ci: Migrate LavaMoat validation to GitHub Actions #29369

Merged (3 commits) on Dec 20, 2024
60 changes: 0 additions & 60 deletions .circleci/config.yml
@@ -123,18 +123,6 @@ workflows:
- master
requires:
- prep-deps
- validate-lavamoat-allow-scripts:
requires:
- prep-deps
- validate-lavamoat-policy-build:
requires:
- prep-deps
- validate-lavamoat-policy-webapp:
matrix:
parameters:
build-type: [main, beta, flask, mmi]
requires:
- prep-deps
- prep-build-mmi:
requires:
- prep-deps
@@ -268,9 +256,6 @@ workflows:
- prep-build-flask-mv2
- all-tests-pass:
requires:
- validate-lavamoat-allow-scripts
- validate-lavamoat-policy-build
- validate-lavamoat-policy-webapp
- validate-source-maps
- validate-source-maps-beta
- validate-source-maps-flask
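Review bot: with these three entries dropped from `all-tests-pass`, the CircleCI aggregate status no longer covers LavaMoat validation, so if branch protection lists CircleCI job names as required checks, the LavaMoat gate silently disappears at merge time; confirm the required status checks reference the GitHub Actions aggregate job whose `needs` list gains these jobs in `.github/workflows/main.yml` before this lands.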
@@ -481,51 +466,6 @@ jobs:
at: .
- run: yarn tsx .circleci/scripts/validate-locales-only.ts

validate-lavamoat-allow-scripts:
executor: node-browsers-small
steps:
- run: *shallow-git-clone-and-enable-vnc
- run: sudo corepack enable
- attach_workspace:
at: .
- run:
name: Validate allow-scripts config
command: yarn allow-scripts auto
- run:
name: Check working tree
command: .circleci/scripts/check-working-tree.sh

validate-lavamoat-policy-build:
executor: node-browsers-medium
steps:
- run: *shallow-git-clone-and-enable-vnc
- run: sudo corepack enable
- attach_workspace:
at: .
- run:
name: Validate LavaMoat build policy
command: yarn lavamoat:build:auto
- run:
name: Check working tree
command: .circleci/scripts/check-working-tree.sh

validate-lavamoat-policy-webapp:
executor: node-browsers-medium-plus
parameters:
build-type:
type: string
steps:
- run: *shallow-git-clone-and-enable-vnc
- run: sudo corepack enable
- attach_workspace:
at: .
- run:
name: Validate LavaMoat << parameters.build-type >> policy
command: yarn lavamoat:webapp:auto:ci '--build-types=<< parameters.build-type >>'
- run:
name: Check working tree
command: .circleci/scripts/check-working-tree.sh

prep-build:
executor: node-linux-medium
steps:
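Review bot: `.circleci/scripts/check-working-tree.sh` loses its three callers in this hunk; if nothing else in config.yml still invokes it, remove it in the same PR, or alternatively give the new workflows one shared composite action for the "Check working tree" step instead of inlining the same `git diff --exit-code` block three times, so the three jobs cannot drift apart later.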
15 changes: 15 additions & 0 deletions .github/workflows/main.yml
@@ -56,6 +56,18 @@ jobs:
name: Test deps depcheck
uses: ./.github/workflows/test-deps-depcheck.yml

validate-lavamoat-allow-scripts:
name: Validate lavamoat allow scripts
uses: ./.github/workflows/validate-lavamoat-allow-scripts.yml

validate-lavamoat-policy-build:
name: Validate lavamoat policy build
uses: ./.github/workflows/validate-lavamoat-policy-build.yml

validate-lavamoat-policy-webapp:
name: Validate lavamoat policy webapp
uses: ./.github/workflows/validate-lavamoat-policy-webapp.yml

run-tests:
name: Run tests
uses: ./.github/workflows/run-tests.yml
@@ -75,6 +87,9 @@ jobs:
- test-lint-lockfile
- test-yarn-dedupe
- test-deps-depcheck
- validate-lavamoat-allow-scripts
- validate-lavamoat-policy-build
- validate-lavamoat-policy-webapp
- run-tests
- wait-for-circleci-workflow-status
outputs:
25 changes: 25 additions & 0 deletions .github/workflows/validate-lavamoat-allow-scripts.yml
@@ -0,0 +1,25 @@
name: Validate lavamoat allow scripts

on:
workflow_call:

jobs:
validate-lavamoat-allow-scripts:
name: Validate lavamoat allow scripts
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup environment
uses: metamask/github-tools/.github/actions/setup-environment@main

- name: Validate allow-scripts config
run: yarn allow-scripts auto

- name: Check working tree
run: |
if ! git diff --exit-code; then
echo "::error::Working tree dirty."
exit 1
fi
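Review bot: both actions are referenced by mutable refs, and `metamask/github-tools/.github/actions/setup-environment@main` in particular tracks a branch, so whatever is pushed there next silently changes what runs in the job that guards the LavaMoat policies; pin both to a full commit SHA (with the tag or branch in a trailing comment) and let Dependabot bump them. Also, `git diff --exit-code` reports only changes to tracked files, so a run of `yarn allow-scripts auto` that created a new file would still pass this check; `test -z "$(git status --porcelain)"` catches both modified and untracked files.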
27 changes: 27 additions & 0 deletions .github/workflows/validate-lavamoat-policy-build.yml
@@ -0,0 +1,27 @@
name: Validate lavamoat policy build

on:
workflow_call:

jobs:
validate-lavamoat-policy-build:
name: Validate lavamoat policy build
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup environment
uses: metamask/github-tools/.github/actions/setup-environment@main

- name: Validate lavamoat build policy
run: yarn lavamoat:build:auto
env:
INFURA_PROJECT_ID: 00000000000

- name: Check working tree
run: |
if ! git diff --exit-code; then
echo "::error::Working tree dirty."
exit 1
fi
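Review bot: `INFURA_PROJECT_ID: 00000000000` is an unquoted plain scalar, so a YAML parser reads it as the integer 0 (a YAML 1.1 parser would even treat the leading zero as octal), and the step most likely receives `INFURA_PROJECT_ID=0` rather than an eleven-character id; a mock value that only needs to be non-empty works either way, but quoting it as `INFURA_PROJECT_ID: '00000000000'` makes the value handed to the build unambiguous and avoids a surprise if the build ever checks the id's format.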
30 changes: 30 additions & 0 deletions .github/workflows/validate-lavamoat-policy-webapp.yml
@@ -0,0 +1,30 @@
name: Validate lavamoat policy webapp

on:
workflow_call:

jobs:
validate-lavamoat-policy-webapp:
name: Validate lavamoat policy webapp
runs-on: ubuntu-latest
strategy:
matrix:
build-type: [main, beta, flask, mmi]
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup environment
uses: metamask/github-tools/.github/actions/setup-environment@main

- name: Validate lavamoat ${{ matrix.build-type }} policy
run: yarn lavamoat:webapp:auto:ci --build-types=${{ matrix.build-type }}
env:
INFURA_PROJECT_ID: 00000000000
Contributor:

Should this be an ENV var? Or could you explain what that id is?

Member Author:

Good question! This is the single required environment variable for our build process. Generating an application LavaMoat policy requires building the project, so we needed to set it to something. But since this is a mock value that we don't want to use elsewhere, it's set inline directly.

The same strategy is used in the existing "Update LavaMoat policies" workflow:

Contributor:

Ah! Thanks for the explanation!

- name: Check working tree
run: |
if ! git diff --exit-code; then
echo "::error::Working tree dirty."
exit 1
fi
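Review bot: the matrix keeps the default `fail-fast: true`, so the first build-type whose policy has drifted cancels the other three legs, and a developer who fixes one policy file only discovers the next drift on the following push; add `fail-fast: false` under `strategy:` so all four policy diffs are reported in one run. Minor: the CircleCI job quoted the argument (`'--build-types=<< parameters.build-type >>'`); with the single-token values in this matrix the unquoted `--build-types=${{ matrix.build-type }}` is equivalent.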