From 9dd7ef341b7f9280c070c4deec7171f5a14e2547 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Thu, 27 Jul 2023 13:25:30 -0400 Subject: [PATCH 1/4] build_test command --- .github/workflows/ci-build-image.yml | 6 +- .github/workflows/ci-code-analysis.yml | 6 +- .github/workflows/pr-ci.yml | 169 +++++++++++++++++++------ 3 files changed, 129 insertions(+), 52 deletions(-) diff --git a/.github/workflows/ci-build-image.yml b/.github/workflows/ci-build-image.yml index 57758b1c17..e6ebea155a 100644 --- a/.github/workflows/ci-build-image.yml +++ b/.github/workflows/ci-build-image.yml @@ -18,10 +18,6 @@ on: image-version: description: the Cryostat application version that will be built value: ${{ jobs.get-pom-properties.outputs.image-version }} - secrets: - GH_PKGS_READ_TOKEN: - required: true - description: read-only token for pulling artifacts from GitHub Packages jobs: get-pom-properties: @@ -73,7 +69,7 @@ jobs: - run: git submodule update --remote - run: mvn -B -U -Dbuild.arch=${{ inputs.build-arch }} clean package env: - GITHUB_TOKEN_REF: ${{ secrets.GH_PKGS_READ_TOKEN }} + GITHUB_TOKEN_REF: ${{ secrets.GITHUB_TOKEN }} - name: Save cryostat image run: podman save -o cryostat-${{ inputs.build-arch }}.tar --format oci-archive quay.io/cryostat/cryostat - uses: actions/upload-artifact@v3 diff --git a/.github/workflows/ci-code-analysis.yml b/.github/workflows/ci-code-analysis.yml index b3ae6d6d3a..04b3549506 100644 --- a/.github/workflows/ci-code-analysis.yml +++ b/.github/workflows/ci-code-analysis.yml @@ -7,10 +7,6 @@ on: checkout-ref: required: false type: string - secrets: - GH_PKGS_READ_TOKEN: - required: true - description: read-only token for pulling artifacts from GitHub Packages jobs: spotless: @@ -47,7 +43,7 @@ jobs: - name: Run spotbugs run: mvn -B -U -Dheadless=true compile spotbugs:check env: - GITHUB_TOKEN_REF: ${{ secrets.GH_PKGS_READ_TOKEN }} + GITHUB_TOKEN_REF: ${{ secrets.GITHUB_TOKEN }} shellcheck: runs-on: ubuntu-latest 
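Review bot: In the second ci-build-image.yml hunk, `GITHUB_TOKEN_REF: ${{ secrets.GITHUB_TOKEN }}` puts the workflow's own token into the environment of `mvn ... clean package`, and the `Run spotbugs` step in ci-code-analysis.yml gets the same substitution. pr-ci.yml calls both workflows with the pull request's head repository and ref, so if they check that ref out (the checkout steps are outside these hunks), the build plugins and tests of an unmerged branch run with this token. The removed `GH_PKGS_READ_TOKEN` was declared read-only, while GITHUB_TOKEN carries whatever the calling job is granted, and no `permissions:` key is visible for these jobs. I would pin the grant in the caller, e.g. `permissions:` with `contents: read` and `packages: read` on the `code-analysis` and `build-and-test` jobs, and add a comment above the `env:` entry such as `# token is visible to PR-supplied build code; keep caller permissions read-only`.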
diff --git a/.github/workflows/pr-ci.yml b/.github/workflows/pr-ci.yml index 06c6ea87ca..d94f1a9e30 100644 --- a/.github/workflows/pr-ci.yml +++ b/.github/workflows/pr-ci.yml 
@@ -1,85 +1,170 @@ name: CI build and push (PR) concurrency: - group: pr-${{ github.event.number }} + group: ci-${{ github.run_id }} cancel-in-progress: true on: - pull_request_target: + issue_comment: types: - - opened - - reopened - - synchronize - - labeled - - unlabeled - branches: - - main - - v[0-9]+ - - v[0-9]+.[0-9]+ - - cryostat-v[0-9]+.[0-9]+ + - created jobs: + check-before-build: + runs-on: ubuntu-latest + if: github.repository_owner == 'cryostatio' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/build_test') + steps: + - name: Fail if needs-triage label applied + if: ${{ contains(github.event.issue.labels.*.name, 'needs-triage') }} + run: exit 1 + - name: Show warning if permission is denied + if: | + !(github.event.comment.author_association == 'MEMBER' || + github.event.comment.author_association == 'OWNER') + && !contains(github.event.issue.labels.*.name, 'safe-to-test') + uses: thollander/actions-comment-pull-request@v2 + with: + message: |- + You do not have permission to run the /build_test command. Please ask Cryostat @reviewers + to resolve the issue. + - name: Fail if command permission is not allowed + if: | + !(github.event.comment.author_association == 'MEMBER' || + github.event.comment.author_association == 'OWNER') + && !contains(github.event.issue.labels.*.name, 'safe-to-test') + run: exit 1 + - name: Show warning if safe-to-test applied and permission denied + if: | + !(github.event.comment.author_association == 'MEMBER' || + github.event.comment.author_association == 'OWNER' || + github.event.issue.user.name == github.event.comment.user.name) + uses: thollander/actions-comment-pull-request@v2 + with: + message: |- + You do not have permission to run the /build_test command. Please ask Cryostat @reviewers + to resolve the issue. 
+ - name: Fail if safe-to-test applied and command permission is not allowed + if: | + !(github.event.comment.author_association == 'MEMBER' || + github.event.comment.author_association == 'OWNER' || + github.event.issue.user.name == github.event.comment.user.name) + run: exit 1 + - name: React to comment + uses: actions/github-script@v4 + with: + script: | + const {owner, repo} = context.issue + github.reactions.createForIssueComment({ + owner, + repo, + comment_id: context.payload.comment.id, + content: "+1", + }); + + checkout-branch: + runs-on: ubuntu-latest + needs: [check-before-build] + permissions: + contents: read + issues: read + pull-requests: read + outputs: + PR_head_ref: ${{ fromJSON(steps.comment-branch.outputs.result).ref }} + PR_head_sha: ${{ fromJSON(steps.comment-branch.outputs.result).sha }} + PR_repo: ${{ fromJSON(steps.comment-branch.outputs.result).repo.full_name }} + steps: + - uses: actions/github-script@v4 + id: comment-branch + with: + script: | + const result = await github.pulls.get ({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: context.issue.number + }) + return result.data.head + code-analysis: + needs: [checkout-branch] uses: ./.github/workflows/ci-code-analysis.yml with: - checkout-repo: ${{ github.event.pull_request.head.repo.full_name }} - checkout-ref: ${{ github.event.pull_request.head.ref }} - secrets: inherit - if: github.repository_owner == 'cryostatio' && contains(github.event.pull_request.labels.*.name, 'safe-to-test') - + checkout-repo: ${{ needs.checkout-branch.outputs.PR_repo }} + checkout-ref: ${{ needs.checkout-branch.outputs.PR_head_ref }} + build-and-test: + needs: [code-analysis, checkout-branch] strategy: matrix: arch: [amd64, arm64] uses: ./.github/workflows/ci-build-image.yml with: build-arch: ${{ matrix.arch }} - checkout-repo: ${{ github.event.pull_request.head.repo.full_name }} - checkout-ref: ${{ github.event.pull_request.head.ref }} + checkout-repo: ${{ 
needs.checkout-branch.outputs.PR_repo }} + checkout-ref: ${{ needs.checkout-branch.outputs.PR_head_ref }} skip-itests: ${{ matrix.arch != 'amd64' }} - secrets: inherit - if: github.repository_owner == 'cryostatio' && contains(github.event.pull_request.labels.*.name, 'safe-to-test') push-to-ghcr: runs-on: ubuntu-latest strategy: matrix: arch: [amd64, arm64] - needs: [code-analysis, build-and-test] - if: always() && github.repository_owner == 'cryostatio' + outputs: + amd64_image: ${{ steps.amd64_image.outputs.image }} + arm64_image: ${{ steps.arm64_image.outputs.image }} + needs: [build-and-test, checkout-branch] + env: + head_sha: ${{ needs.checkout-branch.outputs.PR_head_sha}} steps: - - name: Fail if needs-triage label applied - if: ${{ contains(github.event.pull_request.labels.*.name, 'needs-triage') }} - run: exit 1 - - name: Fail if safe-to-test label NOT applied - if: ${{ !contains(github.event.pull_request.labels.*.name, 'safe-to-test') }} - run: exit 1 - uses: actions/download-artifact@v3 with: name: cryostat-${{ matrix.arch }} - if: github.repository_owner == 'cryostatio' - name: Load cryostat image run: podman load -i cryostat-${{ matrix.arch }}.tar - if: github.repository_owner == 'cryostatio' - name: Tag cryostat image - run: podman tag cryostat ghcr.io/${{ github.repository_owner }}/cryostat:pr-${{ github.event.number }}-${{ github.event.pull_request.head.sha }}-linux-${{ matrix.arch }} - if: github.repository_owner == 'cryostatio' + run: podman tag cryostat ghcr.io/${{ github.repository_owner }}/cryostat:pr-${{ github.event.number }}-${{ env.head_sha }}-linux-${{ matrix.arch }} - name: Push PR test image to ghcr.io id: push-to-ghcr uses: redhat-actions/push-to-registry@v2 with: image: cryostat - tags: pr-${{ github.event.number }}-${{ github.event.pull_request.head.sha }}-linux-${{ matrix.arch }} + tags: pr-${{ github.event.number }}-${{ env.head_sha }}-linux-${{ matrix.arch }} registry: ghcr.io/${{ github.repository_owner }} - username: ${{ 
github.event.pull_request.user.login }} - password: ${{ secrets.GHCR_PR_TOKEN }} - if: github.repository_owner == 'cryostatio' - - name: Comment test image link - uses: thollander/actions-comment-pull-request@v1 + username: ${{ github.event.comment.user.login }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Store images as output amd64 + if: ${{ matrix.arch == 'amd64' }} + id: amd64_image + run: echo "image=${{ steps.push-to-ghcr.outputs.registry-path }}" >> "$GITHUB_OUTPUT" + - name: Store images as output + if: ${{ matrix.arch == 'arm64' }} + id: arm64_image + run: echo "image=${{ steps.push-to-ghcr.outputs.registry-path }}" >> "$GITHUB_OUTPUT" + + comment-image: + runs-on: ubuntu-latest + needs: [push-to-ghcr] + env: + amd64_image: ${{ needs.push-to-ghcr.outputs.amd64_image }} + arm64_image: ${{ needs.push-to-ghcr.outputs.arm64_image }} + steps: + - name: Create markdown table + id: md-table + uses: petems/csv-to-md-table-action@v3.0.0 + with: + csvinput: | + ARCH, IMAGE + AMD64, ${{ env.amd64_image }} + ARM64, ${{ env.arm64_image }} + - uses: thollander/actions-comment-pull-request@v2 with: message: |- - Test image available: + ${{ steps.md-table.outputs.markdown-table }} + + To run smoketest: ``` - $ CRYOSTAT_IMAGE=${{ steps.push-to-ghcr.outputs.registry-path }} sh smoketest.sh + # amd64 + CRYOSTAT_IMAGE=${{ amd64_image }} sh smoketest.sh + + # or arm64 + CRYOSTAT_IMAGE=${{ arm64_image }} sh smoketest.sh ``` - if: github.repository_owner == 'cryostatio' From d6b4db1a3bb667d30d4dd32235de974fb4c617d3 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Tue, 22 Aug 2023 09:03:50 -0400 Subject: [PATCH 2/4] updates --- .github/workflows/pr-ci.yml | 34 ++++++++-------------------------- 1 file changed, 8 insertions(+), 26 deletions(-) diff --git a/.github/workflows/pr-ci.yml b/.github/workflows/pr-ci.yml index d94f1a9e30..3690141479 100644 --- a/.github/workflows/pr-ci.yml +++ b/.github/workflows/pr-ci.yml 
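Review bot: In the pr-ci.yml hunk of PATCH 1/4, `checkout-ref` in `code-analysis` and `build-and-test` is set to the branch name `PR_head_ref` rather than the `PR_head_sha` that `checkout-branch` resolved. Commits pushed to the branch after the `/build_test` comment, or after `safe-to-test` was applied, are therefore what get built, while the image tag still carries `head_sha`. Passing the commit instead, `checkout-ref: ${{ needs.checkout-branch.outputs.PR_head_sha }}`, ties the build to the revision that was approved, assuming the reusable workflows hand `checkout-ref` to their checkout step. Separately, the `Tag cryostat image` and `Push PR test image to ghcr.io` steps still read `github.event.number`, which an `issue_comment` payload does not carry as far as I know; `github.event.issue.number` would keep the `pr-<number>-` prefix intact. The third-party actions added here (`thollander/actions-comment-pull-request@v2`, `petems/csv-to-md-table-action@v3.0.0`) are referenced by tag in jobs with no `permissions:` block, so pinning them to a commit SHA and adding job-level permissions would narrow what a changed tag could reach.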
@@ -19,35 +19,17 @@ jobs: run: exit 1 - name: Show warning if permission is denied if: | - !(github.event.comment.author_association == 'MEMBER' || - github.event.comment.author_association == 'OWNER') - && !contains(github.event.issue.labels.*.name, 'safe-to-test') + !(github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER') + && (!contains(github.event.issue.labels.*.name, 'safe-to-test') || github.event.issue.user.name != github.event.comment.user.name) uses: thollander/actions-comment-pull-request@v2 with: message: |- You do not have permission to run the /build_test command. Please ask Cryostat @reviewers to resolve the issue. - - name: Fail if command permission is not allowed + - name: Fail if command permission is denied if: | - !(github.event.comment.author_association == 'MEMBER' || - github.event.comment.author_association == 'OWNER') - && !contains(github.event.issue.labels.*.name, 'safe-to-test') - run: exit 1 - - name: Show warning if safe-to-test applied and permission denied - if: | - !(github.event.comment.author_association == 'MEMBER' || - github.event.comment.author_association == 'OWNER' || - github.event.issue.user.name == github.event.comment.user.name) - uses: thollander/actions-comment-pull-request@v2 - with: - message: |- - You do not have permission to run the /build_test command. Please ask Cryostat @reviewers - to resolve the issue. 
- - name: Fail if safe-to-test applied and command permission is not allowed - if: | - !(github.event.comment.author_association == 'MEMBER' || - github.event.comment.author_association == 'OWNER' || - github.event.issue.user.name == github.event.comment.user.name) + !(github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER') + && (!contains(github.event.issue.labels.*.name, 'safe-to-test') || github.event.issue.user.name != github.event.comment.user.name) run: exit 1 - name: React to comment uses: actions/github-script@v4 @@ -113,7 +95,7 @@ jobs: arm64_image: ${{ steps.arm64_image.outputs.image }} needs: [build-and-test, checkout-branch] env: - head_sha: ${{ needs.checkout-branch.outputs.PR_head_sha}} + head_sha: ${{ needs.checkout-branch.outputs.PR_head_sha }} steps: - uses: actions/download-artifact@v3 with: @@ -153,8 +135,8 @@ jobs: with: csvinput: | ARCH, IMAGE - AMD64, ${{ env.amd64_image }} - ARM64, ${{ env.arm64_image }} + amd64, ${{ env.amd64_image }} + arm64, ${{ env.arm64_image }} - uses: thollander/actions-comment-pull-request@v2 with: message: |- From 940e98bfb25b328fadfe337aee52bfdd05206954 Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Wed, 23 Aug 2023 10:01:36 -0400 Subject: [PATCH 3/4] correct cryostat reviewers --- .github/workflows/pr-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr-ci.yml b/.github/workflows/pr-ci.yml index 3690141479..74c61f4b20 100644 --- a/.github/workflows/pr-ci.yml +++ b/.github/workflows/pr-ci.yml @@ -24,7 +24,7 @@ jobs: uses: thollander/actions-comment-pull-request@v2 with: message: |- - You do not have permission to run the /build_test command. Please ask Cryostat @reviewers + You do not have permission to run the /build_test command. Please ask @cryostatio/reviewers to resolve the issue. - name: Fail if command permission is denied if: | From 6232387c16bde09877804e48ca6ade92f33c47c5 Mon Sep 17 00:00:00 2001 
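Review bot: In the first hunk of PATCH 2/4, the merged condition compares `github.event.issue.user.name` with `github.event.comment.user.name`, but the user objects in an `issue_comment` payload are identified by `login`. As far as I know `name` is not populated there, so both sides evaluate to empty and the `!=` is never true. The check then reduces to the `safe-to-test` label alone for anyone who is not MEMBER or OWNER, so a comment from someone other than the PR author is not denied. Use `github.event.issue.user.login != github.event.comment.user.login` in both the `Show warning if permission is denied` and `Fail if command permission is denied` steps. Since the two steps repeat the same expression, a comment above them stating the rule, `# allowed: MEMBER/OWNER, or PR author on a PR labelled safe-to-test`, would help keep them in sync.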
From: Ming Wang Date: Wed, 23 Aug 2023 14:25:10 -0400 Subject: [PATCH 4/4] call env vars --- .github/workflows/pr-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-ci.yml b/.github/workflows/pr-ci.yml index 74c61f4b20..2fcd7f1212 100644 --- a/.github/workflows/pr-ci.yml +++ b/.github/workflows/pr-ci.yml @@ -145,8 +145,8 @@ jobs: To run smoketest: ``` # amd64 - CRYOSTAT_IMAGE=${{ amd64_image }} sh smoketest.sh + CRYOSTAT_IMAGE=${{ env.amd64_image }} sh smoketest.sh # or arm64 - CRYOSTAT_IMAGE=${{ arm64_image }} sh smoketest.sh + CRYOSTAT_IMAGE=${{ env.arm64_image }} sh smoketest.sh ```