Migrate CircleCI workflows to GitHub Actions (3/3) #3368
Conversation
AzfaarQureshi
changed the title
|
@AzfaarQureshi I've merged the part 2 PR. Could you rebase |
There was a problem hiding this comment.
Thanks for working on it! I left few minor comments, but overall LGTM (good job!). Please remember to rebase master.
As soon as we merge this, the deploy and deploy_website jobs will both run in CircleCI and GitHub actions, effectively deploying the same thing twice. I would suggest to comment out (not remove for now) the deploy and deploy_website trigger from CircleCI so that we'll only run the GitHub actions once (and we'll soon realise if there's any issue, and in case we'll reiterate on it to fix it).
| - name: Checkout Repo | ||
| uses: actions/checkout@v2 | ||
| with: | ||
| ssh-key: ${{ secrets.SSH_PRIVATE_KEY }} |
There was a problem hiding this comment.
Why is this required, contrary to other jobs?
There was a problem hiding this comment.
I'll add a comment for further clarity but to answer your question:
The web-deploy script assumes the repo to be cloned with .git rather than https or else lines like this will return wrong urls. So the ssh key here is required so that web-deploy can correctly interact with github 😄
| SSH_AUTH_SOCK: /tmp/ssh_agent.sock | ||
| GIT_SSH_COMMAND: "ssh -o StrictHostKeyChecking=no" |
There was a problem hiding this comment.
I would add a code comment to explain that the web-deploy script use git to checkout and push to the github pages repository and we use ssh to authenticate to github.
| with: | ||
| name: website public | ||
| path: website/public | ||
| - name: Setup SSH Keys and known_hosts |
There was a problem hiding this comment.
| - name: Setup SSH Keys and known_hosts | |
| - name: Setup SSH Keys and known_hosts used to authenticated to GitHub to deploy website |
| mkdir -p ~/.ssh | ||
| ssh-keyscan github.com >> ~/.ssh/known_hosts | ||
| ssh-agent -a $SSH_AUTH_SOCK > /dev/null | ||
| ssh-add - <<< "${{ secrets.SSH_PRIVATE_KEY }}" |
There was a problem hiding this comment.
May be worth renaming SSH_PRIVATE_KEY to WEBSITE_DEPLOY_SSH_PRIVATE_KEY for clarity?
| QUAY_PASSWORD: ${{secrets.QUAY_PASSWORD}} | ||
| QUAY_USER: ${{secrets.QUAY_USER}} |
There was a problem hiding this comment.
Similarly to DOCKER_REGISTRY_* I would call these env variables QUAY_REGISTRY_PASSWORD and QUAY_REGISTRY_USER for clarity.
I know you used the same env variable names from CircleCI pipeline, but since they're just used here we can afford to change them for a better consistency without introducing any breaking change on CircleCI.
There was a problem hiding this comment.
Standardized registry env variable naming
|
Assuming you will pick my suggestions, I've already setup the following secrets:
I've intentionally not defined |
shovnik
force-pushed
the
gha-migration-3
branch
from
f9f2597 to
c05fff2
Compare
shovnik
force-pushed
the
gha-migration-3
branch
from
c05fff2 to
a00ea5f
Compare
|
Rebased and made all suggested changes @pracucci . I commented out the deploy and deploy-website workflows in CircleCI to avoid deploying twice since they were using the default triggers with restrictions. Let us know if there is anything else we need to change. Thanks for all three reviews! |
AzfaarQureshi
force-pushed
the
gha-migration-3
branch
from
a00ea5f to
5adbc9d
Compare
There was a problem hiding this comment.
LGTM, thanks! Pinging @pstibrany for the 2nd (required) review and then we can merge. In case of any issue, we can easily disable GitHub actions and de-comment CircleCI.
|
Sounds good, thanks for the update. |
| - name: Checkout Repo | ||
| uses: actions/checkout@v2 | ||
| with: | ||
| # web-deploy script requires repo to be cloned with ssh for some commands to work |
There was a problem hiding this comment.
Just curious, which commands require ssh?
I don't see anything ssh-specific in web-deploy script, and I think that using HTTPS with token for pushing should work, but I admit that I only gave it a quick look as this comment piqued my interest.
There was a problem hiding this comment.
The current CircleCI workflow also adds a ssh key because git push expects to communicate over ssh (because of how remote is set here. You are right, we could use HTTPS with a token but that would require modifying web-deploy.sh to set the remote url with https://cortexproject<TOKEN>@github.com/cortexproject/cortex.git which would break CircleCI the way it is currently.
As I type this out I realize require might be a strong word because we could do it over https. Maybe rephrasing the comment as "web-deploy script expects repo to be cloned with" would be better?
There was a problem hiding this comment.
updated comment!
| - name: Setup SSH Keys and known_hosts for Github Authentication to Deploy Website | ||
| run: | | ||
| mkdir -p ~/.ssh | ||
| ssh-keyscan github.com >> ~/.ssh/known_hosts |
There was a problem hiding this comment.
Do we need to do this, since StrictHostKeyChecking=no is used below?
There was a problem hiding this comment.
Yeah I thought so too but removing this section causes a could not resolve host: GitHub.com 😞
| docker login -u "$DOCKER_REGISTRY_USER" -p "$DOCKER_REGISTRY_PASSWORD" | ||
| fi | ||
| if [ -n "$QUAY_PASSWORD" ]; then | ||
| docker login -u "$QUAY_REGISTRY_USER" -p "$QUAY_REGISTRY_PASSWORD" quay.io; |
There was a problem hiding this comment.
Looks like extra semicolon at the end.
There was a problem hiding this comment.
I included it here because it's in the circleci config as well: https://github.com/cortexproject/cortex/blob/master/.circleci/config.yml#L247
Do you want me to remove the semicolon in GHA?
There was a problem hiding this comment.
Let's keep it for consistency for now.
… changes Signed-off-by: Shovnik Bhattacharya <shovnik@amazon.com> adding comment explaining ssh in web_deploy job Signed-off-by: Azfaar Qureshi <azfaarq@amazon.com>
AzfaarQureshi
force-pushed
the
gha-migration-3
branch
from
5adbc9d to
91500cf
Compare
What this PR does
This is PR 3/3 of migrating Cortex's CI from CircleCI to GitHub Actions:
Part 1/3
test-build-deployworkflow under.github/workflowslinttestbuildmasteror when any PR is opened. However CD jobs will only run on the master branch and will be skipped otherwisePart 2/3
buildintegrationintegration-config-dbPart 3/3 👈
deploy_websiteis dependant onbuild, testdeployis dependant onbuild, test, lint, integration, integration-config-dbWhich issue(s) this PR fixes:
fixes #3274
Checklist
CHANGELOG.mdupdated - the order of entries should be[CHANGE],[FEATURE],[ENHANCEMENT],[BUGFIX]