Convert gocardless/stolon-pgbouncer to Github Actions #150
+88
−0
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,88 @@ | ||||||
| name: gocardless/stolon-pgbouncer/build-integration | ||||||
| on: | ||||||
| push: | ||||||
| env: | ||||||
| DOCKER_PASS: xxxx9e14 | ||||||
| DOCKER_USER: xxxxdmin | ||||||
| GITHUB_TOKEN: xxxx6d08 | ||||||
| jobs: | ||||||
| unit-integration: | ||||||
| defaults: | ||||||
| run: | ||||||
| working-directory: "/go/src/github.com/gocardless/stolon-pgbouncer" | ||||||
| runs-on: ubuntu-latest | ||||||
| container: | ||||||
| image: gocardless/stolon-pgbouncer-circleci:2020050701 | ||||||
| env: | ||||||
| PGHOST: 127.0.0.1 | ||||||
| PGUSER: postgres | ||||||
| steps: | ||||||
| - uses: actions/checkout@v2 | ||||||
| - name: Compile ginkgo test suites | ||||||
| run: ginkgo build -r -race . | ||||||
| - name: Run unit tests | ||||||
| run: find pkg -type f -name '*.test' -printf "%h %f\n" | xargs -n2 sh -c 'cd $0 && su postgres -c ./$1' | ||||||
| build: | ||||||
| defaults: | ||||||
| run: | ||||||
| working-directory: "/go/src/github.com/gocardless/stolon-pgbouncer" | ||||||
| runs-on: ubuntu-latest | ||||||
| container: | ||||||
| image: gocardless/stolon-pgbouncer-circleci:2020050701 | ||||||
| steps: | ||||||
| - uses: actions/checkout@v2 | ||||||
| - name: Build test binaries | ||||||
| run: make linux | ||||||
| - uses: actions/upload-artifact@v2 | ||||||
| with: | ||||||
| path: |- | ||||||
| /go/src/github.com/gocardless/stolon-pgbouncer/bin/stolon-pgbouncer.linux_amd64 | ||||||
| /go/src/github.com/gocardless/stolon-pgbouncer/bin/stolon-pgbouncer-acceptance.linux_amd64 | ||||||
|
Comment on lines
+36
to
+40
There was a problem hiding this comment. I think uploading and downloading the artifact here and below is unnecessary. We could probably just bundle the build & acceptance into one job? |
||||||
| acceptance: | ||||||
| defaults: | ||||||
| run: | ||||||
| working-directory: "/home/circleci/stolon-pgbouncer" | ||||||
| runs-on: ubuntu-20.04 | ||||||
| needs: | ||||||
| - build | ||||||
| steps: | ||||||
| - uses: actions/checkout@v2 | ||||||
| - uses: actions/download-artifact@v2 | ||||||
| with: | ||||||
| path: "/home/circleci/stolon-pgbouncer" | ||||||
| - name: Install an up-to-date Docker Compose | ||||||
| run: |- | ||||||
| curl -L https://github.com/docker/compose/releases/download/1.24.0/docker-compose-`uname -s`-`uname -m` > ~/docker-compose | ||||||
| chmod +x ~/docker-compose | ||||||
| sudo mv ~/docker-compose /usr/local/bin/docker-compose | ||||||
| - name: Start docker-compose cluster | ||||||
| run: docker-compose up -d etcd-store sentinel pgbouncer keeper0 keeper1 keeper2 | ||||||
| - name: Tail logs from docker-compose | ||||||
| run: docker-compose logs -f | ||||||
| - name: Run acceptance tests | ||||||
| run: bin/stolon-pgbouncer-acceptance.linux_amd64 | ||||||
| release: | ||||||
| if: contains('refs/heads/master', github.ref) | ||||||
| defaults: | ||||||
| run: | ||||||
| working-directory: "/go/src/github.com/gocardless/stolon-pgbouncer" | ||||||
| runs-on: ubuntu-latest | ||||||
| container: | ||||||
| image: gocardless/stolon-pgbouncer-circleci:2020050701 | ||||||
|
There was a problem hiding this comment.
Suggested change
We should remove references to circle throughout the repo. |
||||||
| needs: | ||||||
| - acceptance | ||||||
| - unit-integration | ||||||
| steps: | ||||||
| # # 'setup_remote_docker' was not transformed because there is no suitable equivalent in GitHub Actions | ||||||
| - run: docker login -u "$DOCKER_USER" -p "$DOCKER_PASS" | ||||||
|
There was a problem hiding this comment. Looks like our image installs docker so we can get away without adding much here. What registry are we wanting to login to? If it is GCR then we might want to make use of workload identity federation so we can bin some long lived credentials https://github.com/docker/login-action#google-container-registry-gcr There was a problem hiding this comment. Also see our docs https://backstage.gocardless.io/docs/default/component/github-actions/CI/03-authentication/#authenticating-with-workload-identity-federation for how we can set this up There was a problem hiding this comment. We're using docker hub, as this is a public project. |
||||||
| - uses: actions/checkout@v2 | ||||||
| - name: Release | ||||||
| run: |- | ||||||
| CURRENT_VERSION="v$(cat VERSION)" | ||||||
| if [[ $(git tag -l "${CURRENT_VERSION}") == "${CURRENT_VERSION}" ]]; then | ||||||
| echo "Version ${CURRENT_VERSION} is already released" | ||||||
| exit 0 | ||||||
| fi | ||||||
| git tag "${CURRENT_VERSION}" | ||||||
| git push --tags | ||||||
| goreleaser --rm-dist | ||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure what this was set to before. We might be able to get away with the usual
GITHUB_TOKENinjected by GHA.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey Sam 👋
A note of warning: this is a public repo that anyone can open PRs to, so you’ll want to double check you don’t respond to those changes by running builds on any private GitHub agents you may have had around.
Especially if you’re relying on ambient creds on those machines, which might mean people outside of GC could exfiltrate GitHub resources under the GC org by misusing the creds.
I’ve not checked this super closely, but wanted to warn you in case you hadn’t considered it. It may make more sense to leave this and other open source repos on Circle, to avoid exposing the private infra.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey Lawrence,
Thanks for the heads up!
We don't have self-hosted runners set up just yet, but when we do we'll restrict them to run solely on private repositories, and leave public repos to use Github's runners.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great, wanted to nudge you in case it had gone under the radar, but sounds like you’re on it :)