
1#!/usr/bin/env bash
2#
3# Usage:
4# soil/github-actions.sh <function name>
5
# Strict mode: abort on unset variables, on a failing stage anywhere in a
# pipeline, and on any unhandled non-zero exit status.
set -o errexit -o nounset -o pipefail
9
keygen() {
  ### Generate the RSA key pair that GitHub Actions uses to reach the server
  #
  # rsa_github_actions     - private half; it is handed to GitHub so jobs can
  #                          log into the server (load-secret-key reads it back
  #                          from $OILS_GITHUB_KEY)
  # rsa_github_actions.pub - public half; goes into authorized_keys on the server
  #
  # Leave the passphrase empty when prompted: load-secret-key feeds the key to
  # ssh-add non-interactively, so an encrypted key would block the job.
  #
  # NOTE(review): every collaborator's workflow can use this key, so consider
  # restricting it in authorized_keys (command=, no-pty, no-port-forwarding).
  local keyfile='rsa_github_actions'
  local key_comment='oilshell github-actions'

  ssh-keygen -t rsa -b 4096 -C "$key_comment" -f "$keyfile"
}
15
16#
17# Run remotely
18#
19
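publish-html-assuming-ssh-key() {
  ### Upload this job's HTML results to the server, then refresh the job index
  #
  # Assumes an SSH key that can reach the server is already loaded in the
  # agent (see load-secret-key).
  #
  # $1 job_name          - name of the job whose results are uploaded
  # $2 update_status_api - if non-empty, also publish the status-api files
  #
  # Reads the GITHUB_* variables that Actions sets.  Under nounset the function
  # aborts if GITHUB_SERVER_URL, GITHUB_REPOSITORY, GITHUB_RUN_ID or
  # GITHUB_RUN_NUMBER is missing, which is the desired behavior outside CI.
  local job_name=$1
  local update_status_api=${2:-}

  # https://docs.github.com/en/actions/reference/environment-variables
  #
  # Recommended by the docs
  export JOB_URL="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"

  # Note $GITHUB_RUN_NUMBER is a different sequence for all-builds.yml vs.
  # fast-subset.yml
  #
  # The trailing arguments are variable NAMES, not values (presumably
  # deploy-job-results reads them from the environment; JOB_URL is exported
  # above for that reason).  The expansions are quoted so an odd value can't
  # be split into extra arguments.
  soil/web-worker.sh deploy-job-results 'github-' "$GITHUB_RUN_NUMBER" "$job_name" \
    JOB_URL \
    GITHUB_WORKFLOW \
    GITHUB_RUN_ID \
    GITHUB_RUN_NUMBER \
    GITHUB_JOB \
    GITHUB_ACTION \
    GITHUB_REF \
    GITHUB_PR_NUMBER \
    GITHUB_PR_HEAD_REF \
    GITHUB_PR_HEAD_SHA
  # To exercise the deploy path with dummy data that doesn't depend on the
  # build, run this instead of the call above:
  #   soil/web-worker.sh deploy-test-wwz

  # Calls rewrite-jobs-index and cleanup-jobs-index
  time soil/web-worker.sh remote-event-job-done 'github-' "$GITHUB_RUN_NUMBER"

  if test -n "$update_status_api"; then
    soil/web-worker.sh scp-status-api "$GITHUB_RUN_ID" "$job_name"
    soil/web-worker.sh remote-cleanup-status-api
  fi
}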
56
57# Notes on Github secrets:
58
59# - "Secrets are environment variables that are encrypted. Anyone with
60# collaborator access to this repository can use these secrets for Actions."
61#
62# - "Secrets are not passed to workflows that are triggered by a pull request from a fork"
63#
# TODO: We're not following the principle of least privilege! The key that
# load-secret-key adds to ssh-agent is a real SSH login to the server (unless
# authorized_keys restricts it with a forced command), so any workflow that can
# read the secret -- every collaborator, per the quote above -- can do whatever
# that account can. An "append-only" capability, one that can only upload
# results, would be enough for publishing; with that, builds triggered by pull
# requests from untrusted forks could safely publish too.
67#
# Instead of SSH, we should have the job use curl to POST a .zip file to a PHP
# script on travis-ci.oilshell.org that accepts uploads and nothing else?
70
71load-secret-key() {
72 local privkey=/tmp/rsa_github_actions
73
74 if test -n "${OILS_GITHUB_KEY:-}"; then
75 echo "$OILS_GITHUB_KEY" > $privkey
76 else
77 echo '$OILS_GITHUB_KEY not set'
78 exit 1
79 fi
80
81 chmod 600 $privkey
82 eval "$(ssh-agent -s)"
83 ssh-add $privkey
84}
85
86
# Overwrites the function in soil/travis.sh
publish-html() {
  ### Publish job HTML, and optionally status-api
  #
  # $1 is the job name; $2 (optional), when non-empty, also publishes the
  # status-api.  Both are forwarded unchanged to publish-html-assuming-ssh-key,
  # which presumably expects the SSH key to be loaded already.

  # If load-secret-key is ever re-enabled here, keep it ABOVE the xtrace line:
  # with tracing on, writing the key to disk would print the private key into
  # the job log.
  #load-secret-key

  set -o xtrace
  publish-html-assuming-ssh-key "$@"
}
97
publish-cpp-tarball() {
  ### Load the deploy key, then hand the tarball upload to web-worker.sh
  local prefix='github-'

  load-secret-key
  soil/web-worker.sh publish-cpp-tarball "$prefix"
}
103
# Don't need this because Github Actions has it pre-installed.
install-podman() {
  ### Install podman via apt, then print its version as a smoke test
  sudo apt-get install --yes podman
  podman --version
}
109
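run-job() {
  ### Called by YAML config
  #
  # $1 job_name - the soil job to run
  # $2 docker   - container runtime to use (default: docker), e.g. podman
  #
  # Requires $REPO_ROOT to be set by the environment; under nounset the
  # function aborts if it isn't.

  # Unlike sourcehut, Github Actions runs one job per machine. So we fix the
  # mount permissions and run the job in one step.
  local job_name=$1
  local docker=${2:-docker}

  # I think it starts in the repo
  # cd $REPO_ROOT

  # Expansions are quoted so a REPO_ROOT or job name containing whitespace or
  # glob characters still arrives at host-shim.sh as a single argument.
  soil/host-shim.sh mount-perms "$REPO_ROOT"
  echo
  echo

  soil/host-shim.sh run-job-uke "$docker" "$REPO_ROOT" "$job_name"
}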
128
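publish-and-exit() {
  ### Called by YAML config
  #
  # $1 job_name - job whose HTML is published and whose result decides the
  #               exit status of this step
  # $2          - optional; passed through to publish-html (status-api flag)

  # Unlike sourcehut, Github Actions runs one job per machine. So we publish
  # HTML and exit in one step.
  local job_name=$1

  publish-html "$@"

  # Last command, so its status is the function's (and, via "$@" dispatch at
  # the bottom of the file, the script's) exit status.  Quoted so a job name
  # with whitespace is not split into several arguments.
  soil/host-shim.sh did-all-succeed "$job_name"
}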
141
# Dispatch: the first argument names a function defined above (see Usage at
# the top); the remaining arguments are passed to it.  This runs whatever
# command name it is given, so the caller (the YAML config) controls what
# executes here.
"$@"