ci(integration): install app via git of the PR's exact head SHA #7
Merged
Concern (raised on the previous integration.yml):

> docker exec --user www-data nc php occ app:enable interfonts
>
> This will install the last official release, not the code being
> tested. App should be installed using git so it pulls the exact
> pull request being tested — otherwise what's the point?

Why the previous flow was technically correct but obscured intent
-----------------------------------------------------------------

`occ app:enable interfonts` does NOT download anything; it just enables whatever's on disk under custom_apps/interfonts/. The previous flow `docker cp /tmp/app/interfonts ...` did put the PR's files there (built from actions/checkout's runner-side tree), so the PR's code WAS what got loaded. Verified locally: nextcloud:32-apache ships only `contactsinteraction` under apps/, no interfonts — so nothing else could have shadowed the install.

That said, the workflow read like an App Store install. A reader shouldn't need to know NC internals to be confident the PR's code is exercised.

This change

- Replaces `docker cp` of the runner's tree with `git clone` of this repo + `git checkout` of the PR's exact head SHA inside the container — installation provenance is now self-evident
- Resolves the head SHA from `github.event.pull_request.head.sha` on PR events, falling back to `github.sha` on push events
- Resolves the clone URL from `github.event.pull_request.head.repo.clone_url` for fork PRs, falling back to the base repo URL for same-repo PRs (e.g. Dependabot) and pushes
- apt-get-installs `git` + `ca-certificates` inside the NC image before cloning (Debian-based, neither is preinstalled)
- Uses `--filter=blob:none --depth 1` for a fast partial fetch (~1-2 s vs full clone)
- Stages the cloned tree into custom_apps/interfonts using the SAME release-tarball allowlist already used by release-publish.yml and the tarball-dry-run job — three places to keep in sync
- Adds a hard assertion that the version `occ app:list` reports matches the version in the PR's `appinfo/info.xml`. Anything shadowing the install (a baked-in App Store version, a stale custom_apps copy from a previous run, etc.) would diverge here and the job fails loudly with `::error::version mismatch`
- Drops the now-redundant "Build the release-shape app directory" step (the staging happens inline in the install step now)

Validated locally on nextcloud:32-apache against origin/main's HEAD: clone takes ~1 s, install takes ~5 s, version assertion matches (2.1.1 = 2.1.1), stylesheet smoke test returns 200.

Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
Summary

Replaces the `docker cp` install flow in `integration.yml` with `git clone` + `git checkout` of the PR's exact head SHA inside the Nextcloud container, plus a version-match assertion as proof.

Why

`occ app:enable interfonts` doesn't download anything — it only enables what's on disk under `custom_apps/interfonts/`. The previous `docker cp` flow was installing the PR's code (from `actions/checkout`'s runner tree), and `nextcloud:32-apache` doesn't ship `interfonts` (verified — only `contactsinteraction` is there), so nothing was actually shadowing the install.

But the workflow read like an App Store install. The intent is now self-evident: clone the repo, check out the PR's head SHA, install. No interpretation needed.

What changed in .github/workflows/integration.yml

- `/tmp/app/interfonts` from runner's checkout via `cp -r`
- `docker cp /tmp/app/interfonts nc:/var/www/html/custom_apps/...`
- `git clone --filter=blob:none` + `git fetch --depth 1 origin <PR head SHA>` + `git checkout FETCH_HEAD` inside the container
- `app:list`-reported version must equal `appinfo/info.xml`-declared version, else `::error::version mismatch`
- `app:enable` log line
- `app:enable` log line + `git log -1` printout of the commit's SHA + subject + author

The cloned tree is staged into `custom_apps/interfonts/` using the same release-tarball allowlist that `release-publish.yml` ships and `tarball-dry-run` validates. Three places to keep in sync; if they ever drift, integration is testing something different from what we ship.

Ref + URL resolution

| | `REF` | `CLONE_URL` |
|---|---|---|
| `pull_request` (same repo) | `github.event.pull_request.head.sha` | `github.event.pull_request.head.repo.clone_url` (≡ base repo) |
| `pull_request` (fork) | `github.event.pull_request.head.sha` | `github.event.pull_request.head.repo.clone_url` (the fork) |
| `push` | `github.sha` | `https://github.com/${{ github.repository }}.git` |
| `workflow_dispatch` | `github.sha` (current ref's HEAD) | |

Bash null-coalescing: `${HEAD_REPO_URL:-https://github.com/${REPO}.git}`.

Local validation (PR-style end-to-end)

- `nextcloud:32-apache` cold boot
- `apt-get install git ca-certificates` in container
- `git clone --filter=blob:none` + `fetch --depth 1` SHA + checkout
- `custom_apps/` + `chown` + `app:enable interfonts`
- `2.1.1` vs PR `2.1.1`

Test plan

- `Nextcloud 32 smoke test` and `Nextcloud 33 smoke test` jobs run the new git-based install and the version-match assertion against this PR's head SHA)
- `--- commit under test ---` block with this PR's SHA + commit message
- `Installed version : <X> Expected (PR) : <X>` with matching versions
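The ref/URL resolution and the version-match assertion described above, sketched as an added example (this is not the PR's workflow code). The helper names, the `PR_HEAD_SHA` and `GITHUB_SHA` variable names, the 40-hex SHA check, the `github.com` fallback host and the sample `occ app:list` listing are assumptions constructed for illustration.

```bash
# Added example. Helper names, PR_HEAD_SHA/GITHUB_SHA variable names, the
# github.com fallback host and all sample data below are assumptions.

# PR head SHA on pull_request events, else the pushed SHA. Only a full
# 40-hex commit id is accepted, so a branch or tag name cannot stand in.
resolve_ref() {
  local ref="${PR_HEAD_SHA:-${GITHUB_SHA:-}}"
  case "$ref" in
    ''|*[!0-9a-f]*) echo "::error::not a commit SHA: '$ref'" >&2; return 1 ;;
  esac
  [ "${#ref}" -eq 40 ] || { echo "::error::not a full SHA: '$ref'" >&2; return 1; }
  printf '%s\n' "$ref"
}

# Fork PRs clone the fork; same-repo PRs and pushes use the base repo.
resolve_clone_url() {
  printf '%s\n' "${HEAD_REPO_URL:-https://github.com/${REPO}.git}"
}

# <version> declared in the info.xml at path $1.
declared_version() {
  sed -n 's:.*<version>\([^<]*\)</version>.*:\1:p' "$1" | head -n 1
}

# Version that an `occ app:list` listing on stdin reports for app id $1.
installed_version() {
  sed -n "s/^ *- $1: *\([^ ]*\).*/\1/p" | head -n 1
}

# $1 = app id, $2 = info.xml path, stdin = `occ app:list` output.
assert_version_match() {
  local installed expected
  installed="$(installed_version "$1")"
  expected="$(declared_version "$2")"
  echo "Installed version : ${installed:-none}"
  echo "Expected (PR)     : ${expected:-none}"
  if [ -z "$expected" ] || [ "$installed" != "$expected" ]; then
    echo "::error::version mismatch" >&2
    return 1
  fi
}

# Constructed sample inputs (not captured from a real run).
SAMPLE_LIST='Enabled:
  - files: 2.4.0
  - interfonts: 2.1.1'
SAMPLE_XML="$(mktemp)"
printf '<info>\n <id>interfonts</id>\n <version>2.1.1</version>\n</info>\n' > "$SAMPLE_XML"
printf '%s\n' "$SAMPLE_LIST" | assert_version_match interfonts "$SAMPLE_XML"
```

Reading the event values from environment variables, as the `${HEAD_REPO_URL:-...}` fallback implies, keeps a fork-controlled clone URL out of the script text itself.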