From 141ca3c1228a9aec29f5a56733650a3922ad4c14 Mon Sep 17 00:00:00 2001
From: Heba Elayoty
Date: Tue, 26 Mar 2024 13:22:30 -0700
Subject: [PATCH] Update release workflow

Signed-off-by: Heba Elayoty
---
 .github/workflows/build-publish-image.yml | 39 ++--
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/create-release.yml | 10 +-
 .github/workflows/e2e-workflow.yaml | 205 ++++++++++++++++++++++
 .github/workflows/helm-chart.yml | 2 +-
 .github/workflows/kaito-e2e.yaml | 182 ++----------------
 .github/workflows/lint-go.yaml | 14 +-
 .github/workflows/publish-image-acr.yml | 27 ++-
 .github/workflows/test-approval.yml | 28 +++
 .github/workflows/tests.yml | 12 +-
 Makefile | 8 +-
 11 files changed, 327 insertions(+), 202 deletions(-)
 create mode 100644 .github/workflows/e2e-workflow.yaml
 create mode 100644 .github/workflows/test-approval.yml

diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml
index eb430341f..7ce04988e 100644
--- a/.github/workflows/build-publish-image.yml
+++ b/.github/workflows/build-publish-image.yml
@@ -16,30 +16,19 @@ env: IMAGE_NAME: 'workspace' jobs: - export-registry: + publish-images: if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts') - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest environment: preset-env - outputs: - registry: ${{ steps.export.outputs.registry }} steps: - - id: export + - id: get-registry run: | # registry must be in lowercase - echo "registry=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_OUTPUT - - publish-images: - if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts') - needs: - - export-registry - env: - REGISTRY: ${{ needs.export-registry.outputs.registry }} - runs-on: ubuntu-20.04 - environment: preset-env - steps: + echo " b=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr [:upper:] [:lower:])" >> $GITHUB_ENV - id: get-tag name: Get tag run: echo "IMG_TAG=$(echo ${{ github.event.pull_request.head.ref }} | tr -d release-)" >> $GITHUB_ENV + - uses: actions/checkout@v4 with: submodules: true @@ -52,6 +41,7 @@ jobs: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Set Image tag run: | ver=${{ env.IMG_TAG }} 
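Review bot: The rewritten registry step writes `echo " b=$(...)" >> $GITHUB_ENV`, so the lowercased `<registry>/<owner>/<repo>` value lands in a variable named ` b` instead of `REGISTRY`, and every later `${{ env.REGISTRY }}` (the docker login in this hunk, the e2e call further down) keeps the raw top-level value without the repository path. It should read `echo "REGISTRY=$(echo "${{ env.REGISTRY }}/${{ github.repository }}" | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"`; quoting the `tr` classes also stops the shell from glob-expanding them if a file named `u`, `p` etc. exists in the workspace. The neighbouring "Get tag" step is unchanged, but this job runs with repository secrets and now also forwards the merged PR's `head.ref` downstream; moving that value into an `env:` entry and using `"$HEAD_REF"` in the script would close a branch-name injection path.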
@@ -76,9 +66,16 @@ jobs: TRIVY_USERNAME: ${{ github.actor }} TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - name: 'Dispatch release tag' - uses: peter-evans/repository-dispatch@v3 + - uses: ./.github/workflows/e2e-workflow.yaml with: - token: ${{ secrets.GITHUB_TOKEN }} - event-type: release-tag - client-payload: '{"isRelease": true,"registry": "$${{ env.REGISTRY }}","tag": "v${{ env.IMG_TAG }}"}' + git_sha: {{ github.event.pull_request.head.ref }} + isRelease: true + registry: ${{ env.REGISTRY }} + tag: ${{ env.IMG_TAG }} + secrets: + E2E_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + E2E_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + E2E_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + E2E_AMRT_SECRET_NAME: ${{ secrets.AMRT_SECRET_NAME }} + E2E_ACR_AMRT_USERNAME: ${{ secrets.ACR_AMRT_USERNAME }} + E2E_ACR_AMRT_PASSWORD: ${{ secrets.ACR_AMRT_PASSWORD }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b918270bc..1651267c0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -18,7 +18,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 0 diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml index 935a88779..d0cfdf306 100644 --- a/.github/workflows/create-release.yml +++ b/.github/workflows/create-release.yml @@ -1,7 +1,8 @@ name: Create release on: - repository_dispatch: - types: [ release-tag ] + workflow_run: + workflows: [ "Create, Scan and Publish KAITO image" ] + types: [ completed ] branches: [ release-** ] permissions: 
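Review bot: `uses: ./.github/workflows/e2e-workflow.yaml` is placed as a step, but a reusable workflow can only be called from `jobs.<id>.uses`; a step-level local `uses:` must point at a directory containing an `action.yml`, and `secrets:` is not a valid step key, so this job will be rejected before it runs. `git_sha: {{ github.event.pull_request.head.ref }}` is broken twice over: without the leading `$` nothing is evaluated and the bare `{{` is read by YAML as a flow mapping, and a branch name is not a SHA — the other callers pass `${{ github.event.pull_request.head.sha }}`. The call needs to become a second job, with the two env-writing steps also emitting `registry=`/`tag=` to `$GITHUB_OUTPUT`, because `env.REGISTRY`/`env.IMG_TAG` do not cross job boundaries.

```yaml
  publish-images:
    # … unchanged: if/runs-on/environment, build, push, trivy scan …
    outputs:
      registry: ${{ steps.get-registry.outputs.registry }}
      tag: ${{ steps.get-tag.outputs.tag }}

  e2e:
    needs: publish-images
    uses: ./.github/workflows/e2e-workflow.yaml
    with:
      git_sha: ${{ github.event.pull_request.head.sha }}
      isRelease: true
      registry: ${{ needs.publish-images.outputs.registry }}
      tag: ${{ needs.publish-images.outputs.tag }}
    secrets:
      E2E_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      # … unchanged: remaining E2E_* secrets …
```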
@@ -14,18 +15,19 @@ env: jobs: create-release: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit + - name: Set up Go ${{ env.GO_VERSION }} uses: actions/setup-go@v5 with: go-version: ${{ env.GO_VERSION }} - name: Checkout the repository at the given SHA from the artifact - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 0 diff --git a/.github/workflows/e2e-workflow.yaml b/.github/workflows/e2e-workflow.yaml new file mode 100644 index 000000000..86979b41a --- /dev/null +++ b/.github/workflows/e2e-workflow.yaml 
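Review bot: Now that this workflow is started by `workflow_run` on `completed`, the `create-release` job also runs for failed and cancelled publish runs; helm-chart.yml in this same patch guards with `if: ${{ github.event.workflow_run.conclusion == 'success' }}` and this job should carry the identical condition between `create-release:` and `runs-on:`. Under `workflow_run` the default `github.sha`/`github.ref` point at the default branch rather than the release branch, so the checkout step (its `with:` block is cut off at the end of this hunk) needs `ref: ${{ github.event.workflow_run.head_sha }}` unless it already resolves the SHA from the artifact as its name suggests.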
@@ -0,0 +1,205 @@ +name: kaito-e2e-workflow + +on: + workflow_call: + inputs: + git_sha: + type: string + required: true + tag: + type: string + isRelease: + type: boolean + default: false + registry: + type: string + region: + type: string + description: "the azure location to run the e2e test in" + default: "eastus" + k8s_version: + type: string + default: "1.27" + secrets: + E2E_CLIENT_ID: + required: true + E2E_TENANT_ID: + required: true + E2E_SUBSCRIPTION_ID: + required: true + E2E_AMRT_SECRET_NAME: + required: true + E2E_ACR_AMRT_USERNAME: + required: true + E2E_ACR_AMRT_PASSWORD: + required: true + +permissions: + contents: read # This is required for actions/checkout + +jobs: + e2e-tests: + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # This is required for requesting the JWT + environment: e2e-test + env: + GO_VERSION: "1.20" + + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ inputs.git_sha }} + + - name: Set e2e Resource and Cluster Name + run: | + rand=$(git rev-parse --short ${{ inputs.git_sha }}) + + if [ "$rand" = "" ]; then + rand=$RANDOM + fi + + echo "VERSION=${rand}" >> $GITHUB_ENV + echo "CLUSTER_NAME=kaito${rand}" >> $GITHUB_ENV + echo "RUN_LLAMA_13B=false" >> $GITHUB_ENV + echo "REGISTRY=kaito${rand}.azurecr.io" >> $GITHUB_ENV + + - name: Set Registry + if: ${{ inputs.isRelease }} + run: | + echo "REGISTRY=${{ inputs.registry }}" >> $GITHUB_ENV + echo "VERSION=$(echo ${{ inputs.tag }} | tr -d v)" >> $GITHUB_ENV + + - name: Set up Go ${{ env.GO_VERSION }} + uses: actions/setup-go@v5 + with: + go-version: ${{ env.GO_VERSION }} + + - name: Az login + uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0 + with: + client-id: ${{ secrets.E2E_CLIENT_ID }} + tenant-id: ${{ secrets.E2E_TENANT_ID }} 
+ subscription-id: ${{ secrets.E2E_SUBSCRIPTION_ID }} + + - uses: azure/setup-helm@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + id: install + + - name: Create Resource Group + shell: bash + run: | + make create-rg + env: + AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }} + + - name: Create ACR + shell: bash + run: | + make create-acr + env: + AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }} + AZURE_ACR_NAME: ${{ env.CLUSTER_NAME }} + + - name: Create Azure Identity + uses: azure/CLI@v1.0.9 + with: + inlineScript: | + az identity create --name gpuIdentity --resource-group ${{ env.CLUSTER_NAME }} + + - name: build KAITO image + if: ${{ !inputs.isRelease }} + shell: bash + run: | + make docker-build-kaito + env: + REGISTRY: ${{ env.REGISTRY }} + VERSION: ${{ env.VERSION }} + + - name: create cluster + shell: bash + run: | + make create-aks-cluster + env: + AZURE_ACR_NAME: ${{ env.CLUSTER_NAME }} + AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }} + AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }} + AZURE_LOCATION: ${{ inputs.region }} + AKS_K8S_VERSION: ${{ inputs.k8s_version }} + + - name: Install gpu-provisioner helm chart + shell: bash + run: | + make gpu-provisioner-helm + kubectl wait --for=condition=available deploy "kaito-gpu-provisioner" -n gpu-provisioner --timeout=300s + env: + AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }} + AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }} + + - uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0 + with: + client-id: ${{ secrets.E2E_CLIENT_ID }} + tenant-id: ${{ secrets.E2E_TENANT_ID }} + subscription-id: ${{ secrets.E2E_SUBSCRIPTION_ID }} + + - name: Create Role Assignment + uses: azure/CLI@v1.0.9 + with: + inlineScript: | + IDENTITY_PRINCIPAL_ID="$(az identity show --name gpuIdentity --resource-group ${{ env.CLUSTER_NAME }} --query 'principalId' -otsv)" + az role assignment create --assignee ${IDENTITY_PRINCIPAL_ID} --scope "/subscriptions/${{ secrets.E2E_SUBSCRIPTION_ID }}/resourceGroups/${{ env.CLUSTER_NAME }}" --role 
"Contributor" + + - name: Create Azure Federated Identity + uses: azure/CLI@v1.0.9 + with: + inlineScript: | + AKS_OIDC_ISSUER="$(az aks show -n "${{ env.CLUSTER_NAME }}" -g "${{ env.CLUSTER_NAME }}" --query 'oidcIssuerProfile.issuerUrl' -otsv)" + az identity federated-credential create --name gpu-fed-credential --identity-name gpuIdentity --resource-group "${{ env.CLUSTER_NAME }}" \ + --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:"gpu-provisioner:gpu-provisioner" --audience api://AzureADTokenExchange + + - name: Install KAITO Workspace helm chart + shell: bash + run: | + make az-patch-install-helm + kubectl wait --for=condition=available deploy "kaito-workspace" -n kaito-workspace --timeout=300s + env: + AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }} + AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }} + REGISTRY: ${{ env.REGISTRY }} + VERSION: ${{ env.VERSION }} + + - name: Add Secret Credentials + run: | + kubectl create secret docker-registry ${{ secrets.E2E_AMRT_SECRET_NAME }} \ + --docker-server=${{ secrets.E2E_ACR_AMRT_USERNAME }}.azurecr.io \ + --docker-username=${{ secrets.E2E_ACR_AMRT_USERNAME }} \ + --docker-password=${{ secrets.E2E_ACR_AMRT_PASSWORD }} + + - name: Log kaito-workspace + run: | + kubectl get pods -n kaito-workspace -o name | grep "^pod/kaito-workspace" | sed 's/^pod\///' | xargs -I {} kubectl logs -n kaito-workspace {} + + - name: Run e2e test + run: | + make kaito-workspace-e2e-test + env: + AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }} + RUN_LLAMA_13B: ${{ env.RUN_LLAMA_13B }} + AI_MODELS_REGISTRY: ${{ secrets.E2E_ACR_AMRT_USERNAME }}.azurecr.io + AI_MODELS_REGISTRY_SECRET: ${{ secrets.E2E_AMRT_SECRET_NAME }} + + - name: Cleanup e2e resources + if: ${{ always() }} + uses: azure/CLI@v1.0.9 + with: + inlineScript: | + set +e + az group delete --name "${{ env.CLUSTER_NAME }}" --yes --no-wait || true diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml index 2666cd92f..573dd78a4 100644 
--- a/.github/workflows/helm-chart.yml +++ b/.github/workflows/helm-chart.yml @@ -20,7 +20,7 @@ jobs: if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 0 diff --git a/.github/workflows/kaito-e2e.yaml b/.github/workflows/kaito-e2e.yaml index 120df9f80..ca2afafdd 100644 --- a/.github/workflows/kaito-e2e.yaml +++ b/.github/workflows/kaito-e2e.yaml @@ -5,16 +5,8 @@ concurrency: cancel-in-progress: true on: - push: - branches: [main] - paths-ignore: ['docs/**', '**.md', '**.mdx', '**.png', '**.jpg'] pull_request: - branches: [main] - paths-ignore: ['docs/**', '**.md', '**.mdx', '**.png', '**.jpg'] - repository_dispatch: - types: [ release-tag ] - branches: [ release-** ] - + types: [labeled, unlabeled] env: GO_VERSION: "1.20" 
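Review bot: `types: [labeled, unlabeled]` starts `run-e2e` when a label is removed as well as added, and nothing in the trigger restricts which label, so every label edit on every PR spawns the job — and since the label check in the next hunk does not block, each of those runs creates a resource group, ACR and identity. Dropping `push: branches: [main]` means merges to main are no longer e2e-tested, and without `synchronize` a PR labeled `ok-to-test` is not re-run for commits pushed afterwards while the label stays on; if that trade-off is intended it deserves a comment on the trigger. A narrower form is `types: [labeled, synchronize]` paired with a job-level `if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')`.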
@@ -23,169 +15,33 @@ permissions: contents: read # This is required for actions/checkout jobs: - e2e-tests: + run-e2e: runs-on: ubuntu-latest environment: e2e-test steps: - - name: Shorten SHA - if: ${{ !github.event.client_payload.isRelease }} - id: vars - run: echo "pr_sha_short=$(git rev-parse --short ${{ github.event.pull_request.head.sha }})" >> $GITHUB_OUTPUT - - - name: Set e2e Resource and Cluster Name - run: | - rand=${{ steps.vars.outputs.pr_sha_short }} - - if [ "$rand" = "" ]; then - rand=$RANDOM - fi - - echo "VERSION=${rand}" >> $GITHUB_ENV - echo "CLUSTER_NAME=kaito${rand}" >> $GITHUB_ENV - echo "RUN_LLAMA_13B=false" >> $GITHUB_ENV - echo "REGISTRY=kaito${rand}.azurecr.io" >> $GITHUB_ENV - - - name: Set Registry - if: ${{ github.event.client_payload.isRelease }} - run: | - echo "REGISTRY=${{ github.event.client_payload.registry }}" >> $GITHUB_ENV - echo "VERSION=$(echo ${{ github.event.client_payload.tag }} | tr -d v)" >> $GITHUB_ENV + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit - - name: Set up Go ${{ env.GO_VERSION }} - uses: actions/setup-go@v5 + - uses: ./.github/workflows/test-approval.yml with: - go-version: ${{ env.GO_VERSION }} + labels: ${{ github.event.pull_request.labels.*.name }} + git_sha: ${{ github.event.pull_request.head.sha }} - name: Checkout - if: ${{ !github.event.client_payload.isRelease }} - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 0 - - - name: Checkout - uses: actions/checkout@v4 - if: ${{ github.event.client_payload.isRelease }} - with: - fetch-depth: 0 - submodules: true - ref: ${{ env.REPO_TAG }} - - - uses: azure/login@v1.6.1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - uses: azure/setup-helm@v4 - with: - token: ${{ 
secrets.GITHUB_TOKEN }} - id: install - - - name: Create Resource Group - shell: bash - run: | - make create-rg - env: - AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }} - - - name: Create ACR - shell: bash - run: | - make create-acr - env: - AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }} - AZURE_ACR_NAME: ${{ env.CLUSTER_NAME }} - - - name: Create Azure Identity - uses: azure/CLI@v1.0.9 - with: - inlineScript: | - az identity create --name gpuIdentity --resource-group ${{ env.CLUSTER_NAME }} - - - name: build KAITO image - if: ${{ !github.event.client_payload.isRelease }} - shell: bash - run: | - make docker-build-kaito - env: - REGISTRY: ${{ env.REGISTRY }} - VERSION: ${{ env.VERSION }} - - - name: create cluster - shell: bash - run: | - make create-aks-cluster - env: - AZURE_ACR_NAME: ${{ env.CLUSTER_NAME }} - AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }} - AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }} - - - name: Install gpu-provisioner helm chart - shell: bash - run: | - make gpu-provisioner-helm - kubectl wait --for=condition=available deploy "kaito-gpu-provisioner" -n gpu-provisioner --timeout=300s - env: - AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }} - AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }} - - - uses: azure/login@v1.6.1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: Create Role Assignment - uses: azure/CLI@v1.0.9 - with: - inlineScript: | - IDENTITY_PRINCIPAL_ID="$(az identity show --name gpuIdentity --resource-group ${{ env.CLUSTER_NAME }} --query 'principalId' -otsv)" - az role assignment create --assignee ${IDENTITY_PRINCIPAL_ID} --scope "/subscriptions/${{ secrets.AZURE_SUBSCRIPTION_ID }}/resourceGroups/${{ env.CLUSTER_NAME }}" --role "Contributor" - - - name: Create Azure Federated Identity - uses: azure/CLI@v1.0.9 - with: - inlineScript: | - AKS_OIDC_ISSUER="$(az aks show -n "${{ env.CLUSTER_NAME }}" -g "${{ env.CLUSTER_NAME }}" 
--query 'oidcIssuerProfile.issuerUrl' -otsv)" - az identity federated-credential create --name gpu-fed-credential --identity-name gpuIdentity --resource-group "${{ env.CLUSTER_NAME }}" \ - --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:"gpu-provisioner:gpu-provisioner" --audience api://AzureADTokenExchange - - - name: Install KAITO Workspace helm chart - shell: bash - run: | - make az-patch-install-helm - kubectl wait --for=condition=available deploy "kaito-workspace" -n kaito-workspace --timeout=300s - env: - AZURE_RESOURCE_GROUP: ${{ env.CLUSTER_NAME }} - AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }} - REGISTRY: ${{ env.REGISTRY }} - VERSION: ${{ env.VERSION }} - - - name: Add Secret Credentials - run: | - kubectl create secret docker-registry ${{secrets.AMRT_SECRET_NAME}} \ - --docker-server=${{secrets.ACR_AMRT_USERNAME}}.azurecr.io \ - --docker-username=${{secrets.ACR_AMRT_USERNAME}} \ - --docker-password=${{secrets.ACR_AMRT_PASSWORD}} - - - name: Log kaito-workspace - run: | - kubectl get pods -n kaito-workspace -o name | grep "^pod/kaito-workspace" | sed 's/^pod\///' | xargs -I {} kubectl logs -n kaito-workspace {} - - - name: Run e2e test - run: | - make kaito-workspace-e2e-test - env: - AZURE_CLUSTER_NAME: ${{ env.CLUSTER_NAME }} - RUN_LLAMA_13B: ${{ env.RUN_LLAMA_13B }} - AI_MODELS_REGISTRY: ${{secrets.ACR_AMRT_USERNAME}}.azurecr.io - AI_MODELS_REGISTRY_SECRET: ${{secrets.AMRT_SECRET_NAME}} - - name: Cleanup e2e resources - if: ${{ always() }} - uses: azure/CLI@v1.0.9 + - uses: ./.github/workflows/e2e-workflow.yaml with: - inlineScript: | - set +e - az group delete --name "${{ env.CLUSTER_NAME }}" --yes --no-wait || true + git_sha: ${{ github.event.pull_request.head.sha }} + secrets: + E2E_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + E2E_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + E2E_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + E2E_AMRT_SECRET_NAME: ${{ secrets.AMRT_SECRET_NAME }} + E2E_ACR_AMRT_USERNAME: ${{ 
secrets.ACR_AMRT_USERNAME }} + E2E_ACR_AMRT_PASSWORD: ${{ secrets.ACR_AMRT_PASSWORD }} diff --git a/.github/workflows/lint-go.yaml b/.github/workflows/lint-go.yaml index 50b1d90b6..224332779 100644 --- a/.github/workflows/lint-go.yaml +++ b/.github/workflows/lint-go.yaml @@ -17,11 +17,21 @@ env: jobs: build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: contents: read steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: ./.github/workflows/test-approval.yml + with: + labels: ${{ github.event.pull_request.labels.*.name }} + git_sha: ${{ github.event.pull_request.head.sha }} + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 0 diff --git a/.github/workflows/publish-image-acr.yml b/.github/workflows/publish-image-acr.yml index a307bd942..d5235e728 100644 --- a/.github/workflows/publish-image-acr.yml +++ b/.github/workflows/publish-image-acr.yml @@ -1,10 +1,14 @@ name: Push image to ACR on: - workflow_dispatch: + workflow_dispatch: inputs: release_version: description: 'tag to be created for this image (i.e. vxx.xx.xx)' required: true + pull_request: + branches: [ main, release-** ] + types: [ closed ] + permissions: id-token: write @@ -14,9 +18,11 @@ permissions: env: GO_VERSION: '1.20' IMAGE_NAME: 'workspace' + MCR_REGISTRY: "mcr.microsoft.com/aks/kaito" jobs: check-tag: + if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts') runs-on: labels: [ "self-hosted", "1ES.Pool=1es-aks-kaito-agent-pool-ubuntu" ] environment: publish-mcr 
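Review bot: Both `uses: ./.github/workflows/test-approval.yml` and `uses: ./.github/workflows/e2e-workflow.yaml` are written as steps, but reusable workflows are only callable via `jobs.<id>.uses`, `secrets:` is not a step key, and a local `./` path cannot resolve in the `test-approval` step anyway because it precedes `actions/checkout` — the workflow is rejected at parse time. Even at job level a called workflow whose only job skips itself stops nothing unless the consuming job names it in `needs:`; the gate belongs as an `if:` on the job that receives the Azure secrets. The remaining `Checkout` step and `environment: e2e-test` in `run-e2e` become dead once it is a `uses:` job (such jobs take neither `steps` nor `environment`; the called workflow already sets `environment: e2e-test`).

```yaml
jobs:
  run-e2e:
    # Label gate lives on the job that receives the cloud credentials.
    if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')
    uses: ./.github/workflows/e2e-workflow.yaml
    with:
      git_sha: ${{ github.event.pull_request.head.sha }}
    secrets:
      E2E_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      # … unchanged: remaining E2E_* secrets …
```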
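Review bot: The new `uses: ./.github/workflows/test-approval.yml` step in lint-go.yaml has the same two problems as in kaito-e2e.yaml — a reusable workflow cannot be `uses`d from a step, and the path is referenced before `actions/checkout` has populated the workspace — so the `build` job fails before linting. Beyond the mechanics, this job needs no cloud credentials (`permissions: contents: read` only), so an `ok-to-test` gate here would withhold the cheapest signal from every PR until a maintainer labels it; drop the step and keep the label check on the workflows that consume the Azure secrets. If a gate is still wanted, it is a job-level `if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')`, not a called workflow.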
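Review bot: `if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, ...)` on `check-tag` (and the identical condition added to `publish` in the next hunk) is false for the `workflow_dispatch` trigger this file still declares, because `github.event.pull_request` is null there, so the manual `release_version` path is silently disabled. Use `if: github.event_name == 'workflow_dispatch' || (github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts'))`. Keying a push to `mcr.microsoft.com/aks/kaito` on a free-text PR title is a thin control on its own; a comment above the trigger stating that branch protection on `main`/`release-**` is what restricts who can trigger it would make the assumption explicit, if that is the assumption.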
@@ -56,6 +62,7 @@ jobs: }) publish: + if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts') runs-on: labels: [ "self-hosted", "1ES.Pool=1es-aks-kaito-agent-pool-ubuntu" ] environment: publish-mcr @@ -98,12 +105,20 @@ jobs: TRIVY_USERNAME: ${{ github.actor }} TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - name: 'Dispatch tag to e2e test' - uses: peter-evans/repository-dispatch@v3 + - name: 'Run e2e test toward new MCR image' + uses: ./.github/workflows/e2e-workflow.yaml with: - token: ${{ secrets.GITHUB_TOKEN }} - event-type: release-tag - client-payload: '{"isRelease": true,"registry": "mcr.microsoft.com/aks/kaito","tag": "${{ needs.check-tag.outputs.tag }}"}' + git_sha: ${{ github.event.pull_request.head.sha }} + isRelease: true + registry: ${{ env.MCR_REGISTRY }} + tag: ${{ env.IMG_TAG }} + secrets: + E2E_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + E2E_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + E2E_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + E2E_AMRT_SECRET_NAME: ${{ secrets.AMRT_SECRET_NAME }} + E2E_ACR_AMRT_USERNAME: ${{ secrets.ACR_AMRT_USERNAME }} + E2E_ACR_AMRT_PASSWORD: ${{ secrets.ACR_AMRT_PASSWORD }} - name: Authenticate to ACR run: | diff --git a/.github/workflows/test-approval.yml b/.github/workflows/test-approval.yml new file mode 100644 index 000000000..fcb37f2e8 --- /dev/null +++ b/.github/workflows/test-approval.yml 
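Review bot: `tag: ${{ env.IMG_TAG }}` refers to a variable no visible `env:` block in this file defines, while the removed line used `needs.check-tag.outputs.tag`, which is the value that job computes; as written the e2e call receives an empty tag, and `git_sha: ${{ github.event.pull_request.head.sha }}` is likewise empty on `workflow_dispatch`. The step also shares the step-level `uses:`/`secrets:` problem of the other callers and must become a job with `needs: [check-tag, publish]` and `tag: ${{ needs.check-tag.outputs.tag }}`. It sits before `Authenticate to ACR`; if the MCR push happens in the steps that follow, a release e2e run with `isRelease: true` would pull a `mcr.microsoft.com/aks/kaito` tag that does not exist yet, so order the e2e job after the push or point it at the just-built image.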
@@ -0,0 +1,28 @@ +name: test-approval +on: + workflow_call: + inputs: + labels: + type: string + git_sha: + type: string + +permissions: + contents: read + +jobs: + approval-comment: + if: contains(${{ inputs.labels }}, 'ok-to-test') + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + submodules: true + fetch-depth: 0 + ref: ${{ inputs.git_sha }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 03be3669c..7abf01942 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -24,13 +24,23 @@ jobs: runs-on: ubuntu-latest environment: unit-tests steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: ./.github/workflows/test-approval.yml + with: + labels: ${{ github.event.pull_request.labels.*.name }} + git_sha: ${{ github.event.pull_request.head.sha }} + - name: Set up Go ${{ env.GO_VERSION }} uses: actions/setup-go@v5 with: go-version: ${{ env.GO_VERSION }} - name: Check out the code in the Go module directory - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 0 diff --git a/Makefile b/Makefile index f02db04bf..4017d6437 100644 --- a/Makefile +++ b/Makefile @@ -24,6 +24,7 @@ GINKGO := $(TOOLS_BIN_DIR)/$(GINKGO_BIN)-$(GINKGO_VER) AZURE_SUBSCRIPTION_ID ?= $(AZURE_SUBSCRIPTION_ID) AZURE_LOCATION ?= eastus +AKS_K8S_VERSION ?= 1.27.2 AZURE_RESOURCE_GROUP ?= demo AZURE_CLUSTER_NAME ?= kaito-demo AZURE_RESOURCE_GROUP_MC=MC_$(AZURE_RESOURCE_GROUP)_$(AZURE_CLUSTER_NAME)_$(AZURE_LOCATION) 
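Review bot: This workflow cannot gate anything as used: every caller invokes it from a step, where it is invalid, and even as a job it only blocks when a dependent names it in `needs:` — nothing in this patch does — while the job itself merely checks out `inputs.git_sha` and ends, so the `approval-comment` name promises a comment that is never posted. `if: contains(${{ inputs.labels }}, 'ok-to-test')` should drop the `${{ }}` (an `if:` is already expression context), and `labels` is `type: string` while callers pass the array `github.event.pull_request.labels.*.name`; the simplest correct form is a job-level `if: contains(github.event.pull_request.labels.*.name, 'ok-to-test')` on the consumer and no separate workflow. If the file stays, document its contract at the top: `# Gate for label-approved PR runs: callers must reference this job in needs:; it is skipped when ok-to-test is absent.`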
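Review bot: Same as lint-go.yaml: `uses: ./.github/workflows/test-approval.yml` cannot be a step, and it is placed before `actions/checkout`, so the unit-test job in tests.yml fails at parse time. No Azure credentials are referenced in this hunk, so unit tests are the wrong place for an `ok-to-test` gate; remove the step here and keep the label check on the e2e job only.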
@@ -118,12 +119,13 @@ create-acr: ## Create test ACR .PHONY: create-aks-cluster create-aks-cluster: ## Create test AKS cluster (with msi, oidc, and workload identity enabled) - az aks create --name $(AZURE_CLUSTER_NAME) --resource-group $(AZURE_RESOURCE_GROUP) --attach-acr $(AZURE_ACR_NAME) \ - --node-count 1 --generate-ssh-keys --enable-managed-identity --enable-workload-identity --enable-oidc-issuer -o none + az aks create --name $(AZURE_CLUSTER_NAME) --resource-group $(AZURE_RESOURCE_GROUP) --location $(AZURE_LOCATION) \ + --attach-acr $(AZURE_ACR_NAME) --kubernetes-version $(AKS_K8S_VERSION) --node-count 1 --generate-ssh-keys \ + --enable-managed-identity --enable-workload-identity --enable-oidc-issuer -o none .PHONY: create-aks-cluster-with-kaito create-aks-cluster-with-kaito: ## Create test AKS cluster (with msi, oidc and kaito enabled) - az aks create --name $(AZURE_CLUSTER_NAME) --resource-group $(AZURE_RESOURCE_GROUP) --node-count 1 \ + az aks create --name $(AZURE_CLUSTER_NAME) --resource-group $(AZURE_RESOURCE_GROUP) --location $(AZURE_LOCATION) --node-count 1 \ --generate-ssh-keys --enable-managed-identity --enable-oidc-issuer --enable-ai-toolchain-operator -o none az aks get-credentials --name $(AZURE_CLUSTER_NAME) --resource-group $(AZURE_RESOURCE_GROUP)
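Review bot: `create-aks-cluster` gains `--kubernetes-version $(AKS_K8S_VERSION)` but `create-aks-cluster-with-kaito` does not, so the new variable silently has no effect on the second target; either add `--kubernetes-version $(AKS_K8S_VERSION)` there as well or say in the target's help text that it follows the AKS default. The e2e workflow passes `AKS_K8S_VERSION: "1.27"` while the Makefile defaults to `1.27.2`; a pinned patch version starts failing once AKS retires it in the region, whereas the minor alias keeps resolving, so defaulting to `1.27` and noting that on the variable (`# minor alias: AKS picks the latest supported patch`) would keep the two in step.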