Commit graph

125 commits

Author SHA1 Message Date
hc-github-team-nomad-core 1a506eba24
backport of commit cf8dde0850a23d4e8b0b48bc5fea2f66388ab711 (#18544)
Co-authored-by: Phil Renaud <phil.renaud@hashicorp.com>
2023-11-14 14:38:26 -05:00
hc-github-team-nomad-core 6a4a3f6d78
backport of commit 6fca4fa715fcfe5c4a214e90f72c54cda7da6efd (#18490)
Co-authored-by: Seth Hoenig <shoenig@duck.com>
2023-09-13 16:38:21 -05:00
hc-github-team-nomad-core c25c04816d
Backport of e2e: modernize vaultcompat testing into release/1.6.x (#18182)
This pull request was automerged via backport-assistant
2023-08-09 09:25:32 -05:00
Tim Gross bebed09677 GHA pinning updates (#18093)
Trusted Supply Chain Component Registry (TSCCR) enforcement starts Monday and an
internal report shows our semgrep action is pinned to a version that's not
currently permitted. Update all the action versions to whatever's the new
hotness to maximum the time-to-live on these until we have automated pinning
setup.

Also version bumps our chromedriver action, which randomly broke upstream today.
2023-07-28 11:52:42 -04:00
hc-github-team-nomad-core 048ca39403
backport of commit 0cb728ed68165888245cf8bc72e4dece5123ef4f (#17918)
This pull request was automerged via backport-assistant
2023-07-12 09:52:00 -05:00
hashicorp-copywrite[bot] 2b85290d55
[COMPLIANCE] Add Copyright and License Headers (#17877)
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
2023-07-11 07:48:11 +01:00
Daniel Bennett 30b1b88332
ci: more self-hosted iops for checks workflow (#17852) 2023-07-10 10:21:04 -05:00
Daniel Bennett 30a99926dc
ci: pull secrets from Vault in nomad-enterprise (#17841) 2023-07-07 14:27:12 -05:00
Daniel Bennett a3924db96c
ci: windows tests on public runners (#17829)
currently our self-hosted windows runners lack `docker`,
so for now just revert to public runners.
2023-07-06 17:06:55 -05:00
Daniel Bennett c272cb0d5a
ci: clean GOCACHE before build (#17808)
this is basically to avoid Fear/Uncertainty/Doubt

the github action actions/setup-go
(and, with a different chache key, hashicorp/setup-golang)
caches both GOMODCACHE (go source files), which is good,
and GOCACHE (build outputs), which *might* be bad,
if the cache was built on an OS with an older glibc
than we want to support. from `go help cache`:
> [...] the build cache does not detect changes to
> C libraries imported with cgo.
2023-07-06 12:47:43 -05:00
Daniel Bennett 4c2cb7b701
ci: dynamic runs-on values for oss/ent (#17775)
so in enterprise we can use Vault for secrets,
without merge conflicts from oss->ent.

also:
* use hashicorp/setup-golang
* setup-js for self-hosted runners
  they don't come with yarn, nor chrome,
  and might not always match node version.
2023-07-06 12:41:17 -05:00
Sarah Thompson 8c6cc5b1d8
Update the revision used by the docker build action. (#17755)
Update the revision used by the docker action. This should always reflect the commit that's being built as this may differ from the default <github.sha> that the workflow was invoked at.

Goes with https://github.com/hashicorp/actions-docker-build/pull/59 - and should not be merged until this PR is merged and a new version of the action is cut.
2023-06-29 09:19:54 -04:00
Tim Gross 6a24ffac1c release: submit build workflow from the file on the release's own branch 2023-06-28 11:06:13 -04:00
Luiz Aoqui d62c34b9f9
build: add Docker image (#17017)
Co-authored-by: Daniel Kimsey <90741+dekimsey@users.noreply.github.com>
2023-06-23 15:57:09 -04:00
Tim Gross 12ca68ec26
release pipeline: fix ref arguments in invoking workflow (#17684)
Although #17669 fixed the permissions of the release pipeline to push new
commits, there was still an error when invoking the `build` workflow.

The format of the reference was changed in #17103 such that we're sending the
git ref (a SHA) and not the "--ref" argument required by the GH actions workflow
API, which in this case is apparently specially defined as "The branch or tag
name which contains the version of the workflow file you'd like to run" and not
what git calls a "ref".

This changeset:
* Removes the third-party action entirely so that we're using GitHub's own
  tooling. This removes one more thing from the supply chain to pin and ensures a
  1:1 mapping of args to what's documented by GitHub.
* Removes the `--ref` argument entirely, which causes it to default to the
  current branch that the release workflow is running on (which is always what
  we want).
2023-06-22 15:33:19 -04:00
Luiz Aoqui 53dd8835b8
ci: set continue-on-error: true on test-ui (#17646)
Since the matrix exercises different test cases, it's better to allow
all partitions to completely run, even if one of them fails, so it's
easier to catch multiple test failures.
2023-06-22 11:31:49 -04:00
Tim Gross 70a359048e
release pipeline: release workflow needs write permissions (#17669)
In #17103 we set read-only permissions on all the workflows. Unfortunately we
missed that the `release` workflow makes git commits and pushes them to the
repository, so it needs to have write permissions.
2023-06-22 10:40:45 -04:00
Phil Renaud 16886bf6bf
Moves to the current LTS release of Node for our build and release workflows (#17639) 2023-06-21 15:17:24 -04:00
Michael Lange 753a7dfea3 Tag the GHA run for percy to use
Percy uses this to stitch parallel test runs back together into a single
report.
2023-06-20 15:38:05 -07:00
Michael Lange 644b67b5c5 Simplify workflows
After renovating everything, it's evident that the ember-exam
sub-workflow can be inlined without any pesky duplication.
2023-06-20 15:05:17 -07:00
Michael Lange 495ada2072 Pipe secrets through to exam job 2023-06-20 14:49:57 -07:00
Michael Lange 918f503e51 Rip out the xUnit test reporter
This was used to integrate with Circle CI's deeper test reporting
(failures, flakes, reporting). It's strictly vestigial now that we're on
GHA.
2023-06-20 14:49:56 -07:00
Michael Lange 125d2f3e7f Use a matrix strategy to run exam partitions
This will run partitions and parallel only after linting passes.
2023-06-20 13:51:45 -07:00
Michael Lange 370327fd13 Move the ember exam workflow into its own reusable job
This will be called N times by the parent test-ui script.
2023-06-20 13:51:45 -07:00
Michael Lange 53643f05a7 Bump the ember-test-audit workflow to node 18 2023-06-20 10:31:24 -07:00
Luiz Aoqui 4b33bbd9c4
ci: run 'make check' as reusable workflow (#17600)
Some of the paths ignored by `test-core.yaml` need to be checked by
`make check`. The `checks.yaml` workflow run on these paths and can also
be used as a reusable workflow.
2023-06-20 08:17:13 +01:00
Seth Hoenig 3e7007b2a3
tests: set timeout on test-ui (#17549)
This seems to finish in about 20 minutes, or run for 6+ hours until hitting
a default timeout. Set a timeout to 30 minutes so we aren't wasting time
and runners.
2023-06-15 09:38:50 -05:00
Phil Renaud 944f30674d
[ui] Parallelize ember tests (#17442)
* Exam to parallelize tests

* Logging to try to solve test flakiness

* Logging in another failure

* Hardening for one test and snapshot for another

* Explicitly set the first one as the servicedAlloc instead of randomly picking

* A wild CircleCI test failure appears

* de-log
2023-06-07 17:01:35 -04:00
Phil Renaud f348121ec7
[ui] Remove Ember Assets Github Actions workflow (#17426)
* Remove Ember Assets gha workflow

* PR write added to permissions
2023-06-05 13:52:20 -04:00
hc-github-team-es-release-engineering 6758379e48
ci: finish migration from CCI to GHA (#17103)
namely, these workflows:
  test-e2e, test-ui, and test-windows

extra-curricularly, as part of the overall
migration effort company-wide, this also includes
some standardization such as:
 * explicit permissions:read on various workflows
 * pinned action version shas (per https://github.com/hashicorp/security-public-tsccr)
 * actionlint, which among other things runs
   shellcheck on GHA run steps

Co-authored-by: emilymianeil <eneil@hashicorp.com>
Co-authored-by: Daniel Kimsey <daniel.kimsey@hashicorp.com>
2023-06-02 14:35:55 -05:00
Bryce Kalow 9e4bb87536
Delete check-legacy-links-format.yml (#17380) 2023-06-01 13:41:17 -04:00
Daniel Kimsey ec59fd1d54 Revert "fixup: address review changes"
This reverts commit ba736e4521bb4bec14d21862895eabec14a9c2f9.

This was accidentally added by fat-fingered Admin push...
2023-06-01 08:58:07 -05:00
Daniel Kimsey 5b886165da fixup: address review changes 2023-06-01 08:48:42 -05:00
Seth Hoenig acfdf0f479
compliance: add headers with fixed copywrite tool (#17353)
Closes #17117
2023-05-30 09:20:32 -05:00
Tim Gross b9ca3bc9b1
build: remove 386 builds for Nomad 1.6.0 (#17239)
The 32-bit Intel builds (aka "386") are not tested and likely have bugs
involving platform-sized integers when operated at any non-trivial scale. Remove
these builds from the upcoming Nomad 1.6.0 and provide recommendations in the
upgrade notes for those users who might have hobbyist boards running 32-bit
ARM (this will primarily be the RaspberryPi Zero or older spins of the RaspPi).

DO NOT BACKPORT TO 1.5.x OR EARLIER!
2023-05-22 13:27:17 -04:00
Tim Gross 15fa0277cf
build: pin semgrep action (#17248)
The file path in the TSCCR repo for the `returntocorp/semgrep` action was
incorrect, so the pinning tool was not able to find the correct entry and it was
not pinned in #17238.

The repository is fixed in https://github.com/hashicorp/security-tsccr/pull/431
2023-05-19 10:27:51 -04:00
Tim Gross dbfcfbd623
build: move GitHub actions to versions allowed by prodsec (#17238)
The `backspace/ember-asset-size` action we're using is unmaintained and has a
bunch of vulns in it, so it won't pass security screening (this is a NodeJS
action so it has piles of dependencies, 99% of which won't be in use but fails
automated screening anyways). Move this to the upstream version.

The `machine-learning-apps/pr-comment` action also presents a problem for the
ProdSec security screening because it's archived and also runs an external
Docker image. Move this to a likely-ok maintained action for now, until we can
spare some time to remove this in lieu of something more reasonable that isn't a
GitHub action.
2023-05-19 09:07:02 -04:00
Tim Gross c64efa0776
build: upgrade deprecated actions syntax (#17222)
Missed these in the previous pass.
2023-05-17 11:39:55 -04:00
hashicorp-tsccr[bot] aec3b16085
build: trusted workflow pinning (#16992)
Co-authored-by: Tim Gross <tgross@hashicorp.com>
2023-05-17 10:38:10 -04:00
Tim Gross 710afecf61
build: update deprecated GitHub Actions (#17218)
Many of the GitHub Actions from the build pipeline are written in a truly
ancient version of NodeJS. Upgrade to more recent versions.

Remove RelEng from codeowners
2023-05-17 08:57:28 -04:00
Luiz Aoqui 53020c0941
Revert "ci: use BACKPORT_MERGE_COMMIT option (#16730)" (#17116)
This reverts commit 1721e687c0832bea3d9b7eec5dcd3c4e7a924d71.

The change was expected to solve the sporadic problems we were having
with Backport Assistant, but it end up creating even more failures.
2023-05-08 13:30:43 -04:00
Tim Gross ee071531de
docs: disable secret scanning for documentation content (#16903)
Examples in the documentation frequently include tokens, including Vault tokens
which end up triggering GitHub's secret scanner. Remove these from consideration
so that we don't get false positive reports.
2023-04-17 10:03:52 -04:00
hashicorp-copywrite[bot] 005636afa0 [COMPLIANCE] Add Copyright and License Headers 2023-04-10 15:36:59 +00:00
Luiz Aoqui fa4ee68c6a
ci: use BACKPORT_MERGE_COMMIT option (#16730)
Instead of attempting to pick each individual commit in a PR using
`BACKPORT_MERGE_COMMIT` only picks the commit that was merged into
`main`.

This reduces the amount of work done during a backport, generating
cleaner merges and avoiding potential issues on specific commits.

With this setting PRs that are not squashed will fail to backport and
must be handled manually, but those are considered exceptions.
2023-03-30 11:49:46 -04:00
Ashlee M Boyer 9af02f3f4a
CI: delete test-link-rewrites.yml (#16354) 2023-03-06 15:41:01 -05:00
Luiz Aoqui e7546e9e16
ci: reduce number of ember-test-audit iterations (#16118) 2023-02-09 15:28:30 -05:00
Seth Hoenig bf2f3885a3
tests: reduce timeout on test-api (#16107)
Sometimes GHA gets wedged, and there is no need to waste 30 minutes
on a job that usually takes < 3.

e.g. stuck loading module cache, which is out of our control
https://github.com/hashicorp/nomad/actions/runs/4135098558/jobs/7147128419
2023-02-09 10:26:10 -06:00
Seth Hoenig 7838f16e2b
tests: bump consul and vault versions in test-core (#15979) 2023-01-31 10:00:27 -06:00
Ashlee M Boyer 57f8ebfa26
docs: Migrate link formats (#15779)
* Adding check-legacy-links-format workflow

* Adding test-link-rewrites workflow

* chore: updates link checker workflow hash

* Migrating links to new format

Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>
2023-01-25 09:31:14 -08:00
Tim Gross bbafb87e50
CI: run tests on pull_request and push to main/release (#15690)
Running tests `on: push` prevents GitHub from showing the workflow approval
button, which prevents tests from being run on community-contributed (or even
just non-Nomad HashiCorp folks) PRs. Running `on: pull_request` automatically
picks up opened, reopened, and synchronize hooks (where "synchronize" means a
push to HEAD on the PR's branch, so that'll pick up rebases and updates).

But we also want to run tests on `main` and the various `release` backport
branches, so retain a `on: push` for those.
2023-01-04 14:34:23 -05:00