Deduplicate github actions

We have multiple github actions that run e2e tests and share a significant amount of logic. We'll add reusable actions, making the workflows much easier to maintain.
canonical · Dec 12, 2024 · 30a2688 · 30a2688
1 parent 50bc0b9
commit 30a2688
Show file tree

Hide file tree

Showing 12 changed files with 436 additions and 441 deletions.
diff --git a/.github/actions/download-k8s-snap/action.yaml b/.github/actions/download-k8s-snap/action.yaml
@@ -0,0 +1,55 @@
+name: Download k8s-snap
+
+inputs:
+  # Download k8s-snap using either a GH action artifact or a snap channel.
+  artifact:
+    description: The name of a GH action artifact.
+    type: string
+  channel:
+    description: k8s snap channel.
+    type: string
+
+outputs:
+  snap-path:
+    description: The *.snap destination path.
+    value: ${{ steps.retrieve-path.outputs.snap-path }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Exit if no input provided
+      if: inputs.artifact == '' && inputs.channel == ''
+      shell: bash
+      run: |
+        echo "No k8s-snap artifact or channel specified..."
+        exit 1
+    - name: Exit if multiple inputs provided
+      if: inputs.artifact != '' && inputs.channel != ''
+      shell: bash
+      run: |
+        echo "Received snap artifact AND snap channel."
+        exit 1
+
+    - name: Download snap artifact
+      if: inputs.artifact != ''
+      uses: actions/download-artifact@v4
+      with:
+        name: ${{ inputs.artifact }}
+        path: ${{ github.workspace }}
+
+    - name: Download snap channel
+      if: inputs.channel != ''
+      shell: bash
+      run: |
+        snap download k8s --channel=${{ inputs.channel }} --basename k8s
+
+    - name: Retrieve resulting snap path
+      shell: bash
+      id: retrieve-path
+      run: |
+        if [[ -n "${{ inputs.artifact }}" ]]; then
+          snap_path="${{ github.workspace }}/${{ inputs.artifact }}"
+        else
+          snap_path="${{ github.workspace }}/k8s.snap"
+        fi
+        echo "snap-path=$snap_path" >> "$GITHUB_OUTPUT"
diff --git a/.github/actions/install-lxd/action.yaml b/.github/actions/install-lxd/action.yaml
@@ -0,0 +1,20 @@
+name: Install lxd
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install lxd snap
+      shell: bash
+      run: |
+        sudo snap refresh lxd --channel 5.21/stable
+    - name: Initialize lxd
+      shell: bash
+      run: |
+        sudo lxd init --auto
+        sudo usermod --append --groups lxd $USER
+        sg lxd -c 'lxc version'
+    - name: Apply Docker iptables workaround
+      shell: bash
+      run: |
+        sudo iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT
+        sudo iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
diff --git a/.github/workflows/build-snap.yaml b/.github/workflows/build-snap.yaml
@@ -0,0 +1,51 @@
+name: Build k8s-snap
+
+on:
+  workflow_call:
+    inputs:
+      flavor:
+        description: k8s-snap flavor (e.g. moonray or strict)
+        type: string
+    outputs:
+      snap-artifact:
+        description: Name of the uploaded snap artifact
+        value: ${{ jobs.build-snap.outputs.snap-artifact }}
+
+jobs:
+  build-snap:
+    name: Build snap
+    runs-on: ubuntu-20.04
+    outputs:
+      snap-artifact: ${{ steps.build.outputs.snap-artifact }}
+    steps:
+      - name: Checking out repo
+        uses: actions/checkout@v4
+      - name: Apply patches
+        if: inputs.flavor != ''
+        run: |
+          ./build-scripts/patches/${{ inputs.flavor }}/apply
+      - name: Install lxd
+        uses: ./.github/actions/install-lxd
+      - name: Install snapcraft
+        run: |
+          sudo snap install snapcraft --classic
+      - name: Build snap
+        id: build
+        env:
+          flavor: ${{ inputs.flavor }}
+        run: |
+          if [[ -n "$flavor" ]]; then
+            out_snap=k8s-$flavor.snap
+          else
+            out_snap=k8s.snap
+          fi
+
+          sg lxd -c 'snapcraft --use-lxd'
+          mv k8s_*.snap $out_snap
+
+          echo "snap-artifact=$out_snap" >> "$GITHUB_OUTPUT"
+      - name: Uploading snap
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.build.outputs.snap-artifact }}
+          path: ${{ steps.build.outputs.snap-artifact }}
diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml
@@ -3,6 +3,10 @@ name: Security and quality nightly scan
 on:
   schedule:
     - cron: '0 10 * * *'
+  pull_request:
+    paths:
+      - .github/workflows/cron-jobs.yaml
+      - .github/workflows/security-scan.yaml
 
 permissions:
   contents: read
@@ -70,7 +74,6 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-    runs-on: ubuntu-latest
     strategy:
       matrix:
         include:
@@ -80,47 +83,7 @@ jobs:
           # Add branches to test here
           - { branch: release-1.30, channel: 1.30-classic/edge }
           - { branch: release-1.31, channel: 1.31-classic/edge }
-
-    steps:
-      - name: Checking out repo
-        uses: actions/checkout@v4
-        with:
-          ref: ${{matrix.branch}}
-      - name: Setup Trivy vulnerability scanner
-        run: |
-          mkdir -p sarifs
-          VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print  substr($NF, 1, length($NF)-1)}');
-          wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
-          tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: "fs"
-          ignore-unfixed: true
-          format: "sarif"
-          output: "trivy-k8s-repo-scan--results.sarif"
-          severity: "MEDIUM,HIGH,CRITICAL"
-        env:
-          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
-      - name: Gather Trivy repo scan results
-        run: |
-          cp trivy-k8s-repo-scan--results.sarif ./sarifs/
-      - name: Run Trivy vulnerability scanner on the snap
-        run: |
-          snap download k8s --channel ${{ matrix.channel }}
-          mv ./k8s*.snap ./k8s.snap
-          unsquashfs k8s.snap
-          for var in $(env | grep -o '^TRIVY_[^=]*'); do
-            unset "$var"
-          done
-          ./trivy --db-repository public.ecr.aws/aquasecurity/trivy-db rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
-      - name: Get HEAD sha
-        run: |
-          SHA="$(git rev-parse HEAD)"
-          echo "head_sha=$SHA" >> "$GITHUB_ENV"
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: "sarifs"
-          sha: ${{ env.head_sha }}
-          ref: refs/heads/${{matrix.branch}}
+    uses: ./.github/workflows/security-scan.yaml
+    with:
+      channel: ${{ matrix.channel }}
+      checkout-ref: ${{ matrix.branch }}
diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml
@@ -0,0 +1,72 @@
+name: Run k8s-snap e2e tests
+
+on:
+  workflow_call:
+    inputs:
+      arch:
+        description: Job runner architecture (amd64 or arm64)
+        default: amd64
+        type: string
+      os:
+        description: LXD image to use when running e2e tests
+        default: ubuntu:24.04
+        type: string
+      # Download k8s-snap using either a GH action artifact or a snap channel.
+      artifact:
+        description: The name of a GH action artifact.
+        type: string
+      channel:
+        description: k8s snap channel.
+        type: string
+      test-tags:
+        description: Test filter tags (e.g. pull_request, up_to_weekly)
+        default: pull_request
+        type: string
+
+jobs:
+  test-integration:
+    name: Integration Test ${{ inputs.os }} ${{ inputs.arch }} ${{ inputs.artifact }}
+    runs-on: ${{ inputs.arch == 'arm64' && 'self-hosted-linux-arm64-jammy-large' || 'self-hosted-linux-amd64-jammy-large' }}
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+      - name: Download k8s-snap
+        id: download-snap
+        uses: ./.github/actions/download-k8s-snap
+        with:
+          channel: ${{ inputs.channel }}
+          artifact: ${{ inputs.artifact }}
+      - name: Install lxd
+        uses: ./.github/actions/install-lxd
+      - name: Install tox
+        run: pip install tox
+      - name: Run e2e tests
+        env:
+          TEST_SNAP: ${{ steps.download-snap.outputs.snap-path }}
+          TEST_SUBSTRATE: lxd
+          TEST_LXD_IMAGE: ${{ inputs.os }}
+          TEST_INSPECTION_REPORTS_DIR: ${{ github.workspace }}/inspection-reports
+          # Test the latest (up to) 6 releases for the flavour
+          # TODO(ben): upgrade nightly to run all flavours
+          TEST_VERSION_UPGRADE_CHANNELS: "recent 6 classic"
+          # Upgrading from 1.30 is not supported.
+          TEST_VERSION_UPGRADE_MIN_RELEASE: "1.31"
+          TEST_STRICT_INTERFACE_CHANNELS: "recent 6 strict"
+          TEST_MIRROR_LIST: '[{"name": "ghcr.io", "port": 5000, "remote": "https://ghcr.io", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}, {"name": "docker.io", "port": 5001, "remote": "https://registry-1.docker.io", "username": "", "password": ""}, {"name": "rocks.canonical.com", "port": 5002, "remote": "https://rocks.canonical.com/cdk"}]'
+        run: |
+          cd tests/integration && sg lxd -c "tox -e integration -- --tags ${{ inputs.test-tags }}"
+      - name: Prepare inspection reports
+        if: failure()
+        run: |
+          tar -czvf inspection-reports.tar.gz -C ${{ github.workspace }} inspection-reports
+          echo "artifact_name=inspection-reports-${{ inputs.os }}" | sed 's/:/-/g' >> $GITHUB_ENV
+      - name: Upload inspection report artifact
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.artifact_name }}
+          path: ${{ github.workspace }}/inspection-reports.tar.gz
diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml
@@ -1,19 +1,7 @@
-name: Go
+name: Go lint and unit tests
 
 on:
-  push:
-    paths-ignore:
-      - 'docs/**'
-    branches:
-      - main
-      - autoupdate/strict
-      - autoupdate/moonray
-      - 'release-[0-9]+.[0-9]+'
-      - 'autoupdate/release-[0-9]+.[0-9]+-strict'
-      - 'autoupdate/sync/**'
-  pull_request:
-    paths-ignore:
-      - 'docs/**'
+  workflow_call:
 
 permissions:
   contents: read

diff --git a/.github/workflows/integration-informing.yaml b/.github/workflows/integration-informing.yaml