Adds ability to set required and optional checks

[sebastienvas]

Redoing #7457 as it takes forever to load.

Ref: https://goo.gl/cd9MEu which was discussed with @fejta @cjwagner @BenTheElder

Instead of getting required checks from the github api, it will use the branch protection configuration and infere the required context from it. We are also adding a optional options to Prow Presubmits.

Config would look like this:

...
tide:
  ...
  context_options:
    policy:
      # Use branch protection options to define required and optional contexts
      from-branch-protection: true
      # Treat unknown contexts as optional
      skip-unknown-contexts: true
    orgs:
      org:
        repo:
          branch:
            policy:
              from-branch-protection: false
              required-contexts:
              - "required_test"
              optional-contexts:
              - "optional_test"
  

#7140

[stevekuznetsov]

/ok-to-test
/area prow
/kind feature

[stevekuznetsov]

-1 to named returns

[0xmichalis]

Agreed on not using named returns

[sebastienvas]

May I ask why ?

[0xmichalis]

harder to maintain, it's not obvious what's the returned value

[stevekuznetsov]

I find almost universally they are harder to reason about and read through. They are almost nonexistant in the codebase as it is. Stats:

$ grep -rh func prow/ | grep -Po "(?<=\) \()[^\(\)]+(?=\) \{)" | tr ',' '\n' | awk '{print $2 }' | grep -v "^$" | wc -l 
19
$ grep -rh func prow/ | wc -l 
2084

[sebastienvas]

I actually discovered them in k8s codebase :) but right it may be confusing ! fixed.

[stevekuznetsov]

-1 to named returns

[sebastienvas]

fixed

[stevekuznetsov]

extend the test to test both?

[sebastienvas]

done

[stevekuznetsov]

Configuration for tide actions should not live in the branch protector's config.

[0xmichalis]

+1, this should be part of the job spec

[sebastienvas]

For prow jobs we already have the optional setting. For optional jobs that are not prowjob we need to define it somewhere. I had a global setting in tide configuration, but that was not practical. It makes sense for me to define it in branch protection since this option only works when branch protection is set and you might want to apply this globally, on a repo or on a branch which branch protection already does. I had discussed this with @cjwagner

[sebastienvas]

also skipunknown context does not have any meaning if we don't have a branch protection, meaning no jobs defined at all in Prow config since all are unknown.

[stevekuznetsov]

but that was not practical.

Why not? It's a simple mapping with the same parent/child scheme as in this config. I would expect it to live in tide config exclusively. It's configuring tide to run. Members can protect their branches without using the branch-protector and can run the branch-protector without running tide.

[sebastienvas]

So the original idea was to use the github required check to figure that out, but that was doing too many request to the github api. After a meeting with the @fejta, @cjwagner and @BenTheElder it was decided to use branch protection instead. You don't have to actually enforce branch protection, you can just use the config and set protect to false, and then use that to define the required checks that you required for a PR to be merged. I don't see the point of duplicating those configs since they map back to protecting a branch. I think the Prow config is big and complicated enough.

[stevekuznetsov]

You don't have to actually enforce branch protection, you can just use the config and set protect to false, and then use that to define the required checks that you required for a PR to be merged.

Err, what? If you want to configure branch protection for statuses, do that. Then let tide honor required statuses. If you want to configure statuses for tide, do that, and don't touch the branch protection config (which you might have never even written since you don't use the branch protector). IDK. These seem like two entirely separate use cases that are being put in one place.

[sebastienvas]

I agree I am defining a tide options which will basically allow you to use branch protection or otherwise allow you to define your own if you don't want to use branch protection. If that option is not set, it will use combined status from github as it is today.

[stevekuznetsov]

nit: indent of this repo should be in separate block at bottom

[sebastienvas]

done

[stevekuznetsov]

nit: bad error

[sebastienvas]

fixed

[stevekuznetsov]

this seems like a regression if we mark the tide status required

[sebastienvas]

cc already ignores tide

[stevekuznetsov]

Why are we changing this functionality? If we want to do this, let's do it in a separate PR?

[sebastienvas]

The goal of this PR is to allow optional jobs to be skipped for tide. So yes this is in scope.

[stevekuznetsov]

Right now we have the SkipReport as the means by which we accomplish that. Why do we want to change that right now? Can we continue honoring the SkipReport as well? Breaking changes for cluster admins are annoying.

[sebastienvas]

The reason is that SkipReport = false does not mean the check is required. In our use case you might want to push a status on a PR for a test that is not required, this is the reason I added Optional a while back. Optional is false by default so it will not impact anything, but then if you define a prowjob with Optional set to true, you defintely want to skip it to merge a PR. So this is the reason I added this.

[stevekuznetsov]

I understand they are not identical features, what I am saying is today we use SkipReport to mean "tide ignore" because whether or not it's required, if it's not reported, tide ignores it. As long as SkipReport=true continues to mean that tide ignores the job, but now in addition, SkipReport=false Optional=true works, that is OK.

[sebastienvas]

ok.

[stevekuznetsov]

these names are a bit confusing

[sebastienvas]

thanks for pointing that out. After reviewing some of the test I discovered some issues.

[stevekuznetsov]

@fejta is it even valid config to have a policy with explicitly listed required checks but have the policy be set to not enforce? why?

[sebastienvas]

I think there could multiple use cases. When you define policy at the repo or org level, and then you create a branch for testing and you don't want to protect it or if you just want to disable temporarily.

[sebastienvas]

PTAL

[stevekuznetsov]

Please no merge commits. Rebase on master

[sebastienvas]

@stevekuznetsov I think we got it. I think you are going to like this.

[sebastienvas]

PTAL

[sebastienvas]

I had it since tide code is using multiple go routine, but since the object is created inside a funciton, the lock is overkill.

[sebastienvas]

it is coming from tide.go (its the tide status). I know the name is not very well chosen, but I am trying to do the least amount of changes.

[sebastienvas]

we do, that s tide status. its registered by default. This implementation could be use in another context, so I did not want to hard code in there.

[sebastienvas]

it will but why bother doing all that when you already know the answer.

[cjwagner]

Merge a and b, not c and b.

[cjwagner]

Please also add a test case to catch this.

[sebastienvas]

done

[cjwagner]

I don't think that we should consider this an error. If I set FromBranchProtection at the org level I wouldn't expect an error if some repo in the org does not have RequiredStatusChecks. In this case we should probably just not add anything to required?

[sebastienvas]

done

[cjwagner]

Please add a TideContextPolicy.Validate function and call it here to validate the policy before it is returned.
Specifically, validate that no required context is also an optional context.

[sebastienvas]

done and added tc

[cjwagner]

I don't think that we need this any more. Its functionality could be moved into the TideContextPolicy struct.
In other words, instead of constructing a contextRegister from a TideContextPolicy in order to get a contextChecker, just make the TideContextPolicy match the contextChecker interface itself.

[sebastienvas]

I tend to agree with you, but that would create circular dependency and I would have to move the Context struct out as an example. Plus I would have to hard code the tide status in there. I am trying to keep this as the minimum amount of change. However, I don't think that the context checker interface is something that we need. The implementation is very general and straightforward. What do you think ?

[cjwagner]

What is the circular dependency? The contextRegister is basically copying the fields from TideContextPolicy and defining new methods so I'd really prefer to condense these into one struct and just configure the packages and imports properly to avoid a circular dependency.

The tide status shouldn't need to be hard coded? It can be passed down from the tide package.

[sebastienvas]

The circular deps is on the Context object defined in prow/tide/tide.go

[sebastienvas]

Done

[cjwagner]

This error message is no longer accurate.

[sebastienvas]

done

[sebastienvas]

@cjwagner Please take a look

[cjwagner]

Just a couple nits. This is looking ready.

[cjwagner]

This func is no longer needed.

[cjwagner]

It might make more sense to just pass the tide context name to GetTideContextPolicy and have that func make the tide context required. That is all that RegisterOptionalContexts is used for now.

Not a big deal either way.

[sebastienvas]

We can also just revert part of my change such that tide skip its own status. What do you think ?

[sebastienvas]

@cjwagner Please take a look. I ll be deploying this today for istio. Will keep you up to date.

[cjwagner]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cjwagner, sebastienvas

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• prow/OWNERS [cjwagner]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment