New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add GH actions to CI #383

Merged

SilleBille merged 2 commits into dogtagpki:master from SilleBille:gh-actions

Apr 23, 2020

Member

SilleBille commented Apr 22, 2020 •

edited

Loading

This patch adds GH actions as part of the CI. This patch reuses scripts from travis/

Pros

A clean workflow: build -> test (ie) test only if build passes, unlike Travis where we execute same scripts in every job.
Removes dependency on Travis and transfer.sh service
Uploads rpms and logs as part of the CI workflow
Targets only master and gh-actions (will be removed in future) branches
Instead of one huge log console, every step is now readable. Search feature available for logs
Possibility to include multiple workflows, that execute in parallel. This patch uses only 1 workflow at the moment.
Possibility to exclude CI execution against certain files/dirs. Eg: commits to docs/ can be ignored.

Cons

Individual jobs cannot be restarted
Security risks with downstream runners
Artifacts can be shared by jobs within a workflow but not with jobs from different workflow
Due to stage-wise workflow execution, increased length/complexity of .yaml file

Future improvements

Remove Travis from our CI and make GH actions as our primary upstream CI
Move linting/unit tests from rpm build to a separate job: lint -> unit test -> build -> functional test
Possibility for multi-node testing using service containers
Build container image using Docker container action and use it as the base image for service containers. Related question posted on GH community
Include downstream runners


          Migrate PKI tests to GH actions

8392a63

This Patch:

- Adds Github Actions to CI
- reuses scripts under ./travis/ (requires improvement)
- Uploads artifacts to GH by removing dependency on transfer.sh
- Uploads built rpms (auto-deleted every 90 days)
- Runs build job on container provisioned by GH actions (ie)
  not necessary to meddle with docker/podman commands manually
- Run PKI test job on self-provisioned container (room for improvement
  by running on service containers by combining with Docker GH actions)

Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>

SilleBille force-pushed the gh-actions branch from 690b9b7 to 931d9a9 Compare

April 22, 2020 00:12

SilleBille requested review from 06shalini, bhavikbhavsar, cipherboy and edewata

April 22, 2020 00:14

SilleBille self-assigned this

SilleBille added CI Enhancement labels

Member Author

SilleBille commented Apr 22, 2020

Hmm. The new GH actions CI doesn't run in this repo until merged. But, you can browse through the CI job that ran in my personal repo: https://github.com/SilleBille/pki/actions/runs/84282813

Member

cipherboy commented Apr 22, 2020

Security risks with downstream runners

I don't think we're really worried about that right now -- we're running on upstream (Azure hosted) hardware with this PR right?

edewata reviewed

View reviewed changes

Contributor

edewata left a comment

I think it looks good, but please see my comments/questions below. Is there anything that we need to set up in order to run the GH actions in our own repo before submitting the PR? If so, could you please provide a link to the instruction? Thanks!

.github/workflows/required-tests.yml Show resolved Hide resolved

.github/workflows/required-tests.yml

+                      #  run: docker exec -i ${CONTAINER} dnf copr enable -y ${COPR_REPO}
+                      - name: Install DS
+                        run: docker exec -i ${CONTAINER} ${PKIDIR}/travis/ds-create.sh

Contributor

edewata Apr 22, 2020

Eventually we want to run the test scripts from pki-tests package that we just built instead of from the source repository, but this is fine for now.

Member Author

SilleBille Apr 22, 2020

Right. Currently, I used the existing scripts. Since the artifacts are shared, it is possible to use the tests from the pki-tests package

.github/workflows/required-tests.yml Show resolved Hide resolved

travis/runner-init.sh Show resolved Hide resolved

.github/workflows/required-tests.yml

+                        run: docker exec -i ${CONTAINER} bash -c "journalctl -u pki-tomcatd@pkitest > /var/log/pki/pki-journalctl.log"
+                      - name: Compress logs
+                        if: always()

Contributor

edewata Apr 22, 2020

Just curious, what is the purpose of if: always()?

Member Author

SilleBille Apr 22, 2020

always() makes sure that this step gets executed even if any of the previous step fails. By default, all the steps after a failed step are skipped. In future, we can change this to failure() which will run only when one of the previous step fails. More information

.github/workflows/required-tests.yml Outdated Show resolved Hide resolved

.github/workflows/required-tests.yml

+                        run: docker exec -i ${CONTAINER} ${PKIDIR}/travis/ds-create.sh
+                      - name: Install CA
+                        run: docker exec -i ${CONTAINER} ${PKIDIR}/travis/ca-create.sh

Contributor

edewata Apr 22, 2020

If the installation fails we have code in ca-create.sh to upload the logs to transfer.sh for troubleshooting. Can that code be changed to upload to GH instead eventually?

Member Author

SilleBille Apr 22, 2020

Yes. That's possible and easier too.

Since this patch uploads all the logs in /var/log/pki, we can do a minor change in future to [subsystem]-create.sh:
SYSTEMD_LOG=/var/log/pki/pkitest-systemd-[subsystem].log

FWIW, this patch includes PKI journalctl logs as an artifact

.github/workflows/required-tests.yml Show resolved Hide resolved

.github/workflows/required-tests.yml

+                      PKIDIR: /tmp/workdir/pki
+                      LOGS: ${GITHUB_WORKSPACE}/logs.txt
+                      COPR_REPO: "@pki/master"
+                      test_set: "test_caacl_plugin.py test_caacl_profile_enforcement.py test_cert_plugin.py test_certprofile_plugin.py test_ca_plugin.py test_vault_plugin.py"

Contributor

edewata Apr 22, 2020

Since the build is now only done once, maybe we can split some of the IPA tests to run concurrently to reduce the execution time.

Member Author

SilleBille Apr 22, 2020

Yes, that's possible too \o/ May be in a future PR?

Contributor

bhavikbhavsar commented Apr 22, 2020

For the tests after installation can we verify if the services ca, kra, etc are running?

Member Author

SilleBille commented Apr 22, 2020

I don't think we're really worried about that right now -- we're running on upstream (Azure hosted) hardware with this PR right?

@cipherboy yes, this patch runs on Github provided runners

For the tests after installation can we verify if the services ca, kra, etc are running?

@bhavikbhavsar This patch does the same thing as we do in Travis (in fact, uses the same scripts). Going forward, I'll be working with @06shalini to run actual test playbooks.


          Add IPA test job and cleanup

80a47eb

This commit:

- Adds IPA tests to the GH actions matrix
- Gathers logs of IPA and PKI and corresponding journalctl
  logs and uploads it as a GH action artifact
- Minor cleanups to previous jobs

Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>

SilleBille force-pushed the gh-actions branch from 931d9a9 to 80a47eb Compare

April 22, 2020 21:23

edewata approved these changes

View reviewed changes

Contributor

edewata left a comment

LGTM

SilleBille merged commit 7af607b into dogtagpki:master

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels