-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expand "CI best practicies" section to the guide #5656
Comments
A blog post about this feature: https://blog.illicitonion.com/2018/06/rust-minimum-versions-semver-is-lie.html |
I assume this means to expand https://github.com/rust-lang/cargo/blob/master/src/doc/src/guide/continuous-integration.md? Should it maybe leverage or at least point to japaric/trust? |
Ah, I haven't realized that https://github.com/rust-lang/cargo/blob/master/src/doc/src/guide/continuous-integration.md exists.
Yep, we should definitely mention it! |
@ehuss That is a good place for it to go, thanks for the reminder! The impetus for this is that when we stabilize |
Relevant: rust-lang/rfcs#2483 |
I've just posted a blog post that talks about version selection in detail, and touches on the questions here as well. |
That is an excellent read. Thank you for writing this up so articulately. I especially liked the paragraph of:
That sounds like the tradeoff bending I know and love from the rust ethic. I.E. a careful and pedantic system to ensure you are correct but with a large pit of success to make it usable. It also involves the most design work, so it may not be feasible. In our earlier discussion today you suggested that "equality constraints are rare in the ecosystem" and I resisted being pedantic and pointing out lock files. So I was glad to see them addressed in your blog post. But I do have one nit with:
Currently that adjustment is very conservative, if the version of the sub dependency that appears in the lock file satisfies the requirement of the new dependency then it is not unlocked. Meaning that I am often testing a combination not in the well tested set. So if the new dependency does not have lower-bound precision and my lockfile is old enough then I will brake. Thanks for the thought provoking guidance of this community. |
There's also the https://crate-ci.github.io/ project (cc @epage). Maybe the Cargo Guide could have a small CI best practices section and link out to a larger exploration of the area like this? |
The important difference with lock files is that you once you have one you should have a successful build, and because it was generated using max versions, it will not run into the too low min version problem. Ceiling'd constraints are a problem because they influence version resolution, whereas the lockfile is after version resolution. You do identify exactly where a problem can arise, though: |
I've run into this problem quite a few times lately. I'm using dependabot on some of my projects to automatically update dependencies, and the updates regularly break CI because the lockfile has an older transitive dependency, but some other dependency relies on it being the most recent release. Examples:
Hopefully the examples above are helpful in that regard |
I've been working to improve CI times on crates I work on here. There's gitlab-ci examples there (minimum version, stable, nightly, with/without feature flags, For Cirrus CI, I have keyutils. Though it runs the Basic strategy for "optimal" builds (AFAICT):
|
I recently added CI / CD for a Rust project and after a good amount of research this is what I ended up with (specific to GitHub Actions), in case it is helpful for this issue: Run CI when pushing to branches for pull requeestsname: Pull request
on:
push:
branches-ignore:
- master
jobs:
verify:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v1
- name: Check
run: cargo check
- name: Test
run: cargo test
- name: Lint
run: cargo clippy --all-targets -- -D warnings
- name: Format
run: cargo fmt -- --check
- name: Publish
run: cargo publish --dry-run Run CI and CD when merging pull requests to mastername: Merge
on:
push:
branches:
- master
jobs:
verify:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v1
- name: Check
run: cargo check
- name: Test
run: cargo test
- name: Lint
run: cargo clippy --all-targets -- -D warnings
- name: Format
run: cargo fmt -- --check
executable:
runs-on: ubuntu-latest
needs: [verify]
steps:
- name: Checkout
uses: actions/checkout@v1
- name: Login
run: cargo login ${{ secrets.CRATE_REGISTRY_PAT }}
- name: Publish
if: success()
run: cargo publish |
So my feedback on this:
|
To reduce our pipeline time I have come up with following testing strategy:
When building is already doing cargo check can we just skip it or did I get that wrong? |
imo Similarly, My CI tends to be broken down into
|
#12382 documented a way to verify latest dependencies. #13056 documents a way to verify MSRV Holes I still see
|
IMO, this project (cargo) isn't the place to document CI best practices for Rust projects, even ones that use Cargo. I do think that such guides need to exist but why burden the cargo project with maintaining these docs? |
Because there isn't a better place at this time?
|
docs: Provide pointers for MSRV ### What does this PR try to resolve? In today's cargo team meeting, we discussed the Pre-RFC for MSRV-aware resolver for #9930. In that discussion, the question of recommending a policy came up. While we didn't feel the ecosystem has coalesced enough to set one (and we hope MSRV-aware resolver will avoid the need), it became clear that some we can provide some basic help to the user, including - Raising awareness of tools to find the actual MSRV - The policy that they should verify it with examples on how to do so ### How should we test and review this PR? While this recommends some specific third-party tools, I'm not aware of other tools within this for us to worry about at this time for us to create any guidelines on which we should include. Explanations are given for the example CI job to discourage cargo culting and instead give people the information they need in making decisions relevant to their project. ### Additional information I'd love to provide information to help users create their own MSRV policy but only if there was an automated way of collecting and reporting some of the data, like crates.io providing a dashboard of MSRVs set or rust-versions inferred from user-agents. Without that, I felt it not worth getting into other policy discussions like reactive vs proactive updating of MSRV, automated MSRV updates, etc. These can always be added later. This also helps towards #5656.
thanks for working on this! would it be an option to provide a (set of) GitHub Workflows which contain these best practices (where possible)? as workflows are versioned (semver) and come with documentation that might be a good way of rolling out new patterns over time (and if users have dependabot enabled for the workflows then they'll also notice if a new version comes around) |
Things I do in my Rust CI (though on GitLab-CI; the steps might be useful at least) that aren't mentioned here:
|
For what we've included so far, we list a lot of trade offs so there isn't a single right solution. Personally, I also am unsure of the value of providing an Action over people just calling the commands directly. The exception is I have a specific workflow in my own projects for clippy that leverages SARIF reporting in github.
Some of this gets in the question of how much we talk about principles vs CI specific practices (caching for that one CI provider).
One question would be
There are multiple solutions. We'd need to at least reference the main ones even if we point to one
imo this isn't GA enough for us to include yet. |
Things to talk about:
~/.cargo
,./target
, but keep~/.cargo/credentials
in mind)--minimal-versions
to verify dependencies in Cargo.tomlIdeally, the section should contain copy-pastable config files for various CI providers.
The text was updated successfully, but these errors were encountered: