-
Notifications
You must be signed in to change notification settings - Fork 1
231 lines (224 loc) · 9.49 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
name: CI
on:
push:
pull_request:
env:
NOMAD_VERSION: '1.9.3'
CNI_VERSION: '1.6.0'
jobs:
compile:
runs-on: ubuntu-latest
env:
CGO_ENABLED: 0
# Enable additional processor optimizations: https://golang.org/wiki/MinimumRequirements#amd64
GOAMD64: v3
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Update last trim for Go build cache
# Go usually trims all builds not used for at least five days. We simulate that the last trim just occurred recently.
# Otherwise, the cache restored in the previous step would not be used for the build resulting in a longer workflow run.
# More details: https://github.com/golang/go/blob/d60ad1e068263832c711aaf17b6ccb1b7f71b000/src/cmd/go/internal/cache/cache.go#L255-L326
run: date +%s > ~/.cache/go-build/trim.txt
continue-on-error: true
- name: Build
run: make build-cover
- name: Upload Poseidon binary
uses: actions/upload-artifact@v4
with:
name: poseidon
path: poseidon
lint:
name: lint
runs-on: ubuntu-latest
permissions:
# Required: allow read access to the content for analysis.
contents: read
# Optional: allow read access to pull request. Use with `only-new-issues` option.
pull-requests: read
# Optional: Allow write access to checks to allow the action to annotate code in the PR.
checks: write
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: golangci-lint
uses: golangci/golangci-lint-action@v6
with:
version: latest
args: --timeout=3m
test:
runs-on: ubuntu-latest
needs: [ compile ]
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Update last trim for Go build cache
# Go usually trims all builds not used for at least five days. We simulate that the last trim just occurred recently.
# Otherwise, the cache restored in the previous step would not be used for the build resulting in a longer workflow run.
# More details: https://github.com/golang/go/blob/d60ad1e068263832c711aaf17b6ccb1b7f71b000/src/cmd/go/internal/cache/cache.go#L255-L326
run: date +%s > ~/.cache/go-build/trim.txt
continue-on-error: true
- name: Run tests
run: make coverhtml
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v4
if: ${{ success() || failure() }}
with:
token: ${{ secrets.CODECOV_TOKEN }}
- name: Upload coverage report
uses: actions/upload-artifact@v4
if: ${{ success() || failure() }}
with:
name: coverage_unit
path: coverage/coverage_unit.html
dep-scan:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
needs: [ compile ]
if: github.event_name != 'push' || github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' && github.actor != 'dependabot'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'HIGH,CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
e2e-test:
runs-on: ubuntu-latest
needs: [ compile, test ]
env:
POSEIDON_AWS_ENABLED: true
POSEIDON_AWS_ENDPOINT: ${{ secrets.POSEIDON_AWS_ENDPOINT }}
POSEIDON_AWS_FUNCTIONS: ${{ secrets.POSEIDON_AWS_FUNCTIONS }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Write secrets to environment file
run: cat ./.github/workflows/resources/.env | envsubst > ./.env
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Update last trim for Go build cache
# Go usually trims all builds not used for at least five days. We simulate that the last trim just occurred recently.
# Otherwise, the cache restored in the previous step would not be used for the build resulting in a longer workflow run.
# More details: https://github.com/golang/go/blob/d60ad1e068263832c711aaf17b6ccb1b7f71b000/src/cmd/go/internal/cache/cache.go#L255-L326
run: date +%s > ~/.cache/go-build/trim.txt
continue-on-error: true
- name: Cache Nomad and CNI binaries
uses: actions/cache@v4
with:
path: |
${{ github.workspace }}/nomad
${{ github.workspace }}/cni/bin
key: ${{ runner.os }}-nomad-${{ env.NOMAD_VERSION }}
restore-keys: |
${{ runner.os }}-nomad-${{ env.NOMAD_VERSION }}
- name: Download Nomad binary
run: |
if [[ -f ./nomad ]]; then exit 0; fi
wget -q "https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_linux_amd64.zip"
wget -q "https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_SHA256SUMS"
grep "nomad_${NOMAD_VERSION}_linux_amd64.zip" nomad_${NOMAD_VERSION}_SHA256SUMS | sha256sum -c -
unzip nomad_${NOMAD_VERSION}_linux_amd64.zip
- name: Download CNI binaries
run: |
if [[ -f ./cni/bin ]]; then exit 0; fi
wget -q "https://github.com/containernetworking/plugins/releases/download/v${CNI_VERSION}/cni-plugins-linux-amd64-v${CNI_VERSION}.tgz"
wget -q "https://github.com/containernetworking/plugins/releases/download/v${CNI_VERSION}/cni-plugins-linux-amd64-v${CNI_VERSION}.tgz.sha256"
grep "cni-plugins-linux-amd64-v${CNI_VERSION}.tgz" cni-plugins-linux-amd64-v${CNI_VERSION}.tgz.sha256 | sha256sum -c -
mkdir -p ./cni/bin
tar zxvf cni-plugins-linux-amd64-v${CNI_VERSION}.tgz -C ./cni/bin
- name: Set Nomad Config
run: |
cp ./docs/resources/secure-bridge.conflist ./cni/secure-bridge.conflist
echo "server { default_scheduler_config { memory_oversubscription_enabled = true } }, client { cni_path = \"${{ github.workspace }}/cni/bin\", cni_config_dir = \"${{ github.workspace }}/cni\" }" > e2e-config.hcl
- name: Download Poseidon binary
uses: actions/download-artifact@v4
with:
name: poseidon
- name: Get current branch name
id: branch-name
uses: tj-actions/branch-names@v8
- name: Checkout matching branch for Dockerfiles (optional)
id: checkout-dockerfiles
if: steps.branch-name.outputs.is_default == 'false'
uses: actions/checkout@v4
continue-on-error: true
with:
repository: openHPI/dockerfiles
path: deploy/dockerfiles
ref: ${{ steps.branch-name.outputs.current_branch }}
- name: Build new e2e test image (optional)
if: steps.checkout-dockerfiles.outcome == 'success'
run: make e2e-test-docker-image
- name: Run e2e tests
run: |
export $(cat ./.env | xargs)
sudo ./nomad agent -dev -log-level=WARN -config e2e-config.hcl &
until curl -s --fail http://localhost:4646/v1/agent/health ; do sleep 1; done
chmod +x ./poseidon
mkdir -p ${GOCOVERDIR}
./poseidon | tee poseidon.log &
until curl -s --fail http://localhost:7200/api/v1/health ; do sleep 1; done
make e2e-test
if: ${{ success() || failure() }}
- name: Setup Poseidon Socket
run: |
export $(cat ./.env | xargs)
killall poseidon
mkdir -p ~/.config/systemd/user
cp ./.github/workflows/resources/poseidon-minimal.socket ~/.config/systemd/user/poseidon.socket
cat ./.github/workflows/resources/poseidon-minimal.service | envsubst > ~/.config/systemd/user/poseidon.service
echo "POSEIDON_SERVER_SYSTEMDSOCKETACTIVATION=TRUE" >> ./.env
systemctl --user daemon-reload
systemctl --user start poseidon.socket
if: ${{ success() || failure() }}
- name: Print Poseidon Failure logs
if: failure()
run: journalctl --user -xen --no-pager
- name: Run e2e recovery tests
run: make e2e-test-recovery
if: ${{ success() || failure() }}
- name: Print systemd Failure logs
run: |
/usr/bin/systemctl --user show poseidon.service -p NRestarts
journalctl --user -xe -u poseidon.service --no-pager
if: failure()
- name: Stop Poseidon to flush the coverage file
run: systemctl --user stop poseidon.service poseidon.socket
if: ${{ success() || failure() }}
- name: Convert coverage reports
run: make convert-run-coverage
if: ${{ success() || failure() }}
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v4
if: ${{ success() || failure() }}
with:
token: ${{ secrets.CODECOV_TOKEN }}
- name: Upload coverage report
uses: actions/upload-artifact@v4
if: ${{ success() || failure() }}
with:
name: coverage_run
path: coverage/coverage_run.html