From 117b9202308389aaaceb7963d0d76df635a5bc54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 18 Nov 2021 12:49:17 +0100 Subject: [PATCH 1/3] kata-deploy: Ensure we test HEAD with `/test_kata_deploy` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the past few releases we ended up hitting issues that could be easily avoided if `/test_kata_deploy` would use HEAD instead of a specific tarball. By the end of the day, we want to ensure kata-deploy works, but before we cut a release we also want to ensure that the binaries used in that release are in a good shape. If we don't do that we end up either having to roll a release back, or to cut a second release in a really short time (and that's time consuming). Note: there's code duplication here that could and should be avoided, but I sincerely would prefer treating it in a different PR. Fixes: #3001 Signed-off-by: Fabiano FidĂȘncio (cherry picked from commit 3c9ae7fb4b93a33a8c2c9b39a99dac541bc859ee) --- .github/workflows/kata-deploy-test.yaml | 111 +++++++++++++++++------- 1 file changed, 78 insertions(+), 33 deletions(-) diff --git a/.github/workflows/kata-deploy-test.yaml b/.github/workflows/kata-deploy-test.yaml index febd4fbee..343fc6701 100644 --- a/.github/workflows/kata-deploy-test.yaml +++ b/.github/workflows/kata-deploy-test.yaml 
@@ -5,46 +5,91 @@ on: name: test-kata-deploy jobs: - create-and-test-container: - if: | - github.event.issue.pull_request - && github.event_name == 'issue_comment' - && github.event.action == 'created' - && startsWith(github.event.comment.body, '/test_kata_deploy') + build-asset: + runs-on: ubuntu-latest + strategy: + matrix: + asset: + - cloud-hypervisor + - firecracker + - kernel + - qemu + - rootfs-image + - rootfs-initrd + - shim-v2 + steps: + - uses: actions/checkout@v2 + - name: Install docker + run: | + curl -fsSL https://test.docker.com -o test-docker.sh + sh test-docker.sh + + - name: Build ${{ matrix.asset }} + run: | + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + sudo cp -r "${build_dir}" "kata-build" + env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@v2 + with: + name: kata-artifacts + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + if-no-files-found: error + + create-kata-tarball: + runs-on: ubuntu-latest + needs: build-asset + steps: + - uses: actions/checkout@v2 + - name: get-artifacts + uses: actions/download-artifact@v2 + with: + name: kata-artifacts + path: kata-artifacts + - name: merge-artifacts + run: | + ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts + - name: store-artifacts + uses: actions/upload-artifact@v2 + with: + name: kata-static-tarball + path: kata-static.tar.xz + + kata-deploy: + needs: create-kata-tarball runs-on: ubuntu-latest steps: - - name: get-PR-ref - id: get-PR-ref - run: | - ref=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.pull_request.url' | sed 's#^.*\/pulls#refs\/pull#' | sed 's#$#\/merge#') - echo "reference for PR: " ${ref} - echo "##[set-output name=pr-ref;]${ref}" - - - name: check out - uses: actions/checkout@v2 + - uses: actions/checkout@v2 + - name: get-kata-tarball + uses: 
actions/download-artifact@v2 with: - ref: ${{ steps.get-PR-ref.outputs.pr-ref }} - - - name: build-container-image - id: build-container-image + name: kata-static-tarball + - name: build-and-push-kata-deploy-ci + id: build-and-push-kata-deploy-ci run: | - PR_SHA=$(git log --format=format:%H -n1) - VERSION="2.0.0" - ARTIFACT_URL="https://github.com/kata-containers/kata-containers/releases/download/${VERSION}/kata-static-${VERSION}-x86_64.tar.xz" - wget "${ARTIFACT_URL}" -O tools/packaging/kata-deploy/kata-static.tar.xz - docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t katadocker/kata-deploy-ci:${PR_SHA} -t quay.io/kata-containers/kata-deploy-ci:${PR_SHA} ./tools/packaging/kata-deploy - docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }} - docker push katadocker/kata-deploy-ci:$PR_SHA - docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io - docker push quay.io/kata-containers/kata-deploy-ci:$PR_SHA - echo "##[set-output name=pr-sha;]${PR_SHA}" - + tag=$(echo $GITHUB_REF | cut -d/ -f3-) + pushd $GITHUB_WORKSPACE + git checkout $tag + pkg_sha=$(git rev-parse HEAD) + popd + mv kata-static.tar.xz $GITHUB_WORKSPACE/tools/packaging/kata-deploy/kata-static.tar.xz + docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t quay.io/kata-containers/kata-deploy-ci:$pkg_sha $GITHUB_WORKSPACE/tools/packaging/kata-deploy + docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io + docker push quay.io/kata-containers/kata-deploy-ci:$pkg_sha + mkdir -p packaging/kata-deploy + ln -s $GITHUB_WORKSPACE/tools/packaging/kata-deploy/action packaging/kata-deploy/action + echo "::set-output name=PKG_SHA::${pkg_sha}" - name: test-kata-deploy-ci-in-aks - uses: ./tools/packaging/kata-deploy/action + uses: ./packaging/kata-deploy/action with: - packaging-sha: ${{ steps.build-container-image.outputs.pr-sha }} + packaging-sha: 
${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} env: - PKG_SHA: ${{ steps.build-container-image.outputs.pr-sha }} + PKG_SHA: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} AZ_APPID: ${{ secrets.AZ_APPID }} AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }} AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} From 3542cba8f3f1aec2f5e171aacb2733690953d9d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 22 Nov 2021 18:29:26 +0100 Subject: [PATCH 2/3] workflows: Add back the checks for running test-kata-deploy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit 3c9ae7f made /test_kata_deploy run against HEAD, but it also mistakenly removed all the checks that ensure /test_kata_deploy only runs when explicitly called. Mea culpa on this, and let's add the tests back. Fixes: #3101 Signed-off-by: Fabiano FidĂȘncio (cherry picked from commit a7c08aa4b6f3192ebf5e25bf14f79e55139da20e)
--- .github/workflows/kata-deploy-test.yaml | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/kata-deploy-test.yaml b/.github/workflows/kata-deploy-test.yaml
index 343fc6701..548b30959 100644
--- a/.github/workflows/kata-deploy-test.yaml
+++ b/.github/workflows/kata-deploy-test.yaml
@@ -6,6 +6,11 @@ name: test-kata-deploy jobs: build-asset: + if: | github.event.issue.pull_request && github.event_name == 'issue_comment' && github.event.action == 'created' && startsWith(github.event.comment.body, '/test_kata_deploy') runs-on: ubuntu-latest strategy: matrix: From 2667e0286a89e566a6818d7ea0c52c4bbc8b83d1 Mon Sep 17 00:00:00 2001 
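Review bot: In build-and-push-kata-deploy-ci, `git checkout $tag` derives `tag` from `GITHUB_REF`, and for an `issue_comment` trigger that ref should be the repository's default branch, so the image built and tested in AKS appears to come from the default-branch tip rather than from the commented-on PR (the removed get-PR-ref step resolved `refs/pull/N/merge` for exactly this). If the intent of `/test_kata_deploy` is to exercise the PR's own changes, the job needs to resolve that merge ref again and pass it as `ref:` to `actions/checkout@v2`; the `on:` block that selects the trigger is outside the hunk. Separately, `docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io` places the registry password on the command line of a process on the runner; prefer `echo "${QUAY_PASSWORD}" | docker login -u "${QUAY_USER}" --password-stdin quay.io` with both values supplied through the step's `env:` block rather than interpolated into the script. While there, double-quote the `$tag` and `$GITHUB_WORKSPACE` expansions, which are currently unquoted.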
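Review bot: The re-added `if:` on `build-asset` gates `create-kata-tarball` and `kata-deploy` only indirectly, through their `needs:` chain, and `kata-deploy` is the job that logs into quay.io and receives the AZ_* secrets; nothing in the file records that this single condition is what keeps those jobs from running on every comment. A comment above the condition would stop a later edit from adding a job, or an `if: always()`, that bypasses the check: `# Gate for the whole workflow: every other job must (transitively) need this one, so it is skipped unless /test_kata_deploy was commented on a PR.` The `jobs:` mapping continues past the hunk.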
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 26 Nov 2021 09:08:02 +0100 Subject: [PATCH 3/3] workflows: only allow org members to run `/test_kata_deploy` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's take advantage of the "is-organization-member" action and only allow members who are part of the `kata-containers` organization to trigger `/test_kata_deploy`. One caveat with this approach is that for the user to be considered as part of an organization, they **must** have their "Organization Visibility" configured as Public (and I think the default is Private). This was found out and suggested by @jcvenegas! Fixes: #3130 Signed-off-by: Fabiano FidĂȘncio (cherry picked from commit 5e7c1a290ff27da31201474a3b1b5d19e5bb78e5)
--- .github/workflows/kata-deploy-test.yaml | 27 ++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/kata-deploy-test.yaml b/.github/workflows/kata-deploy-test.yaml
index 548b30959..4dce7b2f3 100644
--- a/.github/workflows/kata-deploy-test.yaml
+++ b/.github/workflows/kata-deploy-test.yaml 
@@ -5,13 +5,38 @@ on: name: test-kata-deploy jobs: - build-asset: + check-comment-and-membership: + runs-on: ubuntu-latest if: | github.event.issue.pull_request && github.event_name == 'issue_comment' && github.event.action == 'created' && startsWith(github.event.comment.body, '/test_kata_deploy') + steps: + - name: Check membership + uses: kata-containers/is-organization-member@1.0.1 + id: is_organization_member + with: + organization: kata-containers + username: ${{ github.event.comment.user.login }} + token: ${{ secrets.GITHUB_TOKEN }} + - name: Fail if not member + run: | + result=${{ steps.is_organization_member.outputs.result }} + if [ $result == false ]; then + user=${{ github.event.comment.user.login }} + echo Either ${user} is not part of the kata-containers organization + echo or ${user} has its Organization Visibility set to Private at + echo https://github.com/orgs/kata-containers/people?query=${user} + echo + echo Ensure you change your Organization Visibility to Public and + echo trigger the test again. + exit 1 + fi + + build-asset: runs-on: ubuntu-latest + needs: check-comment-and-membership strategy: matrix: asset:
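Review bot: The membership gate in `Fail if not member` fails open: `if [ $result == false ]` rejects only the literal string `false`, so an empty or missing `result` (the action erroring out, or the `secrets.GITHUB_TOKEN` not being permitted to read membership) makes the unquoted test expression fail inside the `if` condition, which errexit does not catch, and the step passes and lets `build-asset` and the secret-bearing `kata-deploy` job run. Invert it to accept nothing but an explicit `true`: `if [ "${result}" != "true" ]; then`. The `${{ steps.is_organization_member.outputs.result }}` and `${{ github.event.comment.user.login }}` expressions are also interpolated straight into the `run:` script; supplying them through the step's `env:` (for example `IS_MEMBER` and `COMMENT_USER`) and reading `"${IS_MEMBER}"` keeps expression values out of the shell text even though a login is a constrained value. `[ … == … ]` is a bash extension, which works with the default shell on ubuntu-latest but is worth pinning with `shell: bash`.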