Skip to content

Ensure PublicIPAddress resources aren't permanently blocked (#4481) #10843

Ensure PublicIPAddress resources aren't permanently blocked (#4481)

Ensure PublicIPAddress resources aren't permanently blocked (#4481) #10843

Workflow file for this run

name: Validate Pull Request
on:
# runs on pushes to main in order to update the baseline code coverage
# so that PRs have something to compare against
push:
branches:
- main
pull_request:
branches:
- main
merge_group:
branches:
- main
types: [checks_requested]
jobs:
test-go-get:
runs-on: ubuntu-latest
steps:
- name: '`go get` code'
run: |
# placeholder module so we can invoke go get
go mod init example.com/m
# note: cannot use github.sha here since that commit doesn't really exist
# however, since we require branches to always be up-to-date (GitHub setting),
# using the head of the PR branch should provide equivalent behaviour
sha='${{ github.event.pull_request.head.sha }}'
repo='${{ github.event.pull_request.head.repo.html_url}}'
repo=${repo#"https://"} # trim prefix
if [ "$repo" != "github.com/Azure/azure-service-operator" ]; then
echo "Skipping 'go get' check for fork…"
exit 0
fi
if [ -z "$sha" ]; then
# this means we were triggered by push to 'main',
# not a PR, so use the sha that triggered this
sha='${{ github.sha }}'
fi
# Give GitHub some time to make the commit available
sleep 10
# Sometimes it can take https://proxy.golang.org up to a minute for the latest commit to be available.
# See the FAQ at https://proxy.golang.org/
FAILED=1
for i in {1..5}; do
if go get "$repo/v2@$sha" ; then
FAILED=0
break
fi
echo "Failed to 'go get' $repo/v2@$sha, retrying in 60 seconds…"
sleep 60
done
exit $FAILED
test-generator:
runs-on: [self-hosted, 1ES.Pool=aso-1es-pool]
permissions:
packages: read
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pinned to 4.1.7
with:
fetch-depth: 0 # required to access tags
submodules: 'true'
- name: Force docker to SSD
run: sudo scripts/v2/linux-docker-use-ssd.sh --containerd true
- name: check-changes
id: check-changes
run: scripts/v2/check-changes.sh
- name: Log in to GitHub Docker Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # pinned to v3.3.0
with:
registry: docker.pkg.github.com # ghcr.io not yet enabled for Azure org
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
if: steps.check-changes.outputs.code-changed == 'true'
# Note: Changes to this step must also be mirrored into pr-validation-with-secrets.yaml
- name: Build devcontainer image
# We must issue a manual pull before the build so the image gets copied locally, because
# docker.pkg.github.com is not a valid Docker registry and doesn't work with --cache-from,
# however, `docker pull` will fall back to other methods that do work and get the image loaded.
#
# This message comes from "docker pull":
#
# Run docker pull docker.pkg.github.com/azure/azure-service-operator/aso-devcontainer:latest
# WARNING: ⚠️ Failed to pull manifest by the resolved digest. This registry does not
# appear to conform to the distribution registry specification; falling back to
# pull by tag. This fallback is DEPRECATED, and will be removed in a future
# release. Please contact admins of https://docker.pkg.github.com. ⚠️
#
# See: https://github.com/moby/moby/issues/41687#issuecomment-733826074 and related issues
run: |
docker pull docker.pkg.github.com/azure/azure-service-operator/aso-devcontainer:latest
docker build --cache-from docker.pkg.github.com/azure/azure-service-operator/aso-devcontainer:latest --tag devcontainer:latest .devcontainer
env:
DOCKER_BUILDKIT: 1
if: steps.check-changes.outputs.code-changed == 'true'
- name: Run devcontainer image
id: devcontainer
run: |
container_id=$(docker create -w /workspace -v $GITHUB_WORKSPACE:/workspace -v /var/run/docker.sock:/var/run/docker.sock --network=host devcontainer:latest)
docker start "$container_id"
echo "container_id=$container_id" >> $GITHUB_ENV
if: steps.check-changes.outputs.code-changed == 'true'
- name: Run CI tasks
run: |
container_id=${{ env.container_id }}
set +e # don't exit instantly on failure, we need to produce Markdown summary
docker exec "$container_id" task ci
EXIT_CODE=$?
set -e
# generate summary Markdown file for display in Actions
cat reports/*.md > $GITHUB_STEP_SUMMARY
exit $EXIT_CODE
if: steps.check-changes.outputs.code-changed == 'true'
- name: Save JSON logs on failure
if: ${{ failure() }}
uses: actions/[email protected]
with:
name: test-output
path: reports/*.json
- name: Build docker image & build configuration YAML
run: |
container_id=${{ env.container_id }}
docker exec "$container_id" task controller:docker-build-and-save
docker exec "$container_id" task controller:run-kustomize-for-envtest
if: steps.check-changes.outputs.code-changed == 'true'
- name: Archive outputs
uses: actions/[email protected]
with:
name: output
path: v2/bin/*
if-no-files-found: error
if: steps.check-changes.outputs.code-changed == 'true'
# Workaround for getting "Permission denied" errors when trying to perform code coverage upload
- name: Take Ownership
run: sudo chown -R $USER:$USER .
# We were using bash upload previously, but it's unsupported since 2022 and
# seems to hang forever now. There seems to be significant throttling of tokenless requests (from forks)
# errors like: Upload failed: {"detail":"Tokenless has reached GitHub rate limit. Please upload using a token:
# https://docs.codecov.com/docs/adding-the-codecov-token. Expected available in 395 seconds."}
# Unfortunately I don't see another choice for this so for now we'll live with it
- name: Upload code coverage to Codecov
uses: codecov/codecov-action@v4
with:
token: ${{ secrets.CODECOV_TOKEN }}
directory: reports
verbose: true
# TODO: Changing this name requires changing the github API calls in pr-validation-fork.yml
integration-tests:
runs-on: [self-hosted, 1ES.Pool=aso-1es-pool]
if:
# Run on pull requests in this repository that are not from @dependabot, and run for merge groups
github.event_name == 'merge_group' ||
( github.event_name == 'pull_request' &&
github.actor != 'dependabot[bot]' &&
github.event.pull_request.head.repo.full_name == github.repository )
permissions:
packages: read
checks: write
steps:
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pinned to 4.1.7
with:
fetch-depth: 0 # required to access tags
submodules: 'true'
- name: Force docker to SSD
run: sudo scripts/v2/linux-docker-use-ssd.sh --containerd true
- name: check-changes
id: check-changes
run: scripts/v2/check-changes.sh
- name: Log in to GitHub Docker Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # pinned to v3.3.0
with:
registry: docker.pkg.github.com # ghcr.io not yet enabled for Azure org
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
if: steps.check-changes.outputs.code-changed == 'true'
# Note: Changes to this step must also be mirror into pr-validation.yaml
- name: Build devcontainer image
# We must issue a manual pull before the build so the image gets copied locally, because
# docker.pkg.github.com is not a valid Docker registry and doesn't work with --cache-from,
# however, `docker pull` will fall back to other methods that do work and get the image loaded.
#
# This message comes from "docker pull":
#
# Run docker pull docker.pkg.github.com/azure/azure-service-operator/aso-devcontainer:latest
# WARNING: ⚠️ Failed to pull manifest by the resolved digest. This registry does not
# appear to conform to the distribution registry specification; falling back to
# pull by tag. This fallback is DEPRECATED, and will be removed in a future
# release. Please contact admins of https://docker.pkg.github.com. ⚠️
#
# See: https://github.com/moby/moby/issues/41687#issuecomment-733826074 and related issues
run: |
docker pull docker.pkg.github.com/azure/azure-service-operator/aso-devcontainer:latest
docker build --cache-from docker.pkg.github.com/azure/azure-service-operator/aso-devcontainer:latest --tag devcontainer:latest .devcontainer
env:
DOCKER_BUILDKIT: 1
if: steps.check-changes.outputs.code-changed == 'true'
- name: Run devcontainer image
id: devcontainer
run: |
container_id=$(docker create -w /workspace -v $GITHUB_WORKSPACE:/workspace -v /var/run/docker.sock:/var/run/docker.sock --network=host devcontainer:latest)
docker start "$container_id"
echo "container_id=$container_id" >> $GITHUB_ENV
if: steps.check-changes.outputs.code-changed == 'true'
- name: Run integration tests
run: |
container_id=${{ env.container_id }}
docker exec -e HOSTROOT=$GITHUB_WORKSPACE -e GITHUB_ACTIONS -e AZURE_TENANT_ID -e AZURE_SUBSCRIPTION_ID -e KIND_OIDC_STORAGE_ACCOUNT_RG -e KIND_OIDC_STORAGE_ACCOUNT "$container_id" task controller:ci-integration-tests
env:
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
KIND_OIDC_STORAGE_ACCOUNT_RG: ${{ secrets.KIND_OIDC_STORAGE_ACCOUNT_RG }}
KIND_OIDC_STORAGE_ACCOUNT: ${{ secrets.KIND_OIDC_STORAGE_ACCOUNT }}
if:
steps.check-changes.outputs.code-changed == 'true'
- name: Get Job ID from GH API
id: get-job-id
if: ${{ always() }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
jobs=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id}}/attempts/${{ github.run_attempt }}/jobs)
job_id=$(echo $jobs | jq -r '.jobs[] | select(.runner_name=="${{ runner.name }}") | .id')
echo "job_id=$job_id" >> $GITHUB_ENV
# Update check run called "integration-tests-fork"
- name: update-integration-tests-result
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # pinned to v7.0.1
id: update-check-run
if: ${{ always() }}
env:
repo: ${{ github.repository }}
owner: ${{ github.repository_owner }}
run_id: ${{ env.job_id }}
server_url: ${{ github.server_url }}
integration_test_job: 'integration-tests-fork' # This is the name of the job defined in pr-validation-fork.yml
# Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
conclusion: ${{ job.status }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
// Get all the details of the check run that's currently executing
// This lets us get the SHA we're building regardless of WHY we're building it
const { data: check } = await github.rest.checks.get({
owner: context.repo.owner,
repo: context.repo.repo,
check_run_id: process.env.run_id
});
// update the check result for `integration-tests-fork`
const url = `${process.env.server_url}/${process.env.repo}/actions/runs/${process.env.run_id}`
const { data: result } = await github.rest.checks.create({
...context.repo,
name: process.env.integration_test_job,
head_sha: check.head_sha,
status: 'completed',
conclusion: process.env.conclusion,
details_url: url,
});
return result;