
#!/usr/bin/env bash
#
# Entry point for the Github Actions CI workflows.
#
# Usage:
#   soil/github-actions.sh <function name> [args...]
#
# The last line of this file dispatches to the named function.

# Abort on unset variables, on any failed pipeline stage, and on unhandled errors.
set -o nounset -o pipefail -o errexit

keygen() {
  ### Generate the RSA keypair that Github Actions uses to log into the CI server
  #
  # rsa_github_actions     - private half; entered in the Github UI
  # rsa_github_actions.pub - public half; put in authorized_keys on the CI
  #                          server, e.g. op.oilshell.org
  local -r key_file='rsa_github_actions'
  local -r key_comment='oils-for-unix github-actions'

  ssh-keygen -t rsa -b 4096 -C "$key_comment" -f "$key_file"
}

#
# Run remotely
#

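publish-html-assuming-ssh-key() {
  ### Deploy this job's HTML results to the CI server, optionally the status-api
  #
  # $1 - job name
  # $2 - if non-empty, also publish the status-api entry for this run
  #
  # Requires the GITHUB_* variables that Github Actions sets:
  # https://docs.github.com/en/actions/reference/environment-variables
  # (with nounset, a missing GITHUB_RUN_NUMBER aborts the script here)
  local job_name=$1
  local update_status_api=${2:-}

  local prefix='github-'
  # Note: $GITHUB_RUN_NUMBER is a different sequence for all-builds.yml vs.
  # fast-subset.yml
  local run_dir=$GITHUB_RUN_NUMBER

  # Recommended by the docs
  export JOB_URL="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"

  # This prints 'View CI results here:' with URLs to op.oilshell.org.
  # The trailing arguments are env var NAMES, not values; presumably
  # web-worker.sh looks them up itself.
  # (For dummy data that doesn't depend on the build, run
  # 'soil/web-worker.sh deploy-test-wwz' instead of this call.)
  soil/web-worker.sh deploy-job-results "$prefix" "$run_dir" "$job_name" \
    JOB_URL \
    GITHUB_WORKFLOW \
    GITHUB_RUN_ID \
    GITHUB_RUN_NUMBER \
    GITHUB_JOB \
    GITHUB_ACTION \
    GITHUB_REF \
    GITHUB_PR_NUMBER \
    GITHUB_PR_HEAD_REF \
    GITHUB_PR_HEAD_SHA

  # Calls rewrite-jobs-index and cleanup-jobs-index
  time soil/web-worker.sh remote-event-job-done "$prefix" "$run_dir"

  if test -n "$update_status_api"; then
    soil/web-worker.sh scp-status-api "$GITHUB_RUN_ID" "$job_name"
    soil/web-worker.sh remote-cleanup-status-api
  fi

  # Show URLs again, so users can find the logs
  soil/web-worker.sh show-soil-urls "$prefix" "$run_dir" "$job_name"
}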

# Notes on Github secrets:
#
# - "Secrets are environment variables that are encrypted. Anyone with
#   collaborator access to this repository can use these secrets for Actions."
#
# - "Secrets are not passed to workflows that are triggered by a pull request from a fork"
#
# TODO: We're not following the principle of least privilege!  Really we should
# have an "append-only" capability, so that pull requests from untrusted forks
# can trigger builds.
#
# Instead of SSH, we could use curl to POST a .zip file to a PHP script on
# travis-ci.oilshell.org?

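load-secret-key() {
  ### Write the deploy key from the environment to disk and add it to ssh-agent
  #
  # Reads $OILS_GITHUB_SSH_KEY, which is set in .github/workflows/all-builds.yml.
  # Exits 1 (with a message on stderr) if it's not set.
  #
  # Don't run this under 'set -x': the trace would print the private key.
  local privkey=/tmp/rsa_github_actions

  if test -z "${OILS_GITHUB_SSH_KEY:-}"; then
    echo '$OILS_GITHUB_SSH_KEY not set' >&2
    exit 1
  fi

  # The path is fixed (other code may rely on it), so refuse to write through
  # a symlink someone else planted there.
  if test -L "$privkey"; then
    echo "$privkey is a symlink; refusing to write the key there" >&2
    exit 1
  fi

  # Create the file with a restrictive umask so the key is never readable by
  # other users, even for the instant between writing it and chmod'ing it.
  # printf avoids echo's option/escape handling; the trailing newline is kept
  # because ssh-add wants the PEM to end with one.
  (umask 077 && printf '%s\n' "$OILS_GITHUB_SSH_KEY" > "$privkey")
  chmod 600 "$privkey"

  # Start an agent for this shell and load the key into it
  eval "$(ssh-agent -s)"
  ssh-add "$privkey"
}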
# Overwrites the function in soil/travis.sh
publish-html() {
  ### Publish job HTML, and optionally status-api
  #
  # $1 - job name
  # $2 - if non-empty, also publish the status-api entry
  # Both are forwarded unchanged to publish-html-assuming-ssh-key.
  #
  # Loading the SSH key is left to the caller; the load-secret-key call that
  # used to be here is disabled.

  # Trace the rest so the CI log shows exactly what was deployed
  set -x
  publish-html-assuming-ssh-key "$@"
}
publish-cpp-tarball() {
  ### Load the deploy key, then upload the C++ tarball under the github- prefix
  local -r prefix='github-'

  load-secret-key
  soil/web-worker.sh publish-cpp-tarball "$prefix"
}
# Don't need this because Github Actions has it pre-installed.
install-podman() {
  ### Install podman via apt, then print its version to confirm it works
  local -r pkg='podman'

  sudo apt-get install -y "$pkg"
  "$pkg" --version
}
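run-job() {
  ### Called by YAML config: fix mount perms, then run the job in a container
  #
  # $1 - job name
  # $2 - container runtime to use (default: docker)
  #
  # Requires $REPO_ROOT in the environment (nounset aborts if it's missing).
  #
  # Unlike sourcehut, Github Actions runs one job per machine. So we fix the
  # mount permissions and run the job in one step.
  local job_name=$1
  local docker=${2:-docker}

  soil/host-shim.sh mount-perms "$REPO_ROOT"
  echo
  echo

  soil/host-shim.sh run-job-uke "$docker" "$REPO_ROOT" "$job_name"
}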
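publish-and-exit() {
  ### Called by Github Actions YAML config: publish HTML, then report success
  #
  # $1 - job name
  # $2 - optional; passed through to publish-html (non-empty: also status-api)
  #
  # Unlike sourcehut, Github Actions runs one job per machine. So we publish
  # HTML and exit in one step.
  local job_name=$1

  publish-html "$@"

  # Look on disk to see if all jobs succeeded.  This is the last command, so
  # its status becomes the function's (and, via the dispatcher, the script's).
  soil/host-shim.sh did-all-succeed "$job_name"
}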
# Dispatch: the first argument names a function above; the rest are its args.
"$@"