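name: Lint Wolfi OS World

on:
  workflow_dispatch:

# Static, workflow-level settings for the ephemeral GKE build cluster.
# These are interpolated into `run:` scripts below; because they are fixed
# strings defined here (not user-controlled inputs), that interpolation is safe.
env:
  EPHEMERAL_BUILD_PROJECT_ID: "prod-wolfi-os"
  EPHEMERAL_BUILD_SERVICE_ACCOUNT: "wolfi-build-ephemeral-ci@prod-wolfi-os.iam.gserviceaccount.com"
  EPHEMERAL_BUILD_WORKLOAD_IDENTITY_PROVIDER: "projects/728015869174/locations/global/workloadIdentityPools/github/providers/github"
  EPHEMERAL_BUILD_NETWORK: "wolfi-build-ephemeral-vpc"
  EPHEMERAL_BUILD_REGION: "us-central1"

jobs:
  build:
    name: Build packages
    # Only run in the canonical repository: forks must not obtain the OIDC
    # token below or create clusters in the production project.
    if: github.repository == 'wolfi-dev/os'
    strategy:
      matrix:
        arch: [ "x86_64", "aarch64" ]
      fail-fast: false
    # Least privilege: `id-token: write` is required for Workload Identity
    # Federation; nothing here needs write access to repository contents.
    permissions:
      id-token: write
      contents: read
    runs-on:
      # The host arch doesn't really matter, but use the self hosted runners because we want beefier machines. The network/io bandwidth for these builds are intense.
      group: wolfi-os-builder-${{ matrix.arch }}
    container:
      # Pinned by digest so the build environment cannot change underneath us
      # even though the tag is a floating `latest`.
      image: ghcr.io/wolfi-dev/sdk:latest@sha256:9bc0db73ea7d4b55b0aa73308c4525965ddd591cb6278475eba14463244ca635
    steps:
      # TODO(review): the actions below are pinned to mutable major-version
      # tags while upload-artifact is pinned to a full commit SHA. Pin these
      # to commit SHAs as well so a moved tag cannot swap the code that
      # handles the OIDC token and cluster credentials.
      - uses: actions/checkout@v4
      - name: 'Trust the github workspace'
        run: |
          # This is to avoid fatal errors about "dubious ownership" because we are
          # running inside of a container action with the workspace mounted in.
          git config --global --add safe.directory "$(pwd)"
      - name: 'Authenticate to Google Cloud'
        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: ${{ env.EPHEMERAL_BUILD_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ env.EPHEMERAL_BUILD_SERVICE_ACCOUNT }}
      - run: apk add google-cloud-sdk gke-gcloud-auth-plugin kubectl-default
      - uses: google-github-actions/setup-gcloud@v1
        with:
          project_id: ${{ env.EPHEMERAL_BUILD_PROJECT_ID }}
          skip_install: true
      - name: Configure GCR auth
        run: gcloud auth configure-docker
      - name: 'Setup workflow variables'
        run: |
          # Create a globally unique cluster name for each run (including retries)
          echo "cluster_name=tmp-world-builder-$(date +%s)" >> "$GITHUB_ENV"
      # Build with a local key, we'll resign this with the real key later
      - name: 'Generate local signing key'
        run: |
          make local-melange.rsa
      - name: Setup k8s runner configs
        run: |
          cat > .melange.k8s.yaml <<EOF
          provider: gke
          repo: gcr.io/${{ env.EPHEMERAL_BUILD_PROJECT_ID }}/world-builds
          # Fully utilize {t2a,n2d}-standard-44
          resources:
            cpu: 43
            memory: 172Gi
            ephemeral-storage: 9Gi
          podTemplate:
            nodeSelector:
              cloud.google.com/compute-class: "Scale-Out"
              cloud.google.com/gke-spot: "true"
            volumeMounts:
              - name: scratch
                mountPath: /tmp
            volumes:
              - name: mount-0 # the default volume for /home/build
                ephemeral:
                  volumeClaimTemplate:
                    metadata:
                      labels:
                        type: build
                    spec:
                      accessModes: [ "ReadWriteOnce" ]
                      storageClassName: "premium-rwo" # Majority of builds are very I/O intensive, so this ends up being a significant boost
                      resources:
                        requests:
                          # The vast majority of builds don't need this, but some do and
                          # it's really annoying to make it all the way through only to
                          # fill up the disk at the end
                          storage: 15Gi
              - name: scratch
                ephemeral:
                  volumeClaimTemplate:
                    metadata:
                      labels:
                        type: scratch
                    spec:
                      accessModes: [ "ReadWriteOnce" ]
                      storageClassName: "premium-rwo" # Majority of builds are very I/O intensive, so this ends up being a significant boost
                      resources:
                        requests:
                          # The vast majority of builds don't need this, but some do and
                          # it's really annoying to make it all the way through only to
                          # fill up the disk at the end
                          storage: 15Gi
          EOF
      - name: Create ephemeral build cluster
        run: |
          # Get the IP of the runner, used to ensure only this is the only source IP allowed by the api server.
          # -f makes curl fail on HTTP errors; without it (and the emptiness check) a failed
          # lookup would silently pass "/32" to --master-authorized-networks.
          ip=$(curl -fsS https://api.ipify.org)
          if [ -z "$ip" ]; then
            echo "failed to determine runner public IP" >&2
            exit 1
          fi
          gcloud container clusters create-auto "$cluster_name" \
            --region "${{ env.EPHEMERAL_BUILD_REGION }}" \
            --project "${{ env.EPHEMERAL_BUILD_PROJECT_ID }}" \
            --enable-master-authorized-networks --master-authorized-networks "$ip/32" \
            --network "${{ env.EPHEMERAL_BUILD_NETWORK }}" \
            --create-subnetwork "" \
            --service-account "wolfi-build-ephemeral-default@prod-wolfi-os.iam.gserviceaccount.com"
          # Label the cluster with the run that owns it so orphaned clusters can be traced back.
          # `github.run_id` / `github.run_number` are the real context properties; the previous
          # `github.GITHUB_RUN_ID` form is not a context property and expanded to an empty string.
          gcloud container clusters update "$cluster_name" --region "${{ env.EPHEMERAL_BUILD_REGION }}" --project "${{ env.EPHEMERAL_BUILD_PROJECT_ID }}" \
            --update-labels="wolfi-dev_ephemeral-builder_github-run-id=${{ github.run_id }},wolfi-dev_ephemeral-builder_github-run-number=${{ github.run_number }}"
      - uses: 'google-github-actions/get-gke-credentials@v1'
        with:
          cluster_name: ${{ env.cluster_name }}
          location: ${{ env.EPHEMERAL_BUILD_REGION }}
          project_id: ${{ env.EPHEMERAL_BUILD_PROJECT_ID }}
      - name: 'Build the world from existing state'
        run: |
          make \
            MELANGE_EXTRA_OPTS="--runner kubernetes" \
            BUILDWORLD=no \
            all -j30 -k
          # Remove the build logs for packages that succeeded
          find ./packages/${{ matrix.arch }}/buildlogs -name "*.log" -exec sh -c 'tail -n 1 "$1" | grep -q "generating apk index from packages in packages"' _ {} \; -exec rm {} \;
      - name: Upload failed build logs
        if: always()
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          # upload-artifact v4 refuses a second upload to the same artifact name,
          # so the two matrix legs need distinct names or one of them fails.
          name: buildlogs-${{ matrix.arch }}
          path: ./packages/${{ matrix.arch }}/buildlogs/*.log
          # A fully successful build leaves no logs behind; that is not an error.
          if-no-files-found: ignore
          retention-days: 7
      - name: Janitor the builder clusters
        if: always()
        run: |
          # Delete any stragler builder pods, they already lack grace periods, so we can be forceful here
          kubectl delete pods --all -n default --wait=false --now=true --force=true
          gcloud container clusters delete "$cluster_name" \
            --region "${{ env.EPHEMERAL_BUILD_REGION }}" \
            --project "${{ env.EPHEMERAL_BUILD_PROJECT_ID }}" \
            --async \
            --quiet

  # TODO: Enable when workflow is more mature
  # postrun:
  #   runs-on: ubuntu-latest
  #   needs: [build]
  #   steps:
  #     - uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
  #       id: slack
  #       with:
  #         payload: '{"text": "[build-wolfi-world-parallel] results: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"}'
  #       env:
  #         SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
  #         SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK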