github actions for releases and code scanning #26

Merged
merged 3 commits into from
Sep 12, 2023
108 changes: 9 additions & 99 deletions .circleci/config.yml
Expand Up @@ -37,8 +37,7 @@ test_containers:
- COVERAGE_BASE_DIR: coverage
- &container_base
image: <<parameters.image>>
environment:
*container_parameters_environment
environment: *container_parameters_environment
- &test_job_default
<<: *job_defaults
<<: *job_parameters
Expand Down Expand Up @@ -123,20 +122,16 @@ step_run_all_tests: &step_run_all_tests
run:
name: Run tests
command: |
# Ensures it's possible to debug hung tests in CI
echo "--format=documentation" >> .rspec-local
# Ensures it's possible to debug hung tests in CI
echo "--format=documentation" >> .rspec-local

# Configure RSpec metadata exporter
echo "
--format=RspecJunitFormatter
--out='/tmp/rspec/-<%= ARGV.join.gsub('/', '-') %>.xml'
" >> .rspec-local
# Configure RSpec metadata exporter
echo "
--format=RspecJunitFormatter
--out='/tmp/rspec/-<%= ARGV.join.gsub('/', '-') %>.xml'
" >> .rspec-local

bundle exec rake ci
# step_release_docs: &step_release_docs
# run:
# name: Upload release docs
# command: S3_DIR=trace bundle exec rake release:docs
bundle exec rake ci

filters_all_branches_and_tags: &filters_all_branches_and_tags
filters:
Expand Down Expand Up @@ -280,68 +275,6 @@ orbs:
docker:
- image: circleci/buildpack-deps:stretch

# jobs:
# "deploy release":
# <<: *job_defaults
# docker:
# - environment:
# *container_base_environment
# image: ghcr.io/datadog/dd-trace-rb/ruby:2.5.9-dd
# resource_class: small
# steps:
# - checkout
# - run:
# name: Install AWS CLI
# command: |
# apt-get -y -qq update
# apt-get -y -qq install awscli
# - *step_bundle_install
# - *step_release_docs
# - run:
# name: Upload release Gem and rebuild index
# command: S3_DIR=release bundle exec rake release:gem
# - store_artifacts:
# path: pkg/
# destination: gem
# "deploy prerelease Gem":
# <<: *job_defaults
# docker:
# - environment:
# *container_base_environment
# image: ghcr.io/datadog/dd-trace-rb/ruby:2.5.9-dd
# resource_class: small
# steps:
# - run:
# name: Check if this commit author has publishing credentials
# command: |
# if [[ -z "${AWS_ACCESS_KEY_ID}" ]]
# then
# echo 'No AWS credentials, skipping publish of pre-release build.'
# circleci task halt
# fi
# - checkout
# - run:
# name: Install AWS CLI
# command: |
# apt-get -y -qq update
# apt-get -y -qq install awscli
# - *step_bundle_install
# - run:
# name: Rename to pre-release version based on branch name and build number
# command: |
# # create safe version string
# PRE=$(echo "${CIRCLE_BRANCH:-unknown}.${CIRCLE_BUILD_NUM:-R$RANDOM}" | sed -e 's/[^a-zA-Z0-9+]\{1,\}/./g')
# echo PRE=$PRE
# sed lib/datadog/ci/version.rb -i -e "s/^\([\t ]*PRE\) *=*/\1 = \'${PRE}\' #/g"
# - run:
# name: Upload prerelease Gem and rebuild index
# # This was bumped from prerelease to prerelease-v2 to avoid the issue documented in
# # https://github.com/DataDog/dd-trace-rb/pull/1358
# command: S3_DIR=prerelease-v2 bundle exec rake release:gem
# - store_artifacts:
# path: pkg/
# destination: gem

job_configuration:
# MRI
- &config-2_7
Expand Down Expand Up @@ -456,26 +389,3 @@ workflows:
name: test-jruby-9.4
requires:
- build-jruby-9.4
# Release jobs
# - "deploy prerelease Gem":
# <<: *filters_all_branches_and_tags
# requires:
# - lint
# - test-2.7
# - test-3.0
# - test-3.1
# - test-3.2
# - test-3.3
# # ADD NEW RUBIES HERE
# - test-jruby-9.4
# - "deploy release":
# <<: *filters_only_release_tags
# requires:
# - lint
# - test-2.7
# - test-3.0
# - test-3.1
# - test-3.2
# - test-3.3
# # ADD NEW RUBIES HERE
# - test-jruby-9.4
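--- a/.github/workflows/add-milestone-to-pull-requests.yml
+++ b/.github/workflows/add-milestone-to-pull-requests.yml
@@ -0,0 +1,42 @@
+name: Add milestone to pull requests
+on:
+pull_request_target:
+types: [closed]
+branches:
+- main
+
+jobs:
+add_milestone_to_merged:
+if: github.event.pull_request.merged && github.event.pull_request.milestone == null
+name: Add milestone to merged pull requests
+runs-on: ubuntu-latest
+steps:
+- name: Get project milestones
+id: milestones
+uses: actions/github-script@0.9.0
+with:
+github-token: ${{secrets.GITHUB_TOKEN}}
+script: |
+const list = await github.issues.listMilestonesForRepo({
+owner: context.repo.owner,
+repo: context.repo.repo,
+state: 'open'
+})
+// Need to manually sort because "sort by number" isn't part of the api
+// highest number first
+const milestones = list.data.sort((a,b) => (b.number - a.number))
+
+return milestones.length == 0 ? null : milestones[0].number
+- name: Update Pull Request
+if: steps.milestones.outputs.result != null
+uses: actions/github-script@0.9.0
+with:
+github-token: ${{secrets.GITHUB_TOKEN}}
+script: |
+// Confusingly, the issues api is used because pull requests are issues
+await github.issues.update({
+owner: context.repo.owner,
+repo: context.repo.repo,
+issue_number: ${{ github.event.pull_request.number }},
+milestone: ${{ steps.milestones.outputs.result }},
+});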
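Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` handed to both `actions/github-script` steps carries the repository's default token scope, although the only write it performs is `github.issues.update` on the merged pull request; a top-level `permissions:` with `pull-requests: write` (or `issues: write`, since the update goes through the issues API) would scope it to that, and would match the explicit `permissions:` block this same PR adds in codeql-analysis.yml. `actions/github-script@0.9.0` is a mutable tag rather than a commit SHA, unlike the SHA-pinned `ruby/setup-ruby` in build-gem.yml; pinning it the same way keeps this `pull_request_target`-triggered job from picking up a retagged action. The guard `if: steps.milestones.outputs.result != null` probably does not do what it intends: github-script publishes `result` JSON-encoded, so a script that returns `null` yields the string `'null'`, which compares unequal to `null` and lets the update step run with an empty milestone; I believe `if: steps.milestones.outputs.result != 'null'` is the comparison needed, which is worth confirming against a repository with no open milestones.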
165 changes: 165 additions & 0 deletions .github/workflows/build-gem.yml
@@ -0,0 +1,165 @@
name: Build gem

on:
workflow_dispatch:
inputs:
push:
description: Push gem
Member Author


where does this input come from? under what conditions is the gem pushed to github packages?

Contributor


workflow_dispatch means that it can be manually triggered from Github UI

required: true
type: boolean
default: true
push:
branches:
- '**'
Contributor


Is it necessary to build the gem on every push on any branch? Wondering what your thoughts on this would be?

Member Author


I like the idea that every push produces artifact that is built and can be downloaded and tested somewhere, I could use it to automate https://github.com/DataDog/test-environment tests for example. I see no harm in it for now, this won't create any issues for us.


env:
GEM_HOST: 'https://rubygems.pkg.github.com/DataDog'

jobs:
build:
strategy:
fail-fast: false
matrix:
type:
- final
- dev
runs-on: ubuntu-latest
name: Build gem (${{ matrix.type }})
steps:
- name: Checkout
uses: actions/checkout@v3
- uses: ruby/setup-ruby@31a7f6d628878b80bc63375a93ae079ec50a1601 # v1.143.0
with:
ruby-version: '3.2'
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
- name: Patch version
if: ${{ matrix.type != 'final' }}
run: |
# Obtain context information
git_ref='${{ github.ref }}'
git_branch="$(echo "${git_ref}" | sed -e 's#^refs/heads/##')"
git_sha='${{ github.sha }}'
gha_run_id='${{ github.run_id }}'

# Output info for CI debug
echo git_ref="${git_ref}"
echo git_branch="${git_branch}"
echo git_sha="${git_sha}"
echo gha_run_id="${gha_run_id}"

# Sanitize for ruby version usage
git_branch_sanitized="$(echo "$git_branch" | sed -e 's/[^a-zA-Z0-9+]\{1,\}/./g')"
echo git_branch_sanitized="${git_branch_sanitized}"

# Shorten commit sha
git_sha_short="${git_sha:0:12}"
echo git_sha_short="${git_sha_short}"

# Set component values:
# - PRE is `dev` to denote being a development version and
# act as a categorizer.
# - BUILD starts with CI run id for ordering.
# - BUILD has CI run id for traceability, prefixed by `gha`
# for identification.
# - BUILD has commit next for traceability, prefixed git-describe
# style by `g` for identification.
# - BUILD has branch name last since it has to be separated
# by dots and thus has variable version segment size and
# unpredictable ordering; it can thus be reliably extracted
# and does not impair readability in lists
PRE='${{ matrix.type }}'
BUILD="gha${gha_run_id}.g${git_sha_short}.${git_branch_sanitized}"

# Output info for CI debug
echo PRE="${PRE}"
echo BUILD="${BUILD}"

# Patch in components
sed lib/datadog/ci/version.rb -i -e "s/^\([\t ]*PRE\) *= */\1 = \'${PRE}\' # /"
sed lib/datadog/ci/version.rb -i -e "s/^\([\t ]*BUILD\) *= */\1 = \'${BUILD}\' # /"

# Test result
cat lib/datadog/ci/version.rb | grep -e PRE -e BUILD
ruby -Ilib -rdatadog/ci/version -e 'puts Datadog::CI::VERSION::STRING'
ruby -Ilib -rdatadog/ci/version -e 'puts Gem::Version.new(Datadog::CI::VERSION::STRING).to_s'
- name: Patch gem host
if: ${{ matrix.type != 'final' }}
run: |
# Patch in GEM_HOST
sed datadog-ci.gemspec -i -e "s,^\([\t ]*spec\.metadata\['allowed_push_host'\]\) *= *,\1 = \'${GEM_HOST}\' # ,"

# Test result
cat datadog-ci.gemspec | grep -e allowed_push_host
- name: Build gem
run: bundle exec rake build
- name: List gem
run: |
find pkg
- name: Upload artifact
uses: actions/upload-artifact@v3
with:
name: 'datadog-ci-gem-${{ matrix.type }}-gha${{ github.run_id }}-g${{ github.sha }}'
path: 'pkg/*.gem'
test:
strategy:
fail-fast: false
matrix:
type:
- final
- dev
runs-on: ubuntu-latest
name: Test gem
needs:
- build
steps:
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: 'datadog-ci-gem-${{ matrix.type }}-gha${{ github.run_id }}-g${{ github.sha }}'
path: 'pkg'
- name: List gem
run: |
find pkg
- uses: ruby/setup-ruby@31a7f6d628878b80bc63375a93ae079ec50a1601 # v1.143.0
with:
ruby-version: '3.2'
- name: Install gem
run: |
gem install pkg/*.gem
push:
strategy:
fail-fast: false
matrix:
type:
- dev
runs-on: ubuntu-latest
name: Push gem
needs:
- test
if: ${{ inputs.push }}
steps:
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: 'datadog-ci-gem-${{ matrix.type }}-gha${{ github.run_id }}-g${{ github.sha }}'
path: 'pkg'
- name: List gem
run: |
find pkg
- name: Set up GitHub Packages authentication
run: |
mkdir -p ~/.gem
cat > ~/.gem/credentials <<'CREDENTIALS'
---
:github: Bearer ${{ secrets.GITHUB_TOKEN }}
CREDENTIALS
chmod 0600 ~/.gem/credentials
- name: Push gem
run: |
find pkg -name '*.gem' | while read -r gem; do
echo "=== pushing '${gem}'"
gem push --key github --host ${{ env.GEM_HOST }} "${gem}"
done
- name: Clean up credentials
run: |
rm -rvf ~/.gem/credentials
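Review bot: Several `run:` scripts splice workflow expressions straight into shell text — `git_ref='${{ github.ref }}'` in the "Patch version" step and `:github: Bearer ${{ secrets.GITHUB_TOKEN }}` inside the credentials heredoc of "Set up GitHub Packages authentication". The expression is expanded before the shell ever sees the script, so the single quotes give no protection for a ref that contains a quote, and the token ends up embedded in the rendered script text instead of being read from the environment; passing both through the step's `env:` and referencing `"${...}"` in the script is the usual fix, sketched below. The `push` job has no `permissions:` block although it writes to GitHub Packages, so `permissions:` with `contents: read` and `packages: write` on that job would name exactly what it needs and nothing more. "Clean up credentials" only runs when the push step succeeds; `if: always()` on that step makes the removal unconditional.

```yaml
      - name: Patch version
        if: ${{ matrix.type != 'final' }}
        env:
          GIT_REF: ${{ github.ref }}
        run: |
          # Obtain context information
          git_ref="${GIT_REF}"
          # … unchanged: branch/sha/run-id handling and version patching …
# … unchanged: remaining build, test and push job steps …
      - name: Set up GitHub Packages authentication
        env:
          GH_PACKAGES_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          mkdir -p ~/.gem
          cat > ~/.gem/credentials <<CREDENTIALS
          ---
          :github: Bearer ${GH_PACKAGES_TOKEN}
          CREDENTIALS
          chmod 0600 ~/.gem/credentials
```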
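--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,46 @@
+name: 'CodeQL'
+
+on:
+push:
+branches: [main, release]
+pull_request:
+# The branches below must be a subset of the branches above
+branches: [main]
+
+jobs:
+analyze:
+name: Analyze
+runs-on: ubuntu-latest
+permissions:
+actions: read
+contents: read
+security-events: write
+
+strategy:
+fail-fast: false
+matrix:
+language: ['ruby']
+# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+# Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+steps:
+- name: Checkout repository
+uses: actions/checkout@v3
+
+# Initializes the CodeQL tools for scanning.
+- name: Initialize CodeQL
+uses: github/codeql-action/init@v2
+with:
+languages: ${{ matrix.language }}
+# If you wish to specify custom queries, you can do so here or in a config file.
+# By default, queries listed here will override any specified in a config file.
+# Prefix the list here with "+" to use these queries and those in the config file.
+# queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+# If this step fails, then you should remove it and run the build manually
+- name: Autobuild
+uses: github/codeql-action/autobuild@v2
+
+- name: Perform CodeQL Analysis
+uses: github/codeql-action/analyze@v2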
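Review bot: The `Autobuild` step is dead weight for this matrix: `language` is only `['ruby']`, and the step's own comment says autobuild targets compiled languages (C/C++, C#, Java), so either drop the step or replace the template comment with one recording why it is kept, e.g. `# No build step needed for Ruby; kept so the matrix can grow to compiled languages`. The `actions/checkout@v3` and `github/codeql-action/*@v2` references are mutable tags, while `ruby/setup-ruby` in build-gem.yml is pinned to a commit SHA with the version in a trailing comment; using the same pinning style here keeps the PR consistent and the scanning job reproducible. A `schedule:` trigger with a weekly `cron` is commonly added next to `push`/`pull_request` so newly published queries still run against `main` when no commits land; worth considering since this workflow currently runs only on pushes to `main`/`release` and PRs to `main`.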