Let pacman-helper deploy also to the GitHub repo git-for-windows/pacman-repo
#595
Conversation
I recently transitioned Git for Windows' snapshot builds away from being hosted on Azure Blobs. Instead, they are now hosted at https://github.com/git-for-windows/git-snapshots/releases, with the overview page as a GitHub Page at https://gitforwindows.org/git-snapshots Which means that the snapshot builds are not even uploaded to Azure Blobs anymore, and the corresponding code to upload them can be dropped, which I hereby do. Granted, the script's filename is now a bit misleading because the only operations it supports now are related to Git for Windows' Pacman repository that is hosted on Azure Blobs. But I am currently embarking on the project to transition also the Pacman repository to GitHub, concretely to the branches of https://github.com/git-for-windows/pacman-repo whose branch names reflect the corresponding CPU architecture. Once that transition is done, the entire `wingit-snapshot-helper.sh` script can be dropped, so I'll not bother with renaming it for that (hopefully short) time window. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
In the early days of Git for Windows v2.x, when automation meant running scripts in a clean VM I kept on my laptop, the Pacman repository was simply a remote mirror of a local directory tree. Over the years, many things changed. We transitioned from Bintray to Azure Blobs (because the former was woefully unreliable and also simply _stopped_ serving _any_ file once we hit a relatively low quota), we transitioned building Pacman packages first to Azure Pipelines and then to GitHub Actions. This also meant that the Pacman repository no longer had a local source of truth but instead a remote one, and the automation required the ability to add a package without initializing a local mirror on the Action runners: The `quick_add` sub-command was born, see b408f99 (pacman-helper: add a quick mode, 2019-11-27). This `quick_add` operation merely downloads the package databases, runs `repo_add` with the packages to add, and then uploads the package databases along with the new package version's archives. Ever since that operation was introduced, I haven't had the need for any of the other ways to upload or verify packages, and it is time to retire the code associated with those no-longer-used functionality. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Back in 8e9b157 (pacman-helper: be prepared to initialize the aarch64 Pacman repository, 2022-12-22), I had added code specifically to initialize the aarch64 part of Git for Windows' Pacman repository, which had not existed up to that point. Now that the aarch64 repository is a thing, we can drop that code. In fact, I could have dropped it a lot sooner, but hey, better late than never. It is actually a bit more pressing now because I want to transition Git for Windows away from the Azure Blobs-backed Pacman repository, and instead use https://github.com/git-for-windows/pacman-repo instead, via a `/etc/pacman.conf` modification looking something like this: [git-for-windows-x86_64] Server = https://raw.githubusercontent.com/git-for-windows/pacman-repo/refs/heads/x86_64 [git-for-windows-mingw32] Server = https://raw.githubusercontent.com/git-for-windows/pacman-repo/refs/heads/i686 For the transition period, I want to keep the Azure Blobs-backed Pacman repository in sync but no longer make it the source of truth. The code to initialize the aarch64 part of it would have made the necessary changes unnecessarily complex. So away it goes. This commit is best viewed with `-w`. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
When deploying packages to the Pacman repository hosted on Azure Blobs, a token is required (unless it's "dry run"). Let's verify that this token is present early on, before doing any work. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
The plan is to mirror each Pacman repository deployment to a new GitHub Release in the `git-for-windows/pacman-repo` repository. To allow for that, the database filenames must be unique, which means that we will add the `-<architecture>` infix to the `git-for-windows.db` files (and likewise the `.files` ones). This requires the MINGW-only `git-for-windows-aarch64` to be renamed to `git-for-windows-clangarm64` (which it should have been named in the first place, in line with the other two MINGW-only databases whose filenames reflect the down-cased `MSYSTEM`). In preparation for modifying the code to upload these GitHub Releases, adapt the existing code to use the new-style naming at least locally. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
pacman-helper.sh
Outdated
| git -C "$dir" config set core.sparseCheckout true && | ||
| git -C "$dir" config set core.sparseCheckoutCone false && | ||
| printf '%s\n' 'git-*.db*' 'git-*.files*' >"$dir"/.git/info/sparse-checkout && | ||
| printf '%s\n' '/git-for-windows.db*' 'git-for-windows.files*' >"$dir"/.git/info/exclude && |
There was a problem hiding this comment.
I don't know the syntax here, but it seems odd there's a leading slash on just this one item.
There was a problem hiding this comment.
The resulting exclude file would be:
/git-for-windows.db*
git-for-windows.files*
..which means, exclude only files matching git-for-windows.db* from the root of the repository /, and exclude files matching git-for-windows.files* at any depth path.
There was a problem hiding this comment.
Right, that was an oversight. I should probably also add the leading slashes to the sparse-checkout lines. Not that it matters a lot, as I've been complaining about, Pacman repositories must have a flat directory structure (i.e. no subdirectories, let alone sibling directories allowed). Therefore those patterns can only match files in the root tree because there is only a root tree.
pacman-helper.sh
Outdated
|
|
||
| # Remove previous versions from the Git branch | ||
| printf '%s\n' $msys $mingw | | ||
| sed 's/-[0-9][^-]*-[0-9][^-]*-[^-]*\.pkg\.tar\.\(xz\|zst\)$/-[0-9]*/' | |
There was a problem hiding this comment.
Ouch. This sed pattern appears several times, so this comment applies to each of them: it is not necessarily safe: a version can start with a letter (such a version would compare less than a version that starts with a number). What msys2 does to get the package name from a filename is
pkgname="$(echo "$pkg" | rev | cut -d- -f4- | rev)"You could probably just drop the [0-9]s if you wanted to use sed.
There was a problem hiding this comment.
Huh. So what you're saying is that sed 's/\(-[^-]*\)\{3\}$//' would do the job, too? I guess that would work, but it would remove some of the sanity checking... I think I want to go with sed 's/\(-[^-]*\)\{3\}\.pkg\.tar\.\(xz\|zst\)$/-[0-9]*/' instead.
Note that the replacement -[0-9]* is a shell wildcard pattern designed to catch earlier package versions, and this still relies on version numbers starting with, ahem, numbers.
That's fine, though, as Git for Windows' Pacman repository does not contain any of those packages with funny "version numbers". In MSYS2, I only see colormake-git, cygnative, gyp, pactoys, mingw-w64-breakpad-git, mingw-w64-cppcoro, mingw-w64-daala-git, mingw-w64-devcon-git, mingw-w64-fxc2, mingw-w64-glsl-optimizer-git, mingw-w64-heimdall, mingw-w64-hlsl2glsl-git, mingw-w64-libbacktrace, mingw-w64-libfixmath, mingw-w64-libmpeg2-git, mingw-w64-libnatpmp, mingw-w64-libunifex, mingw-w64-libusb-compat-git, mingw-w64-libutp, mingw-w64-libvmime-git, mingw-w64-llama.cpp, mingw-w64-lldb-mi, mingw-w64-m68k-apple-macos-binutils-git, mingw-w64-mhook, mingw-w64-nanovg, mingw-w64-ntldd, mingw-w64-ogitor-git, mingw-w64-powerpc-apple-macos-binutils-git, mingw-w64-qoi, mingw-w64-rkdeveloptool, mingw-w64-stb, and mingw-w64-thor. None of which Git for Windows is threatening to shadow in its Pacman repository.
BTW mingw-w64-llama.cpp sticks out because it has the only "version number" that starts with a b, all the other non-numbers start with r.
For the record, I populated the list above using git grep 'pkgver="\?[^"0-9]' \*/PKGBUILD in MINGW-packages and MSYS2-packages, but in hindsight a slightly involved tar Oxvf /var/lib/pacman/sync/<db> | sed -e '<put-package-name-in-hold-then-print-it-for-every-package-version-that-does-not-start-with-a-digit>' invocation would have been a lot faster and a lot less manual.
There was a problem hiding this comment.
in hindsight a slightly involved
tar Oxvf /var/lib/pacman/sync/<db> | sed -e '<put-package-name-in-hold-then-print-it-for-every-package-version-that-does-not-start-with-a-digit>'invocation would have been a lot faster and a lot less manual.
Indeed, it only took me 5 minutes (as opposed to the 30 minutes before, but analysing it took a bit longer again because I was puzzled about llama.cpp, see below):
(
printf '| Version | Package |\n| - | - |\n'
for dbname in msys mingw64
do
tar Oxvf /var/lib/pacman/sync/$dbname.db 2>&1 |
sed -n '/%NAME%/{n;x};/%VERSION%/{n;G;s/^/| /;s/\n/ | /g;s/$/ |/;/^| [^0-9]/p}'
done
)yields:
| Version | Package |
|---|---|
| r8.9c1d2e6-2 | colormake-git |
| r9.2cbf760-2 | cygnative |
| r2173.a03d7413-3 | gyp |
| r65.b5fcc0f-1 | pactoys |
| r1680.70914b2d-2 | mingw-w64-x86_64-breakpad-git |
| r390.a87e97f-2 | mingw-w64-x86_64-cppcoro |
| r1505.52bbd43-2 | mingw-w64-x86_64-daala-git |
| r540.f0adcda0-3 | mingw-w64-x86_64-devcon-git |
| r19.807d26f-1 | mingw-w64-x86_64-fxc2 |
| r180.3997d5c-2 | mingw-w64-x86_64-heimdall |
| r115.1db8564-1 | mingw-w64-x86_64-libbacktrace |
| r1108.946bf4b-2 | mingw-w64-x86_64-libmpeg2-git |
| r84.07004b9-2 | mingw-w64-x86_64-libnatpmp |
| r564.d7d191e-2 | mingw-w64-x86_64-libunifex |
| r76.b5db9d0-2 | mingw-w64-x86_64-libusb-compat-git |
| r175.9cb9f9c-2 | mingw-w64-x86_64-libutp |
| r1270.d03ad5f0-1 | mingw-w64-x86_64-libvmime-git |
| r93.a6c8c66-2 | mingw-w64-x86_64-lldb-mi |
| r808.8d32c583ae-2 | mingw-w64-x86_64-m68k-apple-macos-binutils |
| r7.a159eed-2 | mingw-w64-x86_64-mhook |
| r398.c35e80c-2 | mingw-w64-x86_64-nanovg |
| r19.7fb9365-4 | mingw-w64-x86_64-ntldd |
| r893.58e2cca-1 | mingw-w64-x86_64-ogitor-git |
| r808.8d32c583ae-1 | mingw-w64-x86_64-powerpc-apple-macos-binutils |
| r346.b0b926e-1 | mingw-w64-x86_64-qoi |
| r70.21b25fd-1 | mingw-w64-x86_64-rkdeveloptool |
| r2193.31707d1-1 | mingw-w64-x86_64-stb |
| r271.3e320cb-2 | mingw-w64-x86_64-thor |
On the other hand, it missed mingw-w64-llama.cpp. That's because the package's filename contains the epoch 1 and therefore the version part does start with a digit (it's 1~b4458-1).
There was a problem hiding this comment.
Huh. So what you're saying is that
sed 's/\(-[^-]*\)\{3\}$//'would do the job, too? I guess that would work, but it would remove some of the sanity checking... I think I want to go withsed 's/\(-[^-]*\)\{3\}\.pkg\.tar\.\(xz\|zst\)$/-[0-9]*/'instead.Note that the replacement
-[0-9]*is a shell wildcard pattern designed to catch earlier package versions, and this still relies on version numbers starting with, ahem, numbers.
Also, this blob from makepkg
# clean up dangling symlinks to packages
for pkg in ${pkgname[@]}; do
for file in ${pkg}-*-*-*{${PKGEXT},${SRCEXT}}; do
if [[ -h $file && ! -e $file ]]; then
rm -f "$file"
fi
done
doneThere was a problem hiding this comment.
@jeremyd2019 I'm just worried about things like mingw-w64-x86_64-git-*-*-*${PKGEXT} totally matching mingw-w64-x86_64-git-extra-1.1.646.cafecafe-1-any.pkg.tar.xz...
For the record, I use the "single, honking big GitHub Release" method, and there is another issue with using a GitHub release that has to be worked around: certain characters are not allowed in the filenames, and get silently replaced with periods.
The only such character I have run into in practice is Note that this is silent, the upload won't fail, but attempts to fetch using the original name will fail. As a workaround, the files can be renamed before |
pacman-helper.sh
Outdated
| git -C "$dir" config set core.sparseCheckout true && | ||
| git -C "$dir" config set core.sparseCheckoutCone false && | ||
| printf '%s\n' 'git-*.db*' 'git-*.files*' >"$dir"/.git/info/sparse-checkout && | ||
| printf '%s\n' '/git-for-windows.db*' 'git-for-windows.files*' >"$dir"/.git/info/exclude && |
There was a problem hiding this comment.
The resulting exclude file would be:
/git-for-windows.db*
git-for-windows.files*
..which means, exclude only files matching git-for-windows.db* from the root of the repository /, and exclude files matching git-for-windows.files* at any depth path.
To make it much more transparent when and what was deployed to Git for Windows' Pacman repository, let's just upload all the files that went into a deployment to a new GitHub Release at https://github.com/git-for-windows/pacman-repo/releases. Historical deployments (modulo package databases, which were overwritten over and over again, and are therefore lost to archeology) have been uploaded there already. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
The idea is that the Pacman repository hosted on Azure Blobs keeps functioning as before, for now, but that the GitHub repository at https://github.com/git-for-windows/pacman-repo is now serviced as well. It will serve as Git for Windows' official Pacman repository in the future. The next step there is to do a couple of deployments, then make the following adjustment to `/etc/pacman.conf` locally, and once enough confidence has been gained, the post-install script of the `mingw-w64-git-extra` package will learn to make this adjustment: diff --git a/etc/pacman.conf b/etc/pacman.conf index 99179ac6024..9555ae89af4 100644 --- a/etc/pacman.conf +++ b/etc/pacman.conf @@ -70,17 +70,17 @@ LocalFileSigLevel = Optional # Server = https://repo.msys2.org/staging/ # SigLevel = Never -[git-for-windows-aarch64] -Server = https://wingit.blob.core.windows.net/aarch64 +[git-for-windows-clangarm64] +Server = https://raw.githubusercontent.com/git-for-windows/pacman-repo/refs/heads/aarch64 [clangarm64] Include = /etc/pacman.d/mirrorlist.mingw -[git-for-windows] -Server = https://wingit.blob.core.windows.net/x86-64 +[git-for-windows-x86_64] +Server = https://raw.githubusercontent.com/git-for-windows/pacman-repo/refs/heads/x86_64 [git-for-windows-mingw32] -Server = https://wingit.blob.core.windows.net/i686 +Server = https://raw.githubusercontent.com/git-for-windows/pacman-repo/refs/heads/i686 [mingw32] Include = /etc/pacman.d/mirrorlist.mingw What this means practically is that this commit introduces code that will update the `x86_64`, `aarch64`, and `i686` branches in `pacman-repo` to reflect the new deployment: new package version archives will be added, the package database updated, and any overridden package versions' archives will be removed. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
…sync Git for Windows' current Pacman repository is hosted on Azure Blobs. The intended new Pacman repository is actually a Git repository hosted on GitHub: https://github.com/git-for-windows/pacman-repo The `pacman-helper.sh` script was taught in the preceding commit to update both synchronously, not just the Azure Blobs one. To ensure that this is all working as intended, let's make extra certain that these two Pacman repositories have not diverged before making any changes. This uncovered a bug where the `sanitize_db` function would update the signature file even if that was not desired nor necessary. We fix that here because said "are we in sync?" check would otherwise fail. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
It is completely normal to have multiple concurrent deployments, say, `mingw-w64-curl` and `mingw-w64-git-extra`. This means that `pacman-helper quick_add` might update a branch locally that cannot be pushed because another deployment has already pushed the branch in the meantime. This is not a problem, as long as the deployments touch separate packages. In that instance, we simply need to revert the changes to the package database, then rebase to the latest commit from the public `pacman-repo` repository, and try again. Note: Currently this situation cannot even occur because we're doing the dual deployment both to Azure Blobs as well as to `pacman-repo`, and the former is protected against concurrent deployments via the lease mechanism. Nevertheless, it is a good idea to make the code ready for the day when we no longer deploy to Azure Blobs. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
dscho
force-pushed
the
let-pacman-helper-deploy-also-to-github-repo
branch
from
c527edf to
80a77f4
Compare
|
@jeremyd2019 @mjcheetham I have addressed these concerns in https://github.com/git-for-windows/build-extra/compare/c527edf5be3204469a7b72caa8c101a261c4bba1..80a77f4e211ead3a0cfb245e1b5ebf79e9699892, I believe. Could you have a look? |
LGTM |
In git-for-windows/build-extra#595, I started the official transition of Git for Windows' Pacman repository away from an Azure Blob container in my personal account to https://github.com/git-for-windows/pacman-repo. For the transition period, this still requires the token to upload to the Azure Blob container, but it also already requires the token to push to `pacman-repo` and to create GitHub releases there. The two users of `pacman-helper.sh quick_add` that now need this token are hereby adapted accordingly. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Well, here it is, that PR, at last: git-for-windows/git-for-windows-automation#113 |
me too, fwiw |
|
For the record, I needed a follow-up patch to make it actually work. The reason I did not spot that problem is that Git for Windows' automation has to play some games with |
|
Ah, I needed another follow-up patch, to accommodate for concurrent deployments: 1acb634. Note: This work-around is only necessary because we still deploy to Azure Blobs. Without that, there would not have been any waiting for the lease, and no downloading the package database from Azure Blobs, and no up to date check that could go wrong 😉 |
In git-for-windows/build-extra#595, I started the official transition of Git for Windows' Pacman repository away from an Azure Blob container in my personal account to https://github.com/git-for-windows/pacman-repo. For the transition period, this still requires the token to upload to the Azure Blob container, but it also already requires credentials to push to `pacman-repo`, in particular some committer information. The `pacman-packages` job of the `release-git` workflow still needed this, as I forgot to do this as part of 2d0492 (build-and-deploy/release-git: support the new Pacman repository, 2025-02-17). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
For a couple of months now, to precise: since git-for-windows#595 (Let `pacman-helper` deploy also to the GitHub repo `git-for-windows/pacman-repo`), every deployment to Git for Windows' Pacman repository is mirrored to a new location: https://github.com/git-for-windows/pacman-repo/ The idea set forth in one of the commits in that PR, 3fca5c7 (pacman-helper quick_add: start transitioning deployments to GitHub, 2025-02-16), is to switch to the new location eventually, avoiding the dependency on my personal Azure account (where the old location resides). I had meant to transition a lot quicker, but procrastinated on this for such a long time that I forgot. But today is the day! Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
For a couple of months now, to precise: since git-for-windows#595 (Let `pacman-helper` deploy also to the GitHub repo `git-for-windows/pacman-repo`), every deployment to Git for Windows' Pacman repository is mirrored to a new location: https://github.com/git-for-windows/pacman-repo/ The idea set forth in one of the commits in that PR, 3fca5c7 (pacman-helper quick_add: start transitioning deployments to GitHub, 2025-02-16), is to switch to the new location eventually, avoiding the dependency on my personal Azure account (where the old location resides). I had meant to transition a lot quicker, but procrastinated on this for such a long time that I forgot. But today is the day! Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
In my endeavor to disentangle Git for Windows' Pacman repository from my personal Azure account, I have started mirroring said Pacman repositories' contents to https://github.com/git-for-windows/pacman-repo/.
Most of the contents, namely the archives reflecting outdated package versions, were uploaded to https://github.com/git-for-windows/pacman-repo/releases.
The archives reflecting the current package versions, as well as the package databases, were uploaded to the
x86_64,i686, andaarch64branches of thegit-for-windows/pacman-reporepository. The idea is to eventually switch Git for Windows to that Pacman repository by modifying/etc/pacman.confas follows:There is a slight downside to using this approach: GitHub does not report a
Last-Modified:for raw blob URLs, and hencepacman -Sywill always download Git for Windows' package databases. Since those weigh only a couple dozen kilobytes, that should be okay, especially given the fact that most users (apart from those who are on their own) will clonegit-sdk-64and not update via Pacman at all.An alternative I had considered was to use GitHub Pages, but I am loathe to deploy ~130MB for
x86_64, ~174MB foraarch64and ~161MB fori686every single time any small package wants to be updated.Another alternative I considered was using the GitHub Releases, but since Pacman repositories have to have a flat directory layout, meaning that the package archives' URLs are expected to be siblings of the package databases' URLs, that would have needed ugly work-arounds:
XferCommandsetting to interpret a fake URL together with a (to be generated) mapping file that lives in every new GitHub Release so as to route the request to the correct GitHub Release for each package archive to download, orDELETEfollowed by a new upload, and during that time window the Pacman repository is broken, and also it would be tricky to deal with concurrent deployments).One alternative I dismissed quite early on was to follow Homebrew's footsteps who figured that GitHub Packages should really be used to host, you know, packages, but there seems not to have been any investment in a flexible-enough architecture to accommodate but the most common package management systems, Pacman not being one of them (or for that matter, Homebrew, who have to pretend that their packages are attachments to Docker containers even though they do not have any Docker containers, and then they still need to jump through major hoops just to get their hosted packages to download).
In the end, I think I found an acceptable solution that will work for us and won't need much in the way of maintenance, nor do I expect it to cause any burden on GitHub.
With all of that background, here is the explanation what this PR tries to accomplish: To start the transition away from Azure Blobs toward
git-for-windows/pacman-repo, this PR adjusts Git for Windows' deployment work horse,pacman-helper.sh quick_add, to not only deploy to Azure Blobs, but also togit-for-windows/pacman-repoat the same time.This will allow us to verify that this thing is working without changing
/etc/pacman.conffor the time being. Once it proves to be working all right, we can then change/etc/pacman.confand eventually drop the parts ofpacman-helper.shthat still want to upload to Azure Blobs (and then we can even retirewingit-snapshot-helper.sh!).Note that this PR will still need a
git-for-windows-automationcompanion to generate and use an installation access token in thebuild-and-deployworkflow so that it can push the updates togit-for-windows/pacman-repo. I spent the best part of today getting to this point, therefore that PR will need to be patient and await tomorrow.