Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Policy bot stuck on Commit hash does not have a pushed date #598

Closed
joseparajelesGL opened this issue Jul 6, 2023 · 29 comments · Fixed by #599, #602 or product-os/policy-bot#4
Closed
Labels
bug Something isn't working

Comments

@joseparajelesGL
Copy link

Hello, we are seeing errors on policy bot where it's stuck on trying to get the pushed date
image

Is there anything we can do to debug this issue?

Attached is the stack trace

failed to compute approval status: failed to list commits: Commit f3bed522f4 does not have a pushed date. This is usually caused by delays in the GitHub API
github.com/palantir/policy-bot/policy/approval.(*Rule).filteredCommits
	/home/runner/work/policy-bot/policy-bot/policy/approval/approve.go:345
github.com/palantir/policy-bot/policy/approval.(*Rule).IsApproved
	/home/runner/work/policy-bot/policy-bot/policy/approval/approve.go:204
github.com/palantir/policy-bot/policy/approval.(*Rule).Evaluate
	/home/runner/work/policy-bot/policy-bot/policy/approval/approve.go:141
github.com/palantir/policy-bot/policy/approval.(*RuleRequirement).Evaluate
	/home/runner/work/policy-bot/policy-bot/policy/approval/evaluate.go:63
github.com/palantir/policy-bot/policy/approval.(*OrRequirement).Evaluate
	/home/runner/work/policy-bot/policy-bot/policy/approval/evaluate.go:86
github.com/palantir/policy-bot/policy/approval.(*AndRequirement).Evaluate
	/home/runner/work/policy-bot/policy-bot/policy/approval/evaluate.go:146
github.com/palantir/policy-bot/policy/approval.(*evaluator).Evaluate
	/home/runner/work/policy-bot/policy-bot/policy/approval/evaluate.go:39
github.com/palantir/policy-bot/policy.evaluator.Evaluate
	/home/runner/work/policy-bot/policy-bot/policy/policy.go:80
github.com/palantir/policy-bot/server/handler.(*EvalContext).EvaluatePolicy
	/home/runner/work/policy-bot/policy-bot/server/handler/eval_context.go:125
github.com/palantir/policy-bot/server/handler.(*Details).ServeHTTP
	/home/runner/work/policy-bot/policy-bot/server/handler/details.go:132
github.com/bluekeyes/hatpear.Try.func1
	/home/runner/work/policy-bot/policy-bot/vendor/github.com/bluekeyes/hatpear/hatpear.go:84
net/http.HandlerFunc.ServeHTTP
	/opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2122
goji%2eio.dispatch.ServeHTTP
	/home/runner/work/policy-bot/policy-bot/vendor/goji.io/dispatch.go:17
github.com/palantir/policy-bot/server/handler.RequireLogin.func1.1
	/home/runner/work/policy-bot/policy-bot/server/handler/login.go:95
net/http.HandlerFunc.ServeHTTP
	/opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2122
goji%2eio.(*Mux).ServeHTTP
	/home/runner/work/policy-bot/policy-bot/vendor/goji.io/mux.go:74
goji%2eio.dispatch.ServeHTTP
	/home/runner/work/policy-bot/policy-bot/vendor/goji.io/dispatch.go:17
goji%2eio.(*Mux).ServeHTTP
	/home/runner/work/policy-bot/policy-bot/vendor/goji.io/mux.go:74
goji%2eio.dispatch.ServeHTTP
	/home/runner/work/policy-bot/policy-bot/vendor/goji.io/dispatch.go:17
github.com/bluekeyes/hatpear.Recover.func1.1
	/home/runner/work/policy-bot/policy-bot/vendor/github.com/bluekeyes/hatpear/hatpear.go:113
net/http.HandlerFunc.ServeHTTP
	/opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2122
github.com/bluekeyes/hatpear.Catch.func1.1
	/home/runner/work/policy-bot/policy-bot/vendor/github.com/bluekeyes/hatpear/hatpear.go:60
net/http.HandlerFunc.ServeHTTP
	/opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2122
github.com/palantir/go-baseapp/baseapp.AccessHandler.func1.1
	/home/runner/work/policy-bot/policy-bot/vendor/github.com/palantir/go-baseapp/baseapp/middleware.go:88
net/http.HandlerFunc.ServeHTTP
	/opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2122
github.com/rs/zerolog/hlog.RequestIDHandler.func1.1
	/home/runner/work/policy-bot/policy-bot/vendor/github.com/rs/zerolog/hlog/hlog.go:187
net/http.HandlerFunc.ServeHTTP
	/opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2122
github.com/palantir/go-baseapp/baseapp.NewMetricsHandler.func1.1
	/home/runner/work/policy-bot/policy-bot/vendor/github.com/palantir/go-baseapp/baseapp/middleware.go:55
net/http.HandlerFunc.ServeHTTP
	/opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2122
github.com/rs/zerolog/hlog.NewHandler.func1.1
	/home/runner/work/policy-bot/policy-bot/vendor/github.com/rs/zerolog/hlog/hlog.go:29
net/http.HandlerFunc.ServeHTTP
	/opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2122
goji%2eio.(*Mux).ServeHTTP
	/home/runner/work/policy-bot/policy-bot/vendor/goji.io/mux.go:74
@ab77
Copy link
Contributor

ab77 commented Jul 7, 2023

According to this, a breaking change was made to Commit.pushedDate and pushedDate appears to be no longer supported.

@esmelser-apex
Copy link

We are also experiencing this issue and would love to see a fix. ➕ 1️⃣

@johnwonkim
Copy link

+1 as well.

@zliu2-wish
Copy link

We are hitting the issue as well. Don't have context into the repo but thanks to @ab77 did some digging in the code and found PushedDate being used:

PushedDate *time.Time

Looking at the graphql docs on Commit that field did get deprecated: https://docs.github.com/en/graphql/reference/objects#commit

I went through all the fields looking for possible replacements and found these fields:
authoredDate
committedDate

Could consider swapping out the pushDate for the above two fields but one possible issue I see:

  • if the pushDate was used to determine when to reset approvals, using the other two fields allows someone to author/commit early but hold the change locally
  • The user would be able to submit v1 of the changes (but already have v2 locally). Get the approval for v1 then push out v2. Since the v2 author/commit time was before the approval, it wouldn't reset the approvals

@asvoboda
Copy link
Member

asvoboda commented Jul 7, 2023

Thanks for the report. Its definitely a shame that the field has been removed from the graphql api:

Breaking A change will be made to Commit.pushedDate.
Description:
pushedDate will be removed.

Reason:
pushedDate is no longer supported.

You are correct @zliu2-wish that the PushedDate is used to determine approvals with the invalidate_on_push option, so this breaking change is particularly problematic.

@asvoboda
Copy link
Member

asvoboda commented Jul 7, 2023

I'm going to file a ticket with our enterprise reps to better understand what options we have on the GH side (#2241100).

I believe this should only affect policies where invalidate_on_push is used. I think the only short term option at the moment is to write a policy that has a fallback OR condition where a maintainer/admin has approved. I'll continue thinking about this.

paulgessinger added a commit to acts-project/acts that referenced this issue Jul 7, 2023
@asvoboda
Copy link
Member

asvoboda commented Jul 7, 2023

I think we'll want to create an option to disable the push date loading for commits that can be toggled at the server level. Right now we attempt to load the pushed dates for commits even for rules that don't use the invalidate_on_push option, which is contributing to slowness in requests.

@asvoboda
Copy link
Member

asvoboda commented Jul 7, 2023

From support:

The Commit.pushedDate field was deprecated because the information calculated and presented is incorrect. The noticed was first announced in our changelog here and then deprecation happen 2023-07-01 as you already noted.

As I understand, there is currently no way to map a commit to a push, and establish that it's the first time the commit has been seen. There isn't a similar date object elsewhere in the API that can replace this.

We hope one day to offer some mapping from commit to push as it is on our radar but this isn't something that will be prioritized in the short/medium term.

@DepickereSven
Copy link
Contributor

From support:

The Commit.pushedDate field was deprecated because the information calculated and presented is incorrect. The noticed was first announced in our changelog here and then deprecation happen 2023-07-01 as you already noted.

As I understand, there is currently no way to map a commit to a push, and establish that it's the first time the commit has been seen. There isn't a similar date object elsewhere in the API that can replace this.

We hope one day to offer some mapping from commit to push as it is on our radar but this isn't something that will be prioritized in the short/medium term.

So this would mean that for now there is no solution in the near future to be able to use invalidate_on_push?

@asvoboda
Copy link
Member

asvoboda commented Jul 7, 2023

Thats correct; it looks like on github.com support for invalidate on push has been entirely broken.

@DepickereSven
Copy link
Contributor

Thats correct; it looks like on github.com support for invalidate on push has been entirely broken.

That's sad to hear because that was powerful in combination with the property ignore_commits_by.
So now when we switch back to letting GitHub decide to invalidate on push that property will no longer work either.

@asvoboda
Copy link
Member

asvoboda commented Jul 7, 2023

More information from support:

We discovered that the Commit GraphQL object returns a PushedDate field. This field is calculated in a problematic way. We do not have a way to tie a commit back to a specific push, so we cannot reliably calculate the first time we see a commit and which push it belongs to.

Instead, this field attempts to do it by finding the first Push in the pushes table across all repositories that has an after SHA that matches the commit in question. This doesn't work if the commit is somewhere in the middle of a group of commits in a push. It's possible that the commit's SHA isn't ever a push's after SHA. It's also possible that we do find a push with the matching after SHA, but it's not the first time we saw the commit.

All this to say, the field is very unreliable, and not accurate.

This probably explains why policy-bot needs a significant amount of code to handle pushedDate unreliability in https://github.com/palantir/policy-bot/blob/develop/pull/github.go#L856-L875

@samandmoore
Copy link

Wow. Well this is quite unfortunate. It's especially weird because GitHub seems to support similar behavior with their "dismiss stale reviews" branch protection rule setting. It clearly dismisses reviews older than the latest pushed changes on a PR.

@lamebear
Copy link

lamebear commented Jul 7, 2023

Could policy bot be updated so that if:

  1. (github.PullRequestEvent).GetAction() == "synchronize", and
  2. github.PullRequestEvent.PullRequest.Head.SHA has changed

it invalidates on push?

@bluekeyes
Copy link
Member

Unfortunately, the way Policy Bot evaluation currently works requires being able to order commits and comments at any time, which means we can't easily switch to invalidating based on events without a larger refactor.

I do think that's how we'll have to fix this, but I'll have to think a bit about how to best do it. I think we'll have to store state somehow, but I'd really like to avoid introducing an external database. I think we can do something by looking at the times of previous statuses posted by Policy Bot, but I'm not clear on all the details yet.

@asvoboda asvoboda reopened this Jul 7, 2023
@asvoboda
Copy link
Member

asvoboda commented Jul 7, 2023

This should now be available as docker.io/palantirtechnologies/policy-bot:snapshot if anyone is interested in trying it out. I think we should leave this issue open to continue to track further improvements and attempt to correctly invalidate commits pushed after approvals.

From github support, it looks like this behaviour won't land in GHES until 3.11, which is at least one more major version away (likely in 2024 based on the timing of previous releases).

@asvoboda asvoboda added the bug Something isn't working label Jul 7, 2023
@agirlnamedsophia
Copy link
Contributor

@asvoboda this appears to resolve our issues! thank you.

@joseparajelesGL
Copy link
Author

Can confirm as well, latest snapshot version works!
Thank you so much @asvoboda

@zliu2-wish
Copy link

zliu2-wish commented Jul 7, 2023

Thanks @asvoboda!
Quick question - I have the below config option (following the sample setup) with the latest snapshot and am seeing this error:
failed to compute approval status: failed to list commits: Commit 0403ce40f4 does not have a pushed date. This is usually caused by delays in the GitHub API

I've removed all references to invalidate_on_push in the .policy.yml file. Am I missing something in the config?

options:
  # The path within repositories to find the policy.yml file
  policy_path: .policy.yml
  # The context for status checks created by the bot
  status_check_context: policy-bot
  # The name of the application as registered with GitHub
  app_name: policy-bot

  # As of 2023-07-01 the commit.pushedDate graphql field is removed from GitHub.
  # Setting this option effectively breaks all usage of the invalidate_on_push approval rule
  do_not_load_commit_pushed_date: true

@zliu2-wish
Copy link

zliu2-wish commented Jul 7, 2023

root@policy-bot-0ac779999e81f3372:~# docker container ls
CONTAINER ID        IMAGE                                      COMMAND                  CREATED             STATUS                 PORTS               NAMES
2847c13056ed        palantirtechnologies/policy-bot:snapshot   "bin/linux-amd64/pol…"   2 hours ago         Up 2 hours                                 docker_policy-bot
root@policy-bot-0ac779999e81f3372:/# docker image ls
REPOSITORY                        TAG                 IMAGE ID            CREATED             SIZE
palantirtechnologies/policy-bot   snapshot            4f2e6a7e0ca4        3 hours ago         36.6MB
palantirtechnologies/policy-bot   1.25.0              5d5e389db35d        14 months ago       16.9MB
root@policy-bot-0ac779999e81f3372:/# docker pull palantirtechnologies/policy-bot:snapshot
snapshot: Pulling from palantirtechnologies/policy-bot
Digest: sha256:4ebb3c982f8601aceaf78886f956ca95e04c0cf37d5a1dd0ec0a346b46049fe9
Status: Image is up to date for palantirtechnologies/policy-bot:snapshot

Will try to see if using the env variable option would help

@sawyerward
Copy link

@asvoboda It's working for us as well. Thank you.

@zliu2-wish
Copy link

zliu2-wish commented Jul 7, 2023

@asvoboda

Update: adding the env variable (POLICYBOT_OPTIONS_DO_NOT_LOAD_COMMIT_PUSHED_DATE: true) makes it work for the repo that had invalidate_on_push fully removed from .policy.yml

However, for repos with invalidate_on_push still present, am getting this error now:

failed to filter candidates: no commit contained a push date

Going to go through the repos and remove the references one by one

Much appreciated for the fix

@RyanDinglei
Copy link

works for me. Many thanks.

@gpadavala
Copy link

gpadavala commented Jul 10, 2023

i just tried the snapshot tag "palantirtechnologies/policy-bot:snapshot" with digest "sha256:5e14d46e0bf2ea178f11c6d0b9668131ac9644e88229b25ea68c13f7f087a68e"

I still have the same error

EDIT: seems will have to disable the invalidate_on_push, we have 100's of repositories, so not convenient to change them all though

@waynechowhk01
Copy link

Thank you @asvoboda. The patch and ENV work with invalidate_on_push disabled.
To skip the action for those repositories, I have forked and make a simple workaround removing the r.Options.InvalidateOnPush function PR
The image is available at https://hub.docker.com/r/waynechowhk01/policy-bot/tags . Feel free to use it with
docker pull waynechowhk01/policy-bot:snapshot

ChrisLovering added a commit to python-discord/kubernetes that referenced this issue Jul 11, 2023
This is to resolve an isue with policybot:latest using a field that was removed from Github's API.
See palantir/policy-bot#598 for reference
paulgessinger added a commit to paulgessinger/acts that referenced this issue Jul 24, 2023
@rallydan
Copy link

@bluekeyes, thanks for this fix (and the caching optimization in #612). Is there some testing or other development still pending, or would it be possible to get a release tag with these changes?

@bluekeyes
Copy link
Member

I'd like to run one more test pass against our internal staging environment to verify everything before release. I'm planning to do that today, so hopefully I can tag a release by the end of the day (PDT).

@bluekeyes
Copy link
Member

A permanent fix for this issue is now available in version 1.31.0. If you previously removed the invalidate_on_push option from your policy files, it should be safe to re-add them after upgrading to this version. While you can continue to the set the do_not_load_commit_pushed_date option, it's ignored by the server and has no effect.

If you encounter any issues with invalidate_on_push as a result of the new implementation, please file a new issue and we'll take a look.

klutchell added a commit to product-os/policy-bot that referenced this issue Jul 31, 2023
Resolves: palantir/policy-bot#598
Change-type: patch
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet