The mediawiki/vendor README has a detailed explanation of how to create new patches, but the part on how to merge / deploy them is very vague (basically "ask someone who knows"). The process is nontrivial (or at least used to be, not sure about the exact state today) due to circular dependencies, and the uncertainty around it can make vendor patches a bottleneck - e.g. the train was just delayed by a day because T416456: Lcobucci\JWT\Signer\InvalidKeyProvided: Key cannot be empty (/w/rest.php/oauth2/access_token) blocked it and no one available was confident how to revert a library version bump. There should be clear step-by-step documentation, just like for creating the patch.
Either the README or wikitech (Backport windows/Deployers or How to deploy code) should say something about this, preferably with the other one linking to it.
Possibly relevant documentation for specific components: Parsoid, Fundraising
The way I did it was:
- Revert https://gerrit.wikimedia.org/r/c/mediawiki/vendor/+/1235417 in Gerrit by using the Revert button
- Fetch the change locally (and maybe I rebased it, I don't remember)
- If there was a conflict in composer.json, I resolved it
I went to use the documented docker run --rm -it -u "$(id -u):$(id -g)" -v "$PWD/.git:/src/.git:ro" -v "$PWD:/src" -w /src docker-registry.wikimedia.org/releng/composer-php82:8.2.29 update --no-dev.
That complained about a mismatching parsoid version. Turns out I forgot to reset the composer.lock to the previous version:
- Rollback composer.lock to the parent version (git show HEAD^:composer.lock > composer.lock)
I think I ended up having unwanted updates but maybe that was due to the mismatching composer.lock. I thus went to require the package:
```
# Parent state: git show HEAD^:composer.lock > composer.lock
composer require --update-no-dev lcobucci/jwt 4.1.5
```
My guess is we can directly run the documented composer update --no-dev IF we rollback composer.lock to its previous state.
Maybe we can script the steps instead of having to follow a README?
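One way the steps from the comment above could be scripted, as an added example that is not code from this task or from mediawiki/vendor. It assumes the Gerrit revert change is already fetched and checked out, that `PRE_BUMP_REF` (hypothetical, default `HEAD^` as in the comment) names the commit whose composer.lock predates the bump, and that the package and version to return to are passed in (the `lcobucci/jwt 4.1.5` defaults are taken from this task). Instead of the full `composer update --no-dev` the comment guessed at, it limits the update to the reverted package (composer's `update <package>` form) and then diffs the lock file so that any other package that moved, the "unwanted updates" mentioned above, fails the run rather than slipping into the deploy. The `-it` flags of the documented docker command are dropped so the script also works without a TTY.

```shell
#!/usr/bin/env bash
# Added example, not from the task or mediawiki/vendor: scripts the vendor
# revert steps and checks that only the intended package changed in the lock.
set -eu
export LC_ALL=C   # sort and join must agree on collation

COMPOSER_IMAGE="docker-registry.wikimedia.org/releng/composer-php82:8.2.29"

# Print "name version" for every package in a composer.lock, sorted by name.
# Each entry in "packages"/"packages-dev" lists "name" before "version"; the
# author "name" fields that follow "version" are overwritten by the next entry
# and therefore never printed.
lock_packages() {
  awk -F'"' '
    /^ *"name": *"/    { name = $4 }
    /^ *"version": *"/ { if (name != "") { print name, $4; name = "" } }
  ' "$1" | sort
}

# Version of one package as pinned in a composer.lock; empty if absent.
locked_version() {
  lock_packages "$2" | awk -v pkg="$1" '$1 == pkg { print $2 }'
}

# Packages whose pinned version differs between two lock files, printed as
# "name old new" with MISSING where a package is only present on one side.
lock_diff() {
  local a b
  a=$(mktemp); b=$(mktemp)
  lock_packages "$1" > "$a"
  lock_packages "$2" > "$b"
  join -a1 -a2 -e MISSING -o 0,1.2,2.2 "$a" "$b" | awk '$2 != $3'
  rm -f "$a" "$b"
}

# Run from the checked-out revert change in a mediawiki/vendor clone.
#   revert_vendor_bump [PRE_BUMP_REF] [PACKAGE] [EXPECTED_VERSION]
revert_vendor_bump() {
  local pre_bump_ref="${1:-HEAD^}" package="${2:-lcobucci/jwt}" expected="${3:-4.1.5}"
  local before unexpected
  before=$(mktemp)

  # 1. Start from the lock file as it was before the bump (step from the comment).
  git show "${pre_bump_ref}:composer.lock" > composer.lock

  # 2. Sanity check: the restored lock must already pin the version we return to.
  if [ "$(locked_version "$package" composer.lock)" != "$expected" ]; then
    echo "composer.lock at $pre_bump_ref does not pin $package $expected" >&2
    return 1
  fi
  cp composer.lock "$before"

  # 3. The documented composer invocation, restricted to the reverted package.
  docker run --rm -u "$(id -u):$(id -g)" \
    -v "$PWD/.git:/src/.git:ro" -v "$PWD:/src" -w /src \
    "$COMPOSER_IMAGE" update --no-dev "$package"

  # 4. Refuse to continue if anything other than the reverted package moved.
  unexpected=$(lock_diff "$before" composer.lock | awk -v pkg="$package" '$1 != pkg')
  rm -f "$before"
  if [ -n "$unexpected" ]; then
    echo "unwanted updates in composer.lock:" >&2
    echo "$unexpected" >&2
    return 1
  fi
  echo "composer.lock now pins $package $(locked_version "$package" composer.lock); review and git commit --amend"
}
```

The lock-parsing helpers work on any composer.lock, so `lock_diff old.lock new.lock` is also a quick way to review what a vendor patch actually changes before it is merged.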