🔒 Resolve all failed zizmor checks #4693
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CICD | |
on: | |
workflow_dispatch: | |
inputs: | |
run-reset-deployments: | |
description: "Reset deployment: Clean start" | |
required: false | |
default: false | |
type: boolean | |
run-tests: | |
description: "Run tests step" | |
required: false | |
default: true | |
type: boolean | |
run-regression-tests: | |
description: "Run regression tests step" | |
required: false | |
default: true | |
type: boolean | |
push: | |
branches: | |
- "master" | |
tags: | |
- "v*" | |
pull_request: | |
branches: | |
- "master" | |
types: | |
- opened | |
- reopened | |
- synchronize | |
- ready_for_review | |
concurrency: | |
group: cicd | |
cancel-in-progress: false | |
env: | |
TAILSCALE_VERSION: 1.76.6 | |
HELMFILE_VERSION: v0.169.1 | |
HELM_VERSION: v3.16.3 | |
MISE_VERSION: 2024.12.0 | |
jobs: | |
build: | |
if: github.event.pull_request.draft == false | |
name: Build | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
packages: write # To push to GHCR.io | |
runs-on: ubuntu-latest | |
outputs: | |
image_version: ${{ steps.meta.outputs.version }} | |
strategy: | |
fail-fast: false | |
matrix: | |
image: | |
[ | |
d-cloud/ledger-nodes, | |
d-cloud/ledger-browser, | |
d-cloud/tails-server, | |
d-cloud/governance-agent, | |
d-cloud/trust-registry, | |
d-cloud/multitenant-web, | |
d-cloud/governance-web, | |
d-cloud/tenant-web, | |
d-cloud/public-web, | |
d-cloud/multitenant-agent, | |
d-cloud/endorser, | |
d-cloud/pytest, | |
d-cloud/waypoint | |
] | |
include: | |
- image: d-cloud/governance-agent | |
context: . | |
file: dockerfiles/agents/Dockerfile.agent | |
platforms: linux/amd64 # Pending BBS linux/arm64 | |
- image: d-cloud/trust-registry | |
context: . | |
file: dockerfiles/trustregistry/Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
- image: d-cloud/multitenant-web | |
context: . | |
file: dockerfiles/fastapi/Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
- image: d-cloud/governance-web | |
context: . | |
file: dockerfiles/fastapi/Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
- image: d-cloud/tenant-web | |
context: . | |
file: dockerfiles/fastapi/Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
- image: d-cloud/public-web | |
context: . | |
file: dockerfiles/fastapi/Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
- image: d-cloud/multitenant-agent | |
context: . | |
file: dockerfiles/agents/Dockerfile.author.agent | |
platforms: linux/amd64 # Pending BBS linux/arm64 | |
- image: d-cloud/ledger-browser | |
context: https://github.com/bcgov/von-network.git#v1.8.0 | |
file: Dockerfile | |
platforms: linux/amd64 | |
- image: d-cloud/ledger-nodes | |
context: https://github.com/bcgov/von-network.git#v1.8.0 | |
file: Dockerfile | |
platforms: linux/amd64 | |
- image: d-cloud/endorser | |
context: . | |
file: dockerfiles/endorser/Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
- image: d-cloud/tails-server | |
context: https://github.com/bcgov/indy-tails-server.git#v1.1.0 | |
file: docker/Dockerfile.tails-server | |
platforms: linux/amd64,linux/arm64 | |
- image: d-cloud/pytest | |
context: . | |
file: dockerfiles/tests/Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
- image: d-cloud/waypoint | |
context: . | |
file: dockerfiles/waypoint/Dockerfile | |
platforms: linux/amd64,linux/arm64 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ github.token }} | |
- name: Docker Metadata | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ghcr.io/${{ github.repository_owner }}/${{ matrix.image }} | |
tags: | | |
type=raw,value=latest,enable=${{ github.event.repository.default_branch == github.ref_name }} | |
type=sha,prefix=pr-${{ github.event.pull_request.number }}-,priority=601,enable=${{ github.event_name == 'pull_request' }} | |
type=sha,prefix={{branch}}-,priority=601,enable=${{ github.event_name == 'push' && github.ref_type == 'branch' }} | |
type=ref,event=branch,priority=600 | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
- name: Build and push Docker images | |
uses: docker/build-push-action@v6 | |
with: | |
context: ${{ matrix.context }} | |
file: ${{ matrix.file }} | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
cache-from: | | |
type=gha,scope=build-${{ matrix.image }} | |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}:latest | |
cache-to: type=gha,mode=max,scope=build-${{ matrix.image }} | |
platforms: ${{ matrix.platforms }} | |
lint: | |
name: Lint | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
persist-credentials: false | |
- name: Set up Mise | |
uses: jdx/mise-action@v2 | |
with: | |
version: ${{ env.MISE_VERSION }} | |
cache: true | |
experimental: true # Required for mise tasks | |
install: true | |
- name: Load Mise env | |
run: | | |
mise env -s bash \ | |
| grep -v 'export PATH=' \ | |
| cut -d' ' -f2 \ | |
>> "$GITHUB_ENV" | |
- name: Install dependencies with Poetry | |
run: mise run poetry:install | |
- name: Run Pylint | |
run: | | |
poetry run pylint app/ endorser/ shared/ trustregistry/ waypoint/ --rcfile=.pylintrc -r n --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}" --exit-zero > pylintreport.txt | |
test: | |
if: github.event.pull_request.draft == false | |
name: Test | |
needs: | |
- build | |
runs-on: ubuntu-latest | |
outputs: | |
test_success: ${{ steps.test.outputs.test_success }} | |
strategy: | |
fail-fast: true | |
matrix: | |
module: | |
- { test: "app/tests/ endorser trustregistry waypoint --ignore=app/tests/e2e/", id: "1" } # fast tests, ignore e2e | |
- { test: "app/tests/e2e/issuer/", id: "2" } # then some individual, slower e2e tests | |
- { test: "app/tests/e2e/verifier/", id: "3" } | |
- { test: "app/tests/e2e/test_definitions.py app/tests/e2e/test_revocation.py", id: "4" } | |
- { test: "app/tests/e2e/ \ | |
--ignore=app/tests/e2e/issuer/ \ | |
--ignore=app/tests/e2e/verifier/ \ | |
--ignore=app/tests/e2e/test_definitions.py \ | |
--ignore=app/tests/e2e/test_revocation.py", id: "5" } # all other e2e tests | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
persist-credentials: false | |
- name: Set up Mise | |
uses: jdx/mise-action@v2 | |
with: | |
version: ${{ env.MISE_VERSION }} | |
cache: true | |
experimental: true # Required for mise tasks | |
install: true | |
- name: Load Mise env | |
run: | | |
mise env -s bash \ | |
| grep -v 'export PATH=' \ | |
| cut -d' ' -f2 \ | |
>> "$GITHUB_ENV" | |
- name: Install dependencies with Poetry | |
run: mise run poetry:install | |
- uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ github.token }} | |
- name: Authenticate GitHub CLI | |
run: echo "${{ secrets.CHARTS_PAT }}" | gh auth login --with-token | |
- name: Set branch name | |
id: set_branch_name | |
run: | | |
if [[ "${EVENT_NAME}" == "pull_request" ]]; then | |
echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV | |
else | |
echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV | |
fi | |
env: | |
EVENT_NAME: ${{ github.event_name }} | |
HEAD_REF: ${{ github.head_ref }} | |
- name: Check if branch exists | |
id: check_branch | |
run: | | |
DEFAULT_BRANCH=master | |
SANITIZED_BRANCH_NAME=$(echo "$BRANCH_NAME" | sed 's/\//%2F/g') | |
if gh api "repos/didx-xyz/charts/git/ref/heads/$SANITIZED_BRANCH_NAME" &> /dev/null; then | |
echo "branch_exists=true" >> $GITHUB_ENV | |
echo "branch_name=$BRANCH_NAME" >> $GITHUB_ENV | |
else | |
echo "branch_exists=false" >> $GITHUB_ENV | |
echo "branch_name=$DEFAULT_BRANCH" >> $GITHUB_ENV | |
fi | |
- name: Checkout Charts | |
uses: actions/checkout@v4 | |
with: | |
repository: didx-xyz/charts | |
token: ${{ secrets.CHARTS_PAT }} | |
path: tilt/.charts | |
ref: ${{ env.branch_name }} | |
persist-credentials: false | |
- name: Start Test Harness | |
run: mise run tilt:ci | |
shell: bash | |
env: | |
REGISTRY: ghcr.io/${{ github.repository_owner }} | |
IMAGE_TAG: ${{ needs.build.outputs.image_version }} | |
- name: Test with pytest | |
id: test | |
run: | | |
source .venv/bin/activate | |
set +e | |
cp .env.example .env | |
source .env | |
poetry run pytest --durations=0 ${{ matrix.module.test }} --cov | tee test_output.txt | |
EXIT_CODE=${PIPESTATUS[0]} | |
set -e | |
echo "Exit code: $EXIT_CODE" | |
mkdir -p coverage-files | |
mv .coverage coverage-files/.coverage.${{ matrix.module.id }} | |
# very hacky way to get around the fact that teardown fails even if tests pass | |
TEARDOWN_ERROR=false | |
SINGLE_ERROR=false | |
TEST_FAILURES=0 | |
if grep -q "ERROR at teardown" test_output.txt; then | |
echo "ERROR at teardown" | |
TEARDOWN_ERROR=true | |
fi | |
if grep -q ", 1 error in" test_output.txt; then | |
echo "Only 1 error total" | |
SINGLE_ERROR=true | |
fi | |
# Count the number of test failures | |
TEST_FAILURES=$(grep -c "^FAILED" test_output.txt || true) | |
echo "Number of test failures: $TEST_FAILURES" | |
if [ "$TEARDOWN_ERROR" = true ] && [ "$SINGLE_ERROR" = true ] && [ "$TEST_FAILURES" -eq 0 ]; then | |
echo "Tests passed with teardown error" | |
exit 0 | |
else | |
if [ "$EXIT_CODE" -ne 0 ]; then | |
echo "test_success=false" >> $GITHUB_OUTPUT | |
else | |
echo "test_success=true" >> $GITHUB_OUTPUT | |
fi | |
exit $EXIT_CODE | |
fi | |
pwd | |
- name: Upload .coverage files as artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: coverage-files-${{ matrix.module.id }} | |
path: coverage-files/.coverage.${{ matrix.module.id }} | |
include-hidden-files: true | |
- name: Get Docker Containers | |
if: always() | |
run: docker ps -a | |
- name: Get Pods | |
if: always() | |
run: kubectl get pods --all-namespaces | |
# Benthos generates a lot of logs... | |
- name: Benthos Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=benthos --tail 10000 | |
- name: Docker Cache Logs | |
if: always() | |
run: docker logs cache-docker | |
- name: Endorser Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=endorser --tail 10000 | |
- name: Governance Agent Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=governance-agent --tail 10000 | |
- name: Governance Web Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=governance-web --tail 10000 | |
- name: Ingress Nginx Logs | |
if: always() | |
run: kubectl logs -n ingress-system -l app.kubernetes.io/instance=ingress-nginx --tail 10000 | |
- name: Ledger Browser Logs (kind) | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=ledger-browser --tail 10000 | |
- name: Ledger Browser Logs (docker) | |
if: always() | |
run: docker logs ledger-browser | |
- name: Ledger Nodes Logs (kind) | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=ledger-nodes --tail 10000 | |
- name: Ledger Nodes Logs (docker) | |
if: always() | |
run: docker logs ledger-nodes | |
- name: Mediator Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=mediator --tail 10000 | |
- name: Multitenant Agent Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=multitenant-agent --tail 10000 | |
- name: Multitenant Web Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=multitenant-web --tail 10000 | |
- name: NATS Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=nats --tail 10000 | |
- name: PGPool Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=postgres,app.kubernetes.io/component=pgpool --tail 10000 | |
- name: PostgreSQL Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=postgres,app.kubernetes.io/component=postgresql --tail 10000 | |
- name: Public Web Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=public-web --tail 10000 | |
- name: Tails Server Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=tails-server --tail 10000 | |
- name: Tenant Web Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=tenant-web --tail 10000 | |
- name: Trust Registry Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=trust-registry --tail 10000 | |
- name: Waypoint Logs | |
if: always() | |
run: kubectl logs -n cloudapi -l app.kubernetes.io/instance=waypoint --tail 10000 | |
- name: Tilt Down Destroy | |
if: always() | |
run: mise run tilt:down:destroy | |
status-check: | |
name: Status Check | |
runs-on: ubuntu-latest | |
needs: test | |
if: always() | |
steps: | |
- name: Check if any test failed | |
run: exit 1 | |
if: needs.test.outputs.test_success == 'false' | |
combine-coverage: | |
if: github.event.pull_request.draft == false | |
name: Coverage | |
runs-on: ubuntu-latest | |
needs: status-check | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
persist-credentials: false | |
- name: Install dependencies | |
run: pip install coverage | |
- name: Download all .coverage artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
path: coverage-files | |
pattern: "coverage-*" | |
- name: Move coverage files to top-level directory | |
run: | | |
for dir in coverage-files/coverage-files-*; do | |
mv "$dir"/.coverage.* . | |
done | |
- name: Combine coverage files | |
run: | | |
coverage combine | |
coverage report | |
- name: Generate XML coverage report | |
run: | | |
coverage xml | |
- name: Upload coverage to Codacy | |
run: bash <(curl -Ls https://coverage.codacy.com/get.sh) report -r coverage.xml | |
env: | |
CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }} | |
deploy: | |
if: github.actor != 'dependabot[bot]' && github.event.pull_request.draft == false | |
name: Deploy to EKS | |
environment: | |
name: dev | |
needs: | |
- build | |
permissions: | |
id-token: write # Required to authenticate with AWS | |
contents: read # Required to clone this repository | |
checks: write # Required for action-junit-report | |
pull-requests: write # Required to comment on PRs for Pytest coverage comment | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
outputs: | |
output: ${{ steps.updated_deployments.outputs.success }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Set up Mise | |
uses: jdx/mise-action@v2 | |
with: | |
version: ${{ env.MISE_VERSION }} | |
cache: true | |
experimental: true # Required for mise tasks | |
install: true | |
- name: Load Mise env | |
run: | | |
mise env -s bash \ | |
| grep -v 'export PATH=' \ | |
| cut -d' ' -f2 \ | |
>> "$GITHUB_ENV" | |
- name: Authenticate GitHub CLI | |
run: echo "${{ secrets.CHARTS_PAT }}" | gh auth login --with-token | |
- name: Set branch name | |
id: set_branch_name | |
run: | | |
if [[ "${{ github.event_name }}" == "pull_request" ]]; then | |
echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV | |
else | |
echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV | |
fi | |
env: | |
HEAD_REF: ${{ github.head_ref }} | |
- name: Check if branch exists | |
id: check_branch | |
run: | | |
DEFAULT_BRANCH=master | |
SANITIZED_BRANCH_NAME=$(echo "$BRANCH_NAME" | sed 's/\//%2F/g') | |
if gh api "repos/didx-xyz/charts/git/ref/heads/$SANITIZED_BRANCH_NAME" &> /dev/null; then | |
echo "branch_exists=true" >> $GITHUB_ENV | |
echo "branch_name=$BRANCH_NAME" >> $GITHUB_ENV | |
else | |
echo "branch_exists=false" >> $GITHUB_ENV | |
echo "branch_name=$DEFAULT_BRANCH" >> $GITHUB_ENV | |
fi | |
- name: Checkout Charts | |
uses: actions/checkout@v4 | |
with: | |
repository: didx-xyz/charts | |
token: ${{ secrets.CHARTS_PAT }} | |
path: charts | |
ref: ${{ env.branch_name }} | |
persist-credentials: false | |
- name: Install dependencies | |
run: sudo apt-get install -y postgresql-client | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: af-south-1 | |
role-to-assume: arn:aws:iam::402177810328:role/cicd | |
role-session-name: github-cicd | |
- name: Update Kubeconfig | |
run: aws eks update-kubeconfig --name cloudapi-dev | |
- uses: tailscale/github-action@main | |
with: | |
authkey: ${{ secrets.TAILSCALE_AUTHKEY }} | |
version: ${{ env.TAILSCALE_VERSION }} | |
- name: Helmfile Destroy | |
id: destroy_deployments | |
if: github.event.inputs.run-reset-deployments == 'true' | |
uses: helmfile/helmfile-action@v2.0.2 | |
with: | |
helmfile-args: | | |
destroy \ | |
--environment ${{ vars.ENVIRONMENT }} \ | |
-f ./charts/helmfiles/aries-cloudapi-python.yaml.gotmpl | |
helm-plugins: | | |
https://github.com/databus23/helm-diff | |
helmfile-version: ${{ env.HELMFILE_VERSION }} | |
helm-version: ${{ env.HELM_VERSION }} | |
env: | |
IMAGE_TAG: ${{ needs.build.outputs.image_version }} | |
- name: Drop DBs | |
id: drop_dbs | |
if: github.event.inputs.run-reset-deployments == 'true' | |
env: | |
DB_PASSWORD: ${{ secrets.DB_PASSWORD }} | |
DB_HOST: ${{ secrets.DB_HOST }} | |
DB_USER: ${{ secrets.DB_USER}} | |
DB_PORT: ${{ secrets.DB_PORT }} | |
DB_EXCLUDE: ${{ secrets.DB_EXCLUDE }} | |
GA_ACAPY_WALLET_NAME: ${{ secrets.GA_ACAPY_WALLET_NAME }} | |
MT_ACAPY_WALLET_NAME: ${{ secrets.MT_ACAPY_WALLET_NAME }} | |
TRUST_REGISTRY_DB_OWNER: ${{ secrets.TRUST_REGISTRY_DB_OWNER }} | |
run: | | |
bash ./scripts/aurora-delete.sh -o $GA_ACAPY_WALLET_NAME -d | |
bash ./scripts/aurora-delete.sh -o $MT_ACAPY_WALLET_NAME -d | |
bash ./scripts/aurora-delete.sh -o $TRUST_REGISTRY_DB_OWNER -d | |
bash ./scripts/aurora-delete.sh -o $TRUST_REGISTRY_DB_OWNER -c | |
- name: Reset NATS | |
if: github.event.inputs.run-reset-deployments == 'true' | |
env: | |
NAMESPACE: dev-cloudapi | |
run: | | |
kubectl get secret \ | |
-n ${NAMESPACE} \ | |
${{ secrets.NATS_SECRET_NAME }} \ | |
-o jsonpath='{.data.cloudapi-nats-admin\.creds}' \ | |
| base64 -d > nats.creds | |
nats --creds ./nats.creds \ | |
--server ${{ secrets.NATS_URL }} \ | |
stream rm cloudapi_aries_events -f | |
nats --creds ./nats.creds \ | |
--server ${{ secrets.NATS_URL }} \ | |
stream rm acapy_events -f | |
nats --creds ./nats.creds \ | |
--server ${{ secrets.NATS_URL }} \ | |
stream rm cloudapi_aries_state_monitoring -f | |
nats --creds ./nats.creds \ | |
--server ${{ secrets.NATS_URL }} \ | |
stream add cloudapi_aries_events --subjects "cloudapi.aries.events.*.*" \ | |
--defaults \ | |
--storage file \ | |
--replicas 3 \ | |
--compression s2 | |
nats --creds ./nats.creds \ | |
--server ${{ secrets.NATS_URL }} \ | |
stream add acapy_events --subjects "acapy.>" \ | |
--defaults \ | |
--storage file \ | |
--replicas 3 \ | |
--compression s2 | |
nats --creds ./nats.creds \ | |
--server ${{ secrets.NATS_URL }} \ | |
stream add cloudapi_aries_state_monitoring --subjects "cloudapi.aries.state_monitoring.*.*.>" \ | |
--defaults \ | |
--storage file \ | |
--replicas 3 \ | |
--compression s2 \ | |
--retention limits \ | |
--discard old \ | |
--max-age 1m \ | |
--dupe-window 1m \ | |
--max-msgs-per-subject 1000 | |
rm -f ./nats.creds | |
- name: Helmfile Apply # Apply default Helmfile (without RDS proxy) when resetting deployments. | |
if: github.event.inputs.run-reset-deployments == 'true' | |
uses: helmfile/helmfile-action@v2.0.2 | |
with: | |
helmfile-args: | | |
apply \ | |
--environment ${{ vars.ENVIRONMENT }} \ | |
-f ./charts/helmfiles/aries-cloudapi-python.yaml.gotmpl \ | |
--state-values-set image.tag=${{ env.IMAGE_TAG }} \ | |
--state-values-set image.registry=ghcr.io/${{ github.repository_owner }} | |
helm-plugins: | | |
https://github.com/databus23/helm-diff | |
helmfile-version: ${{ env.HELMFILE_VERSION }} | |
helm-version: ${{ env.HELM_VERSION }} | |
env: | |
IMAGE_TAG: ${{ needs.build.outputs.image_version }} | |
- name: Helmfile Apply (RDS Proxy) | |
if: github.event.inputs.run-reset-deployments != 'true' | |
uses: helmfile/helmfile-action@v2.0.2 | |
with: | |
helmfile-args: | | |
apply \ | |
--environment ${{ vars.ENVIRONMENT }} \ | |
-f ./charts/helmfiles/aries-cloudapi-python.yaml.gotmpl \ | |
--state-values-set image.tag=${{ env.IMAGE_TAG }} \ | |
--state-values-set image.registry=ghcr.io/${{ github.repository_owner }} \ | |
--state-values-set rdsProxyEnabled=true | |
helm-plugins: | | |
https://github.com/databus23/helm-diff | |
helmfile-version: ${{ env.HELMFILE_VERSION }} | |
helm-version: ${{ env.HELM_VERSION }} | |
env: | |
IMAGE_TAG: ${{ needs.build.outputs.image_version }} | |
test-eks: | |
if: github.actor != 'dependabot[bot]' && github.event.pull_request.draft == false | |
name: Run Pytest on EKS | |
environment: | |
name: dev | |
needs: | |
- build | |
- deploy | |
permissions: | |
id-token: write # Required to authenticate with AWS | |
contents: read # Required to clone this repository | |
checks: write # Required for action-junit-report | |
pull-requests: write # Required to comment on PRs for Pytest coverage comment | |
runs-on: ubuntu-latest | |
timeout-minutes: 20 | |
env: | |
OUTPUT_FILE: test_output.xml | |
COVERAGE_FILE: test_coverage.txt | |
PYTEST_COMPLETIONS: 1 | |
outputs: | |
output: ${{ steps.updated_deployments.outputs.success }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Set up Mise | |
uses: jdx/mise-action@v2 | |
with: | |
version: ${{ env.MISE_VERSION }} | |
cache: true | |
experimental: true # Required for mise tasks | |
install: true | |
- name: Authenticate GitHub CLI | |
run: echo "${PAT}" | gh auth login --with-token | |
env: | |
PAT: ${{ secrets.CHARTS_PAT }} | |
- name: Set branch name | |
id: set_branch_name | |
run: | | |
if [[ "${{ github.event_name }}" == "pull_request" ]]; then | |
echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV | |
else | |
echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV | |
fi | |
env: | |
HEAD_REF: ${{ github.head_ref }} | |
- name: Check if branch exists | |
id: check_branch | |
run: | | |
DEFAULT_BRANCH=master | |
if gh api repos/didx-xyz/charts/git/ref/heads/$BRANCH_NAME; then | |
echo "branch_exists=true" >> $GITHUB_ENV | |
echo "branch_name=$BRANCH_NAME" >> $GITHUB_ENV | |
else | |
echo "branch_exists=false" >> $GITHUB_ENV | |
echo "branch_name=$DEFAULT_BRANCH" >> $GITHUB_ENV | |
fi | |
- name: Checkout Charts | |
uses: actions/checkout@v4 | |
with: | |
repository: didx-xyz/charts | |
token: ${{ secrets.CHARTS_PAT }} | |
path: charts | |
ref: ${{ env.branch_name }} | |
persist-credentials: false | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: af-south-1 | |
role-to-assume: arn:aws:iam::402177810328:role/cicd | |
role-session-name: github-cicd | |
- name: Update Kubeconfig | |
run: aws eks update-kubeconfig --name cloudapi-dev | |
- uses: tailscale/github-action@main | |
with: | |
authkey: ${{ secrets.TAILSCALE_AUTHKEY }} | |
version: ${{ env.TAILSCALE_VERSION }} | |
- name: Helmfile init regression pytest | |
if: github.event.inputs.run-reset-deployments == 'true' && github.event.inputs.run-regression-tests == 'true' | |
id: pytest-init-regression | |
uses: helmfile/helmfile-action@v2.0.2 | |
with: | |
helmfile-args: | | |
apply \ | |
--environment ${{ vars.ENVIRONMENT }} \ | |
-f ./charts/helmfiles/aries-capi-test.yaml \ | |
--set image.tag=${{ env.IMAGE_TAG }} \ | |
--set image.registry=ghcr.io/${{ github.repository_owner }} \ | |
--set completions=${{ env.PYTEST_COMPLETIONS }} \ | |
--state-values-set release=cloudapi-pytest-regression \ | |
--set fullnameOverride=cloudapi-pytest-regression \ | |
--set env.RUN_REGRESSION_TESTS="true" \ | |
--state-values-set regressionEnabled=true | |
helm-plugins: | | |
https://github.com/databus23/helm-diff | |
helmfile-version: ${{ env.HELMFILE_VERSION }} | |
helm-version: ${{ env.HELM_VERSION }} | |
env: | |
IMAGE_TAG: ${{ needs.build.outputs.image_version }} | |
- name: Helmfile run regression pytest | |
if: ${{ github.event_name != 'workflow_dispatch' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run-reset-deployments == 'false' && github.event.inputs.run-regression-tests == 'true') }} | |
id: pytest-run-regression | |
uses: helmfile/helmfile-action@v2.0.2 | |
with: | |
helmfile-args: | | |
apply \ | |
--environment ${{ vars.ENVIRONMENT }} \ | |
-f ./charts/helmfiles/aries-capi-test.yaml \ | |
--set image.tag=${{ env.IMAGE_TAG }} \ | |
--set image.registry=ghcr.io/${{ github.repository_owner }} \ | |
--set completions=${{ env.PYTEST_COMPLETIONS }} \ | |
--state-values-set release=cloudapi-pytest-regression \ | |
--set fullnameOverride=cloudapi-pytest-regression \ | |
--set env.RUN_REGRESSION_TESTS="true" \ | |
--set env.FAIL_ON_RECREATING_FIXTURES="true" \ | |
--state-values-set regressionEnabled=true | |
helm-plugins: | | |
https://github.com/databus23/helm-diff | |
helmfile-version: ${{ env.HELMFILE_VERSION }} | |
helm-version: ${{ env.HELM_VERSION }} | |
env: | |
IMAGE_TAG: ${{ needs.build.outputs.image_version }} | |
- name: Helmfile run pytest | |
if: ${{ github.event_name != 'workflow_dispatch' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run-tests != 'false') }} | |
id: pytest | |
uses: helmfile/helmfile-action@v2.0.2 | |
with: | |
helmfile-args: | | |
apply \ | |
--environment ${{ vars.ENVIRONMENT }} \ | |
-f ./charts/helmfiles/aries-capi-test.yaml \ | |
--set image.tag=${{ env.IMAGE_TAG }} \ | |
--set image.registry=ghcr.io/${{ github.repository_owner }} \ | |
--set completions=${{ env.PYTEST_COMPLETIONS }} \ | |
--state-values-set release=cloudapi-pytest \ | |
--set fullnameOverride=cloudapi-pytest | |
helm-plugins: | | |
https://github.com/databus23/helm-diff | |
helmfile-version: ${{ env.HELMFILE_VERSION }} | |
helm-version: ${{ env.HELM_VERSION }} | |
env: | |
IMAGE_TAG: ${{ needs.build.outputs.image_version }} | |
- name: Wait for pytest and print logs | |
if: steps.pytest.outcome == 'success' | |
run: | | |
while true; do | |
# Check if the job is complete or failed | |
COMPLETION_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.succeeded}') | |
FAILURE_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.failed}') | |
if [ "$COMPLETION_STATUS" == "${PYTEST_COMPLETIONS}" ] || [ "$FAILURE_STATUS" == "1" ]; then | |
echo "Job $JOB_NAME has completed." | |
break | |
else | |
echo "Waiting for job to complete..." | |
sleep 10 | |
fi | |
done | |
# Get all pods for the job | |
pods=$(kubectl get pods -n $NAMESPACE --selector=job-name=$JOB_NAME -o jsonpath='{.items[*].metadata.name}') | |
# Loop through the pods and get logs | |
for pod in $pods | |
do | |
echo "Logs for Pod: $pod" | |
kubectl logs -n $NAMESPACE $pod | |
done | |
env: | |
JOB_NAME: cloudapi-pytest | |
NAMESPACE: dev-cloudapi | |
PYTEST_COMPLETIONS: ${{ env.PYTEST_COMPLETIONS }} | |
- name: Wait for pytest regression and print logs | |
if: steps.pytest-init-regression.outcome == 'success' || steps.pytest-run-regression.outcome == 'success' | |
run: | | |
while true; do | |
# Check if the job is complete or failed | |
COMPLETION_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.succeeded}') | |
FAILURE_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.failed}') | |
if [ "$COMPLETION_STATUS" == "$PYTEST_COMPLETIONS}" ] || [ "$FAILURE_STATUS" == "1" ]; then | |
echo "Job $JOB_NAME has completed." | |
break | |
else | |
echo "Waiting for job to complete..." | |
sleep 10 | |
fi | |
done | |
# Get all pods for the job | |
pods=$(kubectl get pods -n $NAMESPACE --selector=job-name=$JOB_NAME -o jsonpath='{.items[*].metadata.name}') | |
# Loop through the pods and get logs | |
for pod in $pods | |
do | |
echo "Logs for Pod: $pod" | |
kubectl logs -n $NAMESPACE $pod | |
done | |
env: | |
JOB_NAME: cloudapi-pytest-regression | |
NAMESPACE: dev-cloudapi | |
PYTEST_COMPLETIONS: ${{ env.PYTEST_COMPLETIONS }} | |
- name: Copy k8s pytest results | |
if: steps.pytest.outcome == 'success' || steps.pytest-init-regression.outcome == 'success' || steps.pytest-run-regression.outcome == 'success' | |
run: | | |
echo "apiVersion: v1 | |
kind: Pod | |
metadata: | |
name: $POD_NAME | |
namespace: $NAMESPACE | |
labels: | |
sidecar.istio.io/inject: \"false\" | |
spec: | |
containers: | |
- name: $POD_NAME | |
image: $CONTAINER_IMAGE | |
command: [\"sleep\", \"3600\"] | |
volumeMounts: | |
- name: pytest-volume | |
mountPath: $MOUNT_PATH/pytest | |
- name: pytest-regression-volume | |
mountPath: $MOUNT_PATH/pytest-regression | |
volumes: | |
- name: pytest-volume | |
persistentVolumeClaim: | |
claimName: $PVC_NAME | |
- name: pytest-regression-volume | |
persistentVolumeClaim: | |
claimName: $PVC_NAME_REGRESSION | |
restartPolicy: Never" > pytest-results-pod.yaml | |
kubectl apply -f pytest-results-pod.yaml | |
# Wait for the pod to be ready | |
echo "Waiting for pod to be ready..." | |
kubectl -n $NAMESPACE wait --for=condition=ready pod/$POD_NAME --timeout=60s | |
# Copy the files from the pod to your local system | |
echo "Copying files from pod..." | |
mkdir -p $LOCAL_PATH $LOCAL_PATH_REGRESSION | |
kubectl -n $NAMESPACE cp $POD_NAME:$MOUNT_PATH/pytest/$OUTPUT_FILE $LOCAL_PATH/$OUTPUT_FILE | |
kubectl -n $NAMESPACE cp $POD_NAME:$MOUNT_PATH/pytest/$COVERAGE_FILE $LOCAL_PATH/$COVERAGE_FILE | |
kubectl -n $NAMESPACE cp $POD_NAME:$MOUNT_PATH/pytest-regression/$OUTPUT_FILE $LOCAL_PATH_REGRESSION/$OUTPUT_FILE | |
kubectl -n $NAMESPACE cp $POD_NAME:$MOUNT_PATH/pytest-regression/$COVERAGE_FILE $LOCAL_PATH_REGRESSION/$COVERAGE_FILE | |
# Clean up: delete the temporary pod | |
echo "Cleaning up..." | |
kubectl -n $NAMESPACE delete pod $POD_NAME | |
echo "Done!" | |
env: | |
PVC_NAME: cloudapi-pytest | |
PVC_NAME_REGRESSION: cloudapi-pytest-regression | |
POD_NAME: pytest-results-pod | |
CONTAINER_IMAGE: busybox | |
MOUNT_PATH: /mnt | |
LOCAL_PATH: ./pytest | |
LOCAL_PATH_REGRESSION: ./pytest-regression | |
NAMESPACE: dev-cloudapi | |
OUTPUT_FILE: test_output.xml | |
COVERAGE_FILE: test_coverage.txt | |
- name: Pytest coverage comment | |
if: steps.pytest.outcome == 'success' | |
uses: MishaKav/pytest-coverage-comment@v1.1.53 | |
with: | |
pytest-coverage-path: ./pytest/test_coverage.txt | |
junitxml-path: ./pytest/test_output.xml | |
create-new-comment: true | |
title: "K8s Test Coverage" | |
# Resolves `Warning: Your comment is too long (maximum is 65536 characters), coverage report will not be added.` | |
hide-report: ${{ github.event_name != 'pull_request' }} | |
hide-comment: ${{ github.event_name != 'pull_request' }} | |
- name: Pytest regression coverage comment | |
if: steps.pytest-init-regression.outcome == 'success' || steps.pytest-run-regression.outcome == 'success' | |
uses: MishaKav/pytest-coverage-comment@v1.1.53 | |
with: | |
pytest-coverage-path: ./pytest-regression/test_coverage.txt | |
junitxml-path: ./pytest-regression/test_output.xml | |
create-new-comment: true | |
title: "K8s Regression Test Coverage" | |
# Resolves `Warning: Your comment is too long (maximum is 65536 characters), coverage report will not be added.` | |
hide-report: ${{ github.event_name != 'pull_request' }} | |
hide-comment: ${{ github.event_name != 'pull_request' }} | |
- name: Publish Pytest Report | |
uses: mikepenz/action-junit-report@v5 | |
if: steps.pytest.outcome == 'success' | |
with: | |
check_name: JUnit Test Report | |
report_paths: "./pytest/test_output.xml" | |
fail_on_failure: true | |
detailed_summary: true | |
require_passed_tests: true | |
- name: Publish Pytest Regression Report | |
uses: mikepenz/action-junit-report@v5 | |
if: steps.pytest-init-regression.outcome == 'success' || steps.pytest-run-regression.outcome == 'success' | |
with: | |
check_name: JUnit Test Report Regression | |
report_paths: "./pytest-regression/test_output.xml" | |
fail_on_failure: true | |
detailed_summary: true | |
require_passed_tests: true | |
- name: Helmfile destroy pytest | |
uses: helmfile/helmfile-action@v2.0.2 | |
if: always() | |
with: | |
helmfile-args: | | |
destroy \ | |
--environment ${{ vars.ENVIRONMENT }} \ | |
-f ./charts/helmfiles/aries-capi-test.yaml \ | |
--state-values-set release=cloudapi-pytest | |
helm-plugins: | | |
https://github.com/databus23/helm-diff | |
helmfile-version: ${{ env.HELMFILE_VERSION }} | |
helm-version: ${{ env.HELM_VERSION }} | |
env: | |
IMAGE_TAG: ${{ needs.build.outputs.image_version }} | |
- name: Helmfile destroy pytest regression | |
uses: helmfile/helmfile-action@v2.0.2 | |
if: always() | |
with: | |
helmfile-args: | | |
destroy \ | |
--environment ${{ vars.ENVIRONMENT }} \ | |
-f ./charts/helmfiles/aries-capi-test.yaml \ | |
--state-values-set release=cloudapi-pytest-regression | |
helm-plugins: | | |
https://github.com/databus23/helm-diff | |
helmfile-version: ${{ env.HELMFILE_VERSION }} | |
helm-version: ${{ env.HELM_VERSION }} | |
env: | |
IMAGE_TAG: ${{ needs.build.outputs.image_version }} | |
k6: | |
if: github.actor != 'dependabot[bot]' && github.event.pull_request.draft == false | |
name: K6 | |
environment: | |
name: dev | |
needs: | |
- build | |
- deploy | |
permissions: | |
id-token: write | |
packages: write | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
outputs: | |
image_version: ${{ steps.meta.outputs.version }} | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ github.token }} | |
- name: Docker Metadata | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ghcr.io/${{ github.repository_owner }}/xk6 | |
tags: | | |
type=raw,value=latest,enable=${{ github.event.repository.default_branch == github.ref_name }} | |
type=sha,prefix=pr-${{ github.event.pull_request.number }}-,priority=601,enable=${{ github.event_name == 'pull_request' }} | |
type=sha,prefix={{branch}}-,priority=601,enable=${{ github.event_name == 'push' && github.ref_type == 'branch' }} | |
type=ref,event=branch,priority=600 | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
- name: Build and push Docker images | |
id: build_image | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./scripts/k6/Dockerfile | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
cache-from: | | |
type=gha,scope=build-xk6 | |
type=registry,ref=ghcr.io/${{ github.repository_owner }}/xk6:latest | |
cache-to: type=gha,mode=max,scope=build-xk6 | |
- name: Prepare output directory | |
run: mkdir -p ${{ github.workspace }}/scripts/k6/output && chmod 777 ${{ github.workspace }}/scripts/k6/output | |
- name: Run k6 tests | |
run: | | |
docker run --rm \ | |
-v ${{ github.workspace }}/scripts/k6:/scripts \ | |
-e CLIENT_ID=${{ secrets.CLIENT_ID }} \ | |
-e GOVERNANCE_CLIENT_ID=${{ secrets.GOVERNANCE_CLIENT_ID }} \ | |
-e CLIENT_SECRET=${{ secrets.CLIENT_SECRET }} \ | |
-e GOVERNANCE_CLIENT_SECRET=${{ secrets.GOVERNANCE_CLIENT_SECRET }} \ | |
-e CLOUDAPI_URL=${{ secrets.CLOUDAPI_URL }} \ | |
-e OAUTH_ENDPOINT=${{ secrets.OAUTH_ENDPOINT }} \ | |
-e GOVERNANCE_OAUTH_ENDPOINT=${{ secrets.GOVERNANCE_OAUTH_ENDPOINT }} \ | |
--workdir /scripts \ | |
--entrypoint /bin/sh \ | |
ghcr.io/${{ github.repository_owner }}/xk6:${VERSION} \ | |
/scripts/run_tests.sh | |
shell: bash | |
env: | |
VERSION: ${{ steps.meta.outputs.version }} |