Commit 679f45c3 authored by Jean-Philippe Evrard's avatar Jean-Philippe Evrard

Cleanup github actions

- Made all the file extensions ".yaml"
- Regrouped actions together to make it easy to see when they
  are useful: on-pr is useful at every PR, on-tag when we are
  ready to tag next image, on-pr-chart when we have a PR to
  modify the chart with the published image, on-release when
  we have released and need to publish the final helm chart
- Regrouped periodic jobs together, to deal with stale PRs/issues
  and to ensure that our helm chart always works.
parent de4e9a9b
name: "Check links"
on: [pull_request, push]
jobs:
docs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Link Checker
id: lc
uses: peter-evans/link-checker@v1
with:
args: -r *.md *.yaml */*/*.go -x .cluster.local
- name: Fail if there were link errors
run: exit ${{ steps.lc.outputs.exit_code }}
name: "Go lint"
on: [pull_request, push]
jobs:
code-lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Lint cmd folder
uses: Jerome1337/golint-action@v1.0.2
with:
golint-path: './cmd/...'
- name: Lint pkg folder
uses: Jerome1337/golint-action@v1.0.2
with:
golint-path: './pkg/...'
#This:
#- Periodically ensures our latest releases manifest deploy correctly
#- Ensures that a PR changing any of the manifests (later used for
# producing a release) will not break a deployment of an existing release
# (so we can assume it will not break a new release either)
name: Manifest deploy
on:
pull_request:
paths:
- "**/kured-*.yaml"
schedule:
- cron: '0 0 1 * *'
jobs:
use-manifests:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: "0"
# We need to unpin kind-action so we can test is new versions of kind
# and therefore kubernetes will break with our manifests
# This creates a 1 node cluster.
- name: Create a default kind cluster
uses: helm/kind-action@master
# kind-action already installed kind and kubectl.
# Hard code DH_ORG weaveworks so that all forks point to latest image
# from weaveworks.
- name: Deploy with kubectl
run: |
VERSION=$(curl -s https://api.github.com/repos/weaveworks/kured/releases | jq -r .[0].tag_name)
make DH_ORG=weaveworks VERSION=$VERSION manifest
kubectl apply -f kured-{rbac,ds}.yaml
- name: Show kured is deploying
run: |
sleep 10; kubectl describe ds kured -n kube-system
- name: Ensure kured is up
uses: nick-invision/retry@v1
with:
timeout_minutes: 10
max_attempts: 10
retry_wait_seconds: 60
# DESIRED CURRENT READY UP-TO-DATE AVAILABLE should all be =1
command: "kubectl get ds -n kube-system | grep -E 'kured.*1.*1.*1.*1.*1' "
- name: Show kured is successfully deployed
run: |
kubectl get ds -n kube-system
name: lint-chart
#This is just extra testing, for lint check, and basic installation
#If those fail, no need to test the rest of the PR (github will cancel the rest of the builds)
name: PR - charts
on:
pull_request:
paths:
- "charts/**"
jobs:
lint-test:
lint-chart:
name: Lint helm chart
runs-on: ubuntu-latest
steps:
- name: Checkout
......@@ -14,19 +16,26 @@ jobs:
with:
fetch-depth: "0"
- name: Run chart-testing (lint)
id: lint
- name: Lint charts
uses: helm/chart-testing-action@v2.0.1
with:
command: lint
config: .github/ct.yaml
- name: Create kind cluster
test-chart:
name: Install helm chart
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: "0"
- name: Create default kind cluster
uses: helm/kind-action@v1.1.0
if: steps.lint.outputs.changed == 'true'
- name: Run chart-testing (install)
- name: Install chart with chart-testing-action
uses: helm/chart-testing-action@v2.0.1
with:
command: install
config: .github/ct.yaml
\ No newline at end of file
config: .github/ct.yaml
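Review bot: The new `test-chart` job declares no dependency on `lint-chart`, so the kind cluster is created and the chart installed even when linting fails; the previous single job ran these steps in sequence. Adding `needs: lint-chart` under `test-chart:` restores that ordering. The rendering does not show which side the line `if: steps.lint.outputs.changed == 'true'` belongs to; if it is kept, it refers to a step id (`lint`) that no longer appears in this job, and the cluster step would presumably always be skipped.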
name: PR
on:
pull_request:
push:
jobs:
pr-shellcheck:
name: Lint bash code with shellcheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run ShellCheck
uses: bewuethr/shellcheck-action@v2
pr-lint-code:
name: Lint golang code
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Lint cmd folder
uses: Jerome1337/golint-action@v1.0.2
with:
golint-path: './cmd/...'
- name: Lint pkg folder
uses: Jerome1337/golint-action@v1.0.2
with:
golint-path: './pkg/...'
pr-check-docs-links:
name: Check docs for incorrect links
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Link Checker
id: lc
uses: peter-evans/link-checker@v1
with:
args: -r *.md *.yaml */*/*.go -x .cluster.local
- name: Fail if there were link errors
run: exit ${{ steps.lc.outputs.exit_code }}
# This should not be made a mandatory test
# It is only used to make us aware of any potential security failure, that
# should trigger a bump of the image in build/.
pr-vuln-scan:
name: Build image and scan it against known vulnerabilities
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- run: make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
- uses: Azure/container-scan@v0
with:
image-name: docker.io/${{ github.repository_owner }}/kured:${{ github.sha }}
# If the PRs don't break the behaviour in the helm chart, we can simply publish the helm chart at the time of the release.
e2e-helm:
name: "Functional test of helm chart, e2e testing"
runs-on: ubuntu-latest
# only build with oldest and newest supported, it should be good enough.
strategy:
matrix:
kubernetes:
- 1.17
- 1.19
steps:
- uses: actions/checkout@v2
with:
fetch-depth: "0"
- name: Build artifacts
run: |
make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" helm-chart
- name: "Workaround 'Failed to attach 1 to compat systemd cgroup /actions_job/...' on gh actions"
run: |
sudo bash << EOF
cp /etc/docker/daemon.json /etc/docker/daemon.json.old
echo '{}' > /etc/docker/daemon.json
systemctl restart docker || journalctl --no-pager -n 500
systemctl status docker
EOF
# Default name for helm/kind-action kind clusters is "chart-testing"
- name: Create 5 node kind cluster
uses: helm/kind-action@master
with:
config: .github/kind-cluster-${{ matrix.kubernetes }}.yaml
- name: Preload previously built images onto kind cluster
run: kind load docker-image docker.io/${{ github.repository_owner }}/kured:${{ github.sha }} --name chart-testing
- name: Deploy kured on default namespace with its helm chart
run: |
# Documented in official helm doc to live on the edge
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
# Refresh bins
hash -r
helm install kured ./charts/kured/ --set configuration.period=1m
kubectl config set-context kind-chart-testing
kubectl get ds --all-namespaces
kubectl describe ds kured
- name: Ensure kured is ready
uses: nick-invision/retry@v1
with:
timeout_minutes: 10
max_attempts: 10
retry_wait_seconds: 60
# DESIRED CURRENT READY UP-TO-DATE AVAILABLE should all be = 5
command: "kubectl get ds kured | grep -E 'kured.*5.*5.*5.*5.*5' "
- name: Create reboot sentinel files
run: |
./tests/kind/create-reboot-sentinels.sh
- name: Follow reboot until success
env:
DEBUG: true
run: |
./tests/kind/follow-coordinated-reboot.sh
# This workflow is useful when introducing new versions, to ensure our manifests
# still work (even if there might be no manifest 'code' change).
# The version used here is what hasn't been tested with the helm chart
deploy-manifests:
name: Deploy kured with current manifests
runs-on: ubuntu-latest
strategy:
matrix:
kubernetes:
- 1.18
steps:
- uses: actions/checkout@v2
with:
fetch-depth: "0"
- name: Build artifacts
run: |
make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" manifest
- name: Workaround "Failed to attach 1 to compat systemd cgroup /actions_job/..." on gh actions
run: |
sudo bash << EOF
cp /etc/docker/daemon.json /etc/docker/daemon.json.old
echo '{}' > /etc/docker/daemon.json
systemctl restart docker || journalctl --no-pager -n 500
systemctl status docker
EOF
# Default name for helm/kind-action kind clusters is "chart-testing"
- name: Create kind cluster
uses: helm/kind-action@master
with:
config: .github/kind-cluster-${{ matrix.kubernetes }}.yaml
- name: Preload previously built images onto kind cluster
run: kind load docker-image docker.io/${{ github.repository_owner }}/kured:${{ github.sha }} --name chart-testing
- name: Install kured with kubectl
run: |
kubectl apply -f kured-rbac.yaml && kubectl apply -f kured-ds.yaml
- name: Ensure kured is ready
uses: nick-invision/retry@v1
with:
timeout_minutes: 10
max_attempts: 10
retry_wait_seconds: 60
# DESIRED CURRENT READY UP-TO-DATE AVAILABLE should all be = to cluster_size
command: "kubectl get ds -n kube-system kured | grep -E 'kured.*5.*5.*5.*5.*5'"
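Review bot: The `Deploy kured on default namespace with its helm chart` step in `e2e-helm` pipes `https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3` into bash, and both kind steps use `helm/kind-action@master`, so every PR run executes whatever those branches hold at that moment. Fetching the installer from a release tag and fixing the version it installs would make the run reproducible, for example `curl -fsSL https://raw.githubusercontent.com/helm/helm/<RELEASE_TAG>/scripts/get-helm-3 | DESIRED_VERSION=<HELM_VERSION> bash`. kind-action can be referenced by a release tag or commit SHA, as the chart workflow already does with `helm/kind-action@v1.1.0`. The same moving refs appear elsewhere in this commit: `actions/checkout@master` in the tag workflow, `stefanprodan/helm-gh-pages@master` in the release workflow, and `helm/kind-action@master` in the daily jobs.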
name: release-chart
name: Publish release
on:
push:
tags:
- "*"
release:
types: published
jobs:
publish:
publish-helm-chart:
name: Publish our chart
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: "0"
- name: Publish Helm chart
uses: stefanprodan/helm-gh-pages@master
with:
......
# when we add a tag to the repo, we should publish the kured image to a public repository
# if it's safe.
# It doesn't mean it's ready for release, but at least it's getting us started.
# The next step is to have a PR with the helm chart, to bump the version of the image used
name: Tag repo
on:
push:
tags:
- "*"
jobs:
tag-scan-and-push-final-image:
name: "Build, scan, and publish tagged image"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- run: |
make DH_ORG="${{ github.repository_owner }}" VERSION="${GITHUB_REF#refs/tags/}" image
- uses: Azure/container-scan@v0
with:
image-name: docker.io/${{ github.repository_owner }}/kured:${GITHUB_REF#refs/tags/}
# We should add a step to publish the image on tag.
# This needs all the previous artifacts to be created:
# the image should be published, the repo should be tagged, the helm
# chart pushed. It's assumed everything is working, and we are doing
# a last final test at the release creation time to _ensure_ we can
# release. At this point it's still time to back off in case of problem,
# not publish the release and iterate on tags.
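Review bot: The `image-name` input of the scan step contains `${GITHUB_REF#refs/tags/}`, which is shell parameter expansion; no shell runs inside a `with:` value, so the action presumably receives that text literally and does not scan the image built by the previous step. The header comment makes this scan the gate for publishing the image, so a scan aimed at the wrong reference leaves that gate ineffective. Resolve the tag once in a `run:` step, export it through `$GITHUB_ENV`, and read it in the scan step as `${{ env.VERSION }}`. Reading the tag from a shell variable, as the build step already does, also keeps tag names out of the script text.

```yaml
      # … unchanged: checkout …
      # Resolve the tag once so later steps can read it as an expression.
      - name: Find tag name
        run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_ENV"
      - run: |
          make DH_ORG="${{ github.repository_owner }}" VERSION="${VERSION}" image
      - uses: Azure/container-scan@v0
        with:
          image-name: docker.io/${{ github.repository_owner }}/kured:${{ env.VERSION }}
```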
name: Smoke test
name: Daily jobs
on:
push:
branches:
- '**'
release:
types: created
schedule:
- cron: "30 1 * * *"
jobs:
deploy-manifests:
periodics-mark-stale:
name: Mark stale issues and PRs
runs-on: ubuntu-latest
steps:
# Stale by default waits for 60 days before marking PR/issues as stale, and closes them after 7 days.
# Do not expire the first issues that would allow the community to grow.
- uses: actions/stale@v3.0.14
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days).'
stale-pr-message: 'This PR was automatically considered stale due to lack of activity. Please refresh it and/or join our slack channels to highlight it, before it automatically closes (in 7 days).'
stale-issue-label: 'no-issue-activity'
stale-pr-label: 'no-pr-activity'
exempt-issue-labels: 'good-first-issue'
check-docs-links:
name: Check docs for incorrect links
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Link Checker
id: lc
uses: peter-evans/link-checker@v1
with:
args: -r *.md *.yaml */*/*.go -x .cluster.local
- name: Fail if there were link errors
run: exit ${{ steps.lc.outputs.exit_code }}
vuln-scan:
name: Build image and scan it against known vulnerabilities
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- run: make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
- uses: Azure/container-scan@v0
with:
image-name: docker.io/${{ github.repository_owner }}/kured:${{ github.sha }}
deploy-helm:
name: Ensure a kubernetes change didn't break our code
runs-on: ubuntu-latest
# only build with oldest and newest supported, it should be good enough.
strategy:
matrix:
kubernetes-version:
kubernetes:
- 1.17
- 1.18
- 1.19
steps:
- name: Checkout
uses: actions/checkout@v2
- uses: actions/checkout@v2
with:
fetch-depth: "0"
- name: Build artifacts
run: |
make DH_ORG="${{ github.repository_owner }}" VERSION="master" image
make DH_ORG="${{ github.repository_owner }}" VERSION="master" helm-chart
- name: Workaround "Failed to attach 1 to compat systemd cgroup /actions_job/..." on gh actions
- name: "Workaround 'Failed to attach 1 to compat systemd cgroup /actions_job/...' on gh actions"
run: |
sudo bash << EOF
cp /etc/docker/daemon.json /etc/docker/daemon.json.old
......@@ -38,10 +71,14 @@ jobs:
systemctl status docker
EOF
# Default name for helm/kind-action kind clusters is "chart-testing"
- name: Create 5 node kind cluster
uses: helm/kind-action@master
with:
config: .github/kind-cluster-${{ matrix.kubernetes-version}}.yaml
config: .github/kind-cluster-${{ matrix.kubernetes }}.yaml
- name: Preload previously built images onto kind cluster
run: kind load docker-image docker.io/${{ github.repository_owner }}/kured:master --name chart-testing
- name: Deploy kured on default namespace with its helm chart
run: |
......@@ -55,7 +92,7 @@ jobs:
kubectl describe ds kured
- name: Ensure kured is ready
uses: nick-invision/retry@v2.2.0
uses: nick-invision/retry@v1
with:
timeout_minutes: 10
max_attempts: 10
......
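Review bot: The `kubernetes` matrix entries in `deploy-helm` are plain scalars (`- 1.17`, `- 1.18`, `- 1.19`), which YAML reads as floats. These three values survive, but a later `1.20` would be read as `1.2`, and `config: .github/kind-cluster-${{ matrix.kubernetes }}.yaml` would then presumably name a file that does not exist. Quote them, as in `- "1.17"`, and do the same in the `e2e-helm` and `deploy-manifests` matrices of the PR workflow. The comment above the matrix still says only the oldest and newest supported versions are built, while this job lists three.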
name: "Shellcheck"
on: [pull_request]
jobs:
bash-lint:
name: Shellcheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run ShellCheck
uses: bewuethr/shellcheck-action@v2
name: Mark stale issues and pull requests
on:
schedule:
- cron: "30 1 * * *"
jobs:
stale:
runs-on: ubuntu-latest
steps:
# Stale by default waits for 60 days before marking PR/issues as stale, and closes them after 7 days.
# Do not expire the first issues that would allow the community to grow.
- uses: actions/stale@v3.0.14
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue was automatically considered stale due to lack of activity. Please update it and/or join our slack channels to promote it, before it automatically closes (in 7 days).'
stale-pr-message: 'This PR was automatically considered stale due to lack of activity. Please refresh it and/or join our slack channels to highlight it, before it automatically closes (in 7 days).'
stale-issue-label: 'no-issue-activity'
stale-pr-label: 'no-pr-activity'
exempt-issue-labels: 'good-first-issue'
# This should not be made a mandatory test
# It is only used to make us aware of any potential security failure, that
# should trigger a bump of the image in build/.
name: "Image vulnerability scan"
on: [push, pull_request]
jobs:
build-and-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- run: make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
- uses: Azure/container-scan@v0
with:
image-name: docker.io/${{ github.repository_owner }}/kured:${{ github.sha }}