diff --git a/.github/workflows/common_dev_image_build.yml b/.github/workflows/common_dev_image_build.yml
index 4413d4623..3c0035861 100644
--- a/.github/workflows/common_dev_image_build.yml
+++ b/.github/workflows/common_dev_image_build.yml
@@ -15,7 +15,7 @@ permissions:
 # This is required for actions/checkout.
 contents: write
 # This is required for pulling the Docker image from GHCR.
- packages: read
+ packages: write
 # This is required for GitHub App to create issues and PRs.
 pull-requests: write
 issues: write
@@ -28,6 +28,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Generate GitHub App token
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ vars.GH_APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+
 # Pass AWS credentials via GH secrets. This is needed to pull the Docker
 # image and in case the workflow needs to access AWS resources.
 - name: Configure AWS credentials
@@ -46,7 +54,7 @@ jobs:
 # This is needed to pull the Docker image.
 - name: Login to GHCR
 run: |
- echo "${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}" \
+ echo "${{ secrets.GITHUB_TOKEN }}" \
 | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 # Make everything accessible by any user to avoid permission errors.
@@ -66,7 +74,7 @@ jobs:
 # make it a default behavior? For certain tests to pass, we need entire
 # commit history of the repo including sub-modules.
 fetch-depth: 0
- token: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
 # To access modules in `amp` and `helpers_root`, make sure PYTHONPATH includes
 # them, just as it's set in `setenv.sh`.
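Review bot: `packages: write` is granted in the workflow-level `permissions:` block, but the comment directly above it still says the scope is "required for pulling the Docker image from GHCR", and a pull needs only `packages: read`. Whether the build task pushes to GHCR is not visible in this diff; if it does, update the comment (for example `# Required for pushing the dev image to GHCR.`) and preferably move the wider grant to the one job that pushes. If it does not, keep `packages: read`. The `permissions:` block begins above the hunk.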
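Review bot: The `Generate GitHub App token` step sets `owner: ${{ github.repository_owner }}` without a `repositories:` input, which scopes the minted token to every repository the App is installed on under that owner instead of this repository alone. The token is later exported to the build step as `GH_ACTION_ACCESS_TOKEN`, so narrow it: drop the `owner:` line (the action then defaults to the current repository) or list the repository explicitly under `repositories:`. `actions/create-github-app-token@v1` is also a mutable tag; since this step handles `GH_APP_PRIVATE_KEY`, pinning it to a full commit SHA is worth the extra line.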
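Review bot: `echo "${{ secrets.GITHUB_TOKEN }}" \` in `Login to GHCR` expands the token into the script text before the shell starts, so the value lands in the generated step script rather than only in the process environment. Pass it through the step's `env:` instead (for example `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and pipe `printf '%s' "$GHCR_TOKEN"` into `docker login`; `-u ${{ github.actor }}` should be moved to an env variable and quoted in the same way. The same inline expansion is used in the `Setup GitHub CLI` hunk of this file and in the `Login to GHCR` hunk of `common_dev_image_release.yml`.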
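Review bot: `token: ${{ secrets.GITHUB_TOKEN }}` restates the default of `actions/checkout`, so the line can simply be removed. The comment above it mentions sub-modules: if any submodule lives in a different private repository, the repository-scoped `GITHUB_TOKEN` cannot fetch it, and the removed `GH_ACTION_ACCESS_TOKEN` fallback may have been what made that work, so this is worth confirming on a clean runner before merge. The checkout step begins above the hunk, and `common_dev_image_release.yml` receives the same change.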
@@ -99,16 +107,19 @@ jobs:
 # Setup GitHub CLI authentication for creating issues and PRs.
 - name: Setup GitHub CLI
 run: |
- echo "${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}" \
+ echo "${{ secrets.GITHUB_TOKEN }}" \
 | gh auth login --with-token
 # Run the dev image build and test workflow.
 - name: Run 'docker_build_test_dev_image' workflow
+ uses: lhotari/action-upterm@v1
 env:
 CSFY_AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
 CSFY_AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
 CSFY_AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
 CSFY_AWS_DEFAULT_REGION: ${{ env.AWS_DEFAULT_REGION }}
 CSFY_AWS_S3_BUCKET: ${{ vars.CSFY_AWS_S3_BUCKET }}
- GH_ACTION_ACCESS_TOKEN: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
- run: invoke docker_build_test_dev_image
+ GH_ACTION_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
+ GH_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # TODO(Vlad): Reviewer for testing puprose, remove before merge.
+ # run: invoke docker_build_test_dev_image --reviewers=dremdem
diff --git a/.github/workflows/common_dev_image_release.yml b/.github/workflows/common_dev_image_release.yml
index d76d59382..6bdc9db36 100644
--- a/.github/workflows/common_dev_image_release.yml
+++ b/.github/workflows/common_dev_image_release.yml
@@ -1,12 +1,14 @@
 name: Common Dev Image Release
 on:
- workflow_call:
- inputs:
- container-dir-name:
- description: 'Container directory name - directory where Dockerfile and changelog.txt are located.'
- required: false
- type: string
- default: '.'
+ workflow_call:
+ inputs:
+ container-dir-name:
+ # Repo root or runnable dir to release the image from (must have devops/ and changelog.txt).
+ # Examples: '.' (repo root, default) or 'subdir_name' (runnable dir)
+ description: 'Container directory name - directory where Dockerfile and changelog.txt are located.'
+ required: false
+ type: string
+ default: '.'
 env:
 CSFY_CI: true
 # CSFY_ECR_BASE_PATH: ${{ vars.CSFY_ECR_BASE_PATH }}
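Review bot: The `Run 'docker_build_test_dev_image' workflow` step now executes `uses: lhotari/action-upterm@v1` in place of the build, and unlike the commented-out `run:` line it carries no TODO marking it as temporary. As written, the step opens a remote debug shell on a runner whose `env:` holds the AWS session credentials, the GitHub App token and `GITHUB_TOKEN`, with `contents: write` and `packages: write` in force, through a third-party action referenced by a mutable tag. This must not reach `master`: restore `run: invoke docker_build_test_dev_image` and delete the `uses:` line. If a debug session is still needed on the feature branch, set `limit-access-to-actor: true` under `with:` and pin the action to a commit SHA. `GH_GITHUB_TOKEN` is new in this hunk and deserves a one-line comment naming the code that reads it.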
@@ -45,7 +47,7 @@ jobs:
 # This is needed to pull the Docker image.
 - name: Login to GHCR
 run: |
- echo "${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}" \
+ echo "${{ secrets.GITHUB_TOKEN }}" \
 | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 # Make everything accessible by any user to avoid permission errors.
@@ -62,7 +64,7 @@ jobs:
 # make it a default behavior? For certain tests to pass, we need entire
 # commit history of the repo including sub-modules.
 fetch-depth: 0
- token: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
 # To access modules in `amp` and `helpers_root`, make sure PYTHONPATH includes
 # them, just as it's set in `setenv.sh`.
@@ -89,8 +91,8 @@ jobs:
 CSFY_AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
 CSFY_AWS_DEFAULT_REGION: ${{ env.AWS_DEFAULT_REGION }}
 CSFY_AWS_S3_BUCKET: ${{ vars.CSFY_AWS_S3_BUCKET }}
- GH_ACTION_ACCESS_TOKEN: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
- run: invoke docker_tag_push_dev_image
+ GH_ACTION_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: invoke docker_tag_push_dev_image --container-dir-name="${{ inputs.container-dir-name }}"
 # Generate release message.
 - name: Generate release message
diff --git a/.github/workflows/dev_image_release.yml b/.github/workflows/dev_image_release.yml
index 2dffe1ac7..ddf00a741 100644
--- a/.github/workflows/dev_image_release.yml
+++ b/.github/workflows/dev_image_release.yml
@@ -1,5 +1,10 @@
 name: Dev image release
 on:
+ # Trigger on a merged PR, with restrictions applied at the job level.
+ pull_request:
+ types: [closed]
+ branches:
+ - master
 # Run manually.
 workflow_dispatch:
 # Set up permissions for OIDC authentication.
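Review bot: `--container-dir-name="${{ inputs.container-dir-name }}"` expands the workflow input into the script text before bash parses it, so a value containing a double quote or a command substitution alters the command line instead of arriving as a single argument. The input is supplied by whichever workflow calls this one, so route it through the environment: add `CONTAINER_DIR_NAME: ${{ inputs.container-dir-name }}` under this step's `env:` and change the command to `run: invoke docker_tag_push_dev_image --container-dir-name="$CONTAINER_DIR_NAME"`. `GH_ACTION_ACCESS_TOKEN` is now always `GITHUB_TOKEN` here, while the build workflow passes the App token under the same name; a short comment on the difference would save the next reader a search. The step begins above the hunk.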
@@ -14,12 +19,10 @@ concurrency:
 jobs:
 dev_image_release:
 if: >
- ${{
- (github.event_name == 'pull_request'
- && github.event.pull_request.merged == true
- && contains(github.event.pull_request.labels.*.name, 'Automated release')) ||
- github.event_name == 'workflow_dispatch'
- }}
+ (
+ github.event.pull_request.merged == true
+ && contains(github.event.pull_request.labels.*.name, 'Automated release')
+ ) || github.event_name == 'workflow_dispatch'
 uses: ./.github/workflows/common_dev_image_release.yml
 with:
 container-dir-name: .
diff --git a/helpers/lib_tasks_docker_release.py b/helpers/lib_tasks_docker_release.py
index b98fbcb29..345a26824 100644
--- a/helpers/lib_tasks_docker_release.py
+++ b/helpers/lib_tasks_docker_release.py
@@ -1700,7 +1700,9 @@ def docker_build_test_dev_image( # type: ignore
 _LOG.info("Step 3: Creating branch with date-based name")
 issue_prefix = hrecouti.get_repo_config().get_issue_prefix()
 # Get current date in YYYYMMDD format.
- today = datetime.date.today().strftime("%Y%m%d")
+ # TODO(Vlad): For testing, need revert back before merging.
+ today = datetime.datetime.now().strftime("%Y%m%d_%H%M%S")
+ # today = datetime.date.today().strftime("%Y%m%d")
 branch_name = f"{issue_prefix}_Periodic_image_release_{today}"
 _LOG.info("Branch name: %s", branch_name)
 cmd = f"git checkout -b {branch_name}"
@@ -1723,9 +1725,10 @@ def docker_build_test_dev_image( # type: ignore
 stage,
 dev_version,
 skip_tests=False,
- fast_tests=True,
- slow_tests=True,
- superslow_tests=True,
+ # TODO(Vlad): Just for testing purposes, need to set to True before merging.
+ fast_tests=False,
+ slow_tests=False,
+ superslow_tests=False,
 qa_tests=False,
 )
 # 6) Add changelog entry.
diff --git a/repo_config.yaml b/repo_config.yaml
index 822dd9cad..889c1ed96 100644
--- a/repo_config.yaml
+++ b/repo_config.yaml
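Review bot: The job-level `if:` lets any merged pull request into `master` that carries the `Automated release` label start the image release, and a label is a weak gate because anyone with triage rights on the repository can apply it. The called workflow runs with the `CSFY_AWS_*` credentials, so consider also requiring that the PR originates from this repository and from the automation that opens these PRs: `&& github.event.pull_request.head.repo.full_name == github.repository`, plus a comparison of `github.event.pull_request.user.login` with `<RELEASE_BOT_LOGIN>` (placeholder for the App's bot account). Dropping the explicit `github.event_name == 'pull_request'` test looks safe, since `github.event.pull_request` is empty on `workflow_dispatch`, but a one-line comment saying so would make the condition easier to audit.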
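Review bot: The timestamped `today = datetime.datetime.now().strftime("%Y%m%d_%H%M%S")` in this hunk and the `fast_tests=False`, `slow_tests=False`, `superslow_tests=False` arguments in the next hunk are test-only overrides on the release path, protected by nothing but TODO comments. If they merge by accident, the periodic job would propose a dev image with, presumably, none of the fast, slow or superslow tiers run, and the context comment `# Get current date in YYYYMMDD format.` no longer describes the branch name. Revert both before merge, or expose them as task parameters that default to the production values so that a trial run never needs an edit to this function. `docker_build_test_dev_image` begins and ends outside both hunks.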
@@ -16,7 +16,7 @@ docker_info:
 # Base name of the docker image, e.g., `helpers`.
 docker_image_name: helpers
 use_sibling_container_in_unit_tests: True
- release_team: dev_system
+ release_team: dev_releasers
 s3_bucket_info:
 unit_test_bucket_name: s3://cryptokaizen-unit-test