-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix CI Pipelines, remove references to HashiCorp Infrastructure #168
Conversation
5d7be74
to
a44d498
Compare
Are we going to continue with a single file per change approach instead of a single CHANGELOG file? |
@Gabrielopesantos If I recall correctly, GH actions doesn't provision a privileged token for pull requests from forks... Wonder how other projects handle this? Upstream mostly had contributions from inside the repo, so it wasn't as much of a problem... Hmmm... And to answer your question, yes, I think we're planning on using the changelog builder still. |
Makes sense, I didn't consider that. Something like this might be what we are looking for. As far as I understood, it is possible to set workflows to only run once approved by someone with write permission. |
@Gabrielopesantos said:
I think this page: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token states that the token for pull requests should have write permission. But its not clear to me why it failed:
Unless perhaps
so I'm still suspicious of write permissions, IMO. |
This retains the original HashiCorp upstream build & test pipelines, cleaning them up for OpenBao and removing HashiCorp internal tooling references that aren't necessary for us. The CI pipeline currently fails with test errors and commenting will need to be tested on the main repository with an appropriately scoped token. However, builds pass and produce usable, unsigned artifacts. This can form the basis of a proper (signed) release pipeline eventually, taking actions from the build stage of the tagged release commit and signing and verifying them. In order to fix CI, some changes to the Go modules were done, removing redundant tooling packages and re-adding the kubernetes integration tests. This also fixes CI to correctly run api & sdk tests, fixing openbao#61 again. Removed, unnecessary actions: - actionlint was used to allow-list actions upstream, - add-hashicorp-contributed-label was used to add a label to internal PRs for visibility, - backport was the tool to automatically backport PRs, - milestone-checker was used to ensure PRs had appropriate milestones prior to merge, - oss was used to classify issues against the specified label category - remove-labels was used to clean up issues & PRs - security-scan requires internal tooling not made public - test-ci-bootstrap & test-ci-cleanup are both part of the complex Enos integration tests, which were removed in 85455fb due to resource requirements. Resolves: openbao#31 Resolves: openbao#42 Resolves: openbao#152 Related: openbao#153 Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
a44d498
to
37a0b1b
Compare
This fixes many pipelines and removes others that aren't necessary any more. In doing so, we had to:
I also added RISC-V 64-bit support while I was here. :-)
This pipeline can be seen in action on my fork: cipherboy#1 --> https://github.com/cipherboy/openbao/pull/1/checks
TODO:
Check that builds work-->Builds do not work as they rely onI've fixed the build pipelines as part of this. Releasing is a different story; these builds aren't signed (for obvious reasons); I'm not sure if the Linux Foundation handles this for us or not.dist/vault
andhashicorp/actions-packaging-linux
-- as part of Fork - Release Pipeline #153 we should replace those.Resolves: #31
Resolves: #42
Resolves: #152
Related: #153