renovate
renovate copied to clipboard
renovatebot
PostUpgradeTasks: Support binarySource=docker/install
What Renovate type, platform and version are you using?
GHE Self hosted
{
"renovateVersion": "24.10.1"
}
Describe the request
When setting the constraint in the config like this
"force": {
"constraints": {
"node": "< 13.0.0"
}
}
then Renovate should respect this constraint during the execution of the postUpgrade tasks.
The underlying problem is that one repo still uses Node 12.X and lockfile updates are failing after the Renovate docker image updated the Version to 14.X: https://github.com/renovatebot/docker-renovate/pull/55
{
"branch": "renovate/babel-monorepo",
"dep": "@babel/core",
"cmd": "node common/scripts/install-run-rush.js update",
"stdout": "The rush.json configuration requests Rush version 5.30.1\nCopying /var/jenkins/renovate/repos/github/my/repo/common/config/rush/.npmrc --> /var/jenkins/renovate/repos/github/my/repo/common/temp/install-run/@[email protected]/.npmrc\nInstalling @microsoft/rush...\nadded 12 packages from 12 contributors and audited 32 packages in 5.739s\n\n15 packages are looking for funding\n run `npm fund` for details\n\nfound 1 low severity vulnerability\n run `npm audit fix` to fix them, or `npm audit` for details\nSuccessfully installed @microsoft/[email protected]\n\nInvoking \"rush update\"\n----------------------\n\n\n\nRush Multi-Project Build Tool 5.30.1 - https://rushjs.io\nNode.js version is 14.15.3 (LTS)\n\n\n",
"stderr": "npm notice created a lockfile as package-lock.json. You should commit this file.\n\nERROR: Your dev environment is running Node.js version v14.15.3 which does not\nmeet the requirements for building this repository. (The rush.json\nconfiguration requires nodeSupportedVersionRange=\">=12.18.0 <13.0.0\")\n"
}
To Reproduce
Have a rush.json file with the following constraint: "nodeSupportedVersionRange": ">=12.18.0 <13.0.0",
Then run the following in a postUpgradeTask: node common/scripts/install-run-rush.js update
Additional context
The problem should be solved when we apply the same restriction of the postUpdate tasks to the postUpgrade tasks.
Can you build a small public reproduction repo. So we can debug this.
It's also important how are you running renovate. Currently only binarySource=docker is able to respect constraints.
I've checked the code now. So currently the postUpgrade tasks are run as direct child without any docker container.
It also don't have any concept of constraints, so it's not easy to apply them to postUpgrade
https://github.com/renovatebot/renovate/blob/62c68d07e31624d838fb4692c18fca802b3587b6/lib%2Fworkers%2Fbranch%2Findex.ts#L380-L382
yes, as we don't pass any docker args to exec
checked here: https://github.com/renovatebot/renovate/blob/5d99ff9862bac803dcea4e6ded5f3fec34abccfc/lib%2Futil%2Fexec%2Findex.ts#L126-L141
Maybe we can use node:14 to at least let it run in Docker. Then maybe a new admin option of allowed image patterns plus configurable image in the user config
I think we can label this status:ready now? We seem to have decided on a course of action?
yes, as we don't pass any docker args to exec
Maybe we can use node:14 to at least let it run in Docker. Then maybe a new admin option of allowed image patterns plus configurable image in the user config
sounds good, but we should use
renovate/node:14
When I read the above I'm still not sure exactly what needs to be done, and we don't have a reproduction repo either. So I think leave it as requirements
Hi there,
The Renovate team needs your help! To fix the problem, we first need to know exactly what's causing the bug. A minimal reproduction help us to pinpoint the exact cause of the bug.
To get started, please read our guide on minimal reproductions to understand what is needed.
We may close the issue if you have not provided a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment.
Good luck,
The Renovate team
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
We are running into a similar issue.
This issue talks about the fact that renovate itself is running fine. They have constraints in their package.json that sets node < 13.0.0. This still works because during upgrade renovate is able to detect and use an appropriate node verison.
However, if trying to run a PostUpgradeTask then the version of node bundled in the renovate/renovate docker image is used. Right now its 14.x. So whatever script they are trying to run which seems does some stuff with deps as well fails because it sees node 14.x but requires node < 13.0.0.
For us, we have a project with constraints >=16 for node. So when we run our post upgrade script to do some dependency massaging we get errors Error: Command failed with exit code 1: yarn add --dev @babel/core@^7.0.0\nerror <some-internal-pacakge>@1.17.6: The engine \"node\" is incompatible with this module. Expected version \">=16\". Got \"14.18.2\".
So what is needed is either:
- renovate to honor the
package.jsonconstraints duringPostUpgradeTasks. Not sure if this should be some new config or just happen automatically. I don't think it'd be uncommon to run post upgrade tasks using the language and dependencies/constraints of your project. - easy way to specify environment to run postUpgradeTasks in
Having said all that, I'll see if I can provide something to reproduce today as well.
Here is a reproduction repo I created: https://github.com/jmccann/renovate-post-upgrade-constraints
When I ran renovate against it (using renovate/renovate:32.99) this is what I saw:
DEBUG: Executing post-upgrade task (repository=jmccann/renovate-post-upgrade-constraints, branch=renovate/rimraf-3.x)
"dep": "rimraf",
"cmd": "yarn post-upgrade"
DEBUG: Executing command (repository=jmccann/renovate-post-upgrade-constraints, branch=renovate/rimraf-3.x)
"dep": "rimraf",
"command": "yarn post-upgrade"
DEBUG: rawExec err (repository=jmccann/renovate-post-upgrade-constraints, branch=renovate/rimraf-3.x)
"dep": "rimraf",
"err": {
"killed": false,
"code": 1,
"signal": null,
"cmd": "yarn post-upgrade",
"stdout": "yarn run v1.22.19\ninfo Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.\n",
"stderr": "warning package.json: No license field\nerror [email protected]: The engine \"node\" is incompatible with this module. Expected version \">=16\". Got \"14.19.3\"\nerror Commands cannot run with an incompatible environment.\n",
"message": "Command failed: yarn post-upgrade\nwarning package.json: No license field\nerror [email protected]: The engine \"node\" is incompatible with this module. Expected version \">=16\". Got \"14.19.3\"\nerror Commands cannot run with an incompatible environment.\n",
"stack": "Error: Command failed: yarn post-upgrade\nwarning package.json: No license field\nerror [email protected]: The engine \"node\" is incompatible with this module. Expected version \">=16\". Got \"14.19.3\"\nerror Commands cannot run with an incompatible environment.\n\n at ChildProcess.exithandler (child_process.js:383:12)\n at ChildProcess.emit (events.js:400:28)\n at ChildProcess.emit (domain.js:475:12)\n at maybeClose (internal/child_process.js:1088:16)\n at Process.ChildProcess._handle.onexit (internal/child_process.js:296:5)"
}
Idea:
Allow configure tools (like we do in manager artifact update) on postupdateconfig object. Thsat ways we can simply validate and pass through known tools and install them before running post update task. As first step user needs to manualls configure tool name and version. Later we can try to detect the version required.
Before I found this issue, I was looking through the code to see how difficult it would be to add an option to run postUgradeTasks in the renovate child container if the executionMode is set to update and renovate is using the docker binary source for the dependency. I'll try to find time to get a minimal demo of that working. Having the binarySource option available in postUpgradeTasks would be great but this option may be a quicker intermediate step.
i think we can allow toolConstraints on post update tasks and renovate should use those on binarySource=docker/install.
on binarySource=docker we should run those in our sidecar docker image.
https://github.com/renovatebot/renovate/blob/0e43f41da61009073b7c9dac766b38d5d3b6dc14/lib/modules/manager/npm/post-update/yarn.ts#L188
We ran into the same issue (#17994) in our renovatebot instance we are running for Joomla. (https://github.com/joomla/joomla-cms/)
@Hackwar are you self-hosting? If so, can you describe specifically how? e.g. using slim image and binarySource=docker ?
How we run renovate in our script:
docker run \
--rm \
-e RENOVATE_TOKEN \
-e RENOVATE_FORK_TOKEN="$RENOVATE_TOKEN" \
-e RENOVATE_DOCKER_USER="1000:0" \
-v /run/docker.sock:/var/run/docker.sock \
-v "/tmp/renovatebot:/tmp/renovatebot" \
-v "/srv/docker/joomla-renovatebot/config.js:/usr/src/app/config.js" \
renovate/renovate \
--base-dir=/tmp/renovatebot \
--persist-repo-data=true \
--binary-source=docker
module.exports = {
platform: 'github',
onboardingConfig: {
extends: ['config:base', ':preserveSemverRanges', ':disableMajorUpdates'],
versioning: 'semver',
dependencyDashboard: true,
lockFileMaintenance: { enabled: true },
composerIgnorePlatformReqs: ["ext-*", "lib-*"],
rangeStrategy: "update-lockfile"
},
enabledManagers: ['composer', 'npm'],
forkMode: true,
includeForks: true,
repositories: [
'joomla/joomla-cms'
],
"allowedPostUpgradeCommands": ["^composer install", "^node build/build\.js --copy-assets$", "^npm run ", "^npm i$"],
};
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:base",
":preserveSemverRanges",
":disableMajorUpdates"
],
"versioning": "semver",
"dependencyDashboard": true,
"lockFileMaintenance": { "enabled": true },
"composerIgnorePlatformReqs": ["ext-*", "lib-*"],
"rangeStrategy": "update-lockfile",
"baseBranches": ["4.2-dev", "4.3-dev", "5.0-dev"],
"constraints": {
"composer": "> 2.3",
"npm": "> 8.0"
},
"postUpgradeTasks": {
"commands": ["npm ci", "node build/build.js --copy-assets"],
"fileFilters": ["**/*.*"],
"executionMode": "branch"
}
}
That is the whole configuration we have. In a test repo I added composer install --ignore-reqs to the postUpgradeTasks and that one works fine, but npm ci fails because it requires nodejs 16. You can see the build.js here: https://github.com/joomla/joomla-cms/blob/4.2-dev/build/build.js
And our repo is here: https://github.com/joomla/joomla-cms/
@viceice were you thinking to limit it to sidecar images + user configurable tool constraints?
I'm also wondering if we need just the tool name and can reuse config.constraints?
we probably should do our idea of have a single sidecar image per repo, so all tools should be ready when running post upgrade tasks.
Even then the user may want an extra tool or custom version installed for post upgrade tasks
Even then the user may want an extra tool or custom version installed for post upgrade tasks
then there needs to be some explicit tools definitions on post upgrade tasks for those tools.
In that case I think we can start with the simplest use case. What do you think of this?
- Run post upgrade tasks in sidecar only
- Allow a list of tools to be defined for installing
- Install latest version if config.constraints.tool is not set
So let's have a new field installTools as a subfield of postUpgradeTasks, like this:\
"constraints": {
"composer": "> 2.3",
"npm": "> 8.0"
},
"postUpgradeTasks": {
"commands": ["npm ci", "node build/build.js --copy-assets"],
"fileFilters": ["**/*.*"],
"executionMode": "branch",
"installTools": ["npm"]
}
The possible tools should come from our existing list of supported tools.