
Possibility to run post update/pre PR script

Open geovie opened this issue 4 years ago • 12 comments

Some sources need to perform additional updates when a source is changed, e.g. a node package might need to update its dependencies as well (see https://github.com/flathub/org.freedesktop.Sdk.Extension.node14/issues/25 for a use case).

A possible way to implement this is to add a new key to the flathub.json which specifies a script to run after an update. The script is placed in the repository and is executed right before the PR is created (https://github.com/flathub/flatpak-external-data-checker/blob/master/src/main.py#L222).

If this sounds like a good solution I'd open a PR for it.

geovie avatar Nov 06 '21 09:11 geovie

This feature is on my todo list, but currently it's blocked by the fact that Flathub runs a single f-e-d-c instance to check all the apps, which means that we can't allow arbitrary code execution.

> add a new key to the flathub.json which specifies a script to run after an update.

This should be done on per-source basis (meaning that post-update commands should be specified in x-checker-data).

gasinvein avatar Nov 06 '21 09:11 gasinvein

> runs a single f-e-d-c instance to check all the apps, which means that we can't allow arbitrary code execution

Oh yeah, that's a problem. Would https://github.com/flathub/flatpak-external-data-checker/issues/148 help here? Then each project could run their own f-e-d-c. And if the post-update command is hidden by a --post-update flag then the Flathub f-e-d-c instance could ignore it.

> This should be done on per-source basis (meaning that post-update commands should be specified in x-checker-data).

That makes sense 👍

geovie avatar Nov 06 '21 10:11 geovie

> Oh yeah that's a problem, would #148 help here?

To some extent.

> Then each project could run their own f-e-d-c.

You already can run f-e-d-c from a github workflow without a special action; the problem is the transition - apps on flathub will need to opt-in to "workflow" f-e-d-c and opt-out (somehow - it's not possible yet) from "hosted" f-e-d-c manually.

> And if the post-update command is hidden by a --post-update flag then the Flathub f-e-d-c instance could ignore it.

Yes, we need some mechanism to disable unsafe features for the "hosted" f-e-d-c instance, since it's a blocker for other potential features as well.

gasinvein avatar Nov 06 '21 10:11 gasinvein

I've created https://github.com/flathub/actions/pull/16 to allow repositories to opt-out of the "hosted" f-e-d-c.

This way we can implement our custom workflow for the node SDK.

geovie avatar Nov 06 '21 13:11 geovie

@geovie to avoid flathubbot doing partial updates, I'm separating the f-e-d-c properties from the manifest, merging them when manually checking for updates, and splitting them back again.
I had this working in a GitHub workflow, but I didn't update my docker image yet for the latest runtime, so the workflow is disabled.
See here, and here.

tinywrkb avatar Nov 06 '21 13:11 tinywrkb

@tinywrkb This seems orthogonal to this issue. The feature you probably want is #249

gasinvein avatar Nov 06 '21 13:11 gasinvein

@gasinvein if you look in the second link, after f-e-d-c, I'm fetching an updated Cargo.lock, and running flatpak-cargo-generator.py.

tinywrkb avatar Nov 06 '21 14:11 tinywrkb

@tinywrkb So the juggling with x-checker-data is just to disable "hosted" f-e-d-c, but still be able to run it manually, correct? If so, I suppose it won't be needed once we get an option to opt-out from "hosted" f-e-d-c.

gasinvein avatar Nov 06 '21 14:11 gasinvein

@gasinvein

  1. I need to disable the f-e-d-c check for the source, because Flathub CI doesn't have the helper tools I need, specifically flatpak-builder-tools are missing. So yes, the suggested optional opt-out feature will help here.
  2. It would still be nice if f-e-d-c would trigger the needed commands to fetch dependencies (e.g. from cargo) if the source was updated by f-e-d-c. Without this, I need a script to wrap around f-e-d-c, and check if the source was updated, and if so, then update the dependencies.

For my use case, what would really help is flatpak-builder-tools integration in f-e-d-c.

On the other hand, for build-only dependencies, the suggested opt-out f-e-d-c feature would be perfect, and with these kinds of modules I also took the same approach of juggling x-checker-data.

tinywrkb avatar Nov 06 '21 16:11 tinywrkb

> I need a script to wrap around f-e-d-c, and check if the source was updated

f-e-d-c prints to stdout information about updated sources. We probably can add an option to print a JSON instead, so it could be fed into some other script and thus ease integrating f-e-d-c with external scripts. This seems like a separate feature request, though.

gasinvein avatar Nov 06 '21 17:11 gasinvein
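
The wrapper pattern discussed in this thread, as an added example that is not part of f-e-d-c or of any participant's code: it detects an update by hashing the manifest before and after the checker runs, and executes the post-update command only when the operator has explicitly opted in, which is the gate a shared "hosted" runner would leave off. The function names, the `allow_post_update` parameter and the stand-in checker and post-update commands are assumptions made for illustration.

```python
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash the manifest so a change is detected without parsing checker output."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_then_post_update(checker_argv, manifest, post_update_argv, allow_post_update=False):
    """Run the checker; run the post-update command only if the manifest changed
    and the operator opted in. Commands are argv lists, never shell strings."""
    before = sha256_of(manifest)
    subprocess.run(checker_argv, check=True)
    if sha256_of(manifest) == before:
        return "unchanged"
    if not allow_post_update:
        # What a shared "hosted" runner would do: keep the update, skip the script.
        return "updated, post-update skipped"
    subprocess.run(post_update_argv, check=True)
    return "updated, post-update ran"


def demo(allow_post_update, new_version="1.0.1"):
    """Constructed scenario: a stand-in checker bumps a version in a sample manifest;
    the stand-in post-update step writes a marker file (think: regenerate sources)."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = Path(tmp, "app.json")
        marker = Path(tmp, "generated-sources.json")
        manifest.write_text('{"version": "1.0.0"}')
        checker = [sys.executable, "-c",
                   "import sys; open(sys.argv[1], 'w').write('{\"version\": \"%s\"}' % sys.argv[2])",
                   str(manifest), new_version]
        post = [sys.executable, "-c", "import sys; open(sys.argv[1], 'w').write('[]')", str(marker)]
        status = check_then_post_update(checker, manifest, post, allow_post_update)
        return status, marker.exists()


if __name__ == "__main__":
    print(demo(allow_post_update=True))
    print(demo(allow_post_update=False))
    print(demo(allow_post_update=True, new_version="1.0.0"))
```
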

@tinywrkb flathub/actions#16 was merged, you can now opt-out from "hosted" f-e-d-c.

gasinvein avatar Nov 26 '21 11:11 gasinvein