### *** ### WARNING: DO NOT manually EDIT or MERGE this file, it is generated by 'make ci-config'. ### INSTEAD: Edit or merge the source in config/ then run 'make ci-config'. ### *** # Orb 'circleci/slack@3.2.0' resolved to 'circleci/slack@3.2.0' version: 2 jobs: install-ui-dependencies: docker: - environment: JOBS: 2 image: docker.mirror.hashicorp.services/circleci/node:14-browsers shell: /usr/bin/env bash -euo pipefail -c working_directory: /home/circleci/go/src/github.com/hashicorp/vault steps: - checkout - restore_cache: key: yarn-lock-v7-{{ checksum "ui/yarn.lock" }} name: Restore yarn cache - run: command: | cd ui yarn install npm rebuild node-sass name: Install UI dependencies - save_cache: key: yarn-lock-v7-{{ checksum "ui/yarn.lock" }} name: Save yarn cache paths: - ui/node_modules test-ui: docker: - environment: JOBS: 2 image: docker.mirror.hashicorp.services/circleci/node:14-browsers shell: /usr/bin/env bash -euo pipefail -c working_directory: /home/circleci/go/src/github.com/hashicorp/vault resource_class: xlarge steps: - run: command: | case "$CIRCLE_BRANCH" in main|ui/*|backport/ui/*|release/*|merge*) ;; *) # If the branch being tested doesn't match one of the above patterns, # we don't need to run test-ui and can abort the job. circleci-agent step halt ;; esac # exit with success either way exit 0 name: Check branch name working_directory: ~/ - checkout - restore_cache: key: yarn-lock-v7-{{ checksum "ui/yarn.lock" }} name: Restore yarn cache - attach_workspace: at: . - run: command: | # Add ./bin to the PATH so vault binary can be run by Ember tests export PATH="${PWD}/bin:${PATH}" # Run Ember tests cd ui mkdir -p test-results/qunit yarn test:oss name: Test UI - store_artifacts: path: ui/test-results - store_test_results: path: ui/test-results build-go-dev: machine: image: ubuntu-2004:2022.10.1 shell: /usr/bin/env bash -euo pipefail -c working_directory: /home/circleci/go/src/github.com/hashicorp/vault steps: - checkout - run: command: | GO_VERSION=$(cat .go-version) [ -n "$GO_VERSION" ] || { echo "You must set GO_VERSION"; exit 1; } # Install Go cd ~ curl -sSLO "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" sudo rm -rf /usr/local/go sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz" rm -f "go${GO_VERSION}.linux-amd64.tar.gz" GOPATH="/home/circleci/go" mkdir $GOPATH 2>/dev/null || { sudo mkdir $GOPATH && sudo chmod 777 $GOPATH; } mkdir $GOPATH/bin 2>/dev/null || { sudo mkdir $GOPATH/bin && sudo chmod 777 $GOPATH/bin; } echo "export GOPATH='$GOPATH'" >> "$BASH_ENV" echo "export PATH='$PATH:$GOPATH/bin:/usr/local/go/bin'" >> "$BASH_ENV" echo "export GOPROXY=off" >> "$BASH_ENV" echo "export GOPRIVATE=github.com/hashicorp/*" >> "$BASH_ENV" echo "$ go version" go version name: Setup Go - restore_cache: keys: - v1.5-{{checksum "go.sum"}}-{{checksum "sdk/go.sum"}}-{{checksum "api/go.sum"}} name: Restore exact go modules cache - attach_workspace: at: . - run: command: | # Move dev UI assets to expected location rm -rf ./pkg mkdir ./pkg # Build dev binary make ci-bootstrap dev name: Build dev binary - persist_to_workspace: paths: - bin root: . environment: - CIRCLECI_CLI_VERSION: 0.1.5546 - GO_IMAGE: docker.mirror.hashicorp.services/cimg/go:1.20 - GO_TAGS: '' - GOFUMPT_VERSION: 0.3.1 - GOTESTSUM_VERSION: 0.5.2 test-go-remote-docker: docker: - image: docker.mirror.hashicorp.services/cimg/go:1.20 resource_class: medium working_directory: /home/circleci/go/src/github.com/hashicorp/vault parallelism: 8 steps: - run: command: | # If the branch being tested starts with ui/ or docs/ we want to exit the job without failing [[ "$CIRCLE_BRANCH" = ui/* || "$CIRCLE_BRANCH" = docs/* || "$CIRCLE_BRANCH" = backport/docs/* ]] && { # stop the job from this step circleci-agent step halt } # exit with success either way exit 0 name: Check branch name working_directory: ~/ - checkout - setup_remote_docker: docker_layer_caching: true version: 20.10.17 - add_ssh_keys: fingerprints: - b8:e2:38:f8:5b:1b:82:f3:1f:23:fa:46:6e:95:e7:e9 - run: command: | git config --global url."git@github.com:".insteadOf https://github.com/ - run: command: | TZ=GMT date '+%Y%m%d' > /tmp/go-cache-key name: Compute test cache key - restore_cache: keys: - go-test-cache-date-v1-{{ checksum "/tmp/go-cache-key" }} - restore_cache: keys: - v1.5-{{checksum "go.sum"}}-{{checksum "sdk/go.sum"}}-{{checksum "api/go.sum"}} name: Restore exact go modules cache - run: command: | set -exo pipefail EXTRA_TAGS= case "" in *-race*) export VAULT_CI_GO_TEST_RACE=1;; *) EXTRA_TAGS=deadlock;; esac # Install CircleCI CLI curl -sSL \ "https://github.com/CircleCI-Public/circleci-cli/releases/download/v${CIRCLECI_CLI_VERSION}/circleci-cli_${CIRCLECI_CLI_VERSION}_linux_amd64.tar.gz" \ | sudo tar --overwrite -xz \ -C /usr/local/bin \ "circleci-cli_${CIRCLECI_CLI_VERSION}_linux_amd64/circleci" USE_DOCKER=0 USE_DOCKER=1 # Check all directories with a go.mod file modules=("." "api" "sdk") all_package_names="" for dir in "${modules[@]}" do pushd "$dir" # On its own line so that -e will fail the tests if we detect errors here. go list -test -json ./... > test-list.json # Split Go tests by prior test times. If use_docker is true, only run # tests that depend on docker, otherwise only those that don't. # The appended true condition ensures the command will succeed if no packages are found if [ $USE_DOCKER == 1 ]; then package_names=$(< test-list.json jq -r 'select(.Deps != null) | select(any(.Deps[] ; contains("github.com/hashicorp/vault/helper/testhelpers/docker"))) | .ForTest | select(. != null)' | sort -u | grep -v vault/integ | circleci tests split --split-by=timings --timings-type=classname || true) else package_names=$(< test-list.json jq -r 'select(.Deps != null) | select(all(.Deps[] ; contains("github.com/hashicorp/vault/helper/testhelpers/docker")|not)) | .ForTest | select(. != null)' | sort -u | grep -v vault/integ | circleci tests split --split-by=timings --timings-type=classname || true) fi # Move back into root directory popd # Append the test packages into the global list, if any are found if [ -n "$package_names" ]; then all_package_names+=" ${package_names}" fi done # After running tests split step, we are now running the following steps # in multiple different containers, each getting a different subset of # the test packages in their package_names variable. Each container # has its own remote docker VM. make prep mkdir -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some # tests; it would be like setting VAULT_TOKEN. However some non-Go # CI commands, like the UI tests, shouldn't have to worry about licensing. # So we set VAULT_LICENSE in CI, and here we unset it. Instead of # VAULT_LICENSE, we populate VAULT_LICENSE_CI, so that tests which want # an externally supplied license can opt-in to using it. export VAULT_LICENSE_CI="$VAULT_LICENSE" VAULT_LICENSE= # Create a docker network for our test container if [ $USE_DOCKER == 1 ]; then # Despite the fact that we're using a circleci image (thus getting the # version they chose for the docker cli) and that we're specifying a # docker version to use for the remote docker instances, we occasionally # see "client version too new, max supported version 1.39" errors for # reasons unclear. export DOCKER_API_VERSION=1.39 TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}" export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}") if [ -z $TEST_DOCKER_NETWORK_ID ]; then docker network prune -f TEST_DOCKER_NETWORK_ID=$(docker network create "${TEST_DOCKER_NETWORK_NAME}") fi # Start a docker test container to run the tests in CONTAINER_ID="$(docker run -d \ -e TEST_DOCKER_NETWORK_ID \ -e GOPRIVATE \ -e DOCKER_CERT_PATH \ -e DOCKER_HOST \ -e DOCKER_MACHINE_NAME \ -e DOCKER_TLS_VERIFY \ -e NO_PROXY \ -e VAULT_TEST_LOG_DIR=/tmp/testlogs \ --network ${TEST_DOCKER_NETWORK_NAME} \ $GO_IMAGE \ tail -f /dev/null)" mkdir workspace echo ${CONTAINER_ID} > workspace/container_id # Hack: Docker permissions appear to have changed; let's explicitly # add a new user/group with the correct host uid to the docker # container, fixing all of these permissions issues correctly. We # then have to run with this user consistently in the future. # # Notably, in this shell pipeline we see: # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) # # but inside the docker image below, we see: # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) # # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 export HOST_GID="$(id -g)" export HOST_UID="$(id -u)" export CONT_GID="$(docker exec ${CONTAINER_ID} sh -c 'id -g')" export CONT_GNAME="$(docker exec ${CONTAINER_ID} sh -c 'id -g -n')" export CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')" if (( HOST_UID != CONT_UID )); then # Only provision a group if necessary; otherwise reuse the # existing one. if (( HOST_GID != CONT_GID )); then docker exec -e HOST_GID -e CONT_GNAME ${CONTAINER_ID} sh -c 'sudo groupmod -g $HOST_GID $CONT_GNAME' fi docker exec -e CONT_GNAME -e HOST_UID ${CONTAINER_ID} sh -c 'sudo usermod -a -G $CONT_GNAME -u $HOST_UID circleci' fi # Run tests test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault' docker cp . ${CONTAINER_ID}:/home/circleci/go/src/github.com/hashicorp/vault/ docker cp $DOCKER_CERT_PATH/ ${CONTAINER_ID}:$DOCKER_CERT_PATH # Copy the downloaded modules inside the container. docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/pkg' docker cp "$(go env GOPATH)/pkg/mod" ${CONTAINER_ID}:/home/circleci/go/pkg/mod docker exec -w /home/circleci/go/src/github.com/hashicorp/vault/ \ -e CIRCLECI -e VAULT_CI_GO_TEST_RACE \ -e GOCACHE=/tmp/gocache \ -e GO_TAGS \ -e GOPROXY="off" \ -e VAULT_LICENSE_CI \ -e GOARCH=amd64 \ ${CONTAINER_ID} \ gotestsum --format=short-verbose \ --junitfile test-results/go-test/results.xml \ --jsonfile test-results/go-test/results.json \ -- \ -tags "${GO_TAGS} ${EXTRA_TAGS}" \ -timeout=60m \ -parallel=20 \ \ ${all_package_names} else GOARCH=amd64 \ GOCACHE=/tmp/go-cache \ gotestsum --format=short-verbose \ --junitfile test-results/go-test/results.xml \ --jsonfile test-results/go-test/results.json \ -- \ -tags "${GO_TAGS} ${EXTRA_TAGS}" \ -timeout=60m \ -parallel=20 \ \ ${all_package_names} fi environment: GOPRIVATE: github.com/hashicorp/* name: Run Go tests no_output_timeout: 60m - run: command: | docker cp $(cat workspace/container_id):/home/circleci/go/src/github.com/hashicorp/vault/test-results . docker cp $(cat workspace/container_id):/tmp/gocache /tmp/go-cache name: Copy test results when: always - store_artifacts: path: test-results - store_test_results: path: test-results - store_artifacts: path: /tmp/testlogs environment: - CIRCLECI_CLI_VERSION: 0.1.5546 - GO_IMAGE: docker.mirror.hashicorp.services/cimg/go:1.20 - GO_TAGS: '' - GOFUMPT_VERSION: 0.3.1 - GOTESTSUM_VERSION: 0.5.2 fmt: machine: image: ubuntu-2004:2022.10.1 shell: /usr/bin/env bash -euo pipefail -c working_directory: /home/circleci/go/src/github.com/hashicorp/vault steps: - checkout - run: command: | GO_VERSION=$(cat .go-version) [ -n "$GO_VERSION" ] || { echo "You must set GO_VERSION"; exit 1; } # Install Go cd ~ curl -sSLO "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" sudo rm -rf /usr/local/go sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz" rm -f "go${GO_VERSION}.linux-amd64.tar.gz" GOPATH="/home/circleci/go" mkdir $GOPATH 2>/dev/null || { sudo mkdir $GOPATH && sudo chmod 777 $GOPATH; } mkdir $GOPATH/bin 2>/dev/null || { sudo mkdir $GOPATH/bin && sudo chmod 777 $GOPATH/bin; } echo "export GOPATH='$GOPATH'" >> "$BASH_ENV" echo "export PATH='$PATH:$GOPATH/bin:/usr/local/go/bin'" >> "$BASH_ENV" echo "export GOPROXY=https://proxy.golang.org,direct" >> "$BASH_ENV" echo "export GOPRIVATE=github.com/hashicorp/*" >> "$BASH_ENV" echo "$ go version" go version name: Setup Go - run: command: | echo "Using gofumpt version ${GOFUMPT_VERSION}" go install "mvdan.cc/gofumpt@v${GOFUMPT_VERSION}" make fmt if ! git diff --exit-code; then echo "Code has formatting errors. Run 'make fmt' to fix" exit 1 fi name: make fmt environment: - CIRCLECI_CLI_VERSION: 0.1.5546 - GO_IMAGE: docker.mirror.hashicorp.services/cimg/go:1.20 - GO_TAGS: '' - GOFUMPT_VERSION: 0.3.1 - GOTESTSUM_VERSION: 0.5.2 test-go-race: docker: - image: docker.mirror.hashicorp.services/cimg/go:1.20 resource_class: xlarge working_directory: /home/circleci/go/src/github.com/hashicorp/vault parallelism: 8 steps: - run: command: | # If the branch being tested starts with ui/ or docs/ we want to exit the job without failing [[ "$CIRCLE_BRANCH" = ui/* || "$CIRCLE_BRANCH" = docs/* || "$CIRCLE_BRANCH" = backport/docs/* ]] && { # stop the job from this step circleci-agent step halt } # exit with success either way exit 0 name: Check branch name working_directory: ~/ - checkout - add_ssh_keys: fingerprints: - b8:e2:38:f8:5b:1b:82:f3:1f:23:fa:46:6e:95:e7:e9 - run: command: | git config --global url."git@github.com:".insteadOf https://github.com/ - run: command: | TZ=GMT date '+%Y%m%d' > /tmp/go-cache-key name: Compute test cache key - restore_cache: keys: - go-test-cache-date-v1-{{ checksum "/tmp/go-cache-key" }} - restore_cache: keys: - v1.5-{{checksum "go.sum"}}-{{checksum "sdk/go.sum"}}-{{checksum "api/go.sum"}} name: Restore exact go modules cache - run: command: | set -exo pipefail EXTRA_TAGS= case "-race" in *-race*) export VAULT_CI_GO_TEST_RACE=1;; *) EXTRA_TAGS=deadlock;; esac # Install CircleCI CLI curl -sSL \ "https://github.com/CircleCI-Public/circleci-cli/releases/download/v${CIRCLECI_CLI_VERSION}/circleci-cli_${CIRCLECI_CLI_VERSION}_linux_amd64.tar.gz" \ | sudo tar --overwrite -xz \ -C /usr/local/bin \ "circleci-cli_${CIRCLECI_CLI_VERSION}_linux_amd64/circleci" USE_DOCKER=0 # Check all directories with a go.mod file modules=("." "api" "sdk") all_package_names="" for dir in "${modules[@]}" do pushd "$dir" # On its own line so that -e will fail the tests if we detect errors here. go list -test -json ./... > test-list.json # Split Go tests by prior test times. If use_docker is true, only run # tests that depend on docker, otherwise only those that don't. # The appended true condition ensures the command will succeed if no packages are found if [ $USE_DOCKER == 1 ]; then package_names=$(< test-list.json jq -r 'select(.Deps != null) | select(any(.Deps[] ; contains("github.com/hashicorp/vault/helper/testhelpers/docker"))) | .ForTest | select(. != null)' | sort -u | grep -v vault/integ | circleci tests split --split-by=timings --timings-type=classname || true) else package_names=$(< test-list.json jq -r 'select(.Deps != null) | select(all(.Deps[] ; contains("github.com/hashicorp/vault/helper/testhelpers/docker")|not)) | .ForTest | select(. != null)' | sort -u | grep -v vault/integ | circleci tests split --split-by=timings --timings-type=classname || true) fi # Move back into root directory popd # Append the test packages into the global list, if any are found if [ -n "$package_names" ]; then all_package_names+=" ${package_names}" fi done # After running tests split step, we are now running the following steps # in multiple different containers, each getting a different subset of # the test packages in their package_names variable. Each container # has its own remote docker VM. make prep mkdir -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some # tests; it would be like setting VAULT_TOKEN. However some non-Go # CI commands, like the UI tests, shouldn't have to worry about licensing. # So we set VAULT_LICENSE in CI, and here we unset it. Instead of # VAULT_LICENSE, we populate VAULT_LICENSE_CI, so that tests which want # an externally supplied license can opt-in to using it. export VAULT_LICENSE_CI="$VAULT_LICENSE" VAULT_LICENSE= # Create a docker network for our test container if [ $USE_DOCKER == 1 ]; then # Despite the fact that we're using a circleci image (thus getting the # version they chose for the docker cli) and that we're specifying a # docker version to use for the remote docker instances, we occasionally # see "client version too new, max supported version 1.39" errors for # reasons unclear. export DOCKER_API_VERSION=1.39 TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}" export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}") if [ -z $TEST_DOCKER_NETWORK_ID ]; then docker network prune -f TEST_DOCKER_NETWORK_ID=$(docker network create "${TEST_DOCKER_NETWORK_NAME}") fi # Start a docker test container to run the tests in CONTAINER_ID="$(docker run -d \ -e TEST_DOCKER_NETWORK_ID \ -e GOPRIVATE \ -e DOCKER_CERT_PATH \ -e DOCKER_HOST \ -e DOCKER_MACHINE_NAME \ -e DOCKER_TLS_VERIFY \ -e NO_PROXY \ -e VAULT_TEST_LOG_DIR=/tmp/testlogs \ --network ${TEST_DOCKER_NETWORK_NAME} \ $GO_IMAGE \ tail -f /dev/null)" mkdir workspace echo ${CONTAINER_ID} > workspace/container_id # Hack: Docker permissions appear to have changed; let's explicitly # add a new user/group with the correct host uid to the docker # container, fixing all of these permissions issues correctly. We # then have to run with this user consistently in the future. # # Notably, in this shell pipeline we see: # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) # # but inside the docker image below, we see: # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) # # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 export HOST_GID="$(id -g)" export HOST_UID="$(id -u)" export CONT_GID="$(docker exec ${CONTAINER_ID} sh -c 'id -g')" export CONT_GNAME="$(docker exec ${CONTAINER_ID} sh -c 'id -g -n')" export CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')" if (( HOST_UID != CONT_UID )); then # Only provision a group if necessary; otherwise reuse the # existing one. if (( HOST_GID != CONT_GID )); then docker exec -e HOST_GID -e CONT_GNAME ${CONTAINER_ID} sh -c 'sudo groupmod -g $HOST_GID $CONT_GNAME' fi docker exec -e CONT_GNAME -e HOST_UID ${CONTAINER_ID} sh -c 'sudo usermod -a -G $CONT_GNAME -u $HOST_UID circleci' fi # Run tests test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault' docker cp . ${CONTAINER_ID}:/home/circleci/go/src/github.com/hashicorp/vault/ docker cp $DOCKER_CERT_PATH/ ${CONTAINER_ID}:$DOCKER_CERT_PATH # Copy the downloaded modules inside the container. docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/pkg' docker cp "$(go env GOPATH)/pkg/mod" ${CONTAINER_ID}:/home/circleci/go/pkg/mod docker exec -w /home/circleci/go/src/github.com/hashicorp/vault/ \ -e CIRCLECI -e VAULT_CI_GO_TEST_RACE \ -e GOCACHE=/tmp/gocache \ -e GO_TAGS \ -e GOPROXY="off" \ -e VAULT_LICENSE_CI \ -e GOARCH=amd64 \ ${CONTAINER_ID} \ gotestsum --format=short-verbose \ --junitfile test-results/go-test/results.xml \ --jsonfile test-results/go-test/results.json \ -- \ -tags "${GO_TAGS} ${EXTRA_TAGS}" \ -timeout=60m \ -parallel=20 \ -race \ ${all_package_names} else GOARCH=amd64 \ GOCACHE=/tmp/go-cache \ gotestsum --format=short-verbose \ --junitfile test-results/go-test/results.xml \ --jsonfile test-results/go-test/results.json \ -- \ -tags "${GO_TAGS} ${EXTRA_TAGS}" \ -timeout=60m \ -parallel=20 \ -race \ ${all_package_names} fi environment: GOPRIVATE: github.com/hashicorp/* name: Run Go tests no_output_timeout: 60m - store_artifacts: path: test-results - store_test_results: path: test-results - store_artifacts: path: /tmp/testlogs environment: - CIRCLECI_CLI_VERSION: 0.1.5546 - GO_IMAGE: docker.mirror.hashicorp.services/cimg/go:1.20 - GO_TAGS: '' - GOFUMPT_VERSION: 0.3.1 - GOTESTSUM_VERSION: 0.5.2 test-go: docker: - image: docker.mirror.hashicorp.services/cimg/go:1.20 resource_class: large working_directory: /home/circleci/go/src/github.com/hashicorp/vault parallelism: 8 steps: - run: command: | # If the branch being tested starts with ui/ or docs/ we want to exit the job without failing [[ "$CIRCLE_BRANCH" = ui/* || "$CIRCLE_BRANCH" = docs/* || "$CIRCLE_BRANCH" = backport/docs/* ]] && { # stop the job from this step circleci-agent step halt } # exit with success either way exit 0 name: Check branch name working_directory: ~/ - checkout - add_ssh_keys: fingerprints: - b8:e2:38:f8:5b:1b:82:f3:1f:23:fa:46:6e:95:e7:e9 - run: command: | git config --global url."git@github.com:".insteadOf https://github.com/ - run: command: | TZ=GMT date '+%Y%m%d' > /tmp/go-cache-key name: Compute test cache key - restore_cache: keys: - go-test-cache-date-v1-{{ checksum "/tmp/go-cache-key" }} - restore_cache: keys: - v1.5-{{checksum "go.sum"}}-{{checksum "sdk/go.sum"}}-{{checksum "api/go.sum"}} name: Restore exact go modules cache - run: command: | set -exo pipefail EXTRA_TAGS= case "" in *-race*) export VAULT_CI_GO_TEST_RACE=1;; *) EXTRA_TAGS=deadlock;; esac # Install CircleCI CLI curl -sSL \ "https://github.com/CircleCI-Public/circleci-cli/releases/download/v${CIRCLECI_CLI_VERSION}/circleci-cli_${CIRCLECI_CLI_VERSION}_linux_amd64.tar.gz" \ | sudo tar --overwrite -xz \ -C /usr/local/bin \ "circleci-cli_${CIRCLECI_CLI_VERSION}_linux_amd64/circleci" USE_DOCKER=0 # Check all directories with a go.mod file modules=("." "api" "sdk") all_package_names="" for dir in "${modules[@]}" do pushd "$dir" # On its own line so that -e will fail the tests if we detect errors here. go list -test -json ./... > test-list.json # Split Go tests by prior test times. If use_docker is true, only run # tests that depend on docker, otherwise only those that don't. # The appended true condition ensures the command will succeed if no packages are found if [ $USE_DOCKER == 1 ]; then package_names=$(< test-list.json jq -r 'select(.Deps != null) | select(any(.Deps[] ; contains("github.com/hashicorp/vault/helper/testhelpers/docker"))) | .ForTest | select(. != null)' | sort -u | grep -v vault/integ | circleci tests split --split-by=timings --timings-type=classname || true) else package_names=$(< test-list.json jq -r 'select(.Deps != null) | select(all(.Deps[] ; contains("github.com/hashicorp/vault/helper/testhelpers/docker")|not)) | .ForTest | select(. != null)' | sort -u | grep -v vault/integ | circleci tests split --split-by=timings --timings-type=classname || true) fi # Move back into root directory popd # Append the test packages into the global list, if any are found if [ -n "$package_names" ]; then all_package_names+=" ${package_names}" fi done # After running tests split step, we are now running the following steps # in multiple different containers, each getting a different subset of # the test packages in their package_names variable. Each container # has its own remote docker VM. make prep mkdir -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some # tests; it would be like setting VAULT_TOKEN. However some non-Go # CI commands, like the UI tests, shouldn't have to worry about licensing. # So we set VAULT_LICENSE in CI, and here we unset it. Instead of # VAULT_LICENSE, we populate VAULT_LICENSE_CI, so that tests which want # an externally supplied license can opt-in to using it. export VAULT_LICENSE_CI="$VAULT_LICENSE" VAULT_LICENSE= # Create a docker network for our test container if [ $USE_DOCKER == 1 ]; then # Despite the fact that we're using a circleci image (thus getting the # version they chose for the docker cli) and that we're specifying a # docker version to use for the remote docker instances, we occasionally # see "client version too new, max supported version 1.39" errors for # reasons unclear. export DOCKER_API_VERSION=1.39 TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}" export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}") if [ -z $TEST_DOCKER_NETWORK_ID ]; then docker network prune -f TEST_DOCKER_NETWORK_ID=$(docker network create "${TEST_DOCKER_NETWORK_NAME}") fi # Start a docker test container to run the tests in CONTAINER_ID="$(docker run -d \ -e TEST_DOCKER_NETWORK_ID \ -e GOPRIVATE \ -e DOCKER_CERT_PATH \ -e DOCKER_HOST \ -e DOCKER_MACHINE_NAME \ -e DOCKER_TLS_VERIFY \ -e NO_PROXY \ -e VAULT_TEST_LOG_DIR=/tmp/testlogs \ --network ${TEST_DOCKER_NETWORK_NAME} \ $GO_IMAGE \ tail -f /dev/null)" mkdir workspace echo ${CONTAINER_ID} > workspace/container_id # Hack: Docker permissions appear to have changed; let's explicitly # add a new user/group with the correct host uid to the docker # container, fixing all of these permissions issues correctly. We # then have to run with this user consistently in the future. # # Notably, in this shell pipeline we see: # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) # # but inside the docker image below, we see: # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) # # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 export HOST_GID="$(id -g)" export HOST_UID="$(id -u)" export CONT_GID="$(docker exec ${CONTAINER_ID} sh -c 'id -g')" export CONT_GNAME="$(docker exec ${CONTAINER_ID} sh -c 'id -g -n')" export CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')" if (( HOST_UID != CONT_UID )); then # Only provision a group if necessary; otherwise reuse the # existing one. if (( HOST_GID != CONT_GID )); then docker exec -e HOST_GID -e CONT_GNAME ${CONTAINER_ID} sh -c 'sudo groupmod -g $HOST_GID $CONT_GNAME' fi docker exec -e CONT_GNAME -e HOST_UID ${CONTAINER_ID} sh -c 'sudo usermod -a -G $CONT_GNAME -u $HOST_UID circleci' fi # Run tests test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault' docker cp . ${CONTAINER_ID}:/home/circleci/go/src/github.com/hashicorp/vault/ docker cp $DOCKER_CERT_PATH/ ${CONTAINER_ID}:$DOCKER_CERT_PATH # Copy the downloaded modules inside the container. docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/pkg' docker cp "$(go env GOPATH)/pkg/mod" ${CONTAINER_ID}:/home/circleci/go/pkg/mod docker exec -w /home/circleci/go/src/github.com/hashicorp/vault/ \ -e CIRCLECI -e VAULT_CI_GO_TEST_RACE \ -e GOCACHE=/tmp/gocache \ -e GO_TAGS \ -e GOPROXY="off" \ -e VAULT_LICENSE_CI \ -e GOARCH=amd64 \ ${CONTAINER_ID} \ gotestsum --format=short-verbose \ --junitfile test-results/go-test/results.xml \ --jsonfile test-results/go-test/results.json \ -- \ -tags "${GO_TAGS} ${EXTRA_TAGS}" \ -timeout=60m \ -parallel=20 \ \ ${all_package_names} else GOARCH=amd64 \ GOCACHE=/tmp/go-cache \ gotestsum --format=short-verbose \ --junitfile test-results/go-test/results.xml \ --jsonfile test-results/go-test/results.json \ -- \ -tags "${GO_TAGS} ${EXTRA_TAGS}" \ -timeout=60m \ -parallel=20 \ \ ${all_package_names} fi environment: GOPRIVATE: github.com/hashicorp/* name: Run Go tests no_output_timeout: 60m - store_artifacts: path: test-results - store_test_results: path: test-results - store_artifacts: path: /tmp/testlogs environment: - CIRCLECI_CLI_VERSION: 0.1.5546 - GO_IMAGE: docker.mirror.hashicorp.services/cimg/go:1.20 - GO_TAGS: '' - GOFUMPT_VERSION: 0.3.1 - GOTESTSUM_VERSION: 0.5.2 semgrep: docker: - image: docker.mirror.hashicorp.services/returntocorp/semgrep:0.113.0 shell: /bin/sh working_directory: /home/circleci/go/src/github.com/hashicorp/vault steps: - checkout - attach_workspace: at: . - run: command: "# Alpine images can't run the make file due to a bash requirement. Run\n# semgrep explicitly here. \nexport PATH=\"$HOME/.local/bin:$PATH\" \necho -n 'Semgrep Version: '\nsemgrep --version\nsemgrep --error --include '*.go' --exclude 'vendor' -f tools/semgrep/ci .\n" name: Run Semgrep Rules pre-flight-checks: machine: image: ubuntu-2004:2022.10.1 shell: /usr/bin/env bash -euo pipefail -c working_directory: /home/circleci/go/src/github.com/hashicorp/vault steps: - checkout - run: command: | GO_VERSION=$(cat .go-version) [ -n "$GO_VERSION" ] || { echo "You must set GO_VERSION"; exit 1; } # Install Go cd ~ curl -sSLO "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" sudo rm -rf /usr/local/go sudo tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz" rm -f "go${GO_VERSION}.linux-amd64.tar.gz" GOPATH="/home/circleci/go" mkdir $GOPATH 2>/dev/null || { sudo mkdir $GOPATH && sudo chmod 777 $GOPATH; } mkdir $GOPATH/bin 2>/dev/null || { sudo mkdir $GOPATH/bin && sudo chmod 777 $GOPATH/bin; } echo "export GOPATH='$GOPATH'" >> "$BASH_ENV" echo "export PATH='$PATH:$GOPATH/bin:/usr/local/go/bin'" >> "$BASH_ENV" echo "export GOPROXY=https://proxy.golang.org,direct" >> "$BASH_ENV" echo "export GOPRIVATE=github.com/hashicorp/*" >> "$BASH_ENV" echo "$ go version" go version name: Setup Go - run: command: | export CCI_PATH=/tmp/circleci-cli/$CIRCLECI_CLI_VERSION mkdir -p $CCI_PATH NAME=circleci-cli_${CIRCLECI_CLI_VERSION}_${ARCH} URL=$BASE/v${CIRCLECI_CLI_VERSION}/${NAME}.tar.gz curl -sSL $URL \ | tar --overwrite --strip-components=1 -xz -C $CCI_PATH "${NAME}/circleci" # Add circleci to the path for subsequent steps. echo "export PATH=$CCI_PATH:\$PATH" >> $BASH_ENV # Done, print some debug info. set -x . $BASH_ENV which circleci circleci version environment: ARCH: linux_amd64 BASE: https://github.com/CircleCI-Public/circleci-cli/releases/download name: Install CircleCI CLI - run: command: | set -x . $BASH_ENV make ci-verify name: Verify CircleCI - add_ssh_keys: fingerprints: - b8:e2:38:f8:5b:1b:82:f3:1f:23:fa:46:6e:95:e7:e9 - run: command: | git config --global url."git@github.com:".insteadOf https://github.com/ - restore_cache: keys: - v1.5-{{checksum "go.sum"}}-{{checksum "sdk/go.sum"}}-{{checksum "api/go.sum"}} - v1.5-{{checksum "go.sum"}}-{{checksum "sdk/go.sum"}} - v1.5-{{checksum "go.sum"}} name: Restore closest matching go modules cache - run: command: | # set GOPATH explicitly to download to the right cache export GOPATH=$HOME/go # go list ./... forces downloading some additional versions of modules that 'go mod # download' misses. We need this because we make use of go list itself during # code generation in later builds that rely on this module cache. go list ./... go mod download -json ( cd sdk && go mod download -json; ) ( cd api && go mod download -json; ) name: go mod download - run: command: | git --no-pager diff --exit-code || { echo "ERROR: Files modified by go mod download, see above." exit 1 } name: Verify downloading modules did not modify any files - save_cache: key: v1.5-{{checksum "go.sum"}}-{{checksum "sdk/go.sum"}}-{{checksum "api/go.sum"}} name: Save go modules cache paths: - /home/circleci/go/pkg/mod environment: - CIRCLECI_CLI_VERSION: 0.1.5546 - GO_IMAGE: docker.mirror.hashicorp.services/cimg/go:1.20 - GO_TAGS: '' - GOFUMPT_VERSION: 0.3.1 - GOTESTSUM_VERSION: 0.5.2 test-go-race-remote-docker: docker: - image: docker.mirror.hashicorp.services/cimg/go:1.20 resource_class: medium working_directory: /home/circleci/go/src/github.com/hashicorp/vault parallelism: 8 steps: - run: command: | # If the branch being tested starts with ui/ or docs/ we want to exit the job without failing [[ "$CIRCLE_BRANCH" = ui/* || "$CIRCLE_BRANCH" = docs/* || "$CIRCLE_BRANCH" = backport/docs/* ]] && { # stop the job from this step circleci-agent step halt } # exit with success either way exit 0 name: Check branch name working_directory: ~/ - checkout - setup_remote_docker: docker_layer_caching: true version: 20.10.17 - add_ssh_keys: fingerprints: - b8:e2:38:f8:5b:1b:82:f3:1f:23:fa:46:6e:95:e7:e9 - run: command: | git config --global url."git@github.com:".insteadOf https://github.com/ - run: command: | TZ=GMT date '+%Y%m%d' > /tmp/go-cache-key name: Compute test cache key - restore_cache: keys: - go-test-cache-date-v1-{{ checksum "/tmp/go-cache-key" }} - restore_cache: keys: - v1.5-{{checksum "go.sum"}}-{{checksum "sdk/go.sum"}}-{{checksum "api/go.sum"}} name: Restore exact go modules cache - run: command: | set -exo pipefail EXTRA_TAGS= case "-race" in *-race*) export VAULT_CI_GO_TEST_RACE=1;; *) EXTRA_TAGS=deadlock;; esac # Install CircleCI CLI curl -sSL \ "https://github.com/CircleCI-Public/circleci-cli/releases/download/v${CIRCLECI_CLI_VERSION}/circleci-cli_${CIRCLECI_CLI_VERSION}_linux_amd64.tar.gz" \ | sudo tar --overwrite -xz \ -C /usr/local/bin \ "circleci-cli_${CIRCLECI_CLI_VERSION}_linux_amd64/circleci" USE_DOCKER=0 USE_DOCKER=1 # Check all directories with a go.mod file modules=("." "api" "sdk") all_package_names="" for dir in "${modules[@]}" do pushd "$dir" # On its own line so that -e will fail the tests if we detect errors here. go list -test -json ./... > test-list.json # Split Go tests by prior test times. If use_docker is true, only run # tests that depend on docker, otherwise only those that don't. # The appended true condition ensures the command will succeed if no packages are found if [ $USE_DOCKER == 1 ]; then package_names=$(< test-list.json jq -r 'select(.Deps != null) | select(any(.Deps[] ; contains("github.com/hashicorp/vault/helper/testhelpers/docker"))) | .ForTest | select(. != null)' | sort -u | grep -v vault/integ | circleci tests split --split-by=timings --timings-type=classname || true) else package_names=$(< test-list.json jq -r 'select(.Deps != null) | select(all(.Deps[] ; contains("github.com/hashicorp/vault/helper/testhelpers/docker")|not)) | .ForTest | select(. != null)' | sort -u | grep -v vault/integ | circleci tests split --split-by=timings --timings-type=classname || true) fi # Move back into root directory popd # Append the test packages into the global list, if any are found if [ -n "$package_names" ]; then all_package_names+=" ${package_names}" fi done # After running tests split step, we are now running the following steps # in multiple different containers, each getting a different subset of # the test packages in their package_names variable. Each container # has its own remote docker VM. make prep mkdir -p test-results/go-test # We don't want VAULT_LICENSE set when running Go tests, because that's # not what developers have in their environments and it could break some # tests; it would be like setting VAULT_TOKEN. However some non-Go # CI commands, like the UI tests, shouldn't have to worry about licensing. # So we set VAULT_LICENSE in CI, and here we unset it. Instead of # VAULT_LICENSE, we populate VAULT_LICENSE_CI, so that tests which want # an externally supplied license can opt-in to using it. export VAULT_LICENSE_CI="$VAULT_LICENSE" VAULT_LICENSE= # Create a docker network for our test container if [ $USE_DOCKER == 1 ]; then # Despite the fact that we're using a circleci image (thus getting the # version they chose for the docker cli) and that we're specifying a # docker version to use for the remote docker instances, we occasionally # see "client version too new, max supported version 1.39" errors for # reasons unclear. export DOCKER_API_VERSION=1.39 TEST_DOCKER_NETWORK_NAME="${CIRCLE_WORKFLOW_JOB_ID}-${CIRCLE_NODE_INDEX}" export TEST_DOCKER_NETWORK_ID=$(docker network list --quiet --no-trunc --filter="name=${TEST_DOCKER_NETWORK_NAME}") if [ -z $TEST_DOCKER_NETWORK_ID ]; then docker network prune -f TEST_DOCKER_NETWORK_ID=$(docker network create "${TEST_DOCKER_NETWORK_NAME}") fi # Start a docker test container to run the tests in CONTAINER_ID="$(docker run -d \ -e TEST_DOCKER_NETWORK_ID \ -e GOPRIVATE \ -e DOCKER_CERT_PATH \ -e DOCKER_HOST \ -e DOCKER_MACHINE_NAME \ -e DOCKER_TLS_VERIFY \ -e NO_PROXY \ -e VAULT_TEST_LOG_DIR=/tmp/testlogs \ --network ${TEST_DOCKER_NETWORK_NAME} \ $GO_IMAGE \ tail -f /dev/null)" mkdir workspace echo ${CONTAINER_ID} > workspace/container_id # Hack: Docker permissions appear to have changed; let's explicitly # add a new user/group with the correct host uid to the docker # container, fixing all of these permissions issues correctly. We # then have to run with this user consistently in the future. # # Notably, in this shell pipeline we see: # uid=1001(circleci) gid=1002(circleci) groups=1002(circleci) # # but inside the docker image below, we see: # uid=3434(circleci) gid=3434(circleci) groups=3434(circleci) # # See also: https://github.com/CircleCI-Public/cimg-base/issues/122 export HOST_GID="$(id -g)" export HOST_UID="$(id -u)" export CONT_GID="$(docker exec ${CONTAINER_ID} sh -c 'id -g')" export CONT_GNAME="$(docker exec ${CONTAINER_ID} sh -c 'id -g -n')" export CONT_UID="$(docker exec ${CONTAINER_ID} sh -c 'id -u')" if (( HOST_UID != CONT_UID )); then # Only provision a group if necessary; otherwise reuse the # existing one. if (( HOST_GID != CONT_GID )); then docker exec -e HOST_GID -e CONT_GNAME ${CONTAINER_ID} sh -c 'sudo groupmod -g $HOST_GID $CONT_GNAME' fi docker exec -e CONT_GNAME -e HOST_UID ${CONTAINER_ID} sh -c 'sudo usermod -a -G $CONT_GNAME -u $HOST_UID circleci' fi # Run tests test -d /tmp/go-cache && docker cp /tmp/go-cache ${CONTAINER_ID}:/tmp/gocache docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/src/github.com/hashicorp/vault' docker cp . ${CONTAINER_ID}:/home/circleci/go/src/github.com/hashicorp/vault/ docker cp $DOCKER_CERT_PATH/ ${CONTAINER_ID}:$DOCKER_CERT_PATH # Copy the downloaded modules inside the container. docker exec ${CONTAINER_ID} sh -c 'mkdir -p /home/circleci/go/pkg' docker cp "$(go env GOPATH)/pkg/mod" ${CONTAINER_ID}:/home/circleci/go/pkg/mod docker exec -w /home/circleci/go/src/github.com/hashicorp/vault/ \ -e CIRCLECI -e VAULT_CI_GO_TEST_RACE \ -e GOCACHE=/tmp/gocache \ -e GO_TAGS \ -e GOPROXY="off" \ -e VAULT_LICENSE_CI \ -e GOARCH=amd64 \ ${CONTAINER_ID} \ gotestsum --format=short-verbose \ --junitfile test-results/go-test/results.xml \ --jsonfile test-results/go-test/results.json \ -- \ -tags "${GO_TAGS} ${EXTRA_TAGS}" \ -timeout=60m \ -parallel=20 \ -race \ ${all_package_names} else GOARCH=amd64 \ GOCACHE=/tmp/go-cache \ gotestsum --format=short-verbose \ --junitfile test-results/go-test/results.xml \ --jsonfile test-results/go-test/results.json \ -- \ -tags "${GO_TAGS} ${EXTRA_TAGS}" \ -timeout=60m \ -parallel=20 \ -race \ ${all_package_names} fi environment: GOPRIVATE: github.com/hashicorp/* name: Run Go tests no_output_timeout: 60m - run: command: | docker cp $(cat workspace/container_id):/home/circleci/go/src/github.com/hashicorp/vault/test-results . docker cp $(cat workspace/container_id):/tmp/gocache /tmp/go-cache name: Copy test results when: always - store_artifacts: path: test-results - store_test_results: path: test-results - store_artifacts: path: /tmp/testlogs environment: - CIRCLECI_CLI_VERSION: 0.1.5546 - GO_IMAGE: docker.mirror.hashicorp.services/cimg/go:1.20 - GO_TAGS: '' - GOFUMPT_VERSION: 0.3.1 - GOTESTSUM_VERSION: 0.5.2 workflows: ci: jobs: - pre-flight-checks - fmt - install-ui-dependencies: requires: - pre-flight-checks - build-go-dev: requires: - pre-flight-checks - test-ui: requires: - install-ui-dependencies - build-go-dev - test-go: requires: - pre-flight-checks - test-go-remote-docker: requires: - pre-flight-checks - test-go-race: requires: - pre-flight-checks - test-go-race-remote-docker: requires: - pre-flight-checks - semgrep: requires: - pre-flight-checks version: 2