Update main sync#25
Conversation
* Bump all dependencies * build and reformat * lint * format
* Update codeowners * Update CODEOWNERS Co-authored-by: Rocio Montes <88550502+rociomontes@users.noreply.github.com> --------- Co-authored-by: Rocio Montes <88550502+rociomontes@users.noreply.github.com>
Bumps [@eslint/plugin-kit](https://github.com/eslint/rewrite/tree/HEAD/packages/plugin-kit) from 0.3.3 to 0.3.4. - [Release notes](https://github.com/eslint/rewrite/releases) - [Changelog](https://github.com/eslint/rewrite/blob/main/packages/plugin-kit/CHANGELOG.md) - [Commits](https://github.com/eslint/rewrite/commits/plugin-kit-v0.3.4/packages/plugin-kit) --- updated-dependencies: - dependency-name: "@eslint/plugin-kit" dependency-version: 0.3.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [form-data](https://github.com/form-data/form-data) from 4.0.3 to 4.0.4. - [Release notes](https://github.com/form-data/form-data/releases) - [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md) - [Commits](form-data/form-data@v4.0.3...v4.0.4) --- updated-dependencies: - dependency-name: form-data dependency-version: 4.0.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.12. - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Separate tests * Update .github/workflows/build.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* bump actions * experiment using init container to prepare working environment * rm script before continuing * fix * Update packages/k8s/src/hooks/run-script-step.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * leverage exec stat instead of printf * npm update * document the new constraint --------- Co-authored-by: DenisPalnitsky <DenisPalnitsky@users.noreply.github.com>
* Prepare 0.8.0 release and bump dependencies once more * Update releaseNotes.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…s#263) * Change command to copy externals instead of move * fix: using only mv, remove sudo
* Sort 'find' output before hashing for consistency across different platforms * fix style issues
* feat: check if required binaries are present Previously the necessary binaries were copied over using the runner container. This lead to issues in case your main container was using the musl libc implementation. Instead of copying over any binaries, the initContainer now checks if the required binaries are present in the main container. * feat: get rid of the init container * fix: add _runner_file_commands * fix: do not fail if _runner_file_commands does not exist It seems that for container actions this directory does not exist.
* Allow non-root container * format * add lint:fix and fix lint errors * fix tests and volume mounts
* fix: calculate hash again after failure The hash from the source is calculated only once. The source hash is checked with the destination hash, but if the destination hash does not match, the destination match is calculated again. The problem is that if the source hash is incorrect, the check will keep failing because the source hash is never re-calculated. Now, in the event that the hashes do not match, the hash of the source and the destination are calculated again. * fix: use size instead of block size Previously the %b parameter was used with stat. This displays the block size of the file. We noticed that in some cases the block size of the source and the destination file could be slightly different. Since the source and target run in different containers, they can have different block sizes defined. If the block size did not match, the hash would also not match, even if the file content would be exactly the same. With this change, the block size is no longer used. Instead the actual size in bytes of the file is listed.
…actions#283) * Fix workingDir permissions issue by creating it within init container * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * rework init commands --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…olume mode (actions#287) In run-script-step, the _temp directory was being copied to the workflow pod, but the _github_home and _github_workflow directories were not being moved from their temporary location to the /github directory structure where they are expected by GitHub Actions. This caused event.json to be missing at /github/workflow/event.json, breaking actions that depend on GITHUB_EVENT_PATH. The fix adds a setup step that copies _github_home and _github_workflow from /__w/_temp/ to /github/ after copying the temp directory to the pod, matching the behavior of run-container-step and prepareJobScript. Uses cp -r instead of symlinks to avoid symlink validation errors when copying files back from the pod to the runner.
Bumps [glob](https://github.com/isaacs/node-glob) from 10.4.5 to 10.5.0. - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v10.4.5...v10.5.0) --- updated-dependencies: - dependency-name: glob dependency-version: 10.5.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [glob](https://github.com/isaacs/node-glob) from 10.4.5 to 10.5.0. - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v10.4.5...v10.5.0) --- updated-dependencies: - dependency-name: glob dependency-version: 10.5.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1. - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1. - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* run script copies back only runner file commands * wip * fix * fmt * user volume mount * try doing only file commands * typo * remove _temp_pre * Update packages/k8s/src/hooks/run-script-step.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update packages/k8s/src/hooks/run-script-step.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * better escape * no useless escapes --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Bump packages * bump exec
…ing errors
getPodConditionErrors() checks pod.status.conditions without needing
the optional 'events' list RBAC permission:
- PodScheduled=False (Unschedulable): nodeSelector mismatch, resource
requests exceed limits, no matching node
In waitForPodPhases():
- eventErrors (events-API based) is tried first; it's richer (carries
event.count and detailed message)
- conditionErrors is only added when eventErrors is empty, i.e. when
the events RBAC permission is absent — avoids duplicate output
This means FailedScheduling fast-fail now works in both cases:
- RBAC allows events → FailedScheduling event detected
- RBAC blocks events → PodScheduled=False condition detected
FailedBinding still relies on the FailedMount event path (the PVC
binding failure eventually surfaces as a FailedMount pod event).
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…mpty The previous logic only called getPodConditionErrors() when getPodEventErrors() returned [] (events RBAC unavailable). This created a race: if events take a few extra seconds to propagate, the first several polls would return eventErrors=[], run conditionErrors (and detect Unschedulable), but later polls (after events appear) would skip conditionErrors even though events may show an unrelated reason. Change: always run both checks each poll iteration. Deduplicate with a simple filter so FailedScheduling (event) + Unschedulable (condition) for the same pod don't both appear in the error output. This ensures PodScheduled=False/Unschedulable is detected reliably even when events RBAC permission is absent, covering: - FailedScheduling (nodeSelector mismatch) - FailedScheduling (resource shortage including NPU) - FailedMount (pod stuck Pending because NPU is busy) Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…comment Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…lity Rename utils.ts → utils/index.ts in k8s, docker, and hooklib packages so source files match the CI coverage gate pattern '**/utils/**'. Add collectCoverageFrom config to jest.config.js in k8s and docker packages to enable coverage reporting. All existing imports resolve unchanged via TS module resolution. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Remove collectCoverage: true from jest.config.js (avoid forced coverage on every local run); coverage now opt-in via --coverage flag - Expand collectCoverageFrom to src/**/*.ts (was src/**/utils/**/*.ts) to prevent blind spots in coverage reporting - Add test:coverage script to package.json for explicit CI/local use Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
k8s/tests/k8s-utils-test.ts: - Add writeContainerStepScript: path return, env escaping, invalid workdir, invalid env key - Add prepareJobScript: path return, mkdir content, empty mounts - Add fixArgs: quoted args, single-quoted shell, plain args - Add sleep: resolves after given ms - Add listDirAllCommand: find command content, shell-quoting - Add mergeObjectMeta: label/annotation merge, throws on undefined metadata - Add useKubeScheduler: true/false/unset env var cases docker/tests/utils-test.ts: - Add checkEnvironment: passes with GITHUB_WORKSPACE set, throws when unset hooklib: add jest infrastructure (jest.config.js, jest.setup.js, tsconfig.test.json) and devDependencies (jest, ts-jest, babel-jest) hooklib/tests/utils-test.ts: - Add writeToResponseFile: string/object/null/undefined values, empty path, missing file, sequential appends - Add getInputFromStdin: mock readline, parse JSON from emitted line root package.json: include hooklib in test script Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Add index.spec.ts alongside each utils/index.ts so the CI coverage gate
(vitest, include: **/*.{test,spec}.ts) can discover and run them:
- packages/k8s/src/k8s/utils/index.spec.ts: generateContainerName, fixArgs,
sleep, listDirAllCommand, useKubeScheduler, mergeObjectMeta, writeRunScript,
writeContainerStepScript, prepareJobScript, readExtensionFromFile,
mergeContainerWithOptions, mergePodSpecWithOptions
- packages/docker/src/utils/index.spec.ts: sanitize, fixArgs,
optionsWithDockerEnvs, checkEnvironment
- packages/hooklib/src/utils/index.spec.ts: writeToResponseFile
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…inerStepScript
'/too-short'.split('/').slice(-2) yields ['', 'too-short'] (length 2),
which does not trigger the throw. Use 'tooshort' (no slash) instead:
'tooshort'.split('/').slice(-2) = ['tooshort'] (length 1) → throws.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Revert all changes except:
- packages/{k8s,docker,hooklib}/src/**/utils/index.ts (rename from utils.ts)
- packages/{k8s,docker,hooklib}/src/**/utils/index.spec.ts (vitest spec files)
These two minimal changes are sufficient for the coverage gate:
- utils/index.ts satisfies gate pattern '**/utils/**'
- index.spec.ts satisfies vitest include '**/*.spec.ts'
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
更新 package.json 和 package-lock.json 中的 uuid 依赖版本,以获取最新的安全补丁和功能改进。
…tibility refactor: move utils.ts to utils/index.ts for coverage gate compatibility
…-only to 11 types - Add FailedMount to UNRECOVERABLE_WAITING_REASONS (covers waiting-state volume mount failures) - Add UNRECOVERABLE_TERMINATED_REASONS (OOMKilled, Error, FailedPostStartHookError) for Running-phase errors - Add getUnrecoverableTerminatedReasons() with env var extension support - Add getContainerTerminatedErrors() for detecting terminated containers with unrecoverable reasons - Add terminated error detection in runContainerStep catch block with describePodFailure diagnostics - Branch based on release/no_volumes (not main) per issue #1203 request UT coverage: - wait-for-pod-phases-test.ts: 10 new tests for getContainerTerminatedErrors (8) and getUnrecoverableTerminatedReasons (4) - run-container-step-terminated-test.ts: 5 new tests for runContainerStep terminated error detection (OOMKilled, Error, FailedPostStartHookError, no errors, getPodByName failure)
[需求] CI容器通用化k8s错误反馈机制-补充优化-的开发实现-runner-container-hooks部分
…rmat fix: properly unescape k8s API error body for consistent error format
Merge upstream/main (cf62bcc) and opensourceways/release/no_volumes into update-main-sync branch to produce a unified main. Strategy: - Base: upstream/main (emptyDir volumes, k8s client v1.3, heartbeat, etc.) - Added: no_volumes features from release/no_volumes (pod diagnostics, error detection, utils refactor to utils/index.ts, spec files) - Conflict resolution: - package.json: kept upstream newer versions (js-yaml ^5, uuid ^14, tar-fs ^3.1.2) - prepare-job.ts: used release/no_volumes detailed HTTP exception parsing - k8s/index.ts waitForPodPhases: used release/no_volumes full diagnostics - utils/index.ts: kept formatError from upstream (still used by k8s/index.ts) - Updated error-serialization-test assertions to match new message format Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
CLA Signature Guide@Longwt123 , thanks for your pull request. The following commit(s) are not associated with a signed Contributor License Agreement (CLA).
To sign CLA, click here. To check if your email is configured correctly, refer to the FAQs. Once you've signed the CLA or updating your email, please comment |
Linking Issue Notice@Longwt123 , the pull request must be linked to at least one issue. |
Welcome To opensourceways CommunityHey @Longwt123 , thanks for your contribution to the community. Bot Usage ManualI'm the Bot here serving you. You can find the instructions on how to interact with me at Here . That means you can comment below every pull request or issue to trigger Bot Commands. |
There was a problem hiding this comment.
Code Review
This pull request introduces significant updates to the runner container hooks, particularly for the Kubernetes (k8s) implementation. Key changes include transitioning from Kubernetes Jobs to Pods for container steps, replacing persistent volume claims with emptyDir volumes initialized via an init container, and using tar streaming to copy files to and from the workflow pod. Additionally, it introduces a WebSocket heartbeat mechanism to prevent stale connections, improves error serialization to avoid circular reference crashes, and adds robust fast-fail checks for unrecoverable pod and container errors. Feedback from the code review highlights a critical command injection vulnerability in writeContainerStepScript due to unquoted shell arguments, potential TypeError crashes from missing defensive checks on environment variables and API response items, redundant promise settlement paths in copy functions, and a potential promise hang in log streaming.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
- security: shlex.quote entryPoint, entryPointArgs, parts.join, and targetVolumePath in shell scripts to prevent command injection - fix: add return before reject() in execCpToPod/execCpFromPod callbacks to prevent resolve() being called after rejection - fix: guard RUNNER_WORKSPACE and GITHUB_WORKSPACE env vars with explicit null checks and early throws instead of unsafe cast-to-string - fix: propagate logStream error events to the awaiting promise so getPodLogs does not hang on stream errors - fix: use result.items ?? [] in both listNamespacedEvent calls to guard against null/undefined items arrays Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
CLA Signature Guide@Longwt123 , thanks for your pull request. The following commit(s) are not associated with a signed Contributor License Agreement (CLA).
To sign CLA, click here. To check if your email is configured correctly, refer to the FAQs. Once you've signed the CLA or updating your email, please comment |
|
|||||||||||||||||
描述
根据上游仓库和当前仓库开发分支,更新并重新启用当前仓库main分支
合并更新,并检查是否有什么问题
相关 Issue
resolve https://github.com/opensourceways/backlog/issues/1203
变更类型