-
Notifications
You must be signed in to change notification settings - Fork 188
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: Update CI/CD workflows #1428
Conversation
Thanks for the PR @ankurdotb! This is great and a much needed update
Ditch it!
I wasn't aware we were using this action. If we can use ubuntu 22.04 that is best I think? Althought there's a pr open from ry that adds a bigger runner for ubuntu-latest which speeds up the PRs and may also solve some of the ci issues
We use semantic release (well we use lerna, which uses conventional commits), but we want to release an alpha version on every PR to main, which calculates the correct next version. We also don't store the alpha version in the package json as that requires updating the package json for every PR. So that's the story of how we got this CI, if you have a way to keep the same behavior, but simplify I'm all in!
See my comment above. 22.04 is fine, but we may want to use the large runner that a PR is open for now. |
Codecov Report
@@ Coverage Diff @@
## main #1428 +/- ##
==========================================
+ Coverage 82.42% 85.86% +3.43%
==========================================
Files 870 870
Lines 20489 20489
Branches 3449 3449
==========================================
+ Hits 16888 17592 +704
+ Misses 3365 2725 -640
+ Partials 236 172 -64 see 18 files with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
The action was added because we need Ubuntu 22.04 for anoncreds-rs (see hyperledger/anoncreds-rs#105) but indy-sdk doesn't support the shipped libssl version, so we needed to downgrade to libssl 1.1.1. I think it can be changed to libssl1.1_1.1.1f-1ubuntu2_amd64.deb although IMHO the best solution in the short term would be to fix the issue in anoncreds-rs and be able to use ubuntu 20.04 again. I think in the mid-term ideally we should not depend anymore on indy-sdk (at least in this repo) so we would be able to use ubuntu 22.04 or even node:18 or so. |
@TimoGlastra (and also @ryjones)
Done! I've deleted the local copy of
Yes, I saw #1429. @ryjones, is IMO if you running into issues with the runners, these two points below without requiring larger runners:
I would recommend downgrading the runners to Ubuntu 20.04, thanks for the context @genaris. If I look up
If we do need larger runners, @ryjones might need to redefine the "large" runners to be Ubuntu 20.04 instead.
Do you mean you're using the semantic release convention? Since I don't see this repo using the
I think maybe we can split this semantic release stuff out to a different PR, since it might be helpful to walk you or whoever else does releases here with the semantic-release NPM package configuration options. Lastly, I edited my original message to add some detail around some changes I made to the Dockerfile. Right now, I can see that the Dockerfile images are pretty large (about 4+ GB) and I have some suggestions there on how to do fully utilise Docker's multi-stage build capability. Could you please take a look at that section @TimoGlastra? I need some support though to understand what needs to be copied from build stage (dependencies, artefacts) to a final, slimmer image. I did try it, but didn't commit it since I kept running into build issues with |
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
- Bump actions/checkout - Switch to `--immutable` with yarn (this is the new command) - Fix deprecated set-output command Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
- Use a consistent runner - Fix set-output issues - Switch to setup-node Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
build: test large builders Signed-off-by: Ry Jones <ry@linux.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
Signed-off-by: Ankur Banerjee <ankurdotb@users.noreply.github.com>
@ankurdotb @TimoGlastra AFJ has access to
These are paid as a test. |
@ankurdotb : here is the output prettier: index d9faf80..eb9c53f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,30 +4,29 @@
version: 2
updates:
-
# Maintain dependencies for NPM
- - package-ecosystem: "npm"
- directory: "/"
+ - package-ecosystem: 'npm'
+ directory: '/'
schedule:
- interval: "monthly"
+ interval: 'monthly'
allow:
- # Focus on main dependencies, not devDependencies
- - dependency-type: "production"
+ # Focus on main dependencies, not devDependencies
+ - dependency-type: 'production'
# Maintain dependencies for GitHub Actions
- - package-ecosystem: "github-actions"
- directory: "/"
+ - package-ecosystem: 'github-actions'
+ directory: '/'
schedule:
- interval: "monthly"
+ interval: 'monthly'
# Maintain dependencies for Docker
- - package-ecosystem: "docker"
- directory: "/"
+ - package-ecosystem: 'docker'
+ directory: '/'
schedule:
- interval: "monthly"
+ interval: 'monthly'
# Maintain dependencies for Cargo
- - package-ecosystem: "cargo"
- directory: "/"
+ - package-ecosystem: 'cargo'
+ directory: '/'
schedule:
- interval: "monthly"
+ interval: 'monthly'
diff --git a/.github/workflows/cleanup-cache.yml b/.github/workflows/cleanup-cache.yml
index 31bb3f8..4b4ecd5 100644
--- a/.github/workflows/cleanup-cache.yml
+++ b/.github/workflows/cleanup-cache.yml
@@ -1,17 +1,16 @@
# Repositories have 10 GB of cache storage per repository
# Documentation: https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy
-name: "Cleanup - Cache"
+name: 'Cleanup - Cache'
on:
schedule:
- - cron: "0 0 * * 0/3"
+ - cron: '0 0 * * 0/3'
workflow_dispatch:
jobs:
-
delete-caches:
- name: "Delete Actions caches"
+ name: 'Delete Actions caches'
runs-on: ubuntu-latest
-
+
steps:
- - name: "Wipe Github Actions cache"
+ - name: 'Wipe Github Actions cache'
uses: easimon/wipe-cache@v2
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 737b35c..cdebeb2 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -14,7 +14,6 @@ concurrency:
env:
NODE_OPTIONS: --max_old_space_size=4096
-
jobs:
analyze:
name: Analyze |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, the runner names changed again (for the last time).
jobs: | ||
release-canary: | ||
runs-on: ubuntu-20.04 | ||
runs-on: ubuntu-latest-m |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
runs-on: aries-ubuntu-latest
@@ -56,22 +61,23 @@ jobs: | |||
git push origin v${{ steps.get-version.outputs.version }} --no-verify | |||
|
|||
release-stable: | |||
runs-on: ubuntu-20.04 | |||
runs-on: ubuntu-latest-m |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
runs-on: aries-ubuntu-latest
cancel-in-progress: true | ||
|
||
jobs: | ||
# PRs created by github actions won't trigger CI. Before we can merge a PR we need to run the tests and | ||
# validation scripts. To still be able to run the CI we can manually trigger it by adding the 'ci-test' | ||
# label to the pull request | ||
ci-trigger: | ||
runs-on: ubuntu-22.04 | ||
runs-on: ubuntu-latest-m |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
runs-on: aries-ubuntu-latest
|
||
validate: | ||
runs-on: ubuntu-22.04 | ||
runs-on: ubuntu-latest-m |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
runs-on: aries-ubuntu-latest
@@ -79,7 +81,7 @@ jobs: | |||
run: yarn build | |||
|
|||
integration-test: | |||
runs-on: ubuntu-22.04 | |||
runs-on: ubuntu-latest-m |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
runs-on: aries-ubuntu-latest
|
||
- uses: codecov/codecov-action@v1 | ||
if: always() | ||
|
||
version-stable: | ||
runs-on: ubuntu-22.04 | ||
runs-on: ubuntu-latest-m |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
runs-on: aries-ubuntu-latest
Discussed on AFJ WG call. @ankurdotb do you have time to resolve the final comments from @ryjones? If not @genaris can take a look at the final pieces |
Superseded by #1500 |
This PR doesn't change any code: it primarily focusses on improving the workflows used for CI/CD in this repository. A few elements can be quickly discussed and resolved, but until then it's NOT to be merged. (I'm not setting to "draft" as that disables workflow runs).
Outstanding questions
ubuntu-20.04
orubuntu-22.04
? (ubuntu-latest
now points toubuntu-22.04
. There was a transition period when it could have pointed to either near end of 2022.)actions/setup-libssl
seems to be adding a package designed for Ubuntu 18.04. Ideally, this should be changed to the package for Ubuntu 20.04 or Ubuntu 22.04 (depending on runner decision above).@cheqd/sdk
for an example). This uses a custom/default Convention Commit convention to auto-trigger releases.Changelog
Continuous Integration/Deployment workflows
cache
handling option itself automatically does this. Using the actual upstreamactions/setup-node@v3
ensures all upstream security updates are used in the workflow. I'm not too fussed whether a local copy is kept, but should ideally be bumped to v3 and can be simplified to use the built-in cache handling. (v2 required manual configuration.)set-output
as a statement in Github Actions is deprecated, and is currently in the sunset/transition period. It will be fully removed on 31st May 2023. I've updated these statements to use the new recommended technique instead, otherwise, all CI/CD would start failing in May 2023.--frozen-lockfile
to allyarn install
statements. Otherwise, there's a non-zero chance the target dependency resolution is different than what's inyarn.lock
and could cause divergence in the lint/build stage vs what's happening in release.CodeQL
CodeQL requires a build to be executed to analyse security and quality issues correctly. I've added a build statement to the CodeQL workflow, and added query packs explicitly (the default is
security-extended
). I've also updated the workflow versions for security.Dependabot
Adds a Dependabot workflow for security and version bumps. I've set the strategy to focus only on direct dependencies, rather than direct + devDependencies, although this can be customised.
New cache cleanup workflow
Github repositories have a maximum storage of 10 GB allocated to them with 7 days worth of caching, beyond which entries get ejected. However, if within those 7 days the cache hits 10 GB, there's a chance that CI/CD workflows could fail. I've added a workflow to evict entries from the cache every 3 days, which will make the whole repository less likely to hit the cache limit and have workflows fail. (This can also be an issue for forks.)
Lint PR, Repo Linter
Bumped external Actions to latest versions
Dockerfile
I'm not sure if this is used still (or perhaps for local development only), but I recommend some of the following optimisations since the built image size is approx 4.5 GB (which is pretty big):
RUN
statements. Each RUN, COPY, ADD etc adds layers, and the Docker caching engine behaves better (i.e., will likely find more cache hits for combined statements)base
target is just copied over as-is to thefinal
target. This doesn't really optimise the final image size. For example, one method would be keepingbase
mostly as-is, and then using thenode:16-buster
ornode:16-buster-slim
as the base for final stage. Built artefacts frombase
can be copied over usingCOPY --from=base...
syntax. This way, the larger base image with all its dependencies and fat Ubuntu image can be ditched to make a slimmerfinal
image. However, I'm not exactly sure which bits need to be copied over so I couldn't execute this entirely. Can theyarn build
be done independently, or does it require the pre-requisites?node:16-alpine
instead. While there's more packages that need to be installed (e.g., bash is not installed of the box, it comes withsh
only) the image sizes are dramatically lower (approx. 50-100 MB vs 4+ GB on other repos where I've implemented this).