New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update EKS conformance tests to use both amd64 and arm64 hosts. #24853
Conversation
b9bc538
to
d3e61bb
Compare
So far it's passing on all but |
b1be0c9
to
f15970e
Compare
Okay, I got it passing all the conformance tests with the two Just in case I end up removing the commits, here's the commit with all EKS/AWS conformance tests passing: f15970e |
I'm gonna leave the |
uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0 | ||
with: | ||
ref: ${{ github.event.repository.default_branch }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you explain why that is required? I'm concerned over the potential security impact of this change since we are now checking out untrusted user code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was needed to actually test my changes to the CI workflows, otherwise it would fail to checkout the setup-eks-cluster action I created.
Beyond that, I'm not sure if this change makes sense beyond testing. I had thought that since we only run these CI jobs via issue comments it would be safe, but I realize that anyone can make these comments on their own PRs, so that change should probably be a "DO NOT MERGE" commit. I can make sure to remove these changes before we merge the PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the reason we have this step is to protect against a malicious user checking out their malicious PR in the CI.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM as long as temp commit and the checkout step change are dropped :)
effect: "NoExecute" | ||
- name: ng-arm64 | ||
instanceTypes: | ||
- t4g.medium |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are these instances available in enough capacity in your experience? I've had bad experiences on my end with arm64 hosts availability, but maybe it changed since then...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I honestly haven't used them a ton, but I've not really heard of too many issues with capacity. I suspect it's a lot better than it used to be. We could also add other instance ARM types if it becomes a problem. This is just the cheapest option.
Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com>
Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com>
Rebasing to fix conflicts, keeping DO NOT MERGE commits to re-test and make sure it still works. |
f15970e
to
2a6067e
Compare
All the conformance CI passed for 2a6067e. I'm going to remove the |
2a6067e
to
559ce0f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good from my side, thanks!
Okay, I think this is waiting on a few more "required" tests. Since this is literally just updating AWS/EKS CI workflows themselves, I don't think that's necessary. So I'm going to mark it as ready-to-merge. |
Update EKS conformance tests to use both amd64 and arm64 hosts.