, but you if you run npm run build the version is important.
It seems the error message is not being broadcast well enough.
I don't think adding to the README makes sense, as we already make the node version clear inside package.json and .nvmrc as well as the script that fails.
We should probably update the README to ensure that the correct version of Node is being used and that we recommend using nvm.

Niedzielski added a comment.Sep 11 2018, 5:46 PM

For what it's worth, @zeljkofilipin, I think this problem will go away in time. Once NPM v5 is deployed in CI, lockfiles will be honored and hopefully we won't have build differences across newer Node.js / NPM versions.

zeljkofilipin added a comment.Sep 12 2018, 11:27 AM
In T202748#4574859, @Jdlrobson wrote:

you can make a commit, but you if you run npm run build the version is important.

No, I could not make the commit. See T203591#4562169. Popups has a precommit git hook and it fails on my machine, aborting the commit. All I wanted to do is add a dev dependency to package.json (one line change), but I was not even able to make a commit.

It seems the error message is not being broadcast well enough.
I don't think adding to the README makes sense, as we already make the node version clear inside package.json and .nvmrc as well as the script that fails.
We should probably update the README to ensure that the correct version of Node is being used and that we recommend using nvm.

I might just be more ignorant than an average contributor, but I've sent minor patches to many repositories and I can't remember ever being unable to make a commit.

I was not aware that node version can be specified in package.json and I have never used nvm, so I've ignored .nvmrc. Now that I know that, it's obvious. I did check readme file but I could not find any special requirements for the repo.

zeljkofilipin added a comment.Sep 12 2018, 11:27 AM
In T202748#4574904, @Niedzielski wrote:

For what it's worth, @zeljkofilipin, I think this problem will go away in time. Once NPM v5 is deployed in CI, lockfiles will be honored and hopefully we won't have build differences across newer Node.js / NPM versions.

All problems will go away in time. 😄

Jdlrobson added a comment.Sep 12 2018, 3:09 PM

The problem with the commit is the pre-commit hook (which runs the npm run build command) is failing. You should be able to disable it to not run into this problem.

Is there a task tracking NPM v5 being used in CI? I want to work out what the trade-offs here are for making this better or waiting for that. It's clearly not ideal right now and is annoying for us too.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits