You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Don't pass secrets down, instead obtain directly from environment
Only expose secret on steps that need it (Nuke step)
Reason for change
We're moving AZURE_DEVOPS_TOKEN from being a repo secret to a protected environment secret. This does some of the associated cleanup.
Implementation details
Don't try to pass the secrets in to the worfklow. AFAICT, this technically wasn't working as we expected 😅 The "top level" create_normal_draft_release workflow was trying to access and pass in the variables, but as it wasn't running in an environment, this was passing an empty string. However, this didn't break anything, because {{ secrets.AZURE_DEVOPS_TOKEN }} was transparently accessing the environment secret anyway. So we can just stop trying to pass them in now.
create-system-test-docker-base-images.yml needs to be in the "release" env, because it needs the azure devops token to grab the build results from CI (avoiding rate limits)
Additionally, I duplicated the repo-secret AZURE_DEVOPS_TOKEN into the existing publish-debug-symbols-env environment, so when we merge this, everything should "just work".
Finally, we can make the publish-debug-symbols-env, "protected" so it only runs on release branches.
Test coverage
Nope, we can't really test any of this 🙁 Hence why I want to babysit it the first time 😅
Other details
I'd like to change publish-debug-symbols-env to be called release-env (or something similar), but that means changing a whole bunch of sts token stuff, across multiple repos, and it doesn't seem worth the hassle 😅
Found 0 performance improvements and 1 performance regressions! Performance is the same for 71 metrics, 0 unstable metrics, 63 known flaky benchmarks, 63 flaky benchmarks without significant changes.
Explanation
This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:
🟩 = significantly better candidate vs. baseline
🟥 = significantly worse candidate vs. baseline
We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.
If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.
Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.
More details about the CI and significant changes
You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.
CIs of the difference of means are often centered around 0%, because often changes are not that big:
---------------------------------(------|---^--------)-------------------------------->
-0.6% 0% 0.3% +1.2%
| | |
lower bound of the CI --' | |
sample mean (center of the CI) -------------' |
upper bound of the CI ----------------------'
As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).
For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:
----------------------------------------|---------|---(---------^---------)---------->
0% 1% 1.3% 2.2% 3.1%
| | | |
significant impact threshold --------------' | | |
lower bound of CI --------------' | |
sample mean (center of the CI) --------------------------' |
upper bound of CI ----------------------------------'
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary of changes
Reason for change
We're moving
AZURE_DEVOPS_TOKENfrom being a repo secret to a protected environment secret. This does some of the associated cleanup.Implementation details
create_normal_draft_releaseworkflow was trying to access and pass in the variables, but as it wasn't running in anenvironment, this was passing an empty string. However, this didn't break anything, because{{ secrets.AZURE_DEVOPS_TOKEN }}was transparently accessing the environment secret anyway. So we can just stop trying to pass them in now.create-system-test-docker-base-images.ymlneeds to be in the "release" env, because it needs the azure devops token to grab the build results from CI (avoiding rate limits)Additionally, I duplicated the repo-secret
AZURE_DEVOPS_TOKENinto the existingpublish-debug-symbols-envenvironment, so when we merge this, everything should "just work".Finally, we can make the
publish-debug-symbols-env, "protected" so it only runs on release branches.Test coverage
Nope, we can't really test any of this 🙁 Hence why I want to babysit it the first time 😅
Other details
I'd like to change
publish-debug-symbols-envto be calledrelease-env(or something similar), but that means changing a whole bunch ofststoken stuff, across multiple repos, and it doesn't seem worth the hassle 😅