From 45b4ddd728db045c10a58e0434a54801b182966b Mon Sep 17 00:00:00 2001
From: Vincent Demeester
Date: Fri, 20 Dec 2024 08:17:19 +0100
Subject: [PATCH 1/2] .github/workflows: backport e2e workflows

This commit backports the e2e workflows from the mani branch as we move from prow jobs to these.

Signed-off-by: Vincent Demeester
---
.github/workflows/chatops_retest.yaml | 81 +++++++++++++++++
.github/workflows/dependency-review.yml | 29 +++++++
.github/workflows/e2e-matrix.yml | 110 ++++++++++++++++++++++++
.github/workflows/slash.yml | 41 +++++++++
4 files changed, 261 insertions(+)
create mode 100644 .github/workflows/chatops_retest.yaml
create mode 100644 .github/workflows/dependency-review.yml
create mode 100644 .github/workflows/e2e-matrix.yml
create mode 100644 .github/workflows/slash.yml
diff --git a/.github/workflows/chatops_retest.yaml b/.github/workflows/chatops_retest.yaml
new file mode 100644
index 00000000000..8a2462b7b16
--- /dev/null
+++ b/.github/workflows/chatops_retest.yaml
@@ -0,0 +1,81 @@
+# The _chatops_retest workflow reruns failed GHA for a PR
+#
+# This workflow is triggered by leaving a "/retest" comment on
+# a pull request. If the required preconditions are met, it will
+# rerun failed GitHub actions checks on that PR
+#
+# Condition for the "/retest" command are:
+# - either the issuer is a maintainer
+# - or the issuer is the owner the PR
+
+name: Rerun Failed Actions
+on:
+ repository_dispatch:
+ types: [retest-command]
+
+jobs:
+ retest:
+ name: Rerun Failed Actions
+ runs-on: ubuntu-latest
+ steps:
+ - name: Show Environment Variables
+ run: env
+ - name: Show Github Object
+ run: |
+ cat <<'EOF'
+ ${{ toJson(github) }}
+ EOF
+ - name: Show Github Event Path Json
+ run: 'cat $GITHUB_EVENT_PATH || true'
+ - name: Rerun Failed Actions
+ run: |
+ echo '::group:: Get the PR commit sha'
+ # Get the sha of the HEAD commit in the PR
+ GITHUB_COMMIT_SHA=$(gh api $(echo ${GITHUB_PULL_URL#https://api.github.com/}) | \
+ jq -r .head.sha)
+ echo GITHUB_COMMIT_SHA=${GITHUB_COMMIT_SHA}
+ echo '::endgroup::'
+
+ echo '::group:: Get the list of run IDs'
+ # Get a list of run IDs
+ RUN_IDS=$(gh api repos/${GITHUB_REPO}/commits/${GITHUB_COMMIT_SHA}/check-runs | \
+ jq -r '.check_runs[] | select(.name != "Rerun Failed Actions") | .html_url | capture("/runs/(?[0-9]+)/job") | .number' | \
+ sort -u)
+ echo RUN_IDS=${RUN_IDS}
+ echo '::endgroup::'
+
+ echo '::group:: Rerun failed runs'
+ # For each run, retrigger faild jobs
+ for runid in ${RUN_IDS}; do
+ echo Restarting run ${runid} for commit ${GITHUB_COMMIT_SHA}
+ gh run \
+ --repo ${GITHUB_REPO} \
+ rerun ${runid} \
+ --failed || true
+ done
+ echo '::endgroup::'
+ env:
+ GITHUB_TOKEN: ${{ secrets.CHATOPS_TOKEN }}
+ GITHUB_REPO: ${{ github.event.client_payload.github.payload.repository.full_name }}
+ GITHUB_PULL_URL: ${{ github.event.client_payload.github.payload.issue.pull_request.url }}
+
+ - name: Create comment
+ if: ${{ failure() && steps.landStack.outcome == 'failure' }}
+ uses: peter-evans/create-or-update-comment@v4
+ with:
+ token: ${{ secrets.CHATOPS_TOKEN }}
+ repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+ issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
+ body: |
+ Something went wrong with your `/${{ github.event.client_payload.slash_command.command }}` command: [please check the logs][1].
+
+ [1]: ${{ steps.vars.outputs.run-url }}
+
+ - name: Add reaction
+ if: ${{ success() }}
+ uses: peter-evans/create-or-update-comment@v4
+ with:
+ token: ${{ secrets.CHATOPS_TOKEN }}
+ repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+ comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
+ reactions: hooray
\ No newline at end of file
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000000..bb377e05999
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,29 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+ with:
+ fail-on-severity: low
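Review bot: In chatops_retest.yaml the "Show Github Object" step pastes `${{ toJson(github) }}` directly into the script text, so the dispatched `client_payload` (which appears to carry the triggering comment) becomes part of the shell source before bash runs; the quoted `'EOF'` stops shell expansion but does not confine the content to the heredoc. Pass the context through the environment instead, `env: GITHUB_CONTEXT: ${{ toJson(github) }}` with `run: printf '%s\n' "$GITHUB_CONTEXT"`, and consider dropping the `run: env` dump in a job that also handles `secrets.CHATOPS_TOKEN`. Separately, the "Create comment" step tests `steps.landStack.outcome` and links `steps.vars.outputs.run-url`, but no step in this workflow declares `id: landStack` or `id: vars`, so the failure comment cannot fire as written. Both `peter-evans/create-or-update-comment@v4` uses receive that token through a movable tag, whereas dependency-review.yml in the same patch pins its actions by commit SHA.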
diff --git a/.github/workflows/e2e-matrix.yml b/.github/workflows/e2e-matrix.yml
new file mode 100644
index 00000000000..2b56a80029a
--- /dev/null
+++ b/.github/workflows/e2e-matrix.yml
@@ -0,0 +1,110 @@
+name: Tekton Integration
+# Adapted from https://github.com/mattmoor/mink/blob/master/.github/workflows/minkind.yaml
+
+on:
+ pull_request:
+ branches: [ main ]
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ e2e-tests:
+ name: e2e tests
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false # Keep running if one leg fails.
+ matrix:
+ k8s-name:
+ - k8s-oldest
+ - k8s-plus-one
+
+ feature-flags:
+ - stable
+ - beta
+ - alpha
+ # - prow-feature-flags - this is tested today as a periodic job, but we could integrate it here
+
+ include:
+ - k8s-name: k8s-oldest
+ k8s-version: v1.28.x
+ - k8s-name: k8s-plus-one
+ k8s-version: v1.29.x
+ - feature-flags: stable
+ env-file: prow
+ - feature-flags: alpha
+ env-file: prow-alpha
+ - feature-flags: beta
+ env-file: prow-beta
+ env:
+ GOPATH: ${{ github.workspace }}
+ GO111MODULE: on
+ KO_DOCKER_REPO: registry.local:5000/tekton
+ CLUSTER_DOMAIN: c${{ github.run_id }}.local
+ ARTIFACTS: ${{ github.workspace }}/artifacts
+
+ steps:
+ - name: Check out code onto GOPATH
+ uses: actions/checkout@v4
+ with:
+ path: ${{ github.workspace }}/src/github.com/tektoncd/pipeline
+
+
+ - name: Set up Go 1.22
+ uses: actions/setup-go@v5
+ with:
+ go-version: 1.22.5
+
+ - name: Install Dependencies
+ working-directory: ./
+ run: |
+ echo '::group:: install ko'
+ curl -L https://github.com/ko-build/ko/releases/download/v0.15.4/ko_0.15.4_Linux_x86_64.tar.gz | tar xzf - ko
+ chmod +x ./ko
+ sudo mv ko /usr/local/bin
+ echo '::endgroup::'
+
+ echo '::group:: install go-junit-report'
+ go install github.com/jstemmer/go-junit-report@v0.9.1
+ echo '::endgroup::'
+
+ echo '::group:: created required folders'
+ mkdir -p "${ARTIFACTS}"
+ echo '::endgroup::'
+
+ echo "${GOPATH}/bin" >> "$GITHUB_PATH"
+
+ - name: Run tests
+ working-directory: ${{ github.workspace }}/src/github.com/tektoncd/pipeline
+ run: |
+ ./hack/setup-kind.sh \
+ --registry-url $(echo ${KO_DOCKER_REPO} | cut -d'/' -f 1) \
+ --cluster-suffix c${{ github.run_id }}.local \
+ --nodes 3 \
+ --k8s-version ${{ matrix.k8s-version }} \
+ --e2e-script ./test/e2e-tests.sh \
+ --e2e-env ./test/e2e-tests-kind-${{ matrix.env-file }}.env
+
+ - name: Upload test results
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ matrix.k8s-version }}-${{ matrix.feature-flags }}
+ path: ${{ env.ARTIFACTS }}
+
+ - uses: chainguard-dev/actions/kind-diag@main
+ if: ${{ failure() }}
+ with:
+ artifact-name: ${{ matrix.k8s-version }}-${{ matrix.feature-flags }}-logs
+
+ - name: Dump Artifacts
+ if: ${{ failure() }}
+ run: |
+ if [[ -d ${{ env.ARTIFACTS }} ]]; then
+ cd ${{ env.ARTIFACTS }}
+ for x in $(find . -type f); do
+ echo "::group:: artifact $x"
+ cat $x
+ echo '::endgroup::'
+ done
+ fi
\ No newline at end of file
diff --git a/.github/workflows/slash.yml b/.github/workflows/slash.yml
new file mode 100644
index 00000000000..d8b7ae2657c
--- /dev/null
+++ b/.github/workflows/slash.yml
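Review bot: In e2e-matrix.yml the "Install Dependencies" step pipes the ko release tarball from `curl -L` straight into `tar` and then moves the binary into /usr/local/bin with sudo, with no digest check and no `-f`, so a tampered or truncated download is not detected before the binary is installed and used to build the test images. Download to a file, verify it against a SHA-256 pinned in the workflow, and only then extract, as sketched below; the digest shown is a placeholder to be filled from the checksums published with the release. In the same file `chainguard-dev/actions/kind-diag@main` tracks a branch and the other actions use tags, while dependency-review.yml in this patch pins by commit SHA. The workflow also declares no `permissions:` block, so adding `permissions:` with `contents: read` would keep the job token at the minimum the visible steps appear to need.

```yaml
        run: |
          echo '::group:: install ko'
          KO_TARBALL=ko_0.15.4_Linux_x86_64.tar.gz
          curl -fsSLO "https://github.com/ko-build/ko/releases/download/v0.15.4/${KO_TARBALL}"
          # KO_TARBALL_SHA256_PLACEHOLDER is a placeholder, not a real digest
          echo "KO_TARBALL_SHA256_PLACEHOLDER  ${KO_TARBALL}" | sha256sum --check --strict -
          tar xzf "${KO_TARBALL}" ko
          # … unchanged: chmod, sudo mv, go-junit-report install, artifacts folder, GITHUB_PATH …
```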
@@ -0,0 +1,41 @@
+# The slash workflow handles slash commands
+#
+# Slash commands are given through comments on pull requests
+# and may be used only by individuals with "write" access to
+# the repository (i.e. maintainers).
+#
+# Slash commands must be placed at the very beginning of the
+# first line of a comment. More details are available in the
+# action docs: https://github.com/peter-evans/slash-command-dispatch/tree/main?tab=readme-ov-file#how-comments-are-parsed-for-slash-commands
+#
+# The workflow looks for and dispatches to another workflow
+# named -command which must exist in the repository.
+#
+# Supported commands:
+# - /land: invokes the land-command workflow, to land (merge) PRs
+# stacked through ghstack
+#
+# When a command is recognised, the rocket and eyes emojis are added
+
+name: Slash Command Routing
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ check_comments:
+ runs-on: ubuntu-latest
+ steps:
+ - name: route-land
+ uses: peter-evans/slash-command-dispatch@v4
+ with:
+ token: ${{ secrets.CHATOPS_TOKEN }}
+ config: >
+ [
+ {
+ "command": "retest",
+ "permission": "write",
+ "issue_type": "pull-request",
+ "repository": "tektoncd/pipeline"
+ }
+ ]
\ No newline at end of file
From a49a7c0b62b1e9bdbcc6237e5818e95ee4964548 Mon Sep 17 00:00:00 2001
From: Vincent Demeester
Date: Fri, 3 Jan 2025 12:50:04 +0100
Subject: [PATCH 2/2] .github/workflows: run on the "current" pull_request

Signed-off-by: Vincent Demeester
---
.github/workflows/e2e-matrix.yml | 6 +-
hack/setup-kind.sh | 328 +++++++++++++++++++++++++++++++
2 files changed, 330 insertions(+), 4 deletions(-)
create mode 100755 hack/setup-kind.sh
diff --git a/.github/workflows/e2e-matrix.yml b/.github/workflows/e2e-matrix.yml
index 2b56a80029a..06d6d759500 100644
--- a/.github/workflows/e2e-matrix.yml
+++ b/.github/workflows/e2e-matrix.yml
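Review bot: slash.yml runs on every `issue_comment` and hands `secrets.CHATOPS_TOKEN` to `peter-evans/slash-command-dispatch@v4`, which is referenced by a movable tag; pinning it to a commit SHA with the version in a trailing comment, as dependency-review.yml in this patch does, and adding a top-level `permissions:` block limited to what the workflow's own token needs would narrow what a changed tag could reach. The header comment is also out of step with the config: it lists `/land` and the step is named `route-land`, while the only routed command is `retest`, and chatops_retest.yaml says the PR owner may issue `/retest` although `"permission": "write"` is required here. I would replace the "Supported commands" entry with `# - /retest: dispatches retest-command to rerun failed checks on the PR` and rename the step to `route-retest`.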
@@ -1,9 +1,7 @@ name: Tekton Integration # Adapted from https://github.com/mattmoor/mink/blob/master/.github/workflows/minkind.yaml -on: - pull_request: - branches: [ main ] +on: [ pull_request ] defaults: run: @@ -107,4 +105,4 @@ jobs: cat $x echo '::endgroup::' done - fi \ No newline at end of file + fi diff --git a/hack/setup-kind.sh b/hack/setup-kind.sh new file mode 100755 index 00000000000..e6948140883 --- /dev/null +++ b/hack/setup-kind.sh 
@@ -0,0 +1,328 @@ +#!/usr/bin/env bash + +# Copyright 2021 The Tekton Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Attribution: +# Adapted for Tekton from https://github.com/mattmoor/mink/blob/master/hack/setup-kind.sh + +set -o errexit +set -o nounset +set -o pipefail +set -x + +# Print error message and exit 1 +# Parameters: $1..$n - error message to be displayed +function abort() { + echo "error: $*" + exit 1 +} + +# Defaults +K8S_VERSION="v1.28.x" +REGISTRY_NAME="registry.local" +REGISTRY_PORT="5000" +CLUSTER_SUFFIX="cluster.local" +NODE_COUNT="1" +REGISTRY_AUTH="0" +ESTARGZ_SUPPORT="0" +E2E_SCRIPT="test/e2e-tests.sh" +E2E_ENV="" + +while [[ $# -ne 0 ]]; do + parameter="$1" + case "${parameter}" in + --k8s-version) + shift + K8S_VERSION="$1" + ;; + --registry-url) + shift + REGISTRY_NAME="$(echo "$1" | cut -d':' -f 1)" + REGISTRY_PORT="$(echo "$1" | cut -d':' -f 2)" + ;; + --cluster-suffix) + shift + CLUSTER_SUFFIX="$1" + ;; + --nodes) + shift + NODE_COUNT="$1" + ;; + --authenticated-registry) + REGISTRY_AUTH="1" + ;; + --e2e-script) + shift + E2E_SCRIPT="$1" + ;; + --e2e-env) + shift + E2E_ENV="$1" + ;; + *) abort "unknown option ${parameter}" ;; + esac + shift +done + +# If E2E_ENV is set but the file doesn't exist, fall back on the old approach of invoking presubmit-tests.sh directly. +if [[ "${E2E_ENV}" != "" && ! -f "${E2E_ENV}" ]]; then + ./test/presubmit-tests.sh --integration-tests + exit $? 
+fi + +# The version map correlated with this version of KinD +case ${K8S_VERSION} in + v1.25.x) + K8S_VERSION="1.25.16" + KIND_IMAGE_SHA="sha256:5da57dfc290ac3599e775e63b8b6c49c0c85d3fec771cd7d55b45fae14b38d3b" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + v1.26.x) + K8S_VERSION="1.26.15" + KIND_IMAGE_SHA="sha256:84333e26cae1d70361bb7339efb568df1871419f2019c80f9a12b7e2d485fe19" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + v1.27.x) + K8S_VERSION="1.27.13" + KIND_IMAGE_SHA="sha256:17439fa5b32290e3ead39ead1250dca1d822d94a10d26f1981756cd51b24b9d8" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + v1.28.x) + K8S_VERSION="1.28.9" + KIND_IMAGE_SHA="sha256:dca54bc6a6079dd34699d53d7d4ffa2e853e46a20cd12d619a09207e35300bd0" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + v1.29.x) + K8S_VERSION="1.29.4" + KIND_IMAGE_SHA="sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + v1.30.x) + K8S_VERSION="1.30.0" + KIND_IMAGE_SHA="sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a794b52890dd8bcd692e" + KIND_IMAGE="kindest/node:${K8S_VERSION}@${KIND_IMAGE_SHA}" + ;; + *) abort "Unsupported version: ${K8S_VERSION}" ;; +esac + +############################################################# +# +# Setup KinD cluster. +# +############################################################# +echo '--- Setup KinD Cluster' + +cat > kind.yaml <> kind.yaml <> kind.yaml < "${AUTH_DIR}/htpasswd" + + # Run a registry protected with htpasswd + EXTRA_ARGS=( + -v "${AUTH_DIR}:/auth" + -e "REGISTRY_AUTH=htpasswd" + -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" + -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" + ) + +fi + +docker run -d --restart=always \ + "${EXTRA_ARGS[@]}" \ + -p "$REGISTRY_PORT:$REGISTRY_PORT" --name "$REGISTRY_NAME" registry:2 + +# Connect the registry to the KinD network. 
+docker network connect "kind" "$REGISTRY_NAME" + +# Make the $REGISTRY_NAME -> 127.0.0.1, to tell `ko` to publish to +# local reigstry, even when pushing $REGISTRY_NAME:$REGISTRY_PORT/some/image +echo "127.0.0.1 $REGISTRY_NAME" | sudo tee -a /etc/hosts + +# Create a registry-credentials secret and attach it to the list of service accounts in the namespace. +function sa_ips() { + local ns="${1}" + shift + + # Create a secret resource with the contents of the docker auth configured above. + kubectl -n "${ns}" create secret generic registry-credentials \ + --from-file=.dockerconfigjson=${HOME}/.docker/config.json \ + --type=kubernetes.io/dockerconfigjson + + for sa in "${@}" ; do + # Ensure the service account exists. + kubectl -n "${ns}" create serviceaccount "${sa}" || true + + # Attach the secret resource to the service account in the namespace. + kubectl -n "${ns}" patch serviceaccount "${sa}" -p '{"imagePullSecrets": [{"name": "registry-credentials"}]}' + done +} + +if [[ "${REGISTRY_AUTH}" == "1" ]]; then + + # This will create ~/.docker/config.json + docker login "http://$REGISTRY_NAME:$REGISTRY_PORT/v2/" -u "${USERNAME}" -p "${PASSWORD}" + + sa_ips "default" "default" +fi + +export KO_DOCKER_REPO=kind.local + +echo '--- Debug file system' +pwd +ls -al + + +if [[ "${E2E_SCRIPT}" == "" ]]; then + echo "Nothing else to do" + exit 0 +else + if [[ "${E2E_ENV}" != "" ]]; then + set -o allexport + source "${E2E_ENV}" + set +o allexport + fi + "${E2E_SCRIPT}" +fi
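Review bot: With `set -x` enabled at the top of hack/setup-kind.sh, the `docker login ... -u "${USERNAME}" -p "${PASSWORD}"` call in the authenticated-registry branch writes the expanded password into the job log and puts it on the process command line. Turn tracing off around that block and feed the secret on stdin: `set +x`, then `docker login "http://$REGISTRY_NAME:$REGISTRY_PORT/v2/" -u "${USERNAME}" --password-stdin <<<"${PASSWORD}"`, then `set -x`. Where USERNAME and PASSWORD are assigned is not readable in this rendering of the hunk (the heredoc bodies are missing), so the same care presumably applies to the htpasswd generation if it runs under tracing. The registry container is also started from the mutable tag `registry:2`, while the KinD node images in the version map are pinned by sha256 digest; pinning the registry image the same way would keep the cluster setup reproducible.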