build and push full release in CI on [upload] #288

Merged
merged 7 commits into from
Aug 11, 2024

andiradulescu
Collaborator

No description provided.

@andiradulescu
Collaborator Author

ok, so comparing an openpilot run https://github.com/commaai/openpilot/actions/runs/10289970225/job/28478858166 shows that it has a "ssh-key":
[image]
vs here where there is no "ssh-key":
[image]
I'm thinking of two possibilities:

  • there is some environment set in openpilot or something special here or here - can you check (yet again) @adeebshihadeh ?
  • this secret doesn't work on namespace.so runners - I will ask on Namespace Discord

@andiradulescu
Collaborator Author

andiradulescu commented Aug 8, 2024

Namespace responded, they don’t influence secrets at all, which makes sense. They suggested we check the repos whitelist here: https://github.com/organizations/commaai/settings/secrets/actions/CI_ARTIFACTS_DEPLOY_KEY

@andiradulescu
Collaborator Author

Found the problem, we need two workflows..

  • one workflow that runs on "pull_request" - building (this does not have access to secrets)
  • another workflow on completion of the previous - uploads to ci-artifacts and comments in PR (this one has access to secrets)

This means that we still need to upload and download artifacts between these two workflows..

Explained here (ReceivePR.yml and CommentPR.yml): https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
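
The two-workflow split from the comment above, as an added example (not the workflow files from this PR). File names, the build script, the artifact name, the target repository and the destination layout are assumptions; the secret name is the one mentioned in this thread.

```yaml
# build.yml (hypothetical name): runs the PR's code, gets no secrets on fork PRs
name: build
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest          # assumption; any runner works here
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh && xz -T0 output/*.img   # hypothetical build script and paths
      - uses: actions/upload-artifact@v4
        with:
          name: images
          path: output/*.xz
          compression-level: 0      # already xz-compressed
---
# upload.yml (hypothetical name): runs from the default branch, with secrets, never runs PR code
name: upload
on:
  workflow_run:
    workflows: [build]
    types: [completed]
permissions:
  actions: read                     # to read the build run's artifact
  contents: read
jobs:
  upload:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: commaai/ci-artifacts   # assumed target repo
          ssh-key: ${{ secrets.CI_ARTIFACTS_DEPLOY_KEY }}
          path: ci-artifacts
      - uses: actions/download-artifact@v4
        with:
          name: images
          path: incoming
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - name: Publish artifact as data only (copied, never executed)
        run: |
          dest="ci-artifacts/runs/${{ github.event.workflow_run.id }}"
          mkdir -p "$dest" && cp -- incoming/*.xz "$dest/"
          cd ci-artifacts && git add -A
          git -c user.name=ci -c user.email=ci@example.invalid commit -m "run ${{ github.event.workflow_run.id }}"
          git push
```

The artifact comes from a run the PR author controls, so the second workflow copies only the expected `*.xz` files into a per-run subdirectory and never writes over the checkout root or its `.git` directory.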

@adeebshihadeh
Contributor

Added CI_ARTIFACTS_GITLAB_DEPLOY_KEY for https://gitlab.com/commaai/ci-artifacts. We can push big LFS stuff there.

@andiradulescu
Collaborator Author

  • pushes to GitHub
  • 14min xz both images
  • 14sec artifact upload with 0 compression

doing the xz in the first workflow which uses namespace for heavy lifting. the second workflow uses GH ubuntu-latest.

next thing switch to GitLab.

should we merge this and see if the workflow works and make a separate PR for GitLab?

or finish it here?

@adeebshihadeh adeebshihadeh marked this pull request as ready for review August 11, 2024 23:23
@adeebshihadeh
Contributor

Let's merge, then we can optimize if needed later.

@adeebshihadeh adeebshihadeh merged commit f125aee into commaai:master Aug 11, 2024
2 checks passed
@andiradulescu andiradulescu deleted the ci-artifacts-on branch August 12, 2024 11:31
@andiradulescu
Collaborator Author

I ran it in another testing repo, meanwhile, and it had a lot of issues. It was pretty impossible to get this right blindly.

When I'm done testing, I'll tag you in the new PR.
