From 806d92095295640bee7acf07db763b8094c1aa25 Mon Sep 17 00:00:00 2001 From: vlady Date: Mon, 10 Nov 2025 17:49:39 +0000 Subject: [PATCH 01/11] Update the trigger event and token usage --- .github/workflows/common_dev_image_build.yml | 8 ++++---- .../workflows/common_dev_image_release.yml | 20 +++++++++---------- .github/workflows/dev_image_release.yml | 15 ++++++++------ 3 files changed, 23 insertions(+), 20 deletions(-) diff --git a/.github/workflows/common_dev_image_build.yml b/.github/workflows/common_dev_image_build.yml index 4413d4623..56556f5fe 100644 --- a/.github/workflows/common_dev_image_build.yml +++ b/.github/workflows/common_dev_image_build.yml @@ -46,7 +46,7 @@ jobs: # This is needed to pull the Docker image. - name: Login to GHCR run: | - echo "${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}" \ + echo "${{ secrets.GITHUB_TOKEN }}" \ | docker login ghcr.io -u ${{ github.actor }} --password-stdin # Make everything accessible by any user to avoid permission errors. @@ -66,7 +66,7 @@ jobs: # make it a default behavior? For certain tests to pass, we need entire # commit history of the repo including sub-modules. fetch-depth: 0 - token: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} # To access modules in `amp` and `helpers_root`, make sure PYTHONPATH includes # them, just as it's set in `setenv.sh`. @@ -99,7 +99,7 @@ jobs: # Setup GitHub CLI authentication for creating issues and PRs. - name: Setup GitHub CLI run: | - echo "${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}" \ + echo "${{ secrets.GITHUB_TOKEN }}" \ | gh auth login --with-token # Run the dev image build and test workflow. 
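Review bot: The `Login to GHCR` step still expands the token into the script text with `echo "${{ secrets.GITHUB_TOKEN }}"`, and `-u ${{ github.actor }}` is expanded unquoted, so both values are pasted into the shell source before the shell parses it. Passing them through the step environment keeps them as data: add an `env:` entry `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the step and run `echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin`. The same pattern is in the `Setup GitHub CLI` hunk of this file and in the `Login to GHCR` hunk of `common_dev_image_release.yml`. It matters more once the expression is swapped for another source, as patch 04 of this series does with a step output.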
@@ -110,5 +110,5 @@ jobs: CSFY_AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }} CSFY_AWS_DEFAULT_REGION: ${{ env.AWS_DEFAULT_REGION }} CSFY_AWS_S3_BUCKET: ${{ vars.CSFY_AWS_S3_BUCKET }} - GH_ACTION_ACCESS_TOKEN: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }} + GH_ACTION_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: invoke docker_build_test_dev_image diff --git a/.github/workflows/common_dev_image_release.yml b/.github/workflows/common_dev_image_release.yml index d76d59382..d9fa83a6e 100644 --- a/.github/workflows/common_dev_image_release.yml +++ b/.github/workflows/common_dev_image_release.yml @@ -1,12 +1,12 @@ name: Common Dev Image Release on: - workflow_call: - inputs: - container-dir-name: - description: 'Container directory name - directory where Dockerfile and changelog.txt are located.' - required: false - type: string - default: '.' + workflow_call: + inputs: + container-dir-name: + description: 'Container directory name - directory where Dockerfile and changelog.txt are located.' + required: false + type: string + default: '.' env: CSFY_CI: true # CSFY_ECR_BASE_PATH: ${{ vars.CSFY_ECR_BASE_PATH }} @@ -45,7 +45,7 @@ jobs: # This is needed to pull the Docker image. - name: Login to GHCR run: | - echo "${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}" \ + echo "${{ secrets.GITHUB_TOKEN }}" \ | docker login ghcr.io -u ${{ github.actor }} --password-stdin # Make everything accessible by any user to avoid permission errors. @@ -62,7 +62,7 @@ jobs: # make it a default behavior? For certain tests to pass, we need entire # commit history of the repo including sub-modules. fetch-depth: 0 - token: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} # To access modules in `amp` and `helpers_root`, make sure PYTHONPATH includes # them, just as it's set in `setenv.sh`. 
@@ -89,7 +89,7 @@ jobs: CSFY_AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }} CSFY_AWS_DEFAULT_REGION: ${{ env.AWS_DEFAULT_REGION }} CSFY_AWS_S3_BUCKET: ${{ vars.CSFY_AWS_S3_BUCKET }} - GH_ACTION_ACCESS_TOKEN: ${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }} + GH_ACTION_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: invoke docker_tag_push_dev_image # Generate release message. diff --git a/.github/workflows/dev_image_release.yml b/.github/workflows/dev_image_release.yml index 2dffe1ac7..ddf00a741 100644 --- a/.github/workflows/dev_image_release.yml +++ b/.github/workflows/dev_image_release.yml @@ -1,5 +1,10 @@ name: Dev image release on: + # Trigger on a merged PR, with restrictions applied at the job level. + pull_request: + types: [closed] + branches: + - master # Run manually. workflow_dispatch: # Set up permissions for OIDC authentication. @@ -14,12 +19,10 @@ concurrency: jobs: dev_image_release: if: > - ${{ - (github.event_name == 'pull_request' - && github.event.pull_request.merged == true - && contains(github.event.pull_request.labels.*.name, 'Automated release')) || - github.event_name == 'workflow_dispatch' - }} + ( + github.event.pull_request.merged == true + && contains(github.event.pull_request.labels.*.name, 'Automated release') + ) || github.event_name == 'workflow_dispatch' uses: ./.github/workflows/common_dev_image_release.yml with: container-dir-name: . From ca000f5709fec162af975c9049ad7f42fbac8afa Mon Sep 17 00:00:00 2001 From: dremdem Date: Wed, 12 Nov 2025 23:06:23 +0700 Subject: [PATCH 02/11] Update comment --- .github/workflows/common_dev_image_release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/common_dev_image_release.yml b/.github/workflows/common_dev_image_release.yml index d9fa83a6e..6bdc9db36 100644 --- a/.github/workflows/common_dev_image_release.yml +++ b/.github/workflows/common_dev_image_release.yml 
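Review bot: The job-level `if` in `dev_image_release.yml` lets any pull request merged into `master` start the release as long as it carries the `Automated release` label, and the label is the only thing separating a release PR from an ordinary one. Labels can usually be applied by anyone with triage rights, so a second condition tied to how the release PR is produced is worth adding, for example `&& github.event.pull_request.head.repo.full_name == github.repository`. The rewritten expression also drops the explicit `github.event_name == 'pull_request'` test and relies on `github.event.pull_request` being empty for `workflow_dispatch`; that works, but a comment such as `# pull_request fields are null on workflow_dispatch, so the first clause is false there` would record the assumption.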
@@ -3,6 +3,8 @@ on: workflow_call: inputs: container-dir-name: + # Repo root or runnable dir to release the image from (must have devops/ and changelog.txt). + # Examples: '.' (repo root, default) or 'subdir_name' (runnable dir) description: 'Container directory name - directory where Dockerfile and changelog.txt are located.' required: false type: string @@ -90,7 +92,7 @@ jobs: CSFY_AWS_DEFAULT_REGION: ${{ env.AWS_DEFAULT_REGION }} CSFY_AWS_S3_BUCKET: ${{ vars.CSFY_AWS_S3_BUCKET }} GH_ACTION_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: invoke docker_tag_push_dev_image + run: invoke docker_tag_push_dev_image --container-dir-name="${{ inputs.container-dir-name }}" # Generate release message. - name: Generate release message From e464fa223466b50faeffef5978488914314bcc2a Mon Sep 17 00:00:00 2001 From: dremdem Date: Fri, 14 Nov 2025 16:12:52 +0700 Subject: [PATCH 03/11] Testing --- .github/workflows/common_dev_image_build.yml | 10 +++++++++- helpers/lib_tasks_docker_release.py | 7 ++++--- repo_config.yaml | 2 +- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/common_dev_image_build.yml b/.github/workflows/common_dev_image_build.yml index 56556f5fe..0a547ad7b 100644 --- a/.github/workflows/common_dev_image_build.yml +++ b/.github/workflows/common_dev_image_build.yml @@ -28,6 +28,14 @@ jobs: runs-on: ubuntu-latest steps: + - name: Generate GitHub App token + uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.GH_APP_ID }} + private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + # Pass AWS credentials via GH secrets. This is needed to pull the Docker # image and in case the workflow needs to access AWS resources. - name: Configure AWS credentials 
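Review bot: `--container-dir-name="${{ inputs.container-dir-name }}"` pastes the workflow input into the shell script before the shell runs, so a value containing a quote or `$(...)` would be parsed as shell syntax rather than as an argument. The only caller visible in this series passes `.`, but `workflow_call` inputs come from whichever workflow reuses this file. Pass the value through the environment instead: add `CONTAINER_DIR_NAME: ${{ inputs.container-dir-name }}` under the step's `env:` and use `run: invoke docker_tag_push_dev_image --container-dir-name="$CONTAINER_DIR_NAME"`.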
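Review bot: The `Generate GitHub App token` step sets `owner: ${{ github.repository_owner }}` without `repositories:`, which for `actions/create-github-app-token` scopes the token to every repository in that owner's App installation rather than to this one. If the build only needs to create branches, issues and PRs in the current repository, drop the `owner:` line so the action falls back to the current repository. The action is also referenced by the mutable tag `@v1`; since it receives `secrets.GH_APP_PRIVATE_KEY`, a full commit SHA would be the safer reference.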
@@ -110,5 +118,5 @@ jobs: CSFY_AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }} CSFY_AWS_DEFAULT_REGION: ${{ env.AWS_DEFAULT_REGION }} CSFY_AWS_S3_BUCKET: ${{ vars.CSFY_AWS_S3_BUCKET }} - GH_ACTION_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_ACTION_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} run: invoke docker_build_test_dev_image diff --git a/helpers/lib_tasks_docker_release.py b/helpers/lib_tasks_docker_release.py index b98fbcb29..619cd538d 100644 --- a/helpers/lib_tasks_docker_release.py +++ b/helpers/lib_tasks_docker_release.py @@ -1723,9 +1723,10 @@ def docker_build_test_dev_image( # type: ignore stage, dev_version, skip_tests=False, - fast_tests=True, - slow_tests=True, - superslow_tests=True, + # TODO(Vlad): Just for testing purposes, need to set to True before merging. + fast_tests=False, + slow_tests=False, + superslow_tests=False, qa_tests=False, ) # 6) Add changelog entry. diff --git a/repo_config.yaml b/repo_config.yaml index 822dd9cad..889c1ed96 100644 --- a/repo_config.yaml +++ b/repo_config.yaml @@ -16,7 +16,7 @@ docker_info: # Base name of the docker image, e.g., `helpers`. docker_image_name: helpers use_sibling_container_in_unit_tests: True - release_team: dev_system + release_team: dev_releasers s3_bucket_info: unit_test_bucket_name: s3://cryptokaizen-unit-test From e72485d39effdd8f45da029b156acb27c14ff30b Mon Sep 17 00:00:00 2001 From: dremdem Date: Fri, 14 Nov 2025 22:56:54 +0700 Subject: [PATCH 04/11] Change token everythere --- .github/workflows/common_dev_image_build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/common_dev_image_build.yml b/.github/workflows/common_dev_image_build.yml index 0a547ad7b..a985335c2 100644 --- a/.github/workflows/common_dev_image_build.yml +++ b/.github/workflows/common_dev_image_build.yml 
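Review bot: `fast_tests=False`, `slow_tests=False` and `superslow_tests=False` switch off every test suite in this call, so `docker_build_test_dev_image` continues to the changelog step with an image that was never tested, and the TODO comment is the only guard against that being merged. None of the later patches in this series restores the `True` values. If the shortcut is needed while debugging the workflow, expose it as a task parameter that defaults to running the tests instead of editing the literals. The enclosing function starts and ends outside the hunk.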
@@ -54,7 +54,7 @@ jobs: # This is needed to pull the Docker image. - name: Login to GHCR run: | - echo "${{ secrets.GITHUB_TOKEN }}" \ + echo "${{ steps.app-token.outputs.token }}" \ | docker login ghcr.io -u ${{ github.actor }} --password-stdin # Make everything accessible by any user to avoid permission errors. @@ -74,7 +74,7 @@ jobs: # make it a default behavior? For certain tests to pass, we need entire # commit history of the repo including sub-modules. fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} # To access modules in `amp` and `helpers_root`, make sure PYTHONPATH includes # them, just as it's set in `setenv.sh`. @@ -107,7 +107,7 @@ jobs: # Setup GitHub CLI authentication for creating issues and PRs. - name: Setup GitHub CLI run: | - echo "${{ secrets.GITHUB_TOKEN }}" \ + echo "${{ steps.app-token.outputs.token }}" \ | gh auth login --with-token # Run the dev image build and test workflow. From d3020f3d2eb5b6c00d196eab0d9b0d8b6824cacd Mon Sep 17 00:00:00 2001 From: dremdem Date: Fri, 14 Nov 2025 23:09:26 +0700 Subject: [PATCH 05/11] Force reviewer --- .github/workflows/common_dev_image_build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/common_dev_image_build.yml b/.github/workflows/common_dev_image_build.yml index a985335c2..068f977b1 100644 --- a/.github/workflows/common_dev_image_build.yml +++ b/.github/workflows/common_dev_image_build.yml @@ -119,4 +119,5 @@ jobs: CSFY_AWS_DEFAULT_REGION: ${{ env.AWS_DEFAULT_REGION }} CSFY_AWS_S3_BUCKET: ${{ vars.CSFY_AWS_S3_BUCKET }} GH_ACTION_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} - run: invoke docker_build_test_dev_image + # TODO(Vlad): Reviewer for testing puprose, remove before merge. + run: invoke docker_build_test_dev_image --reviewers=dremdem From 4e5b56fa5bea8f175142c4608d0c9a27ee45a2aa Mon Sep 17 00:00:00 2001 
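Review bot: Handing `steps.app-token.outputs.token` to `actions/checkout` as `token:` leaves the App token in the checkout's git configuration for the rest of the job, because the action persists credentials by default. Every later step, including the `invoke docker_build_test_dev_image` run, can then reuse it, and the token was minted with `owner:` scope in patch 03. If the task authenticates its pushes through `gh` or `GH_ACTION_ACCESS_TOKEN` (not visible here), add `persist-credentials: false` next to `fetch-depth: 0`; otherwise state in the step comment that the persisted credential is intentional.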
From: dremdem Date: Fri, 14 Nov 2025 23:20:51 +0700 Subject: [PATCH 06/11] Branch naming changed for tesing --- helpers/lib_tasks_docker_release.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/helpers/lib_tasks_docker_release.py b/helpers/lib_tasks_docker_release.py index 619cd538d..345a26824 100644 --- a/helpers/lib_tasks_docker_release.py +++ b/helpers/lib_tasks_docker_release.py @@ -1700,7 +1700,9 @@ def docker_build_test_dev_image( # type: ignore _LOG.info("Step 3: Creating branch with date-based name") issue_prefix = hrecouti.get_repo_config().get_issue_prefix() # Get current date in YYYYMMDD format. - today = datetime.date.today().strftime("%Y%m%d") + # TODO(Vlad): For testing, need revert back before merging. + today = datetime.datetime.now().strftime("%Y%m%d_%H%M%S") + # today = datetime.date.today().strftime("%Y%m%d") branch_name = f"{issue_prefix}_Periodic_image_release_{today}" _LOG.info("Branch name: %s", branch_name) cmd = f"git checkout -b {branch_name}" From c30ff7de7fb9f8a086b1f4532a558561f43fab0d Mon Sep 17 00:00:00 2001 From: dremdem Date: Sat, 15 Nov 2025 00:42:41 +0700 Subject: [PATCH 07/11] Back to token --- .github/workflows/common_dev_image_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/common_dev_image_build.yml b/.github/workflows/common_dev_image_build.yml index 068f977b1..0bcb517bf 100644 --- a/.github/workflows/common_dev_image_build.yml +++ b/.github/workflows/common_dev_image_build.yml @@ -54,7 +54,7 @@ jobs: # This is needed to pull the Docker image. - name: Login to GHCR run: | - echo "${{ steps.app-token.outputs.token }}" \ + echo "${{ secrets.GITHUB_TOKEN }}" \ | docker login ghcr.io -u ${{ github.actor }} --password-stdin # Make everything accessible by any user to avoid permission errors. From dea3d619afded2ca6c89e9706ecd172377cc8f1b Mon Sep 17 00:00:00 2001 
From: dremdem Date: Sat, 15 Nov 2025 00:56:45 +0700 Subject: [PATCH 08/11] Fix perm --- .github/workflows/common_dev_image_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/common_dev_image_build.yml b/.github/workflows/common_dev_image_build.yml index 0bcb517bf..8d7b91ff1 100644 --- a/.github/workflows/common_dev_image_build.yml +++ b/.github/workflows/common_dev_image_build.yml @@ -15,7 +15,7 @@ permissions: # This is required for actions/checkout. contents: write # This is required for pulling the Docker image from GHCR. - packages: read + packages: write # This is required for GitHub App to create issues and PRs. pull-requests: write issues: write From f402445797a7641ad3f77015af156af8ecc14a52 Mon Sep 17 00:00:00 2001 From: dremdem Date: Sat, 15 Nov 2025 01:13:17 +0700 Subject: [PATCH 09/11] Fix perm --- .github/workflows/common_dev_image_build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/common_dev_image_build.yml b/.github/workflows/common_dev_image_build.yml index 8d7b91ff1..622a60239 100644 --- a/.github/workflows/common_dev_image_build.yml +++ b/.github/workflows/common_dev_image_build.yml @@ -74,7 +74,7 @@ jobs: # make it a default behavior? For certain tests to pass, we need entire # commit history of the repo including sub-modules. fetch-depth: 0 - token: ${{ steps.app-token.outputs.token }} + token: ${{ secrets.GITHUB_TOKEN }} # To access modules in `amp` and `helpers_root`, make sure PYTHONPATH includes # them, just as it's set in `setenv.sh`. @@ -107,7 +107,7 @@ jobs: # Setup GitHub CLI authentication for creating issues and PRs. - name: Setup GitHub CLI run: | - echo "${{ steps.app-token.outputs.token }}" \ + echo "${{ secrets.GITHUB_TOKEN }}" \ | gh auth login --with-token # Run the dev image build and test workflow. From fa18b6f8c1568d0e2511d81cbf7ccd828d529246 Mon Sep 17 00:00:00 2001 
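Review bot: `packages: write` now sits under a comment that still says the permission is needed for pulling the image from GHCR, and pulling only needs `packages: read`. The block appears to be workflow-level, so the wider scope applies to every step that uses `secrets.GITHUB_TOKEN`, including `Login to GHCR`. If a push to GHCR from this workflow is what required the change, say so in the comment, e.g. `# Required to pull from and push the built dev image to GHCR.`, and consider granting it on the job that pushes rather than on the whole workflow; otherwise keep `read`.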
From: dremdem Date: Mon, 17 Nov 2025 15:17:58 +0700 Subject: [PATCH 10/11] Ssh --- .github/workflows/common_dev_image_build.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/common_dev_image_build.yml b/.github/workflows/common_dev_image_build.yml index 622a60239..c1ccc1c9d 100644 --- a/.github/workflows/common_dev_image_build.yml +++ b/.github/workflows/common_dev_image_build.yml @@ -112,6 +112,7 @@ jobs: # Run the dev image build and test workflow. - name: Run 'docker_build_test_dev_image' workflow + uses: lhotari/action-upterm@v1 env: CSFY_AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} CSFY_AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} @@ -120,4 +121,4 @@ jobs: CSFY_AWS_S3_BUCKET: ${{ vars.CSFY_AWS_S3_BUCKET }} GH_ACTION_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} # TODO(Vlad): Reviewer for testing puprose, remove before merge. - run: invoke docker_build_test_dev_image --reviewers=dremdem + # run: invoke docker_build_test_dev_image --reviewers=dremdem From 11b8ddc6d52cb8ec74848f6f11c242c42d31827b Mon Sep 17 00:00:00 2001 From: dremdem Date: Mon, 17 Nov 2025 16:11:22 +0700 Subject: [PATCH 11/11] Debug --- .github/workflows/common_dev_image_build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/common_dev_image_build.yml b/.github/workflows/common_dev_image_build.yml index c1ccc1c9d..3c0035861 100644 --- a/.github/workflows/common_dev_image_build.yml +++ b/.github/workflows/common_dev_image_build.yml @@ -120,5 +120,6 @@ jobs: CSFY_AWS_DEFAULT_REGION: ${{ env.AWS_DEFAULT_REGION }} CSFY_AWS_S3_BUCKET: ${{ vars.CSFY_AWS_S3_BUCKET }} GH_ACTION_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }} + GH_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # TODO(Vlad): Reviewer for testing puprose, remove before merge. # run: invoke docker_build_test_dev_image --reviewers=dremdem
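Review bot: Replacing the `run:` with `uses: lhotari/action-upterm@v1` turns the build step into an interactive SSH session on the runner while the step's `env:` still carries the AWS session credentials and the App token, and patch 11 adds `GH_GITHUB_TOKEN` to the same step. There is no `with:` block, so access is not restricted to the triggering user; for any debugging run set `limit-access-to-actor: true` and drop the secret-bearing `env:` entries from the debug step. The action is third-party and pinned only by the mutable tag `@v1`. This step and the commented-out `run:` line should not reach `master`; restore `run: invoke docker_build_test_dev_image` before merge.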