Migrate to GitHub actions

This includes some refactors to the build steps. High level items: * Add variables for DOCKER_IMAGE, S3_RELEASE_BUCKET to allow for forks of OPA to re-use the GitHub actions with their own s3 buckets and docker orgs/image names. * Unify the release build steps to use `make release` and the binaries being located under `_release/$(VERSION)`. All CI targets now rely on binaries being in that `RELEASE_DIR`, including image building steps The `make build` target is unaffected. * Add a wrapper to allow the CI to run the various golang target stages separately, but sharing the same docker configuration. * Conditionally specify `-it` for docker run commands based on whether A tty is available. * Added scripts to automate drafting a release with binary assets vi the `hub` CLI. * The release process triggered on a tag being pushed will now use the same binaries from `make release` for the docker images as well as the ones attached to the release (which are available under https://openpolicyagent.org/downloads/). The actions themselves are split into 3 workflows: pull-request.yaml: Triggers on pull requests. This will run all the normal tests/checks as before on Travis, however they are now split into separate jobs. In addition to what was done on Travis we will now have Codecov results included. post-merge.yaml: Triggers after a change is pushed to master. This will run tests and build+publish the `edge` and `dev` artifacts to dockerhub and s3. post-tag.yaml: Triggers after a tag has been pushed. Similar to post-merge.yaml it will run tests and build+publish release artifacts (for the tagged version). It will also create a draft release on GitHub with the same artifacts and notes from the CHANGELOG.md. If a release already exists it will be updated to include the assets, however the release notes will _not_ be added. The RELEASE.md steps have been updated and include notes on the new steps. Signed-off-by: Patrick East <east.patrick@gmail.com>
open-policy-agent · Jul 8, 2020 · fb5ff78 · fb5ff78
1 parent a5e5808
commit fb5ff78
Show file tree

Hide file tree

Showing 14 changed files with 425 additions and 99 deletions.
diff --git a/.github/workflows/post-merge.yaml b/.github/workflows/post-merge.yaml
@@ -0,0 +1,31 @@
+name: Post Merge
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  deploy-edge:
+    name: Push Edge Release
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Test
+        run: make travis-release-test
+        timeout-minutes: 60
+
+      - name: Build Release Binaries
+        run: make release-local
+
+      - name: Deploy OPA Edge
+        env:
+          DOCKER_USER: ${{ secrets.DOCKER_USER }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          DOCKER_IMAGE: ${{ secrets.DOCKER_IMAGE }}
+          S3_RELEASE_BUCKET: ${{ secrets.S3_RELEASE_BUCKET }}
+        run: make deploy-travis
diff --git a/.github/workflows/post-tag.yaml b/.github/workflows/post-tag.yaml
@@ -0,0 +1,38 @@
+name: Post Tag
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  build:
+    name: Push Latest Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Set TAG_NAME in Environment
+        # Subsequent jobs will be have the computed tag name
+        run: echo ::set-env name=TAG_NAME::"${GITHUB_REF##*/}"
+
+      - name: Test
+        run: make travis-release-test
+        timeout-minutes: 60
+
+      - name: Build Release Binaries
+        run: make release
+
+      - name: Build and Deploy OPA Docker Images
+        env:
+          DOCKER_USER: ${{ secrets.DOCKER_USER }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_IMAGE: ${{ secrets.DOCKER_IMAGE }}
+        run: make release-travis
+
+      - name: Create or Update Release
+        env:
+          # Required for the `hub` CLI
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: ./build/github-release.sh --asset-dir=./_release/${TAG_NAME#v}/ --tag=${TAG_NAME}
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -0,0 +1,79 @@
+name: PR Check
+
+on: [pull_request]
+
+jobs:
+  # All jobs essentially re-create the `travis-release-build` make target, but are split
+  # up for parallel runners for faster PR feedback and a nicer UX.
+
+  go-build:
+    name: Go Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Build Golang
+        run: make travis-go-build-all-platforms
+        timeout-minutes: 30
+
+  go-test:
+    name: Go Test
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Unit Test Golang
+        run: make travis-go-test-coverage
+        timeout-minutes: 30
+
+      - name: Codecov Upload
+        uses: codecov/codecov-action@v1
+        with:
+          tags: unittests
+          file: ./coverage.txt
+
+  go-perf:
+    name: Go Perf
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Benchmark Test Golang
+        run: make travis-go-perf
+        timeout-minutes: 30
+
+  go-lint:
+    name: Go Lint
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Golang Style and Lint Check
+        run: make travis-go-check
+        timeout-minutes: 30
+
+  wasm:
+    name: WASM
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Build and Test WASM
+        run: make travis-wasm
+        timeout-minutes: 15
+
+  check-generated:
+    name: Check Generated
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Check Working Copy
+        run: make travis-check-working-copy
+        timeout-minutes: 15
diff --git a/.gitignore b/.gitignore
@@ -5,7 +5,7 @@
 *~
 
 # build artifacts
-coverage
+coverage.txt
 opa_*
 .Dockerfile_*
 _release
@@ -16,6 +16,7 @@ policy.wasm
 .npm
 .gitbook
 .go
+release-notes.md
 
 # ci artifacts
 fuzzit

diff --git a/Dockerfile b/Dockerfile
@@ -16,7 +16,13 @@ ARG USER=0
 
 MAINTAINER Torin Sandall <torinsandall@gmail.com>
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY opa_linux_amd64 /opa
+
+# Hack.. https://github.com/moby/moby/issues/37965
+# _Something_ needs to be between the two COPY steps.
 USER ${USER}
+
+ARG BIN_DIR=.
+COPY ${BIN_DIR}/opa_linux_amd64 /opa
+
 ENTRYPOINT ["/opa"]
 CMD ["run"]