COMP: Bump srvaroa/labeler v0.8 → v1 to avoid per-run Go build flakes#6181
Conversation
|
Heads-up: the failing Label PRs / build check on this very PR is the same flake the PR fixes -- and it's expected to stay red here.
In other words: this PR is the chicken-and-egg fix; the red check is proof that the bug exists, and merging the bump unblocks every subsequent PR. Other CI lanes (build, pre-commit, ARMBUILD, Azure) are still pending and should pass since they don't depend on the labeler at all. |
The pinned v0.8 (2018-2019) ships an action that builds the Go binary from source on every CI run. Each build downloads dependencies from gopkg.in, which intermittently fails the TLS handshake and aborts the labeling job. The failure has been observed across multiple recent PRs (InsightSoftwareConsortium#5775, InsightSoftwareConsortium#6177, InsightSoftwareConsortium#6164 -- 'Docker build failed with exit code 1' from 'go: gopkg.in/check.v1: net/http: TLS handshake timeout'). srvaroa/labeler ships a pre-built Docker image starting at v1.8.1, so newer versions skip the Go-compile step entirely. The maintainer publishes a floating 'v1' major tag that auto-tracks minor/patch releases; v1.14.0 is current upstream. The v1 schema replaces the v0.8-era flat dict-of-rules with a 'version: 1' header + 'labels:' list of {label, title, files, ...} objects, so .github/labeler.yml is migrated alongside the workflow bump. Pattern semantics are unchanged: both v0.8 and v1 use Go's RE2 regex engine, matching unanchored against PR file paths -- so existing patterns like 'Modules/IO/*' (which is regex 'Modules/IO/' followed by zero-or-more '/') continue to behave the same in v1.
hjmjohnson
force-pushed
the
comp-bump-labeler-action
branch
from
a5d4ac8 to
577ce95
Compare
|
Force-pushed Pattern semantics are unchanged (both v0.8 and v1 use Go RE2 regex matched unanchored against PR file paths), so the 25 label rules are migrated 1-to-1 with their existing patterns intact. No new labels added, no labels removed. Validation
|
|
| Filename | Overview |
|---|---|
| .github/workflows/label-pr.yml | Single-line change bumping srvaroa/labeler from @v0.8 to @v1 (floating tag); workflow uses pull_request_target which warrants pinning to a commit SHA rather than a mutable tag. |
| .github/labeler.yml | Migrated config from v0.8 flat-key schema to v1 version: 1 / labels: list schema; all label rules and file/title patterns are preserved correctly. |
Sequence Diagram
sequenceDiagram
participant GH as GitHub
participant WF as label-pr.yml (pull_request_target)
participant LA as srvaroa/labeler@v1 (pre-built image)
participant Repo as Repository Labels
GH->>WF: pull_request_target event
WF->>LA: run action (GITHUB_TOKEN)
LA->>LA: read .github/labeler.yml (v1 schema)
LA->>LA: match PR title + changed files → labels
LA->>Repo: apply labels via API (pull-requests: write)
Note over LA: No Go compile step,<br/>no gopkg.in network calls
Reviews (1): Last reviewed commit: "COMP: Bump srvaroa/labeler v0.8 → v1 to ..." | Re-trigger Greptile
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
|
|
||
| steps: | ||
| - uses: srvaroa/labeler@v0.8 | ||
| - uses: srvaroa/labeler@v1 |
There was a problem hiding this comment.
pull_request_target is a supply chain risk
The workflow is triggered by pull_request_target, which runs with write access to the base repository and has access to GITHUB_TOKEN. A floating @v1 tag means any new commit pushed under that tag by the upstream maintainer is automatically trusted and executed with those privileges. Pinning to a specific commit SHA (e.g., srvaroa/labeler@<sha>) eliminates silent tag-overwrite risk. The PR description already notes this trade-off, and the permissions scope is limited to pull-requests: write, which meaningfully reduces blast radius — but pinning the SHA is the common defense-in-depth recommendation for pull_request_target workflows.
There was a problem hiding this comment.
I think the v1 tag is what we want to minimize future maintenance burden.
There was a problem hiding this comment.
@blowekamp @dzenanz @thewtex I don't think that the floating tag is a sufficient enough concern to justify the added burden. NOTE: All PR's (including this one) will fail (or be really flakey) the Labeler CI until this (or similar) is merged into the main branch.
hjmjohnson
merged commit 9ae80bb
into
InsightSoftwareConsortium:main
2 participants
The Label PRs workflow has been intermittently failing across recent PRs (#5775, #6177, #6164 …) with
Docker build failed with exit code 1fromgo: gopkg.in/check.v1: net/http: TLS handshake timeout. Pinning atsrvaroa/labeler@v0.8builds the Go binary from source on every run; bumping to@v1(currently v1.14.0) uses the pre-built image introduced in v1.8.1 and skips the Go-compile step entirely.Diagnosis
srvaroa/labeler@v0.8(2018-2019) ships a Dockerfile that runsgo build -o action ./cmdinside the CI runner. The build pulls dependencies fromgopkg.in(notablygopkg.in/check.v1andgopkg.in/yaml.v2);gopkg.inintermittently TLS-handshake-times-out from GitHub-hosted runners, which kills the labeler container build before the action can run. Affected jobs report no real error — just network flake fetching Go modules.srvaroa/labelerv1.8.1 introduced a pre-built Docker image, so newer versions never compile Go in the runner and never touchgopkg.in. The floatingv1tag tracks the latest patch (currently v1.14.0).Compatibility check
The current
.github/labeler.ymlonly uses the v0.8-era config schema -- per-ruletitle:regexes ("^COMP:.*"etc.) andfiles:glob lists. Per the upstream README those are still supported in v1.x (the only deprecated key in 1.x issize-above/size-below, which we do not use). No config changes required.Pinning choice
Used
@v1(floating major) rather than@v1.14.0(exact pin). Tradeoff:@v1@v1.14.0Happy to switch to the exact tag if reviewers prefer; one-character diff.
Test plan
pre-commit run --all-filesclean