Skip to content

Update main sync#25

Open
Longwt123 wants to merge 85 commits into
mainfrom
update-main-sync
Open

Update main sync#25
Longwt123 wants to merge 85 commits into
mainfrom
update-main-sync

Conversation

@Longwt123

@Longwt123 Longwt123 commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

描述

根据上游仓库和当前仓库开发分支,更新并重新启用当前仓库main分支

合并更新,并检查是否有什么问题

相关 Issue

resolve https://github.com/opensourceways/backlog/issues/1203

变更类型

  • Bug 修复
  • 新功能
  • 代码重构
  • 文档更新
  • 样式改进
  • 性能优化
  • 测试相关
  • 其他

nikola-jokic and others added 30 commits July 29, 2025 11:06
* Bump all dependencies

* build and reformat

* lint

* format
* Update codeowners

* Update CODEOWNERS

Co-authored-by: Rocio Montes <88550502+rociomontes@users.noreply.github.com>

---------

Co-authored-by: Rocio Montes <88550502+rociomontes@users.noreply.github.com>
Bumps [@eslint/plugin-kit](https://github.com/eslint/rewrite/tree/HEAD/packages/plugin-kit) from 0.3.3 to 0.3.4.
- [Release notes](https://github.com/eslint/rewrite/releases)
- [Changelog](https://github.com/eslint/rewrite/blob/main/packages/plugin-kit/CHANGELOG.md)
- [Commits](https://github.com/eslint/rewrite/commits/plugin-kit-v0.3.4/packages/plugin-kit)

---
updated-dependencies:
- dependency-name: "@eslint/plugin-kit"
  dependency-version: 0.3.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [form-data](https://github.com/form-data/form-data) from 4.0.3 to 4.0.4.
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.3...v4.0.4)

---
updated-dependencies:
- dependency-name: form-data
  dependency-version: 4.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Separate tests

* Update .github/workflows/build.yaml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* bump actions

* experiment using init container to prepare working environment

* rm script before continuing

* fix

* Update packages/k8s/src/hooks/run-script-step.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* leverage exec stat instead of printf

* npm update

* document the new constraint

---------

Co-authored-by: DenisPalnitsky <DenisPalnitsky@users.noreply.github.com>
* Prepare 0.8.0 release and bump dependencies once more

* Update releaseNotes.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…s#263)

* Change command to copy externals instead of move

* fix: using only mv, remove sudo
* Sort 'find' output before hashing for consistency across different platforms

* fix style issues
* feat: check if required binaries are present

Previously the necessary binaries were copied over using the runner
container. This lead to issues in case your main container was using the
musl libc implementation.

Instead of copying over any binaries, the initContainer now checks if
the required binaries are present in the main container.

* feat: get rid of the init container

* fix: add _runner_file_commands

* fix: do not fail if _runner_file_commands does not exist

It seems that for container actions this directory does not exist.
* Allow non-root container

* format

* add lint:fix and fix lint errors

* fix tests and volume mounts
* fix: calculate hash again after failure

The hash from the source is calculated only once. The source hash is
checked with the destination hash, but if the destination hash does not
match, the destination match is calculated again.

The problem is that if the source hash is incorrect, the check will keep
failing because the source hash is never re-calculated.

Now, in the event that the hashes do not match, the hash of the source
and the destination are calculated again.

* fix: use size instead of block size

Previously the %b parameter was used with stat. This displays the block
size of the file. We noticed that in some cases the block size of the
source and the destination file could be slightly different. Since the
source and target run in different containers, they can have different
block sizes defined. If the block size did not match, the hash would also not match, even if
the file content would be exactly the same.

With this change, the block size is no longer used. Instead the actual
size in bytes of the file is listed.
…actions#283)

* Fix workingDir permissions issue by creating it within init container

* Apply suggestion from @Copilot

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* rework init commands

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…olume mode (actions#287)

In run-script-step, the _temp directory was being copied to the workflow pod,
but the _github_home and _github_workflow directories were not being moved
from their temporary location to the /github directory structure where they
are expected by GitHub Actions.

This caused event.json to be missing at /github/workflow/event.json, breaking
actions that depend on GITHUB_EVENT_PATH.

The fix adds a setup step that copies _github_home and _github_workflow from
/__w/_temp/ to /github/ after copying the temp directory to the pod, matching
the behavior of run-container-step and prepareJobScript.

Uses cp -r instead of symlinks to avoid symlink validation errors when copying
files back from the pod to the runner.
Bumps [glob](https://github.com/isaacs/node-glob) from 10.4.5 to 10.5.0.
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v10.5.0)

---
updated-dependencies:
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [glob](https://github.com/isaacs/node-glob) from 10.4.5 to 10.5.0.
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v10.5.0)

---
updated-dependencies:
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* run script copies back only runner file commands

* wip

* fix

* fmt

* user volume mount

* try doing only file commands

* typo

* remove _temp_pre

* Update packages/k8s/src/hooks/run-script-step.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update packages/k8s/src/hooks/run-script-step.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* better escape

* no useless escapes

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Bump packages

* bump exec
Longwt123 and others added 19 commits June 29, 2026 09:27
…ing errors

getPodConditionErrors() checks pod.status.conditions without needing
the optional 'events' list RBAC permission:
  - PodScheduled=False (Unschedulable): nodeSelector mismatch, resource
    requests exceed limits, no matching node

In waitForPodPhases():
  - eventErrors (events-API based) is tried first; it's richer (carries
    event.count and detailed message)
  - conditionErrors is only added when eventErrors is empty, i.e. when
    the events RBAC permission is absent — avoids duplicate output

This means FailedScheduling fast-fail now works in both cases:
  - RBAC allows events   → FailedScheduling event detected
  - RBAC blocks events   → PodScheduled=False condition detected

FailedBinding still relies on the FailedMount event path (the PVC
binding failure eventually surfaces as a FailedMount pod event).

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…mpty

The previous logic only called getPodConditionErrors() when
getPodEventErrors() returned [] (events RBAC unavailable). This created
a race: if events take a few extra seconds to propagate, the first
several polls would return eventErrors=[], run conditionErrors (and
detect Unschedulable), but later polls (after events appear) would skip
conditionErrors even though events may show an unrelated reason.

Change: always run both checks each poll iteration. Deduplicate with a
simple filter so FailedScheduling (event) + Unschedulable (condition)
for the same pod don't both appear in the error output.

This ensures PodScheduled=False/Unschedulable is detected reliably even
when events RBAC permission is absent, covering:
  - FailedScheduling (nodeSelector mismatch)
  - FailedScheduling (resource shortage including NPU)
  - FailedMount (pod stuck Pending because NPU is busy)

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…comment

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…lity

Rename utils.ts → utils/index.ts in k8s, docker, and hooklib packages so
source files match the CI coverage gate pattern '**/utils/**'. Add
collectCoverageFrom config to jest.config.js in k8s and docker packages to
enable coverage reporting. All existing imports resolve unchanged via TS
module resolution.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
- Remove collectCoverage: true from jest.config.js (avoid forced coverage
  on every local run); coverage now opt-in via --coverage flag
- Expand collectCoverageFrom to src/**/*.ts (was src/**/utils/**/*.ts)
  to prevent blind spots in coverage reporting
- Add test:coverage script to package.json for explicit CI/local use

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
k8s/tests/k8s-utils-test.ts:
- Add writeContainerStepScript: path return, env escaping, invalid workdir,
  invalid env key
- Add prepareJobScript: path return, mkdir content, empty mounts
- Add fixArgs: quoted args, single-quoted shell, plain args
- Add sleep: resolves after given ms
- Add listDirAllCommand: find command content, shell-quoting
- Add mergeObjectMeta: label/annotation merge, throws on undefined metadata
- Add useKubeScheduler: true/false/unset env var cases

docker/tests/utils-test.ts:
- Add checkEnvironment: passes with GITHUB_WORKSPACE set, throws when unset

hooklib: add jest infrastructure (jest.config.js, jest.setup.js,
tsconfig.test.json) and devDependencies (jest, ts-jest, babel-jest)
hooklib/tests/utils-test.ts:
- Add writeToResponseFile: string/object/null/undefined values, empty path,
  missing file, sequential appends
- Add getInputFromStdin: mock readline, parse JSON from emitted line

root package.json: include hooklib in test script

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Add index.spec.ts alongside each utils/index.ts so the CI coverage gate
(vitest, include: **/*.{test,spec}.ts) can discover and run them:

- packages/k8s/src/k8s/utils/index.spec.ts: generateContainerName, fixArgs,
  sleep, listDirAllCommand, useKubeScheduler, mergeObjectMeta, writeRunScript,
  writeContainerStepScript, prepareJobScript, readExtensionFromFile,
  mergeContainerWithOptions, mergePodSpecWithOptions
- packages/docker/src/utils/index.spec.ts: sanitize, fixArgs,
  optionsWithDockerEnvs, checkEnvironment
- packages/hooklib/src/utils/index.spec.ts: writeToResponseFile

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…inerStepScript

'/too-short'.split('/').slice(-2) yields ['', 'too-short'] (length 2),
which does not trigger the throw. Use 'tooshort' (no slash) instead:
'tooshort'.split('/').slice(-2) = ['tooshort'] (length 1) → throws.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Revert all changes except:
- packages/{k8s,docker,hooklib}/src/**/utils/index.ts (rename from utils.ts)
- packages/{k8s,docker,hooklib}/src/**/utils/index.spec.ts (vitest spec files)

These two minimal changes are sufficient for the coverage gate:
- utils/index.ts satisfies gate pattern '**/utils/**'
- index.spec.ts satisfies vitest include '**/*.spec.ts'

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
更新 package.json 和 package-lock.json 中的 uuid 依赖版本,以获取最新的安全补丁和功能改进。
…tibility

refactor: move utils.ts to utils/index.ts for coverage gate compatibility
…-only to 11 types

- Add FailedMount to UNRECOVERABLE_WAITING_REASONS (covers waiting-state volume mount failures)
- Add UNRECOVERABLE_TERMINATED_REASONS (OOMKilled, Error, FailedPostStartHookError) for Running-phase errors
- Add getUnrecoverableTerminatedReasons() with env var extension support
- Add getContainerTerminatedErrors() for detecting terminated containers with unrecoverable reasons
- Add terminated error detection in runContainerStep catch block with describePodFailure diagnostics
- Branch based on release/no_volumes (not main) per issue #1203 request

UT coverage:
- wait-for-pod-phases-test.ts: 10 new tests for getContainerTerminatedErrors (8) and getUnrecoverableTerminatedReasons (4)
- run-container-step-terminated-test.ts: 5 new tests for runContainerStep terminated error detection (OOMKilled, Error, FailedPostStartHookError, no errors, getPodByName failure)
[需求] CI容器通用化k8s错误反馈机制-补充优化-的开发实现-runner-container-hooks部分
…rmat

fix: properly unescape k8s API error body for consistent error format
Merge upstream/main (cf62bcc) and opensourceways/release/no_volumes into
update-main-sync branch to produce a unified main.

Strategy:
- Base: upstream/main (emptyDir volumes, k8s client v1.3, heartbeat, etc.)
- Added: no_volumes features from release/no_volumes (pod diagnostics,
  error detection, utils refactor to utils/index.ts, spec files)
- Conflict resolution:
  - package.json: kept upstream newer versions (js-yaml ^5, uuid ^14, tar-fs ^3.1.2)
  - prepare-job.ts: used release/no_volumes detailed HTTP exception parsing
  - k8s/index.ts waitForPodPhases: used release/no_volumes full diagnostics
  - utils/index.ts: kept formatError from upstream (still used by k8s/index.ts)
- Updated error-serialization-test assertions to match new message format

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@opensourceways-bot

Copy link
Copy Markdown

CLA Signature Guide

@Longwt123 , thanks for your pull request.

The following commit(s) are not associated with a signed Contributor License Agreement (CLA).

Commit Reason
589414ea Bump all dependencies (#234) * ... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
878781f9 docker: fix readOnly volumes in ... the email used in the commit is an invalid email!
please check all commits.
605551ff Bump @eslint/plugin-kit from 0.3... the email used in the commit is an invalid email!
please check all commits.
ea25fd1b Change command to remove sudo to... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
2934de33 Sort 'find' output before hashin... the email used in the commit is an invalid email!
please check all commits.
ad9cb43c feat: check if required binaries... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
0951cc73 Improve validation checks after ... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
5f5708a2 Overwrite runnner file commands ... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
ee5c48b9 Adding websocket heartbeat (#333... the email used in the commit is an invalid email!
please check all commits.
bcd95aee Fix error serialization in 4 cat... the email used in the commit is an invalid email!
please check all commits.
d170a93f fix(k8s): prevent circular-JSON ... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
721a06a6 Fix misleading error/debug messa... the email used in the commit is an invalid email!
please check all commits.

To sign CLA, click here.

To check if your email is configured correctly, refer to the FAQs.

Once you've signed the CLA or updating your email, please comment /check-cla to revalidate CLA status.

@opensourceways-bot

Copy link
Copy Markdown

Linking Issue Notice

@Longwt123 , the pull request must be linked to at least one issue.
If an issue has already been linked, but the needs-issue label remains, you can remove the label by commenting /check-issue .

@opensourceways-bot

Copy link
Copy Markdown

Welcome To opensourceways Community

Hey @Longwt123 , thanks for your contribution to the community.

Bot Usage Manual

I'm the Bot here serving you. You can find the instructions on how to interact with me at Here . That means you can comment below every pull request or issue to trigger Bot Commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces significant updates to the runner container hooks, particularly for the Kubernetes (k8s) implementation. Key changes include transitioning from Kubernetes Jobs to Pods for container steps, replacing persistent volume claims with emptyDir volumes initialized via an init container, and using tar streaming to copy files to and from the workflow pod. Additionally, it introduces a WebSocket heartbeat mechanism to prevent stale connections, improves error serialization to avoid circular reference crashes, and adds robust fast-fail checks for unrecoverable pod and container errors. Feedback from the code review highlights a critical command injection vulnerability in writeContainerStepScript due to unquoted shell arguments, potential TypeError crashes from missing defensive checks on environment variables and API response items, redundant promise settlement paths in copy functions, and a potential promise hang in log streaming.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread packages/k8s/src/k8s/utils/index.ts Outdated
Comment thread packages/k8s/src/k8s/index.ts
Comment thread packages/k8s/src/k8s/index.ts
Comment thread packages/k8s/src/k8s/utils/index.ts Outdated
Comment thread packages/k8s/src/hooks/run-container-step.ts Outdated
Comment thread packages/k8s/src/k8s/index.ts Outdated
Comment thread packages/k8s/src/k8s/index.ts Outdated
Comment thread packages/k8s/src/k8s/index.ts Outdated
- security: shlex.quote entryPoint, entryPointArgs, parts.join, and
  targetVolumePath in shell scripts to prevent command injection
- fix: add return before reject() in execCpToPod/execCpFromPod callbacks
  to prevent resolve() being called after rejection
- fix: guard RUNNER_WORKSPACE and GITHUB_WORKSPACE env vars with explicit
  null checks and early throws instead of unsafe cast-to-string
- fix: propagate logStream error events to the awaiting promise so
  getPodLogs does not hang on stream errors
- fix: use result.items ?? [] in both listNamespacedEvent calls to guard
  against null/undefined items arrays

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@opensourceways-bot

Copy link
Copy Markdown

CLA Signature Guide

@Longwt123 , thanks for your pull request.

The following commit(s) are not associated with a signed Contributor License Agreement (CLA).

Commit Reason
589414ea Bump all dependencies (#234) * ... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
878781f9 docker: fix readOnly volumes in ... the email used in the commit is an invalid email!
please check all commits.
605551ff Bump @eslint/plugin-kit from 0.3... the email used in the commit is an invalid email!
please check all commits.
ea25fd1b Change command to remove sudo to... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
2934de33 Sort 'find' output before hashin... the email used in the commit is an invalid email!
please check all commits.
ad9cb43c feat: check if required binaries... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
0951cc73 Improve validation checks after ... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
5f5708a2 Overwrite runnner file commands ... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
ee5c48b9 Adding websocket heartbeat (#333... the email used in the commit is an invalid email!
please check all commits.
bcd95aee Fix error serialization in 4 cat... the email used in the commit is an invalid email!
please check all commits.
d170a93f fix(k8s): prevent circular-JSON ... the email used in the commit is not linked to a signed CLA!
please verify that it matches the email you used when signing the CLA.
721a06a6 Fix misleading error/debug messa... the email used in the commit is an invalid email!
please check all commits.

To sign CLA, click here.

To check if your email is configured correctly, refer to the FAQs.

Once you've signed the CLA or updating your email, please comment /check-cla to revalidate CLA status.

@opensourceways-bot

Copy link
Copy Markdown
检查项 状态
敏感信息扫描
安全编码扫描
漏洞扫描
开源license合规扫描
UT测试覆盖率
开发阶段设计文档检查
流水线链接 点击跳转查看日志

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.