Fix SIGPIPE false negative in Backport Release workflow validation#14041
Conversation
54ee580 to
5e1a3f8
Compare
📝 WalkthroughWalkthroughThis PR updates the backport release workflow’s ancestry validation to capture 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Warning Review ran into problems🔥 ProblemsGit: Failed to clone repository. Please run the Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/backport_release.yaml:
- Around line 122-126: The current check uses git merge-base --is-ancestor which
only enforces DAG ancestry and can wrongly allow cases where ${LATEST_TAG_SHA}
is a non-first-parent ancestor; replace that check with an explicit first-parent
containment test by checking membership of ${LATEST_TAG_SHA} in the first-parent
history of ${source_sha} (e.g., run git rev-list --first-parent "${source_sha}"
and test that ${LATEST_TAG_SHA} appears), and use a SIGPIPE-safe test (grep -F
-x -q or equivalent) so the workflow truly enforces "tag is on the first-parent
chain" before proceeding.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 6623bd1b-2320-47e8-8f0a-7fd340f57077
📒 Files selected for processing (1)
.github/workflows/backport_release.yaml
There was a problem hiding this comment.
♻️ Duplicate comments (1)
.github/workflows/backport_release.yaml (1)
113-119:⚠️ Potential issue | 🟡 Minor | ⚖️ Poor tradeoffMisleading comment: the checks do not fully enforce first-parent containment.
The comment claims the two checks together enforce "tag is on the first-parent chain", but
git merge-base --is-ancestoronly checks DAG ancestry, not first-parent membership specifically. There exist edge cases where both checks pass despite the tag being a non-first-parent ancestor (e.g., the tag is the second parent of a commit on the first-parent chain, and the commits added afterward form a linear chain).The past review comment on lines 122-126 correctly identified this issue and provided a SIGPIPE-safe alternative that maintains the first-parent guarantee by explicitly checking membership via
grepon the captured first-parent history.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/backport_release.yaml around lines 113 - 119, The comment is incorrect: git merge-base --is-ancestor only checks DAG ancestry, not first-parent chain membership. Replace the current git merge-base --is-ancestor check (which compares "${LATEST_TAG_SHA}" and "${source_sha}") with a first-parent membership test that enumerates the first-parent history of "${source_sha}" (using git rev-list --first-parent) and then verifies "${LATEST_TAG_SHA}" appears in that list (use a SIGPIPE-safe check such as capturing the rev-list output into a variable and testing it with grep -Fxq or grep via a here-string) so the workflow truly enforces "tag is on the first-parent chain."
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In @.github/workflows/backport_release.yaml:
- Around line 113-119: The comment is incorrect: git merge-base --is-ancestor
only checks DAG ancestry, not first-parent chain membership. Replace the current
git merge-base --is-ancestor check (which compares "${LATEST_TAG_SHA}" and
"${source_sha}") with a first-parent membership test that enumerates the
first-parent history of "${source_sha}" (using git rev-list --first-parent) and
then verifies "${LATEST_TAG_SHA}" appears in that list (use a SIGPIPE-safe check
such as capturing the rev-list output into a variable and testing it with grep
-Fxq or grep via a here-string) so the workflow truly enforces "tag is on the
first-parent chain."
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: bbf21dd2-1982-4ddb-8376-60f9ba5a8480
📒 Files selected for processing (1)
.github/workflows/backport_release.yaml
The `grep -qx` consumer exits on first match and closes the pipe, causing the upstream `git rev-list --first-parent` (which streams thousands of SHAs) to receive SIGPIPE and exit 141. Under `set -o pipefail`, that 141 becomes the pipeline's exit code, making the check report `not found` even when the tag SHA is present in the first-parent chain. Fix by capturing rev-list output into a variable and grepping against a here-string. This preserves the original first-parent-membership semantics (unlike `git merge-base --is-ancestor`, which would only check DAG ancestry) and has no live pipe between producer and consumer, so SIGPIPE cannot occur. Amp-Thread-ID: https://ampcode.com/threads/T-019e4c8d-8a7c-7388-a025-88c474d155e3 Co-authored-by: Amp <amp@ampcode.com>
5e1a3f8 to
109f1fb
Compare
The "Validate source branch is cut directly from the latest stable release" step in the Backport Release workflow fails with a spurious
not founderror even when the source branch is correctly cut from the latest stable tag. This blocked the first attempted run: https://github.com/Comfy-Org/ComfyUI/actions/runs/26257815677Root cause
The check uses:
�ash set -euo pipefail ... if ! git rev-list --first-parent "${source_sha}" \ | grep -qx "${LATEST_TAG_SHA}"; thenOn a real ComfyUI branch
git rev-list --first-parentstreams ~10k SHAs (~400 KB) — well beyond the 64 KB pipe buffer.grep -qfinds the match on roughly line 4 and exits immediately, closing the read end of the pipe.git rev-listthen receivesSIGPIPEon its next write and exits 141. Withpipefail, the pipeline's exit code becomes 141 (the leftmost non-zero), soif !interprets the result as "no match" and emits the error — even though the SHA was actually found.Fix
Capture the first-parent rev-list output into a variable, then
grepagainst a here-string:�ash first_parent_chain="$(git rev-list --first-parent "${source_sha}")" if ! grep -Fxq "${LATEST_TAG_SHA}" <<< "${first_parent_chain}"; then ... fiWhy this form:
git rev-listruns to completion (its output is buffered into the shell variable) beforegrepever sees the data, so SIGPIPE cannot occur regardless ofpipefail.LATEST_TAG_SHAis on the first-parent chain of the source branch, not merely a DAG-ancestor. (An earlier revision of this PR usedgit merge-base --is-ancestor, but that only checks DAG ancestry and would accept the edge case whereLATEST_TAG_SHAis the second parent of a merge commit on the branch.)The follow-up
all_addedvsfirst_parent_addedcheck is unchanged. Both of itsrev-list | sortpipelines are already SIGPIPE-safe becausesortdrains stdin to EOF.