Migrate to new infrastructure, use OIDC authentication, use sub-workf…

…lows
fullstaq-ruby · Aug 9, 2024 · a1d3a1f · a1d3a1f
1 parent af4de40
commit a1d3a1f
Show file tree

Hide file tree

Showing 20 changed files with 12,407 additions and 9,411 deletions.
diff --git a/.github/workflows/ci-cd-build-packages-1.yml b/.github/workflows/ci-cd-build-packages-1.yml
diff --git a/.github/workflows/ci-cd-build-packages-2.yml b/.github/workflows/ci-cd-build-packages-2.yml
diff --git a/.github/workflows/ci-cd-build-packages-3.yml b/.github/workflows/ci-cd-build-packages-3.yml
diff --git a/.github/workflows/ci-cd-build-packages-4.yml b/.github/workflows/ci-cd-build-packages-4.yml
diff --git a/.github/workflows/ci-cd-build-packages.yml.erb b/.github/workflows/ci-cd-build-packages.yml.erb
diff --git a/.github/workflows/ci-cd-main.yml b/.github/workflows/ci-cd-main.yml
diff --git a/.github/workflows/ci-cd-main.yml.erb b/.github/workflows/ci-cd-main.yml.erb
diff --git a/.github/workflows/ci-cd-prepare.yml b/.github/workflows/ci-cd-prepare.yml
diff --git a/.github/workflows/ci-cd-prepare.yml.erb b/.github/workflows/ci-cd-prepare.yml.erb
diff --git a/.github/workflows/ci-cd-publish-test-production.yml b/.github/workflows/ci-cd-publish-test-production.yml
diff --git a/.github/workflows/ci-cd-publish-test-production.yml.erb b/.github/workflows/ci-cd-publish-test-production.yml.erb
@@ -3,95 +3,48 @@
 name: 'CI/CD: publish & test against production repos'
 
 on:
-  workflow_dispatch:
+  workflow_call:
     inputs:
       ci_artifacts_run_number:
-        required: false
-      check_id:
-        required: false
+        required: true
+        type: string
+      necessary_jobs:
+        required: true
+        type: string
 
 env:
-  GCLOUD_PROJECT: fullstaq-ruby
-  CI_ARTIFACTS_BUCKET: fullstaq-ruby-server-edition-ci-artifacts
-  CI_ARTIFACTS_RUN_NUMBER: ${{ github.event.inputs.ci_artifacts_run_number || github.run_number }}
+  CI_ARTIFACTS_RUN_NUMBER: ${{ inputs.ci_artifacts_run_number || github.run_number }}
 
 jobs:
-  # Determines which jobs should be run, or (in case this is a re-run)
-  # which jobs can be skipped this time because the last run succeeded.
-  # We determine this by checking whether the artifacts produced by jobs
-  # exist in this run.
-  determine_necessary_jobs:
-    name: Determine necessary jobs
-    runs-on: ubuntu-22.04
-    permissions:
-      checks: write
-      packages: read
-    outputs:
-      necessary_jobs: ${{ steps.check.outputs.necessary_jobs }}
-    steps:
-      - name: Dump inputs
-        run: echo "$INPUTS"
-        env:
-          INPUTS: ${{ toJSON(github.event.inputs) }}
-
-      - name: Mark check as 'in progress'
-        uses: LouisBrunner/checks-action@3d24d4813a797720cc4e2080a50bdafb3373aef1
-        if: github.event.inputs.check_id
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          check_id: ${{ github.event.inputs.check_id }}
-          status: in_progress
-          details_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
-          output: |
-            {
-              "summary": "Packages are tested in another workflow.\n[**➜ See workflow run #${{ github.run_id }} for logs**](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})"
-            }
-
-      - uses: actions/checkout@v3
-      - name: Login to Google Cloud
-        uses: ./.github/actions/gcloud-login
-        with:
-          private_key: ${{ secrets.GCLOUD_KEY }}
-
-      - name: List artifacts built in previous try of same CI run
-        run: ./internal-scripts/ci-cd/determine-necessary-jobs/list-artifacts.sh
-
-      - name: Determine necessary jobs
-        id: check
-        run: ./internal-scripts/ci-cd/determine-necessary-jobs/determine-necessary-jobs.rb
-        env:
-          GITHUB_ACTOR: ${{ github.actor }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-
   ### Publish ###
 
   publish:
     name: Publish packages
-    # Ubuntu 24.04 runner has more free disk space than 22.04
     runs-on: ubuntu-24.04
-    environment: Production repos
+    environment: deploy
     timeout-minutes: 30
     permissions:
+      id-token: write
       packages: read
-    needs:
-      - determine_necessary_jobs
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Clean disk space
         run: ./internal-scripts/ci-cd/publish/clean-disk-space.sh
-      - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@v2'
+      - uses: azure/login@v2
         with:
-          version: '>= 363.0.0'
-      - name: Login to Google Cloud
-        uses: ./.github/actions/gcloud-login
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      - uses: google-github-actions/auth@v2
+        with:
+          project_id: ${{ vars.GCLOUD_PROJECT_ID }}
+          workload_identity_provider: projects/${{ vars.GCLOUD_PROJECT_NUM }}/locations/global/workloadIdentityPools/github-ci-deploy/providers/github-ci-deploy
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
         with:
-          private_key: ${{ secrets.GCLOUD_KEY }}
-      - name: Set Google Cloud project
-        run: gcloud config set core/project ${{ env.GCLOUD_PROJECT }}
+          version: '>= 363.0.0'
       - name: Login to Github Container Registry
         run: docker login ghcr.io -u ${{ github.actor }} --password-stdin <<<"$GITHUB_TOKEN"
         env:
@@ -107,16 +60,18 @@ jobs:
             <%= rbenv_rpm_artifact_name %>
             <%= ruby_package_artifact_names.join(' ') %>
           ARTIFACT_PATH: pkgs
+          CI_ARTIFACTS_BUCKET: ${{ vars.CI_ARTIFACTS_BUCKET }}
 
       - name: Download Docker image necessary for publishing
         run: ./internal-scripts/ci-cd/download-artifact.sh
-        if: contains(needs.determine_necessary_jobs.outputs.necessary_jobs, ';Use locally-built Docker image utility;')
+        if: contains(inputs.necessary_jobs, ';Use locally-built Docker image utility;')
         env:
           ARTIFACT_NAME: <%= docker_image_artifact_name('utility') %>
           ARTIFACT_PATH: .
+          CI_ARTIFACTS_BUCKET: ${{ vars.CI_ARTIFACTS_BUCKET }}
       - name: Load Docker image necessary for publishing
         run: ./internal-scripts/ci-cd/load-docker-image.sh
-        if: contains(needs.determine_necessary_jobs.outputs.necessary_jobs, ';Use locally-built Docker image utility;')
+        if: contains(inputs.necessary_jobs, ';Use locally-built Docker image utility;')
         env:
           TARBALL: image.tar.zst
       - name: Install Aptly
@@ -129,8 +84,8 @@ jobs:
       - name: Upload DEBs to repo
         run: ./internal-scripts/ci-cd/publish/publish-debs.rb pkgs/*/*.deb
         env:
-          PRODUCTION_REPO_BUCKET_NAME: fullstaq-ruby-server-edition-apt-repo
-          CI_ARTIFACTS_BUCKET_NAME: ${{ env.CI_ARTIFACTS_BUCKET }}
+          PRODUCTION_REPO_BUCKET_NAME: fsruby-server-edition-apt-repo
+          CI_ARTIFACTS_BUCKET_NAME: ${{ vars.CI_ARTIFACTS_BUCKET }}
           TESTING: false
           OVERWRITE_EXISTING: false
           DRY_RUN: ${{ github.ref != 'refs/heads/main' }}
@@ -139,12 +94,31 @@ jobs:
       - name: Upload RPMs to repo
         run: ./internal-scripts/ci-cd/publish/publish-rpms.rb pkgs/*/*.rpm
         env:
-          PRODUCTION_REPO_BUCKET_NAME: fullstaq-ruby-server-edition-yum-repo
-          CI_ARTIFACTS_BUCKET_NAME: ${{ env.CI_ARTIFACTS_BUCKET }}
+          PRODUCTION_REPO_BUCKET_NAME: fsruby-server-edition-yum-repo
+          CI_ARTIFACTS_BUCKET_NAME: ${{ vars.CI_ARTIFACTS_BUCKET }}
           TESTING: false
           OVERWRITE_EXISTING: false
           DRY_RUN: ${{ github.ref != 'refs/heads/main' }}
 
+      - uses: actions/github-script@v7
+        id: get-id-token
+        if: github.ref == 'refs/heads/main'
+        with:
+          script: |
+            const fs = require('fs');
+            const token = await core.getIDToken('backend.fullstaqruby.org');
+            fs.writeFileSync(
+              process.env.GITHUB_OUTPUT,
+              `id_token<<EOF\n${token}\nEOF\n`,
+              { flag: 'a' }
+            );
+
+      - name: Restart web server
+        run: ./internal-scripts/ci-cd/publish/restart-web-server.rb
+        if: github.ref == 'refs/heads/main'
+        env:
+          ID_TOKEN: ${{ steps.get-id-token.outputs.id_token }}
+
 
   ### Run tests ###
 
@@ -154,20 +128,26 @@ jobs:
   <%- unindent(2) do %>
     test_<%= slug(distribution[:name]) %>-<%= slug(ruby_package_version[:id]) %>-<%= slug(variant[:name]) %>:
       name: 'Test [<%= distribution[:name] %>/<%= ruby_package_version[:id] %>/<%= variant[:name] %>]'
-      runs-on: ubuntu-22.04
-      timeout-minutes: 30
       needs:
-        - determine_necessary_jobs
         - publish
+      runs-on: ubuntu-22.04
+      environment: test
+      timeout-minutes: 30
       if: |
         github.ref == 'refs/heads/main'
-        && contains(needs.determine_necessary_jobs.outputs.necessary_jobs, ';Test against production repo [<%= distribution[:name] %>/<%= ruby_package_version[:id] %>/<%= variant[:name] %>];')
+        && contains(inputs.necessary_jobs, ';Test against production repo [<%= distribution[:name] %>/<%= ruby_package_version[:id] %>/<%= variant[:name] %>];')
+      permissions:
+        id-token: write
       steps:
         - uses: actions/checkout@v3
-        - name: Login to Google Cloud
-          uses: ./.github/actions/gcloud-login
+        - uses: google-github-actions/auth@v2
           with:
-            private_key: ${{ secrets.GCLOUD_KEY }}
+            project_id: ${{ vars.GCLOUD_PROJECT_ID }}
+            workload_identity_provider: projects/${{ vars.GCLOUD_PROJECT_NUM }}/locations/global/workloadIdentityPools/github-ci-test/providers/github-ci-test
+        - name: Set up Cloud SDK
+          uses: google-github-actions/setup-gcloud@v2
+          with:
+            version: '>= 363.0.0'
 
         - name: Run tests
           run: ./internal-scripts/ci-cd/test-packages/run-tests.sh
@@ -188,6 +168,7 @@ jobs:
           env:
             ARTIFACT_NAME: tested-against-production-<%= distribution[:name] %>_<%= ruby_package_version[:id] %>_<%= variant[:name] %>
             ARTIFACT_PATH: mark-<%= variant[:name] %>
+            CI_ARTIFACTS_BUCKET: ${{ vars.CI_ARTIFACTS_BUCKET }}
   <%- end -%>
   <%- end -%>
   <%- end -%>
@@ -198,13 +179,11 @@ jobs:
 
   finalize:
     name: Finalize
-    runs-on: ubuntu-22.04
     environment: Github releases
     permissions:
+      id-token: write
       contents: write
-      checks: write
     needs:
-      - determine_necessary_jobs
       - publish
       <%- distributions.each do |distribution| -%>
       <%- ruby_package_versions_for_distro(distribution).each do |ruby_package_version| -%>
@@ -213,19 +192,19 @@ jobs:
       <%- end -%>
       <%- end -%>
       <%- end -%>
+    runs-on: ubuntu-24.04
     if: 'always()'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
 
       ### Check whether dependent jobs failed ###
-      # Only trigger next workflow if there are no failures.
 
-      - name: Check whether 'Determine necessary jobs' succeeded
+      - name: Check whether 'Publish packages' succeeded
         run: 'false'
-        if: needs.determine_necessary_jobs.result != 'success'
+        if: needs.publish.result != 'success'
 
       <%- distributions.each do |distribution| -%>
       <%- ruby_package_versions_for_distro(distribution).each do |ruby_package_version| -%>
@@ -236,7 +215,7 @@ jobs:
           github.ref == 'refs/heads/main'
           && needs.test_<%= slug(distribution[:name]) %>-<%= slug(ruby_package_version[:id]) %>-<%= slug(variant[:name]) %>.result != 'success'
           && (needs.test_<%= slug(distribution[:name]) %>-<%= slug(ruby_package_version[:id]) %>-<%= slug(variant[:name]) %>.result != 'skipped'
-            || contains(needs.determine_necessary_jobs.outputs.necessary_jobs, ';Test against production repo [<%= distribution[:name] %>/<%= ruby_package_version[:id] %>/<%= variant[:name] %>];'))
+            || contains(inputs.necessary_jobs, ';Test against production repo [<%= distribution[:name] %>/<%= ruby_package_version[:id] %>/<%= variant[:name] %>];'))
       <%- end -%>
       <%- end -%>
       <%- end -%>
@@ -258,30 +237,3 @@ jobs:
       - name: Push Git tag
         if: github.ref == 'refs/heads/main'
         run: git push origin epic-${{ env.NEXT_RELEASE_VERSION }}
-
-
-      ### Update own check status ###
-
-      - name: Mark check as 'success'
-        uses: LouisBrunner/checks-action@3d24d4813a797720cc4e2080a50bdafb3373aef1
-        if: 'github.event.inputs.check_id && success()'
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          check_id: ${{ github.event.inputs.check_id }}
-          conclusion: success
-
-      - name: Mark check as 'failure'
-        uses: LouisBrunner/checks-action@3d24d4813a797720cc4e2080a50bdafb3373aef1
-        if: 'github.event.inputs.check_id && failure()'
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          check_id: ${{ github.event.inputs.check_id }}
-          conclusion: failure
-
-      - name: Mark check as 'cancelled'
-        uses: LouisBrunner/checks-action@3d24d4813a797720cc4e2080a50bdafb3373aef1
-        if: 'github.event.inputs.check_id && cancelled()'
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          check_id: ${{ github.event.inputs.check_id }}
-          conclusion: cancelled