Page MenuHomePhabricator
Create Task
Maniphest T370380

mediawiki/core and mediawiki/vendor both skip composer.lock checks
Closed, ResolvedPublic
Actions

Description

Today

A patch to mediawiki/core runs two kinds of jobs:

  1. Jenkins jobs that freshly install the latest third-party dependencies from packagist.org based the constraints in composer.json, and then run all PHPUnit tests with that.
  2. Jenkins jobs that download mediawiki/vendor.git, verify its lock file to be compatible, and then run with that.

They differ in exact versions of dependencies, since some ranges allow multiple versions.

Except.. this isn't what happens today. In reviewing https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1054944, which increments a mediawiki/core dependency across a semver-major version (wikimedia/less.php 4.x to 5.0), there was no failure in the mediawiki-vendor job.

Output of "mediawiki-quibble-vendor-mysql-php74" job, for a mediawiki/core pach:


mediawiki/vendor is used, skip composer.lock check

Now, comparing this to:

README file of mediawiki/vendor:

Note that you MUST pair patches changing versions of libraries used by MediaWiki itself with ones for the "core" repo. Specifically, the patch in mediawiki/core must have a Depends-On footer to the patch in mediawiki/vendor [otherwise it will fail CI].
The vendor repo has special configuration, which skips the integrity checks and so allowing a circular dependency Gordian knot to be fixed. However, this means that, if merged alone without a pair, you'll cause ALL patches in MediaWiki and ALL extensions to fail their continuous integration tests.

This is claiming the exact opposite, by saying it's vendor that skips the checks and core will do them instead.

Unfortunately both of these are correct in describing what they do, which means neither performs the checks anymore. It appears this has been broken since November 2023.

Background

From T333412: mediawiki/vendor can't be updated due to phpunit reporting composer.lock failure in https://gerrit.wikimedia.org/r/c/integration/quibble/+/903832:

# In the mediawiki/vendor update workflow, we patch vendor (and its
# lock file) first, and update the mediawiki/core composer.json after.
# As such, when testing mediawiki/vendor, it's normal that its lock
# file doesn't match mediawiki/core. This is tested by the
# mediawiki/core commit instead.
#
# T333412
if use_vendor:
    os.environ['MW_SKIP_EXTERNAL_DEPENDENCIES'] = '1'

It appears this has conflated the source with the destination.

It should be bypassing the check when running patches to the mediawiki/vendor repository.

Instead, it is bypassing the check for all mediawiki/core patches in the job that uses mediawiki/vendor. The check is neccessary there, since that's why we use Depends-On, and why it is generally safe to merge composer changes in mediawiki/core, and why the part where extra care is needed is in mediawiki/vendor. However, right now composer changes in core are unprotected and unverified.

Details

Show related patches Customize query in gerrit

Related Objects

Event Timeline

Krinkle created this task.Jul 18 2024, 12:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 18 2024, 12:15 AM
Krinkle added a project: Quibble.Jul 18 2024, 12:15 AM
gerritbot added a comment.Jul 18 2024, 12:31 AM

Change #1054966 had a related patch set uploaded (by Krinkle; author: Krinkle):

[integration/quibble@master] Fix MW_SKIP_EXTERNAL_DEPENDENCIES to be set for is_vendor not use_vendor

https://gerrit.wikimedia.org/r/1054966

gerritbot added a project: Patch-For-Review.Jul 18 2024, 12:31 AM
Krinkle added a project: MediaWiki-Platform-Team (Radar).Jul 18 2024, 12:37 AM
gerritbot added a comment.Jul 19 2024, 10:06 AM

Change #1054966 merged by jenkins-bot:

[integration/quibble@master] Fix MW_SKIP_EXTERNAL_DEPENDENCIES to be set for is_vendor not use_vendor

https://gerrit.wikimedia.org/r/1054966

Maintenance_bot removed a project: Patch-For-Review.Jul 19 2024, 10:30 AM
gerritbot added a comment.Jul 19 2024, 1:47 PM

Change #1055442 had a related patch set uploaded (by Hashar; author: Hashar):

[integration/quibble@master] release: Quibble 1.9.4

https://gerrit.wikimedia.org/r/1055442

gerritbot added a project: Patch-For-Review.Jul 19 2024, 1:47 PM
gerritbot added a comment.Jul 19 2024, 2:29 PM

Change #1055452 had a related patch set uploaded (by Hashar; author: Hashar):

[integration/config@master] dockerfiles: update Quibble to 1.9.4

https://gerrit.wikimedia.org/r/1055452

gerritbot added a comment.Jul 19 2024, 2:38 PM

Change #1055453 had a related patch set uploaded (by Hashar; author: Hashar):

[integration/config@master] jjb: switch jobs from Quibble 1.9.3 to 1.9.4

https://gerrit.wikimedia.org/r/1055453

gerritbot added a comment.Jul 19 2024, 2:43 PM

Change #1055442 merged by jenkins-bot:

[integration/quibble@master] release: Quibble 1.9.4

https://gerrit.wikimedia.org/r/1055442

Stashbot added a comment.Jul 19 2024, 2:45 PM

Mentioned in SAL (#wikimedia-releng) [2024-07-19T14:45:00Z] <hashar> Tag Quibble 1.9.4 @ 8d80ad0595b4273b4d0e35db71098f3cb577d4cd # T370380

gerritbot added a comment.Jul 19 2024, 2:47 PM

Change #1055452 merged by jenkins-bot:

[integration/config@master] dockerfiles: update Quibble to 1.9.4

https://gerrit.wikimedia.org/r/1055452

hashar subscribed.Jul 19 2024, 3:20 PM

The fix for MW_SKIP_EXTERNAL_DEPENDENCIES has been applied to the Jenkins jobs.

gerritbot added a comment.Jul 19 2024, 3:20 PM

Change #1055453 merged by jenkins-bot:

[integration/config@master] jjb: switch jobs from Quibble 1.9.3 to 1.9.4

https://gerrit.wikimedia.org/r/1055453

Maintenance_bot removed a project: Patch-For-Review.Jul 19 2024, 3:30 PM
Krinkle edited projects, added MediaWiki-Platform-Team; removed MediaWiki-Platform-Team (Radar).Jul 23 2024, 1:11 AM

Thanks @hashar. Moving back to our workboard to verify on the MediaWiki side.

When writing a patch to mediawiki/core that updates composer.json, the CI job should report a failure unless the mediawiki/vendor repository supports the same version already, or the patch has a Depends-On to a patch in mediawiki/vendor that performs the same update.

Krinkle claimed this task.Jul 26 2024, 9:44 PM
Krinkle triaged this task as Medium priority.
Krinkle added a project: Developer Productivity.
gerritbot added a comment.Jul 26 2024, 10:12 PM

Change #1057272 had a related patch set uploaded (by Krinkle; author: Krinkle):

[mediawiki/core@master] [WIP] Is composer.lock verification is working?

https://gerrit.wikimedia.org/r/1057272

gerritbot added a project: Patch-For-Review.Jul 26 2024, 10:12 PM
Krinkle added a comment.Jul 26 2024, 10:14 PM
In T370380#10019764, @gerritbot wrote:

Change #1057272 had a related patch set uploaded (by Krinkle; author: Krinkle):

[mediawiki/core@master] [WIP] Is composer.lock verification is working?

https://gerrit.wikimedia.org/r/1057272

The good news: CI is correctly detecting mismatches and failing the build.

From Jenkins job mediawiki-quibble-vendor-mysql-php74
> phpunit '--colors=always' '--testsuite=core:unit,extensions:unit,skins:unit' '--exclude-group' 'Broken,ParserFuzz,Stub'
Using PHP 7.4.33
Running without MediaWiki settings because there are no integration tests
wikimedia/less.php: 5.0.0 installed, 4.4.1 required.

Error: your composer.lock file is not up to date. Run "composer update --no-dev" to install newer dependencies
Script phpunit handling the phpunit event returned with error code 1

The bad news: The output also still contains this message much earlier on, around the time where the MW installer and update.php run:

mediawiki/vendor is used, skip composer.lock check
gerritbot added a comment.Jul 26 2024, 11:27 PM

Change #1057272 abandoned by Krinkle:

[mediawiki/core@master] [WIP] Is composer.lock verification is working?

https://gerrit.wikimedia.org/r/1057272

Maintenance_bot removed a project: Patch-For-Review.Jul 26 2024, 11:30 PM
Krinkle moved this task from Inbox, needs triage to Current Sprint on the MediaWiki-Platform-Team board.Jul 29 2024, 1:46 PM
Krinkle added a comment.EditedJul 30 2024, 3:11 PM

@hashar Do you remember why we control these separately? If we can toggle both on or off in the same circumstances, perhaps we can use the ENV for both?

hashar added a comment.EditedJul 30 2024, 3:13 PM

The bad news: The output also still contains this message much earlier on, around the time where the MW installer and update.php run:

mediawiki/vendor is used, skip composer.lock check

Looking at the console log, the output has:

22:13:04 Database was successfully set up
22:13:04 MediaWiki has been successfully installed. You can now visit <http://127.0.0.1:9413> to view your wiki. If you have questions, check out our frequently asked questions list: <https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:FAQ> or use one of the support forums linked on that page.
22:13:04 Copying /workspace/src/LocalSettings.php to /workspace/log/LocalSettings.php
22:13:04 Copying /workspace/src/LocalSettings-installer.php to /workspace/log/LocalSettings-installer.php
22:13:04 No syntax errors detected in /workspace/src/LocalSettings.php
22:13:04 mediawiki/vendor is used, skip composer.lock check
22:13:04 php maintenance/addSite.php wikidb CI --filepath=http://127.0.0.1:9413/$1 --pagepath=http://127.0.0.1:9413/index.php?title=$1

That is Quibble InstallMediaWiki command which output that message whenever use_vendor is set in order (T88211, T333412):

update_args = []
if self.use_vendor:  
    # When trying to update a library in mediawiki/core and
    # mediawiki/vendor, a circular dependency is produced as both
    # patches depend upon each other.
    #
    # All non-mediawiki/vendor jobs will skip checking for matching
    # versions and continue "at their own risk". mediawiki/vendor will
    # still check versions to make sure it stays in sync with MediaWiki
    # core.
    #
    # T88211, T333412
    log.info('mediawiki/vendor is used, skip composer.lock check')
    update_args.append('--skip-external-dependencies')

quibble.mediawiki.maintenance.addSite(
    args=[
        self.db.dbname,  # globalid
        'CI',  # site-group
        '--filepath=%s/$1' % self.web_url,
        '--pagepath=%s/index.php?title=$1' % self.web_url,
    ],
    mwdir=self.mw_install_path,
)

Which at first glance, is the same issue you fixed at f1e4f3af1847d03f9f0997bb68952be2b3866a98 for setting up the environment. I guess the fix is to change InstallMediaWiki the same way and switch to is_vendor? The caller in quibble/cmd.py:

parallel_steps.append(
    quibble.commands.InstallMediaWiki(
        mw_install_path=mw_install_path,
        db=database_backend,
        web_url=web_backend.url,
        log_dir=log_dir,
        tmp_dir=tmp_dir,
        use_vendor=use_vendor,   # <---- *whistles*
    )
)
Krinkle added a comment.Jul 30 2024, 3:24 PM

Yeah, if there's no reason to skip this in other repos with or without using vendor, we can do that.

Alternatively, I can change (or "fix") core to check the same ENV. Then, instead of fixing/syncing this duplicate code, we can remove it.

Right now in Quibble, the step I fixed previously checks is_vendor and sets an ENV. Now, this other step is still checking use_vendor (wrong) and uses it to append the --skip-external-dependencies option. But if update.php honours the ENV, we don't need that.

I'm wondering why we implemented it in two different ways.

gerritbot added a comment.Aug 19 2024, 10:30 PM

Change #1063911 had a related patch set uploaded (by Krinkle; author: Krinkle):

[mediawiki/core@master] installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php

https://gerrit.wikimedia.org/r/1063911

gerritbot added a project: Patch-For-Review.Aug 19 2024, 10:30 PM
gerritbot added a comment.Aug 19 2024, 10:38 PM

Change #1063912 had a related patch set uploaded (by Krinkle; author: Krinkle):

[integration/quibble@master] Remove update.php --skip-external-dependencies in favor of MW_SKIP_EXTERNAL_DEPENDENCIES

https://gerrit.wikimedia.org/r/1063912

gerritbot added a comment.Aug 26 2024, 5:23 PM

Change #1063911 merged by jenkins-bot:

[mediawiki/core@master] installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php

https://gerrit.wikimedia.org/r/1063911

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.20; 2024-08-27).Aug 26 2024, 6:01 PM
gerritbot added a comment.Aug 27 2024, 2:06 PM

Change #1067358 had a related patch set uploaded (by Krinkle; author: Krinkle):

[mediawiki/core@fundraising/REL1_39] installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php

https://gerrit.wikimedia.org/r/1067358

gerritbot added a comment.Aug 27 2024, 2:07 PM

Change #1067359 had a related patch set uploaded (by Krinkle; author: Krinkle):

[mediawiki/core@REL1_39] installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php

https://gerrit.wikimedia.org/r/1067359

gerritbot added a comment.Aug 27 2024, 2:20 PM

Change #1067359 merged by jenkins-bot:

[mediawiki/core@REL1_39] installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php

https://gerrit.wikimedia.org/r/1067359

ReleaseTaggerBot added a project: MW-1.39-notes.Aug 27 2024, 3:00 PM
kostajh subscribed.Aug 29 2024, 7:58 AM

The jobs for https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1064132 just failed with Error: your composer.lock file is not up to date. Run "composer update" to install newer dependencies, is the work here related?

kostajh mentioned this in T373581: Error in CI builds on patch test and gate-and-submit: "Error: your composer.lock file is not up to date".Aug 29 2024, 8:41 AM
Jdforrester-WMF subscribed.Aug 29 2024, 12:44 PM
In T370380#10101864, @kostajh wrote:

The jobs for https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/1064132 just failed with Error: your composer.lock file is not up to date. Run "composer update" to install newer dependencies, is the work here related?

That happens if the vendor patch has merged and the core patch hasn't, which is a race condition of a few minutes as patches land. The failure was previously hidden (as it was untested), yes.

Krinkle added a project: Fundraising-Backlog.EditedSep 4 2024, 12:24 AM
Krinkle added a subscriber: Ejegg.
In T370380#10096160, @gerritbot wrote:

Change #1067358 had a related patch set uploaded (by Krinkle; author: Krinkle):

[mediawiki/core@fundraising/REL1_39] installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php

https://gerrit.wikimedia.org/r/1067358

@Ejegg Could you have a look at this one? We generally maintain one version of Quibble that runs CI the same way on all branches. Unless we create a different version for fundraising, the above patch is blocking https://gerrit.wikimedia.org/r/c/integration/quibble/+/1063912 which resolves the bug described in this task.

The above patch has landed in the REL1_39 branch meanwhile, so a general fundraising/REL1_39 branch update would also achieve the same effect. Whichever you prefer :)

Krinkle removed projects: MW-1.39-notes, MW-1.43-notes (1.43.0-wmf.20; 2024-08-27), Continuous-Integration-Config.Sep 10 2024, 6:59 AM
Krinkle moved this task from Current Sprint to Blocked/waiting on the MediaWiki-Platform-Team board.Sep 16 2024, 2:59 PM
greg removed Krinkle as the assignee of this task.Sep 19 2024, 9:26 PM
AKanji-WMF moved this task from Triage to DRI Backlog on the Fundraising-Backlog board.Sep 24 2024, 7:41 PM
AKanji-WMF added a project: Fundraising Tech - Chaos Crew.
AKanji-WMF updated Other Assignee, added: Ejegg.
Ejegg added a comment.Sep 26 2024, 7:12 PM

Thanks for the suggestion, @Krinkle . I've just merged the REL1_39 branch in to fundraising/REL1_39 and it merged without an issue.

Ejegg moved this task from Backlog to Done on the Fundraising Tech - Chaos Crew board.Sep 27 2024, 3:27 PM
Krinkle claimed this task.Oct 6 2024, 10:33 PM
gerritbot added a comment.Oct 7 2024, 9:16 AM

Change #1078355 had a related patch set uploaded (by Hashar; author: Krinkle):

[mediawiki/core@REL1_41] installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php

https://gerrit.wikimedia.org/r/1078355

gerritbot added a comment.Oct 7 2024, 9:17 AM

Change #1078356 had a related patch set uploaded (by Hashar; author: Krinkle):

[mediawiki/core@REL1_42] installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php

https://gerrit.wikimedia.org/r/1078356

hashar added a comment.Oct 7 2024, 9:29 AM

The fundraising/REL1_39 branch has been updated by https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1075989

I have made the cherry picks for REL1_41 and REL1_42

I would have CR+2 them but I don't know what is the process nowadays for releases backports. I guess they can be approved as is?

Once merged, all branches would no more rely on --skip-external-dependencies and we can merge and deploy https://gerrit.wikimedia.org/r/c/integration/quibble/+/1063912 :)

gerritbot added a comment.Oct 7 2024, 11:54 AM

Change #1078355 merged by jenkins-bot:

[mediawiki/core@REL1_41] installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php

https://gerrit.wikimedia.org/r/1078355

gerritbot added a comment.Oct 7 2024, 11:55 AM

Change #1078356 merged by jenkins-bot:

[mediawiki/core@REL1_42] installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php

https://gerrit.wikimedia.org/r/1078356

ReleaseTaggerBot added projects: MW-1.41-notes, MW-1.42-notes.Oct 7 2024, 12:00 PM
gerritbot added a comment.Oct 7 2024, 12:32 PM

Change #1063912 merged by jenkins-bot:

[integration/quibble@master] Remove update.php --skip-external-dependencies in favor of MW_SKIP_EXTERNAL_DEPENDENCIES

https://gerrit.wikimedia.org/r/1063912

XenoRyet closed this task as Resolved.Oct 21 2024, 8:02 PM
hashar reopened this task as Open.Wed, Oct 23, 7:46 PM

This is not resolved since https://gerrit.wikimedia.org/r/c/integration/quibble/+/1063912 hasn't been released nor deployed on the CI infrastructure. That was pending the backport to all supported MediaWiki branches.

Krinkle updated Other Assignee, removed: Ejegg.Mon, Oct 28, 3:18 PM

Ack. We'll need a Quibble release and corresponding CI job updates. I'll finish a few other things this week first, and then in a few days if there's no other release by then, I'll do this.

gerritbot added a comment.Tue, Oct 29, 3:56 PM

Change #1084158 had a related patch set uploaded (by Krinkle; author: Krinkle):

[integration/quibble@master] release: Quibble 1.11.0

https://gerrit.wikimedia.org/r/1084158

gerritbot added a comment.Thu, Oct 31, 2:30 PM

Change #1084158 merged by jenkins-bot:

[integration/quibble@master] release: Quibble 1.11.0

https://gerrit.wikimedia.org/r/1084158

Stashbot mentioned this in T376602: Fix support for supplying patchset IDs when passing a change ID to Quibble.Thu, Oct 31, 3:13 PM

Mentioned in SAL (#wikimedia-releng) [2024-10-31T15:13:14Z] <hashar> Tag Quibble 1.11.0 @ 85874bf22de241cf23074515fd2aa7a57878e57e # T370380, T376602

gerritbot added a comment.Thu, Oct 31, 3:20 PM

Change #1085417 had a related patch set uploaded (by Hashar; author: Hashar):

[integration/config@master] dockerfiles: update Quibble to 1.11.0

https://gerrit.wikimedia.org/r/1085417

gerritbot added a comment.Thu, Oct 31, 3:24 PM

Change #1085417 merged by jenkins-bot:

[integration/config@master] dockerfiles: update Quibble to 1.11.0

https://gerrit.wikimedia.org/r/1085417

gerritbot added a comment.Thu, Oct 31, 3:55 PM

Change #1085426 had a related patch set uploaded (by Hashar; author: Hashar):

[integration/config@master] jjb: switch jobs to Quibble 1.11.0

https://gerrit.wikimedia.org/r/1085426

gerritbot added a comment.Fri, Nov 1, 7:52 PM

Change #1085426 merged by jenkins-bot:

[integration/config@master] jjb: switch jobs to Quibble 1.11.0

https://gerrit.wikimedia.org/r/1085426

Jdforrester-WMF added a comment.Fri, Nov 1, 8:05 PM

The Quibble release is now deployed. Unfortunately the main core/vendor patch pair right now (1078411 and 1078410) have an actual cyclic dependency, so this isn't a great test of the new logic.

XenoRyet removed a project: Fundraising Tech - Chaos Crew.Mon, Nov 4, 8:29 PM
Krinkle closed this task as Resolved.Mon, Nov 11, 2:46 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits