Various daily checks #775
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Various daily checks" | |
on: | |
schedule: | |
- cron: '34 4 * * *' | |
permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | |
contents: read | |
env: | |
CLANG_VERSION: '12' | |
jobs: | |
el7-devtoolset: | |
if: ${{ vars.SCHEDULED_MISC_DAILIES }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Check whether a newer devtoolset exists | |
run: | | |
if docker run --rm centos:7 bash -c 'yum install -y centos-release-scl-rh && yum info devtoolset-12-gcc-c++' | |
then | |
echo "::warning file=builder-support/dockerfiles/Dockerfile.rpmbuild::A newer devtoolset exists. Please edit builder-support/dockerfiles/Dockerfile.rpmbuild, builder-support/dockerfiles/Dockerfile.rpmbuild, and .github/workflows/dailies.yml" | |
exit 1 | |
else | |
echo "::notice ::No newer devtoolset exists (good)" | |
exit 0 | |
fi | |
check-debian-autoremovals: | |
if: ${{ vars.SCHEDULED_MISC_DAILIES }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 5 | |
submodules: recursive | |
- name: Check if Debian is about to toss us off a balcony | |
run: ./build-scripts/check-debian-autoremovals.py | |
coverity-auth: | |
name: coverity scan of the auth | |
if: ${{ vars.SCHEDULED_MISC_DAILIES }} | |
uses: PowerDNS/pdns/.github/workflows/coverity.yml@master | |
with: | |
product: 'authoritative' | |
secrets: | |
COVERITY_TOKEN: ${{ secrets.coverity_auth_token }} | |
COVERITY_EMAIL: ${{ secrets.coverity_email }} | |
coverity-dnsdist: | |
name: coverity scan of dnsdist | |
if: ${{ vars.SCHEDULED_MISC_DAILIES }} | |
uses: PowerDNS/pdns/.github/workflows/coverity.yml@master | |
with: | |
product: 'dnsdist' | |
secrets: | |
COVERITY_TOKEN: ${{ secrets.coverity_dnsdist_token }} | |
COVERITY_EMAIL: ${{ secrets.coverity_email }} | |
coverity-rec: | |
name: coverity scan of the rec | |
if: ${{ vars.SCHEDULED_MISC_DAILIES }} | |
uses: PowerDNS/pdns/.github/workflows/coverity.yml@master | |
with: | |
product: 'recursor' | |
secrets: | |
COVERITY_TOKEN: ${{ secrets.coverity_rec_token }} | |
COVERITY_EMAIL: ${{ secrets.coverity_email }} | |
# The jobs below check that only the pinned version of Python3 packages are installed with pip. Running in a container, a | |
# pip proxy registers all requests for installing packages with pip. Then, the downloaded packages and their versions are compared | |
# with the list used for the installation (i.e. docs/requirements.txt, pdns/recursordist/docs/requirements.txt, etc). If a package | |
# is missing or a version does not match the one expected, this job fails, which makes the workflow fail. | |
# | |
# The pinned version plus hashes are generated using pip-compile using an input file that includes the original list of packages | |
# (pip-compile --generate-hashes -U requirements.in). "pip-compile" can be installed via pip-tools with Python 3.11, which is the version | |
# used in the CI. Any other Python version would end up with different versions for packages and could result in workflow failures. | |
# | |
# One recurring error thrown by this validation is when a new version of a pinned package is released for a "setup-requires" dependency | |
# of one of the packages in the list (see https://github.com/PowerDNS/pdns/pull/14596). The package version in “requirements.in” should | |
# be modified to solve this issue. In some cases, it is enough to generate again the list of packages, making sure to add the -U flag | |
# to force the upgrade: "pip-compile --generate-hashes -U requirements.in" (this could include upgrading other packages). | |
list-pip-requirement-files: | |
if: ${{ vars.SCHEDULED_MISC_DAILIES }} | |
runs-on: ubuntu-22.04 | |
outputs: | |
req-files: ${{ steps.get-list-requirements.outputs.files }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get all requirements.txt files and export them as outputs | |
id: get-list-requirements | |
run: | | |
echo "files=$(find . -name 'requirements.txt' | jq -R -s -c 'split("\n")[:-1]')" >> "$GITHUB_OUTPUT" | |
validate-pip-hashes: | |
if: ${{ vars.SCHEDULED_MISC_DAILIES }} | |
name: ${{ matrix.requirements-file }} - Validate list of packages and hashes | |
runs-on: ubuntu-22.04 | |
needs: list-pip-requirement-files | |
env: | |
SERVICE_IP_ADDR: 127.0.0.1 | |
services: | |
database: | |
image: epicwink/proxpi | |
ports: | |
- 5000:5000 | |
options: >- | |
--restart always | |
strategy: | |
fail-fast: false | |
matrix: | |
requirements-file: ${{ fromJson(needs.list-pip-requirement-files.outputs.req-files) }} | |
steps: | |
- run: echo "${{ matrix.requirements-file }}" | |
- uses: PowerDNS/pdns/set-ubuntu-mirror@meta | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: '3.11' | |
# Configure pip index-url set to proxpi | |
- run: pip config set global.index-url http://${{ env.SERVICE_IP_ADDR }}:5000/index/ | |
- run: pip config set global.trusted-host ${{ env.SERVICE_IP_ADDR }} | |
- id: proxpi-docker | |
run: echo "id=$(docker ps | grep "epicwink/proxpi" | awk '{print $1}')" >> "$GITHUB_OUTPUT" | |
- run: pip install -r ${{ matrix.requirements-file }} | |
- name: Get the list of packages requested to the pip proxy | |
run: | | |
docker logs ${{ steps.proxpi-docker.outputs.id }} 2>&1 | grep whl | awk '{print $8}' | cut -d "/" -f 4 | awk -F'-' '{print $1"=="$2}' | sort -u --ignore-case | sed 's/_/-/' | egrep -v "pip==|setuptools==|wheel==|setuptools-git==" > /tmp/proxpi.log | |
cat /tmp/proxpi.log | |
- name: check only listed packages were installed | |
run: for i in `cat /tmp/proxpi.log`; do grep -qq -i $i ${{ matrix.requirements-file }} || ( echo "$i not found" && exit 1 ); done |