-
Notifications
You must be signed in to change notification settings - Fork 24.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci(aio): freeze the lockfile for CI builds #19616
ci(aio): freeze the lockfile for CI builds #19616
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM (as soon as Travis is happy).
Should we do the same for the examples boilerplate?
Oh yes. I forgot about that
…On Mon, 9 Oct 2017, 09:58 George Kalpakas, ***@***.***> wrote:
***@***.**** approved this pull request.
LGTM (as soon as Travis is happy).
Should we do the same for the examples boilerplate?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#19616 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAA9J7K1fBGai54eprY5BWDTIWZtr1zZks5sqeAagaJpZM4PyFF1>
.
|
a65bff9
to
ee629ff
Compare
You can preview ee629ff at https://pr19616-ee629ff.ngbuilds.io/. |
ee629ff
to
33f0cab
Compare
And the examples dependency installation uses the pure lockfile flag, so won't actually fail if the package has changed but will always use what is in the lockfile. Is this acceptable? |
You can preview 33f0cab at https://pr19616-33f0cab.ngbuilds.io/. |
You can preview 377e2a6 at https://pr19616-377e2a6.ngbuilds.io/. |
Why not use |
No you're right there are no downsides. I was worried about people getting errors calling |
377e2a6
to
2546c0d
Compare
Updated to use |
You can preview 2546c0d at https://pr19616-2546c0d.ngbuilds.io/. |
@@ -52,7 +52,7 @@ if [[ ${TRAVIS} && (${CI_MODE} == "aio" || ${CI_MODE} == "aio_e2e" || ${CI_MODE} | |||
travisFoldStart "yarn-install.aio" | |||
( | |||
cd ${PROJECT_ROOT}/aio | |||
yarn install | |||
yarn install --frozen-lockfile --non-interactive |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you also update the main repo yarn install
on line 40?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
otherwise lgtm. I didn't know about this option. Thanks for turning it on.
@IgorMinar - added |
095635f
to
c175f85
Compare
@@ -156,7 +156,7 @@ RUN find $AIO_SCRIPTS_SH_DIR -maxdepth 1 -type f -printf "%P\n" \ | |||
# Set up the Node.js scripts | |||
COPY scripts-js/ $AIO_SCRIPTS_JS_DIR/ | |||
WORKDIR $AIO_SCRIPTS_JS_DIR/ | |||
RUN yarn install --production | |||
RUN yarn install --production --freeze-lockfile --non-interactive |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure this is worth it, because we don't run it on CI anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that the --non-interactive
is not needed in that case. but the --freeze-lockfile
still has value, no?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--non-interactive
is fine actually, because this is automatically built on the preview server.
We will be testing with --freeze-lockfile
on CI, so leaving it here shouldn't be an issue theoretically. Thinking about it again, it is probably better to keep the flags (worst case scenario: the preview server will remain on an older version until this is fixed).
docs/DEVELOPER.md
Outdated
@@ -58,7 +58,7 @@ Next, install the JavaScript modules needed to build and test Angular: | |||
|
|||
```shell | |||
# Install Angular project dependencies (package.json) | |||
yarn install | |||
yarn install --freeze-lockfile |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This here seems redundant. Theoretically, they've just cloned the repo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The point is that it could automatically update the yarn.lock file if you don't do this, which could be breaking and confusing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This would only happen if we messed up and committed package.json
changes without the corresponding yarn.lock
changes. In that case, using --freeze-lockfile
would be fail which will probably be even more confusing 😃
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not how I understand yarn
. Imagine a dependency in package.json
that is a range (e.g. ^1.2.3
). This could have a lockfile dependency of 1.2.4
say. Now suppose that the owner of that dependency releases 1.2.5
. If we do not freeze the lockfile, then yarn install
will install 1.2.5
and then modify the lockfile accordingly. Surely this is not what we want. We want the developers of Angular to install the versions in the lockfile.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is how yarn install
works. Normally, yarn install
just installs what is in the lockfile. (That's the whole point, right? 😃)
If there are "indications" that package.json
has been modified without a corresponding update to yarn.lock
, then and (only then) yarn install
will update the lockfile (possible upgrading other dependencies in the process). Here is where the --freeze-lockfile
takes effect (failing in case that happens).
So, afaict, what --freeze-lockfile
protects us from is updating package.json
manually (not via yarn
) and forgetting to also update the lockfile.
(That's just my understanding; could be wrong 😁)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh I get it now: yarnpkg/yarn#4147
So if I do anything to any dependency, then the yarn.lock will get modified unless the lock file is frozen. So indeed if you have just cloned then this is not needed.
You can preview c175f85 at https://pr19616-c175f85.ngbuilds.io/. |
c175f85
to
4f576f9
Compare
You can preview 4f576f9 at https://pr19616-4f576f9.ngbuilds.io/. |
The CI will now fail if the dependencies in the AIO package.json have been modified without the lockfile being updated.
4f576f9
to
a5e0a94
Compare
@IgorMinar has approved this PR, so not sure why pullapprove is still complaining... |
You can preview a5e0a94 at https://pr19616-a5e0a94.ngbuilds.io/. |
The CI will now fail if the dependencies in the AIO package.json have been modified without the lockfile being updated. PR Close #19616
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
The CI will now fail if the dependencies in the AIO
package.json have been modified without the
lockfile being updated.