common_dev_image_build.yml
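name: Common Dev Image Build
# Reusable workflow: it has no trigger of its own and runs only when another
# workflow calls it, so the `github.event*` values used below are the
# caller's.
on:
  workflow_call:
env:
  CSFY_CI: true
  # CSFY_ECR_BASE_PATH: ${{ vars.CSFY_ECR_BASE_PATH }}
  # CSFY_ECR_BASE_PATH is the source path for fetching the image.
  # If you prefer pulling the image from ECR, comment out the following
  # line and uncomment the one above.
  # TODO(Vlad): Rename the variable to CSFY_CR_BASE_PATH since it can be
  # either GHCR or ECR.
  CSFY_ECR_BASE_PATH: ghcr.io/${{ github.repository_owner }}
# Scopes requested for the workflow's GITHUB_TOKEN.
# NOTE(review): the original comment described these as OIDC permissions, but
# no `id-token: write` is requested and the AWS step in this file uses static
# keys from secrets, so OIDC is not in use here.
permissions:
  # Read access is sufficient for actions/checkout; `write` is only needed if
  # the job pushes commits.
  # NOTE(review): presumably `docker_build_test_dev_image` pushes changes
  # (the job configures a git identity) - confirm, otherwise lower to `read`.
  contents: write
  # This is required for pulling the Docker image from GHCR.
  packages: read
  # This is required for GitHub App to create issues and PRs.
  pull-requests: write
  issues: write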
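jobs:
  dev_image_build:
    # We expect user to not execute manual run in a draft PR.
    # The reason is `github.event.pull_request.draft` is evaluated as empty
    # string and the condition is always true which is not the right state.
    if: ${{ github.event.pull_request.draft == false }}
    runs-on: ubuntu-latest
    steps:
      # Pass AWS credentials via GH secrets. This is needed to pull the Docker
      # image and in case the workflow needs to access AWS resources.
      # NOTE(review): these are long-lived static keys, and the action is
      # referenced by a mutable tag. Prefer short-lived credentials through
      # OIDC (`role-to-assume` plus `id-token: write`) and pin the action to
      # a full commit SHA.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.CSFY_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.CSFY_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ vars.CSFY_AWS_DEFAULT_REGION }}
      # # To optimize costs, the image is fetched from GHCR registry by default.
      # # If you prefer pulling the image from ECR, enable this.
      # - name: Login to AWS ECR
      #   id: login-ecr
      #   uses: aws-actions/amazon-ecr-login@v1
      # This is needed to pull the Docker image.
      # The token and user name are handed to the script through `env` rather
      # than expanded into the script text, so their content is never parsed
      # by the shell as code.
      - name: Login to GHCR
        env:
          GH_ACTION_ACCESS_TOKEN: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
          GHCR_USER: ${{ github.actor }}
        run: |
          echo "$GH_ACTION_ACCESS_TOKEN" \
            | docker login ghcr.io -u "$GHCR_USER" --password-stdin
      # Make everything accessible by any user to avoid permission errors.
      # NOTE(review): mode 777 makes the workspace world-writable. If this is
      # ever moved to a shared or self-hosted runner, any local account could
      # modify files the later steps execute; a `chown` to the runner user
      # would be the narrower fix.
      - name: Cleanup
        run: sudo chmod 777 -R .
      # Check out the code from GitHub so that we can run the action inside
      # the Docker container.
      # NOTE(review): for `pull_request` callers this checks out the PR head,
      # and later steps run code from that tree (`pip install -r`, `invoke`)
      # with the AWS credentials and the GitHub token in scope. Callers
      # should only invoke this workflow for trusted branches. The token is
      # also kept in the local git config because `persist-credentials`
      # defaults to true; set it to false if nothing after checkout pushes.
      # The action is referenced by a mutable tag; pin it to a commit SHA.
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          # For PRs: checkout the PR branch (head_ref).
          # For other events: checkout master.
          ref: ${{ github.event_name == 'pull_request' && github.head_ref || 'master' }}
          submodules: true
          # TODO(Samarth): Do we need to propagate this to other `repos/workflow`
          # make it a default behavior? For certain tests to pass, we need entire
          # commit history of the repo including sub-modules.
          fetch-depth: 0
          token: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
      # To access modules in `amp` and `helpers_root`, make sure PYTHONPATH includes
      # them, just as it's set in `setenv.sh`.
      - name: Update PYTHONPATH
        run: |
          PYTHONPATH="$(realpath .)"
          # Add all submodule paths (recursively).
          SUBMODULES_PATHS=$(git submodule foreach --quiet --recursive 'echo $(pwd)' | paste -sd:)
          PYTHONPATH="$PYTHONPATH:$SUBMODULES_PATHS"
          # Export final PYTHONPATH to the environment.
          echo "PYTHONPATH=$PYTHONPATH" >> "$GITHUB_ENV"
      # Configure git for commits.
      - name: Configure git
        run: |
          git config --global user.name 'CK Bot'
          git config --global user.email 'ckbot@noreply.github.com'
      # Install packages that are required to run the job via GH.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r .github/gh_requirements.txt
      # Pull the latest Docker image from the GHCR registry instead of ECR for
      # cost saving purposes to run the regressions on.
      - name: Pull image from GHCR
        env:
          DEV_IMAGE: ghcr.io/${{ github.repository }}:dev
        run: docker pull "$DEV_IMAGE"
      # Setup GitHub CLI authentication for creating issues and PRs.
      # The token reaches the script through `env` instead of being expanded
      # into the script text.
      - name: Setup GitHub CLI
        env:
          GH_ACTION_ACCESS_TOKEN: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          echo "$GH_ACTION_ACCESS_TOKEN" \
            | gh auth login --with-token
      # Run the dev image build and test workflow.
      # The AWS values are read from the environment that the
      # "Configure AWS credentials" step exported.
      - name: Run 'docker_build_test_dev_image' workflow
        env:
          CSFY_AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
          CSFY_AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
          CSFY_AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
          CSFY_AWS_DEFAULT_REGION: ${{ env.AWS_DEFAULT_REGION }}
          CSFY_AWS_S3_BUCKET: ${{ vars.CSFY_AWS_S3_BUCKET }}
          GH_ACTION_ACCESS_TOKEN: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
        run: invoke docker_build_test_dev_image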