azure-sdk-for-cpp icon indicating copy to clipboard operation
azure-sdk-for-cpp copied to clipboard

Published 20 hours ago verified publisher icon Azure

Investigate a way to auto-validate that a GA service SDK package release does not have non-GA dependencies listed

Open ahsonkhan opened this issue 3 years ago • 3 comments

We want to avoid cases like these in the future, where a GA release depends on beta version of core. Can we come up with an automatic validation step to catch this and fail the build: https://github.com/Azure/azure-sdk-for-cpp/blob/a3926d6437b84772eb55bd466763fd2fd420a714/sdk/attestation/azure-security-attestation/vcpkg/vcpkg.json#L17

That improves our release process. That said, it isn't release blocking though, since our dependency mentions >= and a new GA version of core resolves it correctly.

Example release: https://github.com/microsoft/vcpkg/pull/25629/files#diff-8a10b4f3178229f2d82b3f64c0568d1e8322005f1fef03bef9c141bd5b3d85e7R14

cc @danieljurek, @LarryOsterman

ahsonkhan avatar Jul 14 '22 19:07 ahsonkhan

This becomes useful especially when the beta releases for packages like Azure Core do not go into the main registry, but rather our beta one: https://github.com/Azure/azure-sdk-vcpkg-betas/

ahsonkhan avatar Jul 14 '22 19:07 ahsonkhan

@BillyONeal is there a way for vcpkg to help us validate this?

Also, that the versions in our Config.cmake.in and vcpkg.json match.

ahsonkhan avatar Jul 18 '22 18:07 ahsonkhan

@BillyONeal is there a way for vcpkg to help us validate this?

Hmmmm closest I can think of is that if you have a port that is 'everything' depend-info will tell you all the dependencies and transitive dependencies, but just list and grep for azure-* probably already gets you pretty close with that.

Also, that the versions in our Config.cmake.in and vcpkg.json match.

For your 'local' manifest you could do that by parsing vcpkg.json in your CMakeLists.txt with string(JSON GET https://cmake.org/cmake/help/latest/command/string.html#get

(This use case is one of the reasons we made vcpkg.json a json file in the first place)

We don't really have a 'canned' way to do this because there's no difference between a 'GA' version and a not 'GA' version to vcpkg.

We do have a thing that validates stuff if you want to add extra validation to we would be happy to merge for you so long as it only would touch an allowlist of ports: https://github.com/microsoft/vcpkg/blob/master/.github/workflows/untrustedPR.yml

BillyONeal avatar Jul 18 '22 20:07 BillyONeal