build
build copied to clipboard
nodejs
Windows build authentication issue with nodejs-private
@joaocgreis https://ci.nodejs.org/job/node-test-commit-windows-fanned/ currently does this:
CLEAN_REF=`echo $GIT_REMOTE_REF | python -c "import sys; s=sys.stdin.read(); print(s.replace('refs/','') if '/' in s else 'heads/'+s)"`
export GIT_COMMIT=`curl -s https://api.github.com/repos/$GITHUB_ORG/$REPO_NAME/git/refs/$CLEAN_REF | python -c "import sys, json; print json.load(sys.stdin)['object']['sha']" || true`
export TEMP_BRANCH="jenkins-${JOB_NAME}-${GIT_COMMIT}"
export TEMP_PUSH_BRANCH=${TEMP_BRANCH}
i.e. it makes an unauthenticated call to the GitHub rest API to get the commit hash to build the TEMP_BRANCH name used to push to the internal Git repo. This doens't work with nodejs-private repos,
e.g.
https://ci.nodejs.org/job/node-test-commit-windows-fanned/44822/console
22:29:47 ++ curl -s https://api.github.com/repos/nodejs-private/node-private/git/refs/heads/v14.18.1-proposal
22:29:47 ++ python -c 'import sys, json; print json.load(sys.stdin)['\''object'\'']['\''sha'\'']'
22:29:47 Traceback (most recent call last):
22:29:47 File "<string>", line 1, in <module>
22:29:47 KeyError: 'object'
22:29:47 ++ true
22:29:47 + export GIT_COMMIT=
22:29:47 + GIT_COMMIT=
22:29:47 + export TEMP_BRANCH=jenkins-node-test-commit-windows-fanned-
22:29:47 + TEMP_BRANCH=jenkins-node-test-commit-windows-fanned-
22:29:47 + export TEMP_PUSH_BRANCH=jenkins-node-test-commit-windows-fanned-
22:29:47 + TEMP_PUSH_BRANCH=jenkins-node-test-commit-windows-fanned-
which means we end up with non-unique branch names which is bad if multiple Windows builds for different commits are started at the same time.
I don't remember the full range of issues that led to this solution, but it was mainly being able to resume jobs. Previously the id of the job was used, but that would change when using the resume job button, and the job would fail because it couldn't find the binaries in the temporary repo. This fixed that issue.
At this point, I don't see anything we can do to have both resumed jobs and support for nodejs-private, except perhaps investigate how to issue that call to the GH API using authentication.
We'll need to figure out how to pass a token through to GH securely (i.e. not exposed in the Jenkins job output or workspace).
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
As far as I'm aware https://ci.nodejs.org/job/node-test-commit-arm-fanned/ doesn't have this problem so we should see if whatever that is doing to generate the branch names for the temp binary repository can be used in https://ci.nodejs.org/job/node-test-commit-windows-fanned/.
As far as I'm aware https://ci.nodejs.org/job/node-test-commit-arm-fanned/ doesn't have this problem so we should see if whatever that is doing to generate the branch names for the temp binary repository can be used in https://ci.nodejs.org/job/node-test-commit-windows-fanned/.
https://ci.nodejs.org/job/node-test-commit-arm-fanned/ does a git checkout, and then uses the GIT_COMMIT environment variable that the git plugin sets to set the temporary branch name.
I've modified https://ci.nodejs.org/job/node-test-commit-windows-fanned/ to also do a git checkout (it wasn't before), and to use the same GIT_COMMIT environment variable when setting the temporary branch name (I've commented out the line that did the export GIT_COMMIT.... This appears to be working -- we now get temporary branch names with git commit hashes even when building from the private repo:
e.g. https://ci.nodejs.org/job/node-test-commit-windows-fanned/53097/console
Audit trail: https://github.com/nodejs/jenkins-config-test/commit/ba01a66b74d0c189800b60f63feaa05d42eba6dc