Adding a Tide Configuration for checking only github required checks.

[sebastienvas]

Ref: https://goo.gl/cd9MEu which was discussed with @fejta @cjwagner @BenTheElder

Instead of getting required checks from the github api, it will use the branch protection configuration and infere the required context from it. We are also adding a optional options to Prow Presubmits.

Config would look like this:

...
branch-protection:
  skip-unknown-contexts: true

...
presubmits:
  org/repo:
  - name: my-presubmit
    optional: true
...

#7140

[0xmichalis]

GetRequiredChecks

[0xmichalis]

unfinished sentence

[0xmichalis]

How do I configure the required checks? If this is something that is done on Github alongside configuring branch protection, please add pointers to documentation on how to do it.

[cjwagner]

You can just use == to check for string equality in golang.

[cjwagner]

All the tests have the same name.

[cjwagner]

This needs to be updated.

[cjwagner]

This could use too many API tokens. We need to cache this info, but I'm not sure what a sane eviction policy would be. Maybe just use a 1 hour TTL?
A proxy cache layer would handle this transparently. @stevekuznetsov @BenTheElder

[BenTheElder]

I don't really like the idea that we'll pull this from GitHub and lag behind the current state or that we'll instead eat API tokens for this. We could accomplish the same thing by instead requiring you to set the list of required statuses in Prow when you set them on GitHub.

It's more effort and but it's also much less complex and less magical. This worked fine for the submit-queue...

[BenTheElder]

With the branch protector we're also currently deriving these from Prow config for Kubernetes repos anyhow, that would just leave non-Prow statuses, which generally seem to be made required without automation anyhow.

[cjwagner]

I think this variable name is a misnomer. It is the set of contexts seen on the PR, nothing is combined?

[cjwagner]

s/". "/", "/
s/Info/Warnf/

[cjwagner]

pickBatch should accept bp as a parameter from its caller instead of looking it up from the config.

[stevekuznetsov]

This should be paired with a change to the PR dashboard as well

[0xmichalis]

Needs a link to github docs for setting up the required checks.

[sebastienvas]

Do you have an example ?

[sebastienvas]

I added a README.md file in cmd/tide

[sebastienvas]

@stevekuznetsov I don't understand what you mean. Can you elaborate ?

[sebastienvas]

@stevekuznetsov please take an extra look since this PR conflicted with #7454

[stevekuznetsov]

I'll create a deck PR to change the required branches and link you there to show an example of what I mean.

[stevekuznetsov]

Maybe contextRequired as a name?

[sebastienvas]

done

[stevekuznetsov]

Shouldn't construct semi-initialized Context object here, someone's going to nil pointer downstream of this

[sebastienvas]

done

[stevekuznetsov]

Let's break this out -- the doc on this method reads "unsuccessfulContexts determines which contexts from the list are failed" -- contexts that are not in the list should not be returned? Maybe a method missingContexts -- but unsure of the usefulness of this actually as once you mark a context required, GitHub automatically adds it to every commit, so we're coding against GitHub acting up?

[stevekuznetsov]

Or actually on second thought, you are changing the semantics of the check entirely -- rename this method to reflect the fact that instead of identifying failed contexts from an owning set, you are checking for successful contexts from a required set.

[sebastienvas]

I don't think we are changing the semantic. Here, we still skip the test we don't care about, ie tests that are not required, and we add required tests that are missing. (In theory this should not happen, as github will add them as pending by default, but it is a safe guard). I updated the documentation.

[stevekuznetsov]

Why should we fetch this twice (in takeAction and here) for the same controller?

[cjwagner]

As stated above, we shouldn't be fetching this from Github at all. Rather, we should maintain a list of contexts that can be ignored in the Prow config.

[BenTheElder]

Yes, right now AFAIK all users are either:

• manually setting required jobs, in which case it shouldn't be a big deal to add them to a prow config entry
• autogenerating the required jobs from prow config with the branch protector, in which case we should reuse that.

I think this will have much less surprising behavior than attempting to sync with github behind a cache. Without some form of caching this will probably waste too many API calls.

[sebastienvas]

we should not :)

[0xmichalis]

Why can't a required context be inferred by the following combination in the config:

• job exists (thus can be controlled)
• job.always_run: true || job.run_if_changed != ""
• job.skip_report: false

[sebastienvas]

@Kargakis this only works for Prow jobs, what about other CI ?

[BenTheElder]

I tought of getting the required contexts from the PR using githubql as this would not take any additional api call, but then I saw you were already making an API call for combined status, so the same argument holds.

No? Getting the required contexts does cost more.

[BenTheElder]

it will be out of sync, because that s problem that we have right now with mungegithub. We have multiple admins, and people doing changes out of our control. And you can tell people that they need to update it, but you cannot force them to.

Not if you write it in a config in the first place, which also creates a public record and controls it via PR instead of admins randomly changing merge requirements silently. Nothing is out of sync if we push out the requirements to GitHub on config load instead of trying to keep up with GitHub.

And you can tell people that they need to update it, but you cannot force them to.

Well I mean, you can't force them to use tide or the queue either, they can click merge manually even when it is deployed, but we don't optimize for this sort of broken usage either...

[cjwagner]

headContexts should not be used as an example, it is a hacky workaround for getting the status contexts for the most recent commit even though Github returns the commits in a non-useful ordering. I just had a discussion with @BenTheElder about more scalable alternatives to this.
Furthermore, headContexts uses far fewer tokens than fetching the required contexts like you are doing would. headContexts doesn't usually have to actually make an API call whereas GetRequiredChecks always makes an API call.

Using GetRequiredChecks the way it is used now is prohibitively expensive. Tide is designed to operate on multiple thousands of open PRs. If we listed the required contexts for each of these PRs when setting statuses, Tide's status sync loop could use up all of the bots hourly API tokens in a matter of minutes all on its own. This is problematic because the tokens are shared by Tide's main sync loop and all of the other Prow components.

[sebastienvas]

That's fair, but it disabled by default in your use case. So can we still get this in until we have a better approach ?

[stevekuznetsov]

nit: You've got a couple of these newline diffs, maybe remove?

[sebastienvas]

done

[stevekuznetsov]

Do we want to use the GithubQL types instead of raw string literals for the context status?

[sebastienvas]

That would be changing the signature of the interface method.

[sebastienvas]

but I used the githubql const.

[stevekuznetsov]

githubql.StatusStateSuccess ?

[sebastienvas]

Done

[stevekuznetsov]

githubql.StatusStateFailure?

[sebastienvas]

Done

[stevekuznetsov]

"required checks but not used" what does this mean? Maybe "no required checks configured"?

[stevekuznetsov]

Wait, why is this a valid case? Shouldn't we never query GitHub for the list of required checks if the useRequiredChecksOnly field is not true?

[sebastienvas]

Right this is what the test is checking, I renamed it. PTAL

[stevekuznetsov]

This seems like something we should validate at config load time -- if you require checks but configured none, that's a user error in config

[sebastienvas]

the required checks are coming from the github api, so validating the config would require an api call for every branch, plus checking it at config parsing does not actually guarantees that it'll still be valid a couple of minute after.

[sebastienvas]

I am doing validation now since I am gertting the required checks from the branch protection config.

[sebastienvas]

Thanks for the review @stevekuznetsov PTAL

[cjwagner]

I think using a whitelist/blacklist approach is the right way to go in order to save API tokens and keep config in one place instead of spread across both Prow and Github.
I'm fine with this merging as a temporary solution if this is needed urgently as long as the intent is to change it soon. What do others think?

[cjwagner]

Please avoid variable shadowing (c).

[sebastienvas]

@fejta @cjwagner @BenTheElder @stevekuznetsov could we continue the review ? I'll resolved the conflicts once we have an agreement.

[stevekuznetsov]

Whitelist/blacklist seems like a good approach but what were the original design intents behind tide? IIRC they were to use the query and just have an overall passing check, right? It was not even to post a status and just use the query API for aggregate status. Why did we want that? The more we head down this rabbit hole the more we lose whatever we were after with that. FWIW I think it's inevitable because of the reality of GitHub status contexts, but we should just keep that in mind...

[sebastienvas]

/assign fejta

[fejta]

Unnecessary change? It doesn't format anything.

[sebastienvas]

it is just that it was inconsistent all over the code. Some use fmt.Errorf some use errors.New. Since errors was conflicting with errors renamed from Errors I used fmt.Errorf

[sebastienvas]

will revert to ease review

[fejta]

One thing we need is to change this to if !j.SkipReport && !j.Optional

[sebastienvas]

what is optional ?

[fejta]

A second thing would be to write a allBranchRequirements(org, repo, branch string, cfg config.Confg) that combines repoRequirements() with the union of all the contexts at branch, repo, org, overall levels...

For this PR can we focus on making these minimal set of changes and save refactoring the whole thing for later?

[sebastienvas]

that s done here https://sourcegraph.com/github.com/sebastienvas/k8s-test-infra@34a25d3febb106ca88b5ba7c8560f73cf791609f/-/blob/prow/config/branch_protection.go#L121

I moved those to the branch_protection config as this is config parsing

[fejta]

Please avoid double negatives.

if optional is easier on the brain than if !NonRequiredCheck

[sebastienvas]

well I have to make nonrequired default so I don't have much choice.

[fejta]

Choose a better name than non-required, look up antonyms of required if you don't like my naming suggestion (optional).

optional = false is easier to understand than nonrequired = false

[sebastienvas]

you are right ! Yes optional is better, sorry somehow I understood that optional was reverse of non required. I ll change it.

[fejta]

I don't understand why this is necessary. Tide can just read the branch-protection options?

[sebastienvas]

don't you think one would still want to prevent merging when one of the non required checks is failing ?If not then, you are right.

[sebastienvas]

@BenTheElder @cjwagner what do you think ? I am fine either way.

[fejta]

This makes more sense as an enum/boolean field on each TideQuery

Just like I can toss a reviewApprovedRequired: true into a query I'd expect to be able to toss a ignoreOptionalContexts: true here

[sebastienvas]

I was gonna do that first, but then since you can't really query it I decided to use a separate option, but I really like your idea.

[sebastienvas]

actually looking at the implementation, you can define multiple queries per PR, and therefore you could define a query with ignoreOptionalContexts enabled and another disabled which could be a nice option, however when we go in the subpool we loose the query information. We could hack the code to make this happen, but that's ugly. The more I think about it, the more I think we should have an option in the branch protection config. What do you think ?

[fejta]

I think it would be useful to better separate out the concerns here, so send optionalContexts sets.String or else an interface like:

type foo interface {
  requiredSubset([]string) []string
}

[sebastienvas]

I ll wait for you to answer to "don't you think one would still want to prevent merging when one of the non required checks is failing ?If not then, you are right." before fixing this one

[fejta]

Please do not change default behavior in this PR

[sebastienvas]

I am not this is coming from https://sourcegraph.com/github.com/kubernetes/test-infra@f2213eb3e19d95930c192db44ac06dffc1f4caf9/-/blob/prow/cmd/branchprotector/protect.go#L198

[sebastienvas]

Note that yours tests were pretty good, so it was easy to make sure that my change kept the funcionality

[fejta]

Given that I'm essentially in the middle of refactoring this whole file to support the rest of the github options, a secondary goal is to make it as easy as possible for me to understand what parts you need me to pull in

[fejta]

I agree with this sort of thing generally (I had done something similar in my PR), but given that there is already a lot going on in this PR please keep as many lines the same as possible (I removed those changes from my PR to help simplify review).

[sebastienvas]

ok will fix

[0xmichalis]

This PR is too large to review and needs to be broken down into smaller self-contained PRs. Before that happens I would suggest writting up a proposal in a google doc where we can bikeshed the design of this and discuss alternatives.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebastienvas
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: fejta

Assign the PR to them by writing /assign @fejta in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• prow/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fejta]

Can we squash/rebase away some of these commits?

[0xmichalis]

nit: return c == statusContext

[0xmichalis]

Add a comment that this is used for ignoring the tide status context.

[sebastienvas]

I actually changed the implementation to be a lot simpler.

[0xmichalis]

So if I understand this correctly, branch protection configuration stored in github specifies required contexts. Also optional in the presubmits specifies required contexts from the prow side. Is tide going to merge based on the union of these contexts?

[sebastienvas]

So instead of using the data stored in github (querying github for required check on every PR consumes too many token), we use the branch protection data stored in the config. The branch protection parse the config + the prow jobs settings and all that information goes into the contextRegister

[fejta]

@cjwagner @Kargakis @stevekuznetsov can one of you take the lead for this PR?

This feels more like your part of the codebase, want to make sure it is written according to your preferred style &c

[fejta]

This now lives in the TideQuery struct above, right?

[sebastienvas]

No. I tried this option, but it does not feel natural (you can't really query it) and is a bit hacky I feel. There could be multiple tide queries per PR, subpools regroups PR per (org, repo, branch), not per Tide query, so that means that we need to attach the query or the information to the PullRequest struct since querying happens way before we check for required checks. Right now I simplified this PR by creating a global tide option, but I think the right place to put this would be in the branch protection configuration. I can do that in another PR.

[fejta]

what other packages need a ContextChecker?

[sebastienvas]

just tide.

[fejta]

I don't understand the need for thread safety... I don't see where we concurrently register required contexts

[sebastienvas]

I don't see why it would hurt anything. Tide runs multiple things in goroutine.

[fejta]

I don't see other packages using this method. Can we keep things private until they are needed?

[sebastienvas]

Everthing should be private I guess.

[sebastienvas]

@stevekuznetsov @Kargakis @cjwagner could you please take a final look. Based on all the feedback I reduced the change dramatically to ease code review.

[cjwagner]

This function need to use the mutex as a reader.

[sebastienvas]

done

[cjwagner]

This function need to use the mutex as a reader.

[sebastienvas]

done

[cjwagner]

It doesn't seem right that all of this is conditional on sc.ca.Config().Tide.SkipOptionalContexts.
If SkipOptionalContexts is false we should still require the required contexts.
Additionally, it doesn't look like we are ever actually adding the optional contexts with registerOptionalContexts.

[sebastienvas]

Should we get ride of the SkipOptionalContexts all together ?

The way it is implemented now, is that once required checks are registered all other checks are optional, so you don't need to register the optional ones.

[cjwagner]

It doesn't provide all of the behavior cases that we need to support. I think what we really want is a SkipUnknownContexts instead.
As this PR is currently, if we require that all statuses are green to merge (including ephemeral ones that might be on a PR) by setting SkipOptionalContexts=false we wouldn't be able to require/expect specific statuses. This is problematic because this is the default value for a Tide config and will likely be the common case for smaller deployments since requiring all statuses to be green to merge is simple and intuitive.

We should change the contextRegister to have a set of required contexts, a set of known optional contexts (tide and jobs marked optional) and a bool indicating if unknown statuses should be required (SkipUnknownContexts).

When we are checking if a context can be ignored we just check that it is either

1. in the optional set
   or
2. it is not in the required set and SkipUnknownContexts is true.

When we are checking for missing required contexts we just ensure that all the contexts in the required set are present.

WDYT?

[sebastienvas]

I think there is a misunderstanding, if SkipOptionalContexts=false it is exactly as it is today. the only optional check will be tide and all other will be considered required.

[sebastienvas]

https://sourcegraph.com/github.com/sebastienvas/k8s-test-infra@7b4ef04aa5779be59c91d555fb697f8339d81c7f/-/blob/prow/tide/contextregister.go#L70

[cjwagner]

The problem is that if SkipOptionalContexts=false we don't want to just require that all statuses we see are green. We also want to ensure that all the required statuses actually appear and are not missing.
In other words the ignoreContext function will work properly when SkipOptionalContexts=false, but the missingRequiredContexts function will not because no required contexts will have been registered.

[sebastienvas]

which is not different than today

[cjwagner]

Please leave this log message.

[sebastienvas]

done

[cjwagner]

Same comment as above in setStatuses.

[cjwagner]

Please add some test cases for optional contexts.

[sebastienvas]

done

[cjwagner]

Is this lock actually necessary? It doesn't look like the contextRegister is ever used concurrently.
If it is necessary, please either switch it to a normal mutex or use the RLock and RUnlock methods where appropriate.

[sebastienvas]

I don't understand this comment ? Why having a lock would hurt ? if there no concurrency it does not change perf and if there is it does the right thing. What is the technical concern that I am missing ?

[sebastienvas]

Updated to read lock.

[cjwagner]

I was just wondering why it was added since this doesn't seem like something that would require locking given that we need to register all the contexts before it can be used and I would expect that to always be done from one thread.

It doesn't hurt though and is definitely fine to leave as is! We may encounter a concurrent use case later.

[cjwagner]

It doesn't provide all of the behavior cases that we need to support. I think what we really want is a SkipUnknownContexts instead.
As this PR is currently, if we require that all statuses are green to merge (including ephemeral ones that might be on a PR) by setting SkipOptionalContexts=false we wouldn't be able to require/expect specific statuses. This is problematic because this is the default value for a Tide config and will likely be the common case for smaller deployments since requiring all statuses to be green to merge is simple and intuitive.

We should change the contextRegister to have a set of required contexts, a set of known optional contexts (tide and jobs marked optional) and a bool indicating if unknown statuses should be required (SkipUnknownContexts).

When we are checking if a context can be ignored we just check that it is either

1. in the optional set
   or
2. it is not in the required set and SkipUnknownContexts is true.

When we are checking for missing required contexts we just ensure that all the contexts in the required set are present.

WDYT?

[sebastienvas]

PTAL

[sebastienvas]

@cjwagner Please take a look!

[sebastienvas]

closed in favor of #7983