Using actionlint in brew style makes updating actionlint impossible #18382

Closed
3 tasks done
carlocab opened this issue Sep 23, 2024 · 6 comments · Fixed by #18441
Labels
bug Reproducible Homebrew/brew bug help wanted We want help addressing this

Comments

@carlocab
Member

carlocab commented Sep 23, 2024

brew doctor output

❯ brew doctor
Your system is ready to brew.

Verification

  • My "brew doctor output" above says Your system is ready to brew. and am still able to reproduce my issue.
  • I ran brew update twice and am still able to reproduce my issue.
  • This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

❯ brew config
HOMEBREW_VERSION: 4.3.24-5-gbd3c7f8
ORIGIN: https://github.com/Homebrew/brew
HEAD: bd3c7f80530d21e791ccc01b02234b299941dd29
Last commit: 12 hours ago
Core tap HEAD: 106915c12000db5e8212bf8b33001d87b34bf9d6
Core tap last commit: 55 minutes ago
Core tap JSON: 23 Sep 18:53 UTC
HOMEBREW_PREFIX: /home/linuxbrew/.linuxbrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: nvim
HOMEBREW_GITHUB_API_TOKEN: set
HOMEBREW_MAKE_JOBS: 2
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.3.4 => /home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/vendor/portable-ruby/3.3.4_1/bin/ruby
CPU: dual-core 64-bit zen3
Clang: N/A
Git: 2.46.1 => /home/linuxbrew/.linuxbrew/bin/git
Curl: 7.81.0 => /bin/curl
Kernel: Linux 6.5.0-1025-azure x86_64 GNU/Linux
OS: Ubuntu 22.04.5 LTS (jammy)
Host glibc: 2.35
/usr/bin/gcc: 11.4.0
/usr/bin/ruby: N/A
glibc: N/A
gcc@11: N/A
gcc: N/A
xorg: N/A

What were you trying to do (and why)?

Update actionlint, because a new version has been released.

What happened (include all command output)?

  ==> Installing `actionlint` for GitHub Actions checks...
  ==> Downloading https://ghcr.io/v2/homebrew/core/actionlint/manifests/1.7.2
  curl: (22) The requested URL returned error: 404
  ==> Fetching actionlint
  ==> Downloading https://ghcr.io/v2/homebrew/core/actionlint/blobs/sha256:b2d56dfd91f6e3f4a50705e5040a9350744cf1e16d26ff8afb4261f9598e56f5
  ==> Pouring actionlint--1.7.2.x86_64_linux.bottle.tar.gz
  Error: /home/linuxbrew/.linuxbrew/Cellar/actionlint/1.7.2 is not a directory
  Error: /home/linuxbrew/.linuxbrew/Cellar/actionlint/1.7.2 is not a directory
  Error: Failure while executing; `/home/linuxbrew/.linuxbrew/bin/brew install --formula actionlint` exited with 1.
  Error: Failure while executing; `/home/linuxbrew/.linuxbrew/bin/brew install --formula actionlint` exited with 1.

https://github.com/Homebrew/homebrew-core/actions/runs/11001085951/job/30545070937?pr=191626#step:5:27

What did you expect to happen?

No errors.

Step-by-step reproduction instructions (by running brew commands)

cd "$(brew --repository homebrew/core)"
gh pr checkout 191607
brew style homebrew/core

See Homebrew/homebrew-core#191607.

@carlocab carlocab added bug Reproducible Homebrew/brew bug help wanted We want help addressing this labels Sep 23, 2024
@carlocab
Member Author

Actually, following my steps above produces unexpected output too.

❯ brew style homebrew/core
Inspecting 7152 files
[snip]
7152 files inspected, no offenses detected
==> Upgrading `actionlint` for GitHub Actions checks...
==> Upgrading 1 outdated package:
actionlint 1.7.1 -> 1.7.2
==> Downloading https://ghcr.io/v2/homebrew/core/actionlint/manifests/1.7.2
#=O#-   #      #                                                                                                                                                                                         curl: (22) The requested URL returned error: 404

==> Fetching actionlint
==> Downloading https://ghcr.io/v2/homebrew/core/actionlint/blobs/sha256:4659f9ed86be188cf49b0835bab640270c8ce1f96ac0aae832ef42cdbbec1ad4
################################################################################################################################################################################################## 100.0%
==> Upgrading actionlint
  1.7.1 -> 1.7.2
==> Verifying attestation for actionlint
Error: The bottle for actionlint has an invalid build provenance attestation.

This may indicate that the bottle was not produced by the expected
tap, or was maliciously inserted into the expected tap's bottle
storage.

Additional context:

no attestation matches subject: actionlint--1.7.2.arm64_sequoia.bottle.tar.gz
Error: Failure while executing; `/opt/homebrew/bin/brew upgrade --formula actionlint` exited with 1.

Seems like it tried to download a bottle based on the checksum in the bottle block.

And then when I disable attestation verification:

❯ HOMEBREW_NO_VERIFY_ATTESTATIONS=1 brew upgrade actionlint
==> Upgrading 1 outdated package:
actionlint 1.7.1 -> 1.7.2
==> Downloading https://ghcr.io/v2/homebrew/core/actionlint/manifests/1.7.2
#=O#-   #      #                                                                                                                                                                                         curl: (22) The requested URL returned error: 404

==> Fetching actionlint
==> Downloading https://ghcr.io/v2/homebrew/core/actionlint/blobs/sha256:4659f9ed86be188cf49b0835bab640270c8ce1f96ac0aae832ef42cdbbec1ad4
Already downloaded: /opt/workbrew/home/Library/Caches/Homebrew/downloads/063f28440362c5eb09444ab4d36a12aedc9088fdb673999afae74224d51dd16b--actionlint--1.7.2.arm64_sequoia.bottle.tar.gz
==> Upgrading actionlint
  1.7.1 -> 1.7.2
==> Pouring actionlint--1.7.2.arm64_sequoia.bottle.tar.gz
cp: /opt/homebrew/Cellar/actionlint/./1.7.1/bin/actionlint: Permission denied
Error: Failure while executing; `/usr/bin/env cp -pR /private/var/folders/by/r3kqb74j2zn0010s9mcbsvv00000gp/T/homebrew-unpack20240924-7580-f2eu79/actionlint/. /opt/homebrew/Cellar/actionlint` exited with 1. Here's the output:
cp: /opt/homebrew/Cellar/actionlint/./1.7.1/bin/actionlint: Permission denied

So at least I didn't get a weird install, but it seems like this should have errored out much earlier with a better error message. Wonder if this is related to changes from #18278.
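
The attestation failure in the comment above, sketched as an added example (not Homebrew's code and not part of the original thread): it assumes in-toto style attestation subjects carrying a `name` and a `sha256` digest, and that the blob fetched via the bottle block's checksum was attested under a different filename. The helper name, the 1.7.1 filename and the sample data are constructed.

```ruby
require "digest"

# Hypothetical helper (not Homebrew's API): find an attestation whose subject
# matches BOTH the downloaded file's SHA-256 and the filename we expect.
# Returns [status, attestation_or_nil].
def match_attestation(attestations, expected_name:, sha256:)
  by_digest = attestations.select do |att|
    att.fetch("subject", []).any? { |s| s.dig("digest", "sha256") == sha256 }
  end
  # Nothing vouches for these bytes at all.
  return [:unknown_digest, nil] if by_digest.empty?

  match = by_digest.find do |att|
    att["subject"].any? do |s|
      s["name"] == expected_name && s.dig("digest", "sha256") == sha256
    end
  end
  # The bytes are attested, but as a different artifact than the one requested.
  return [:subject_mismatch, nil] if match.nil?

  [:ok, match]
end

# Constructed sample data: a blob attested under its 1.7.1 filename.
BLOB = "constructed stand-in for bottle contents".freeze
BLOB_SHA256 = Digest::SHA256.hexdigest(BLOB)
ATTESTATIONS = [
  { "subject" => [{ "name"   => "actionlint--1.7.1.arm64_sequoia.bottle.tar.gz",
                    "digest" => { "sha256" => BLOB_SHA256 } }] },
].freeze

# Requesting the same blob as 1.7.2 (as a stale bottle block would) is rejected.
def stale_block_result
  match_attestation(ATTESTATIONS,
                    expected_name: "actionlint--1.7.2.arm64_sequoia.bottle.tar.gz",
                    sha256:        BLOB_SHA256).first
end

puts stale_block_result if $PROGRAM_NAME == __FILE__
```

Checking the subject name as well as the digest is what turns a version/bottle-block mismatch into a hard failure instead of a silently mislabelled install.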

@Bo98
Member

Bo98 commented Sep 24, 2024

> So at least I didn't get a weird install, but it seems like this should have errored out much earlier with a better error message. Wonder if this is related to changes from #18278.

This regression is new for brew fetch (it should fall back to source but that fallback is currently broken).

It is however not new for brew install. That regressed in 9fcdaa2. I tested this by git checkout an older 4.3.x.

The overall actionlint failing is a regression after adding actionlint to brew style (7d0ac4d) - this is the first time there's been an upgrade to actionlint since (1.7.1 was technically after that merge but that's because brew style homebrew/core was actually completely broken until #17482). shellcheck is probably affected too since actionlint pulls that in, though that hasn't been updated in even longer.

Note that for Homebrew/core we already have https://github.com/Homebrew/homebrew-core/blob/master/.github/workflows/actionlint.yml so maybe the easiest option is to disable brew style's actionlint check for Homebrew/core CI specifically. Alternatively if we rather delete that workflow instead, we could force the tap syntax check to brew install from the API.

@MikeMcQuaid
Member

> Note that for Homebrew/core we already have Homebrew/homebrew-core@master/.github/workflows/actionlint.yml so maybe the easiest option is to disable brew style's actionlint check for Homebrew/core CI specifically.

This makes sense to me 👍🏻

> Alternatively if we rather delete that workflow instead, we could force the tap syntax check to brew install from the API.

Also fine with this 👍🏻

@carlocab
Member Author

Whichever we 🔥, note that actionlint.yml currently supports some things that brew style doesn't:

If we keep only brew style we should ideally make sure brew style does this too.

@nikaro

nikaro commented Sep 26, 2024

My vote would go for removing/disabling brew style's actionlint check as it is already covered by the actionlint.yml workflow. And GitHub Actions linting feels a bit unrelated to the Homebrew formulae and casks style. That was my 2 cents.

@MikeMcQuaid
Member

> My vote would go for removing/disabling brew style's actionlint check as it is already covered by the actionlint.yml workflow.

This will break it for all taps that don't include an actionlint.yml which is undesirable. At most, it should be removed for official taps that have this check.
