Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

attestation: remove gh version detection #17899

Merged
merged 2 commits into from
Jul 29, 2024
Merged

attestation: remove gh version detection #17899

merged 2 commits into from
Jul 29, 2024

Conversation

woodruffw
Copy link
Member

@woodruffw woodruffw commented Jul 29, 2024
edited
Loading

I'm declaring bankruptcy on this entire approach:

  1. We can attempt to match on versions, but this will fail when the version of gh installed is built from HEAD or similar.
  2. We can match on dates instead (since gh --version also includes the date), but this is even more brittle + implies a support contract we don't actually have (we don't actually want to say we support random dated builds between public releases of gh).

This moves us back to a simpler approach: if gh is present, we use it. If gh is not present, we attempt to install it with ensure_executable!. If the user's gh is present but too old, it'll fail during attestation verification with a reasonable error, which IMO is fine for now since this is all still in beta.

CC @nandahkrishna

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

See https://github.com/orgs/Homebrew/discussions/5530 for the originating failure here.

Fixes #17898.

@woodruffw
attestation: remove gh version detection
5e0e0d5 
I'm declaring bankruptcy on this entire approach:

1. We can attempt to match on versions, but this will fail
   when the version of `gh` installed is built from `HEAD`
   or similar.
2. We can match on dates instead (since `gh --version` also includes
   the date), but this is even more brittle + implies a support
   contract we don't actually have (we don't actually want
   to say we support random dated builds between public releases
   of `gh`).

This moves us back to a simpler approach: if `gh` is present,
we use it. If `gh` is not present, we attempt to install it
with `ensure_executable!`. If the user's `gh` is present but too old,
it'll fail during attestation verification with a reasonable error,
which IMO is fine for now since this is all still in beta.

Signed-off-by: William Woodruff <william@yossarian.net>
@llimllib
Copy link

Thanks for the quick fix!

linking #17898 , the issue that came out of the linked discussion

@woodruffw
extend/kernel: forward the latest: kwarg
107d57d 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw woodruffw mentioned this pull request Jul 29, 2024
Closed
3 tasks
nandahkrishna
nandahkrishna approved these changes Jul 29, 2024
View reviewed changes
Copy link
Member

@nandahkrishna nandahkrishna left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @woodruffw!

@nandahkrishna nandahkrishna merged commit d99c2bc into master Jul 29, 2024
24 checks passed
@nandahkrishna nandahkrishna deleted the ww/no-version-sniffing branch July 29, 2024 18:08
@MikeMcQuaid
Copy link
Member

Makes sense for now, thanks @woodruffw!

If the user's gh is present but too old, it'll fail during attestation verification with a reasonable error, which IMO is fine for now since this is all still in beta.

If we get too many of these errors: we should probably just only attempt attestations if gh is up to date.

@woodruffw woodruffw mentioned this pull request Aug 1, 2024
Open
4 tasks
mmrwoods referenced this pull request Aug 1, 2024
@MikeMcQuaid
Widen attestation verification rollout
b8ff4b3 
Take 2 of #17692 but with:

- provide and document `HOMEBREW_NO_VERIFY_ATTESTATIONS`
- don't try to run unless there's GitHub credentials
- don't try to run unless `gh` is installed
- don't try to run in CI

While we're here:
- split out a `Homebrew::EnvConfig.devcmdrun?` helper method
- add some missing `Homebrew::EnvConfig.github_api_token` presence
  checks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nandahkrishna nandahkrishna nandahkrishna approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

"brew upgrade" fails with "Error: Version must not be empty"
4 participants
@woodruffw @llimllib @MikeMcQuaid @nandahkrishna