ci(aio): freeze the lockfile for CI builds #19616
Conversation
petebacondarwin
added
comp: aio
action: review
|
Oh yes. I forgot about that
…On Mon, 9 Oct 2017, 09:58 George Kalpakas, ***@***.***> wrote:
***@***.**** approved this pull request.
LGTM (as soon as Travis is happy).
Should we do the same for the examples boilerplate?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#19616 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAA9J7K1fBGai54eprY5BWDTIWZtr1zZks5sqeAagaJpZM4PyFF1>
.
|
petebacondarwin
force-pushed
the
aio-freeze-lockfile
branch
from
a65bff9
to
ee629ff
Compare
|
You can preview ee629ff at https://pr19616-ee629ff.ngbuilds.io/. |
petebacondarwin
force-pushed
the
aio-freeze-lockfile
branch
from
ee629ff
to
33f0cab
Compare
|
And the examples dependency installation uses the pure lockfile flag, so won't actually fail if the package has changed but will always use what is in the lockfile. Is this acceptable? |
|
You can preview 33f0cab at https://pr19616-33f0cab.ngbuilds.io/. |
|
You can preview 377e2a6 at https://pr19616-377e2a6.ngbuilds.io/. |
|
Why not use |
|
No you're right there are no downsides. I was worried about people getting errors calling |
petebacondarwin
force-pushed
the
aio-freeze-lockfile
branch
from
377e2a6
to
2546c0d
Compare
|
Updated to use |
|
You can preview 2546c0d at https://pr19616-2546c0d.ngbuilds.io/. |
| @@ -52,7 +52,7 @@ if [[ ${TRAVIS} && (${CI_MODE} == "aio" || ${CI_MODE} == "aio_e2e" || ${CI_MODE} | |||
| travisFoldStart "yarn-install.aio" | |||
| ( | |||
| cd ${PROJECT_ROOT}/aio | |||
| yarn install | |||
| yarn install --frozen-lockfile --non-interactive | |||
There was a problem hiding this comment.
can you also update the main repo yarn install on line 40?
IgorMinar
added
action: cleanup
|
@IgorMinar - added |
petebacondarwin
force-pushed
the
aio-freeze-lockfile
branch
from
095635f
to
c175f85
Compare
| @@ -156,7 +156,7 @@ RUN find $AIO_SCRIPTS_SH_DIR -maxdepth 1 -type f -printf "%P\n" \ | |||
| # Set up the Node.js scripts | |||
| COPY scripts-js/ $AIO_SCRIPTS_JS_DIR/ | |||
| WORKDIR $AIO_SCRIPTS_JS_DIR/ | |||
| RUN yarn install --production | |||
| RUN yarn install --production --freeze-lockfile --non-interactive | |||
There was a problem hiding this comment.
Not sure this is worth it, because we don't run it on CI anyway.
There was a problem hiding this comment.
I agree that the --non-interactive is not needed in that case. but the --freeze-lockfile still has value, no?
There was a problem hiding this comment.
--non-interactive is fine actually, because this is automatically built on the preview server.
We will be testing with --freeze-lockfile on CI, so leaving it here shouldn't be an issue theoretically. Thinking about it again, it is probably better to keep the flags (worst case scenario: the preview server will remain on an older version until this is fixed).
docs/DEVELOPER.md
Outdated
| @@ -58,7 +58,7 @@ Next, install the JavaScript modules needed to build and test Angular: | |||
|
|
|||
| ```shell | |||
| # Install Angular project dependencies (package.json) | |||
| yarn install | |||
| yarn install --freeze-lockfile | |||
There was a problem hiding this comment.
This here seems redundant. Theoretically, they've just cloned the repo.
There was a problem hiding this comment.
The point is that it could automatically update the yarn.lock file if you don't do this, which could be breaking and confusing.
There was a problem hiding this comment.
This would only happen if we messed up and committed package.json changes without the corresponding yarn.lock changes. In that case, using --freeze-lockfile would be fail which will probably be even more confusing 😃
There was a problem hiding this comment.
This is not how I understand yarn. Imagine a dependency in package.json that is a range (e.g. ^1.2.3). This could have a lockfile dependency of 1.2.4 say. Now suppose that the owner of that dependency releases 1.2.5. If we do not freeze the lockfile, then yarn install will install 1.2.5 and then modify the lockfile accordingly. Surely this is not what we want. We want the developers of Angular to install the versions in the lockfile.
There was a problem hiding this comment.
I don't think this is how yarn install works. Normally, yarn install just installs what is in the lockfile. (That's the whole point, right? 😃)
If there are "indications" that package.json has been modified without a corresponding update to yarn.lock, then and (only then) yarn install will update the lockfile (possible upgrading other dependencies in the process). Here is where the --freeze-lockfile takes effect (failing in case that happens).
So, afaict, what --freeze-lockfile protects us from is updating package.json manually (not via yarn) and forgetting to also update the lockfile.
(That's just my understanding; could be wrong 😁)
There was a problem hiding this comment.
Oh I get it now: yarnpkg/yarn#4147
So if I do anything to any dependency, then the yarn.lock will get modified unless the lock file is frozen. So indeed if you have just cloned then this is not needed.
petebacondarwin
added
action: review
|
You can preview c175f85 at https://pr19616-c175f85.ngbuilds.io/. |
petebacondarwin
force-pushed
the
aio-freeze-lockfile
branch
from
c175f85
to
4f576f9
Compare
|
You can preview 4f576f9 at https://pr19616-4f576f9.ngbuilds.io/. |
The CI will now fail if the dependencies in the AIO package.json have been modified without the lockfile being updated.
petebacondarwin
force-pushed
the
aio-freeze-lockfile
branch
from
4f576f9
to
a5e0a94
Compare
petebacondarwin
added
action: merge
|
@IgorMinar has approved this PR, so not sure why pullapprove is still complaining... |
|
You can preview a5e0a94 at https://pr19616-a5e0a94.ngbuilds.io/. |
The CI will now fail if the dependencies in the AIO package.json have been modified without the lockfile being updated. PR Close #19616
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
The CI will now fail if the dependencies in the AIO
package.json have been modified without the
lockfile being updated.