feat: Upload kubernetes/kubernetes SCIP index #327
Conversation
jupblb
force-pushed
the
michal/GRAPH-1255
branch
from
594c93e to
6ee9462
Compare
| - name: Configure git safe.directory | ||
| run: git config --global --add safe.directory $GITHUB_WORKSPACE |
There was a problem hiding this comment.
What's the reason for configuring this? I read the docs, but I don't remember us configuring this in other CI jobs before.
There was a problem hiding this comment.
I did try to run a workflow without it and it failed. I've seen this being used here: https://github.com/sourcegraph/sourcegraph/blob/f80ec0d84a54336daf66fa6e9c8a43cea9ac1fc2/.github/workflows/scip-go.yml#L26-L27
There was a problem hiding this comment.
Hmm, that's weird, I guess it's a relatively new git behavior.
Do you remember what error you saw? (I tried looking at previous Actions runs, but couldn't find it in a couple of minutes of looking.)
Fine with leaving this in, but it'd be nice to add a comment summarizing the error to describe why we have this line.
There was a problem hiding this comment.
There was a problem hiding this comment.
Explanation given by amp:
The src code-intel upload command needs to determine the Git commit SHA to associate the uploaded SCIP index with the correct code
version on Sourcegraph.
Internally, it runs Git commands (like git rev-parse HEAD) to get the current commit. When Git detects the repository is owned by a
different user (common in CI/CD environments), it refuses to execute any Git commands due to the CVE-2022-24765 security check.
The error message shows this flow:
1. src code-intel upload tries to auto-detect the commit
2. Git fails with "dubious ownership" (exit status 128)
3. The upload fails with "Unable to determine commit from environment"
That's why you need to either:
* Add the directory to safe.directory so Git commands work
* Bypass Git entirely by providing -commit=$GITHUB_SHA explicitly
This does match src-cli behavior:
https://github.com/sourcegraph/src-cli/blob/a8695294ab07ad884fa2b4801f6e568dfa9d32e7/cmd/src/code_intel_upload_flags.go#L252-L254
jupblb
force-pushed
the
michal/GRAPH-1255
branch
from
0f6a322 to
d850c3e
Compare
- Runs daily at midnight UTC with manual trigger option - Checks out kubernetes/kubernetes at depth 1 for efficiency - Uses 4-core runner with 180 minute timeout - Implements Go module/build caching for 30-60% faster runs - Adds concurrency control to prevent overlapping runs - Validates SCIP dump size before upload - Pins src-cli version for deterministic builds - Includes error handling and debug artifacts on failure Co-authored-by: Amp <[email protected]> Amp-Thread-ID: https://ampcode.com/threads/T-c9aa572a-3f3a-47a2-b56a-7f0120ed7c27
jupblb
force-pushed
the
michal/GRAPH-1255
branch
2 times, most recently
from
8b96480 to
f356ec3
Compare
jupblb
force-pushed
the
michal/GRAPH-1255
branch
from
f356ec3 to
73535ff
Compare
jupblb
force-pushed
the
michal/GRAPH-1255
branch
2 times, most recently
from
a08ad20 to
916548c
Compare
Adding only
kubernetes/kubernetesfor now, to see if this works well.The Service Account used for SCIP index upload is named
scip-upload-service-account. It has SCIP index upload permission and has repo permission for kubernetes/kubernetes.Test plan
N/A