v1.12: manual backport of #27193 #28227

Merged
merged 3 commits into from
Sep 21, 2023

nbusseneau
Member

This is a manual backport of #27193.

[ upstream commit eb80fb1 ]

In 7a9447d we reworked a few workflows
to now be triggered by Ariane, however we missed some changes to make
sure that they checkout actions and code from the correct contexts.

In particular:

- Gateway API / Ingress / Integration tests were checking out
  environment variables from the default branch instead of the
  appropriate context ref (all in all not a big deal and still safe, but
  could be annoying to troubleshoot later down the road).
- Runtime tests were checking out environment variables from the PR
  branch instead of the appropriate context ref (this was a potential
  security issue), and then incorrectly pulling the default branch for
  executing tests instead of the appropriate PR branch context (so we
  were not testing what we expected).

Fixes: 7a9447d

Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit b471f4f ]

No idea why but the steps were not aligned properly here.

Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
[ upstream commit 96f3fd7 ]

Workflows running on PRs and based on `pull_request_target` and
`workflow_dispatch` are executed in a privileged context (e.g. access to
repository secrets), hence we take extra care not to execute anything
coming from the PR directly in the context of the workflow steps, but
instead always in a sandboxed or controlled environment (e.g. a managed
Kubernetes cluster or LVH VMs).

This commit standardizes and adds some context around which checkouts
are trusted and which are not, and where to start being careful with
what the workflow steps are doing.

Signed-off-by: Nicolas Busseneau <nicolas@isovalent.com>
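
A minimal check for the pattern the last commit message describes, as an added example that is not part of this PR or the Cilium repository: in a workflow triggered by `pull_request_target` or `workflow_dispatch`, it flags `run:` steps and local (`./`) actions that execute after a checkout of a PR-controlled ref. The sample workflow, the `load-env` action name and the line-based step splitting (flat step list, single job) are assumptions made for illustration.

```python
import re

# Constructed sample workflow for illustration (not from the Cilium repository).
SAMPLE = """\
on:
  pull_request_target: {}
jobs:
  test:
    steps:
      - name: Checkout default branch (trusted)
        uses: actions/checkout@v4
      - name: Load environment variables
        uses: ./.github/actions/load-env  # hypothetical local action
      - name: Checkout PR head (untrusted)
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Build
        run: make build
"""

PRIVILEGED = re.compile(r"^\s*(pull_request_target|workflow_dispatch)\s*:", re.M)
UNTRUSTED_REF = re.compile(r"github\.event\.pull_request\.head\.")  # PR-controlled ref

def split_steps(workflow):
    """Group lines into steps on '- ' list items (flat step lists only)."""
    steps = []
    for line in workflow.splitlines():
        if line.lstrip().startswith("- "):
            steps.append(line)
        elif steps:
            steps[-1] += "\n" + line
    return steps

def audit(workflow):
    """Return findings for code executed after an untrusted checkout."""
    if not PRIVILEGED.search(workflow):
        return []  # not one of the privileged triggers named above
    findings, tainted = [], False
    for step in split_steps(workflow):
        name = re.search(r"name:\s*(.+)", step)
        label = name.group(1).strip() if name else "<unnamed step>"
        if "actions/checkout@" in step:
            tainted = bool(UNTRUSTED_REF.search(step))  # does the workspace now hold PR code?
        elif tainted and re.search(r"^\s*(-\s*)?run:", step, re.M):
            findings.append(f"run after untrusted checkout: {label}")
        elif tainted and re.search(r"uses:\s*\./", step):
            findings.append(f"local action after untrusted checkout: {label}")
    return findings
```

On the sample, `audit(SAMPLE)` reports the `Build` step, while the local action that runs before the PR head checkout is not flagged because it is loaded from the trusted checkout.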
@nbusseneau nbusseneau added kind/backports This PR provides functionality previously merged into master. area/CI-improvement Topic or proposal to improve the Continuous Integration workflow release-note/ci This PR makes changes to the CI. backport/1.12 This PR represents a backport for Cilium 1.12.x of a PR that was merged to main. labels Sep 19, 2023
@nbusseneau nbusseneau requested review from a team as code owners September 19, 2023 16:08
@nbusseneau nbusseneau changed the title Pr/manual backport 27193 v1.12: manual backport of #27193 Sep 19, 2023
@nbusseneau
Member Author

nbusseneau commented Sep 19, 2023

/test-backport-1.12

Job 'Cilium-PR-K8s-1.16-kernel-4.9' failed:


Test Name

K8sDatapathConfig MonitorAggregation Checks that monitor aggregation flags send notifications

Failure Output

FAIL: Timed out after 240.001s.

Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-kernel-4.9/163/

If it is a flake and a GitHub issue doesn't already exist to track it, comment /mlh new-flake Cilium-PR-K8s-1.16-kernel-4.9 so I can create one.

Then please upload the Jenkins artifacts to that issue.

@nbusseneau
Member Author

@nbusseneau nbusseneau added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 20, 2023
@ldelossa
Contributor

/test-1.16-4.9

@nbusseneau
Member Author

@ldelossa This change cannot have any impact on k8s-1.16-kernel-4.9 (test-1.16-4.9), I've only flagged the flake because it was run as part of the regular CI but there is no need to get it green ;)

@nbusseneau nbusseneau merged commit 445474f into v1.12 Sep 21, 2023
96 checks passed
@nbusseneau nbusseneau deleted the pr/manual-backport-27193 branch September 21, 2023 12:00