soil/github-actions.sh

OILS / soil / github-actions.sh View on Github | oilshell.org

142 lines, 68 significant

1	#!/usr/bin/env bash
2	#
3	# Usage:
4	# soil/github-actions.sh <function name>
5
6	set -o nounset
7	set -o pipefail
8	set -o errexit
9
10	keygen() {
11	# rsa_github_actions is private, and sent to Github to log into the server
12	# rsa_github_actions.pub is public, and put in authorized_keys on the server
13	ssh-keygen -t rsa -b 4096 -C "oilshell github-actions" -f rsa_github_actions
14	}
15
16	#
17	# Run remotely
18	#
19
20	publish-html-assuming-ssh-key() {
21	local job_name=$1
22	local update_status_api=${2:-}
23
24	if true; then
25	# https://docs.github.com/en/actions/reference/environment-variables
26
27	# Recommended by the docs
28	export JOB_URL="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
29
30	# Note $GITHUB_RUN_NUMBER is a different sequence for all-builds.yml vs.
31	# fast-subset.yml
32
33	soil/web-worker.sh deploy-job-results 'github-' $GITHUB_RUN_NUMBER $job_name \
34	JOB_URL \
35	GITHUB_WORKFLOW \
36	GITHUB_RUN_ID \
37	GITHUB_RUN_NUMBER \
38	GITHUB_JOB \
39	GITHUB_ACTION \
40	GITHUB_REF \
41	GITHUB_PR_NUMBER \
42	GITHUB_PR_HEAD_REF \
43	GITHUB_PR_HEAD_SHA
44	else
45	soil/web-worker.sh deploy-test-wwz # dummy data that doesn't depend on the build
46	fi
47
48	# Calls rewrite-jobs-index and cleanup-jobs-index
49	time soil/web-worker.sh remote-event-job-done 'github-' $GITHUB_RUN_NUMBER
50
51	if test -n "$update_status_api"; then
52	soil/web-worker.sh scp-status-api "$GITHUB_RUN_ID" "$job_name"
53	soil/web-worker.sh remote-cleanup-status-api
54	fi
55	}
56
57	# Notes on Github secrets:
58
59	# - "Secrets are environment variables that are encrypted. Anyone with
60	# collaborator access to this repository can use these secrets for Actions."
61	#
62	# - "Secrets are not passed to workflows that are triggered by a pull request from a fork"
63	#
64	# TODO: We're not following the principle of least privilege! Really we should
65	# have an "append-only" capability? So then pull requests from untrusted forks
66	# can trigger builds?
67	#
68	# Instead of SSH, we should use curl to POST a .zip file to PHP script on
69	# travis-ci.oilshell.org?
70
71	load-secret-key() {
72	local privkey=/tmp/rsa_github_actions
73
74	if test -n "${OILS_GITHUB_KEY:-}"; then
75	echo "$OILS_GITHUB_KEY" > $privkey
76	else
77	echo '$OILS_GITHUB_KEY not set'
78	exit 1
79	fi
80
81	chmod 600 $privkey
82	eval "$(ssh-agent -s)"
83	ssh-add $privkey
84	}
85
86
87	# Overwrites the function in soil/travis.sh
88	publish-html() {
89	### Publish job HTML, and optionally status-api
90
91	#load-secret-key
92
93	set -x
94	# $1 can be the job name
95	publish-html-assuming-ssh-key "$@"
96	}
97
98	publish-cpp-tarball() {
99	load-secret-key
100
101	soil/web-worker.sh publish-cpp-tarball github-
102	}
103
104	# Don't need this because Github Actions has it pre-installed.
105	install-podman() {
106	sudo apt-get install -y podman
107	podman --version
108	}
109
110	run-job() {
111	### Called by YAML config
112
113	# Unlike sourcehut, Github Actions runs one job per machine. So we fix the
114	# mount permissions and run the job in one step.
115
116	local job_name=$1
117	local docker=${2:-docker}
118
119	# I think it starts in the repo
120	# cd $REPO_ROOT
121
122	soil/host-shim.sh mount-perms $REPO_ROOT
123	echo
124	echo
125
126	soil/host-shim.sh run-job-uke $docker $REPO_ROOT $job_name
127	}
128
129	publish-and-exit() {
130	### Called by YAML config
131	local job_name=$1
132	# second param is passed to publish-html
133
134	# Unlike sourcehut, Github Actions runs one job per machine. So we publish
135	# HTML and exit in one step.
136
137	publish-html "$@"
138
139	soil/host-shim.sh did-all-succeed $job_name
140	}
141
142	"$@"