BUILD-11553: Avoid workspace pollution in CI actions #287
Pull request overview
This PR updates the get-build-number composite action and its ShellSpec tests to store the cached build_number.txt under RUNNER_TEMP (instead of the workspace checkout), preventing ephemeral cache state from modifying the repository tree during workflow runs.
Changes:
- Update the action to write/read the build number file via a BUILD_NUMBER_FILE path pointing to ${RUNNER_TEMP}/build_number.txt.
- Update the underlying get_build_number.sh script to use BUILD_NUMBER_FILE / RUNNER_TEMP for its cache file location.
- Adjust ShellSpec tests to set RUNNER_TEMP and assert the cache file is created in the temp directory.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| spec/get_build_number_spec.sh | Sets RUNNER_TEMP in tests and updates assertions to expect the cache file in temp. |
| get-build-number/get_build_number.sh | Uses BUILD_NUMBER_FILE / RUNNER_TEMP to determine where to write the cache file. |
| get-build-number/action.yml | Exports BUILD_NUMBER_FILE into the composite action environment and updates cache/read/write steps to use it. |
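
The path resolution described in this overview, together with a check for the untracked files the PR is trying to avoid, as an added example that is not the action's own code. BUILD_NUMBER_FILE, RUNNER_TEMP and build_number.txt come from the PR; the function names, the use of GITHUB_WORKSPACE as the checkout root, and the refusal of in-workspace paths are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the action's own script. BUILD_NUMBER_FILE, RUNNER_TEMP
# and build_number.txt come from the PR; function names are hypothetical.

# Print the canonical path of an existing directory.
canon_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# Resolve where the cached build number is stored, and refuse any location
# inside the checkout (assumed to be GITHUB_WORKSPACE, else the current dir).
resolve_build_number_file() {
  local file dir ws
  file="${BUILD_NUMBER_FILE:-}"
  if [ -z "$file" ]; then
    [ -n "${RUNNER_TEMP:-}" ] || { echo "RUNNER_TEMP is not set" >&2; return 1; }
    file="${RUNNER_TEMP}/build_number.txt"
  fi
  dir="$(canon_dir "$(dirname "$file")")" || { echo "missing directory for $file" >&2; return 1; }
  ws="$(canon_dir "${GITHUB_WORKSPACE:-$PWD}")" || return 1
  case "$dir/" in
    "$ws"/*) echo "cache path is inside the workspace: $file" >&2; return 1 ;;
  esac
  printf '%s/%s\n' "$dir" "$(basename "$file")"
}

# List untracked, non-ignored paths in a checkout; empty output means a
# downstream step sees the same tree whether or not CI actions ran first.
untracked_paths() {
  git -C "$1" status --porcelain --untracked-files=all | sed -n 's/^?? //p'
}
```

Both paths are canonicalised with `pwd -P` before comparison, so a symlinked temp directory that actually points into the checkout is also rejected.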
julien-carsique-sonarsource
left a comment
This looks like a good improvement.
However, the motivation for it is unclear: "working tree is polluted with untracked files or directories". There are many other files and directories created by the build. If they are breaking Gitar tagging behavior, then the fix should live in Gitar, by running a git clean.
Keep the GitHub workspace checkout clean so downstream steps (e.g. Docker
image tagging in gitar) behave consistently regardless of whether CI
actions have run.
- get-build-number: write build_number.txt to ${RUNNER_TEMP} instead of
the workspace; update cache paths, get_build_number.sh, and specs
- config-npm, build-npm, build-yarn: use jf npm-config --global so
.jfrog/projects/ is stored under the runner home, not the workspace
- config-npm, build-npm, build-yarn: remove transient .actions/ symlinks
after local composite action references are consumed
There are many other files and directories created by the build, but that is expected and they have entries in the
Code Review ✅ Approved
Moves ephemeral CI state for NPM, Yarn, and build number generation to runner-specific directories to prevent workspace pollution. No issues found.



Summary
Keep the GitHub workspace checkout clean by moving ephemeral CI state out of the repository tree. This prevents downstream steps (e.g. Docker image tagging in gitar) from behaving differently when the working tree is polluted with untracked files or directories.
- build_number.txt to ${RUNNER_TEMP} instead of the workspace; update cache paths and shell specs accordingly
- jf npm-config --global so .jfrog/projects/ is created under the runner home, not the workspace
- .actions/ symlinks after local composite action references are consumed (only symlinks created by the action; rmdir if empty)

Why
Blocks gitar/actions/runs/27045793684: image tagging logic behaves differently when the workspace is clean vs polluted.
Test plan
config-npm, build-npm, build-yarn, get-build-number