main.yaml
# CI entry point: runs on pushes to main, on pull requests and on manual
# dispatch. Changes confined to the ignored paths below do not start a run.
name: Build and test
on:
  push:
    branches:
      - 'main'
    # NOTE(review): unlike the pull_request list, this list has no
    # 'trusted-neurons-alerts/**' entry. Confirm the difference is intended.
    paths-ignore:
      - 'release-index.yaml'
      - 'replica-releases/**'
      - 'hostos-releases/**'
      - 'release-controller/**'
      - 'node-labels/**'
      - 'facts-db/**'
  pull_request:
    paths-ignore:
      - 'release-index.yaml'
      - 'replica-releases/**'
      - 'hostos-releases/**'
      - 'release-controller/**'
      - 'trusted-neurons-alerts/**'
      - 'node-labels/**'
      - 'facts-db/**'
  # Manual runs can be started against any ref.
  workflow_dispatch:
# One active run per workflow and pull request number, falling back to the ref
# when the event has no pull request. A newer run cancels the one in progress.
concurrency:
  group: '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}'
  cancel-in-progress: true
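jobs:
  # Single job: build, test, then (on main or manual dispatch only) publish
  # artifacts, container images, docs and k8s deployment updates.
  bazel:
    name: Build and test pipeline
    runs-on:
      labels: dre-runner-custom
    # This image is based on ubuntu:20.04
    # NOTE(review): the image is referenced by tag only, and a registry tag
    # can be re-pointed. Consider appending @sha256:<image-digest> so the job
    # always runs the reviewed image.
    container: ghcr.io/dfinity/dre/actions-runner:6413f2909a49329ecbf5371ee7ddf07a9799b625
    # These write scopes apply to every trigger of this job, pull_request
    # included, because the publishing steps live in the same job as the build.
    # NOTE(review): moving the publishing steps to a separate job gated on main
    # would let the build and test of PR code run with read-only scopes.
    permissions:
      contents: write
      packages: write
      pages: write
    steps:
      # No persist-credentials input is set, so checkout keeps its default and
      # leaves the job token in the local git config for later steps.
      # NOTE(review): the gh-deploy step below presumably relies on that token
      # to push. Confirm before changing it.
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          fetch-depth: 2

      # The GitHub App token is necessary for pushing changed files back to the repository
      # If regular secrets.GITHUB_TOKEN is used instead, the push will not trigger any actions
      # https://github.com/orgs/community/discussions/25702
      - name: Create GitHub App Token
        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
        id: app-token
        with:
          app-id: ${{ vars.PR_AUTOMATION_BOT_PUBLIC_APP_ID }}
          private-key: ${{ secrets.PR_AUTOMATION_BOT_PUBLIC_PRIVATE_KEY }}

      - name: "☁️ Setup runner"
        uses: ./.github/workflows/manage-runner-pre

      ########################################
      # Build and test
      # Tests run as a local subprocess because some of them
      # create status files in fixed locations (like $HOME)
      ########################################
      - name: "🚀 Building"
        uses: ./.github/workflows/build
        with:
          # See above where the token is generated: we can't use regular secrets.GITHUB_TOKEN
          # since the push needs to trigger actions again
          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
          spec: "... except //release-controller/... except //trusted-neurons-alerts/... except attr(name, '.*oci_image.*', //...)"

      # This step has no `if:` condition, so it also runs for pull requests.
      # GitHub does not pass repository secrets to workflows triggered from
      # forks, so the identity file is expected to be empty there.
      - name: "🚀 Testing"
        env:
          STAGING_PRIVATE_KEY_PEM: "${{ secrets.STAGING_PRIVATE_KEY_PEM }}"
        run: |
          set -e
          mkdir -p ~/.config/dfx/identity/bootstrap-super-leader/
          # Create the key file owner-only; chmod also covers a pre-existing file.
          # NOTE(review): the unquoted expansion word-splits the value, so a
          # multi-line PEM is written on one line. Confirm that is intended
          # before quoting it.
          ( umask 077 ; echo $STAGING_PRIVATE_KEY_PEM > ~/.config/dfx/identity/bootstrap-super-leader/identity.pem )
          chmod 600 ~/.config/dfx/identity/bootstrap-super-leader/identity.pem
          # NOTE(review): the key file is not removed when this step ends.
          # Consider deleting it in the EXIT trap if no later step needs it.
          t=$(mktemp) ; trap 'rm -f "$t"' EXIT
          bazel query "tests(...) except //release-controller/... except //trusted-neurons-alerts/... except attr(tags, 'manual', //...) except attr(name, '.*oci_image.*', //...)" > "$t"
          if [ "$(stat -c %s "$t")" = "0" ] ; then echo No testing targets found >&2 ; exit 0 ; fi
          set -x
          bazel test --target_pattern_file="$t" --config=ci --test_env=HOME=/home/runner

      ########################################
      # Upload test artifacts
      ########################################
      - name: "🧪 Upload test artifacts"
        if: ${{ github.ref == 'refs/heads/main' }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: test-artifacts
          path: bazel-out/k8-opt/bin/rs/ic-observability/multiservice-discovery/multiservice-discovery

      ########################################
      # Upload container images
      ########################################
      # NOTE(review): the condition also allows workflow_dispatch, which can be
      # started on any ref, so images can be pushed from a branch other than
      # main. Confirm that is intended.
      - name: "📦 Push images to GitHub Container Registry"
        id: push-images
        uses: ./.github/workflows/push
        if: ${{ github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' }}
        with:
          spec: 'kind("oci_push", ...) except //release-controller/...'
          push-token: ${{ secrets.GITHUB_TOKEN }}

      ########################################
      # Deploy to github pages
      ########################################
      - name: "🚢 Deploy to GitHub Pages"
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          git config --global user.email "actions@github.com"
          git config --global user.name "GitHub Actions"
          bazel run "//:mkdocs" -- gh-deploy --force

      ########################################
      # Update k8s deployments
      ########################################
      - name: "🤖 Update k8s deployments"
        if: ${{ github.ref == 'refs/heads/main' }}
        uses: ./.github/workflows/update-k8s-deployments
        with:
          # Folded scalar: the lines join into one space-separated list.
          files-to-update: >-
            bases/apps/mainnet-dashboard/backend/base/deployment.yaml
            bases/apps/mainnet-dashboard/statefulset-slack.yaml
            bases/apps/service-discovery/service-discovery.yaml
            .github/workflows/dre-vector-configs.yaml
          push-token: ${{ secrets.K8S_API_TOKEN }}
          component: containers

      ########################################
      # Clean up runner
      ########################################
      # NOTE(review): an `if:` without a status function only runs when every
      # earlier step succeeded, so this teardown is skipped after a failed
      # build or test. Confirm whether it should use always().
      - uses: ./.github/workflows/manage-runner-post
        name: "🪓 Tear down runner"
        if: ${{ !startsWith(runner.name, 'dre-runner-custom') }}
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}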