Improve reporting of errors & efficiency of pr-size-labeler

[mhucka]

Errors in the invocation of curl were not being reported. Changes:

• size-labeler.sh: Added -f flag to curl, added return status checking, and added printing the response body in case of errors.
• pr-labeler.yaml: Removed token option in workflow_dispatch and added a trace option. The token turns out to be never (or rarely) needed, and the shell tracing is useful for debugging.

In addition, since the only file needed from the repository is the size-labeler.sh script, this also makes the git checkout in pr-labeler.yaml be sparse.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.66%. Comparing base (4fa82fb) to head (0b6c8a5).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7288   +/-   ##
=======================================
  Coverage   98.66%   98.66%           
=======================================
  Files        1106     1106           
  Lines       96186    96186           
=======================================
  Hits        94906    94906           
  Misses       1280     1280           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[pavoljuhas]

I think it is better if we use --fail-with-body so we get to see the error response from the server. There were quite a few places in the original script which masked failure status from api_call so I rewrote them in a way which should hopefully cause early exit.

Also, any error messages from api_call need to go to stderr, because stdout is captured by callers.

PTAL at my take on this, it can be reviewed commit-by-commit.

[pavoljuhas]

is this used anywhere? If not please delete.

[mhucka]

Yes, it is. The environment variable is recognized by Bash: https://www.gnu.org/software/bash/manual/html_node/Bash-Variables.html#index-SHELLOPTS

Here what's happening is that when the Boolean trace is set by using workflow_dispatch, it causes SHELLOPTS to get the value xtrace. That's the same as using set -x: https://www.gnu.org/software/bash/manual/bash.html#index-set. Since the environment variable is set at the job level, all invocations get the SHELLOPTS value. The result is that all the Bash scripts and commands in the workflow get the equivalent of set -x, and thus output a trace of their steps. This is useful for debugging.

The beauty of this approach is that it doesn't require modifying any of the run: commands to add set -x, and it can be turned on and off at run time.

[pavoljuhas]

Looks like we get some diagnostics - yay!
https://github.com/quantumlib/Cirq/actions/runs/14654500719/job/41127085113#step:3:18

[pavoljuhas]

The pipe here masks the exit status from size-labeler.sh.
Please either add set -o pipefail before or just take out the |& tee action.out and
change line 79 to something like "see the output above".

PS: Or consider deleting the Detect and report errors... step altogether.

[mhucka]

Please either add set -o pipefail before

I don't believe that's necessary; according to https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defaultsrunshell the default Bash invocation used by GitHub runners is

bash --noprofile --norc -eo pipefail {0}

[pavoljuhas]

I don't believe that's necessary; ...

I can't see any other reason why would labeler workflow report success at https://github.com/quantumlib/Cirq/actions/runs/14654500719/job/41127085113. The script terminated at the api_call line below and per job output it did not get to the next info "Added label..." line.

Cirq/dev_tools/ci/size-labeler.sh

Lines 217 to 220 in 747fd6a

	if [[ "${correctly_labeled}" != true ]]; then
	api_call "issues/$PR_NUMBER/labels" -X POST -d "{\"labels\":[\"${size_label}\"]}" >/dev/null
	info "Added label '${size_label}'"
	fi

On a second look, the shell command is actually listed as /usr/bin/bash -e {0}, which is one of the possibilities in your link. Regardless of that, the final step just repeats the size-labeler.sh output and is not really necessary. The output of this workflow is not important to contributors and is not worth the extra complexity and space for bugs like we get here.

Please consider taking it out and just have a simple execution of size-labeler.sh.

PS: if size-labeler remains flaky, we should intentionally let it report success, e.g.,

run: ./dev_tools/ci/size-labeler.sh || true

so that contributors are not confused by CI failure that has nothing to do with their work.

[mhucka]

/usr/bin/bash -e {0}

You're right! And now reading the GitHub docs, I think I understand what's happening: it seems that if there is no shell: property, it defaults to this, whereas shell: bash evidently makes it use the arguments that I thought it was using. (Why is it that way? I don't understand what the point of that is.)

Anyway, I'll change it as you propose.

[mhucka]

Looks like we get some diagnostics - yay! quantumlib/Cirq/actions/runs/14654500719/job/41127085113#step:3:18

Oh, argh. It looks like it needs a PAT after all.

I'll change the token it uses in the next commmit.

[pavoljuhas]

Please take out the last step that is obscuring exit status from labeler script. Otherwise LGTM.

[pavoljuhas]

Also, w/r to workflow permissions, we should change event type to pull_request_target and go back to stock GITHUB_TOKEN. Its docs in fact state

... This event allows your workflow to do things like label or comment on pull requests from forks. ...

Also the workflow will then run with the main branch sources which is certainly safer than hoping a PR does not introduce some mischievous actions such as exposing PAT.

[mhucka]

Also, w/r to workflow permissions, we should change event type to pull_request_target and go back to stock GITHUB_TOKEN. Its docs in fact state

... This event allows your workflow to do things like label or comment on pull requests from forks. ...

Also the workflow will then run with the main branch sources which is certainly safer than hoping a PR does not introduce some mischievous actions such as exposing PAT.

Using a pull_request_target was a bit controversial the last time, so I avoided it, but I agree this seems safe. New commit puts it back.