
#!/usr/bin/env bash
#
# Usage:
#   soil/github-actions.sh <function name>

# Strict mode: unset variables are errors, a pipeline fails if any stage
# fails, and any unhandled non-zero status aborts the script.
set -eu -o pipefail
keygen() {
  ### Generate the RSA key pair used to reach the server from GitHub Actions
  #
  # Writes two files in the current directory:
  #   rsa_github_actions     - private half; given to GitHub so jobs can log
  #                            into the server
  #   rsa_github_actions.pub - public half; goes into authorized_keys on the
  #                            server
  local -r key_file='rsa_github_actions'
  local -r key_comment='oilshell github-actions'
  ssh-keygen -t rsa -b 4096 -C "$key_comment" -f "$key_file"
}
#
# Run remotely
#

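publish-html-assuming-ssh-key() {
  ### Deploy one job's HTML results (and optionally the status-api) via web-worker.sh
  #
  # Arguments:
  #   $1 - job name
  #   $2 - if non-empty, also upload the status-api files (optional)
  # Globals read:    GITHUB_RUN_NUMBER, GITHUB_SERVER_URL, GITHUB_REPOSITORY,
  #                  GITHUB_RUN_ID
  # Globals written: JOB_URL (exported)
  # Assumes the SSH key for the server is already loaded (see load-secret-key).
  local job_name=$1
  local update_status_api=${2:-}

  # Declared at function scope: these were previously set inside the `if true`
  # branch, so flipping the toggle to the dummy-data branch left $prefix and
  # $run_dir unset for the remote-event-job-done / show-soil-urls calls below
  # (a nounset error).
  local prefix='github-'
  local run_dir=$GITHUB_RUN_NUMBER
  # https://docs.github.com/en/actions/reference/environment-variables
  #
  # Note $GITHUB_RUN_NUMBER is a different sequence for all-builds.yml vs.
  # fast-subset.yml

  if true; then
    # Recommended by the docs
    export JOB_URL="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"

    # This function prints 'View CI results here:' with URLs to op.oilshell.org
    #
    # The GITHUB_* entries are passed as variable *names*, not values; the
    # GITHUB_PR_* ones originate from the pull request, so whatever resolves
    # them (presumably web-worker.sh -- verify there) is handling untrusted
    # text.  Positional values are quoted so a job name with spaces or glob
    # characters stays one argument.
    soil/web-worker.sh deploy-job-results "$prefix" "$run_dir" "$job_name" \
      JOB_URL \
      GITHUB_WORKFLOW \
      GITHUB_RUN_ID \
      GITHUB_RUN_NUMBER \
      GITHUB_JOB \
      GITHUB_ACTION \
      GITHUB_REF \
      GITHUB_PR_NUMBER \
      GITHUB_PR_HEAD_REF \
      GITHUB_PR_HEAD_SHA
  else
    # Dev toggle: dummy data that doesn't depend on the build
    soil/web-worker.sh deploy-test-wwz
  fi

  # Calls rewrite-jobs-index and cleanup-jobs-index
  time soil/web-worker.sh remote-event-job-done "$prefix" "$run_dir"

  if test -n "$update_status_api"; then
    soil/web-worker.sh scp-status-api "$GITHUB_RUN_ID" "$job_name"
    soil/web-worker.sh remote-cleanup-status-api
  fi

  # Show URLs again, so users can find the logs
  soil/web-worker.sh show-soil-urls "$prefix" "$run_dir" "$job_name"
}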
# Notes on Github secrets:

# - "Secrets are environment variables that are encrypted. Anyone with
#   collaborator access to this repository can use these secrets for Actions."
#
# - "Secrets are not passed to workflows that are triggered by a pull request from a fork"
#
# TODO: We're not following the principle of least privilege! Really we should
# have an "append-only" capability, so that pull requests from untrusted forks
# could trigger builds without holding the SSH key.
#
# Instead of SSH, we could use curl to POST a .zip file to a PHP script on
# travis-ci.oilshell.org?

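load-secret-key() {
  ### Write $OILS_GITHUB_KEY to a private file and add it to a new ssh-agent
  #
  # Globals read:    OILS_GITHUB_KEY - the SSH private key (a GitHub secret)
  # Globals written: SSH_AUTH_SOCK, SSH_AGENT_PID (via the eval of ssh-agent -s)
  # Exits:           1 if OILS_GITHUB_KEY is unset or empty, or if the key file
  #                  cannot be created
  if test -z "${OILS_GITHUB_KEY:-}"; then
    # Diagnostics go to stderr so they don't mix with job output
    echo '$OILS_GITHUB_KEY not set' >&2
    exit 1
  fi

  # mktemp creates the file with mode 0600 atomically.  The previous version
  # wrote the key to a fixed path under the default umask and only then ran
  # chmod 600, leaving the key world-readable for a moment and open to a
  # pre-planted file/symlink at the predictable name.
  local privkey
  privkey=$(mktemp /tmp/rsa_github_actions.XXXXXX) || {
    echo 'mktemp failed' >&2
    exit 1
  }
  # printf rather than echo: the key is arbitrary data, not an echo option
  printf '%s\n' "$OILS_GITHUB_KEY" > "$privkey"
  chmod 600 "$privkey"

  # ssh-agent -s prints shell assignments for SSH_AUTH_SOCK / SSH_AGENT_PID
  eval "$(ssh-agent -s)"
  ssh-add "$privkey"
}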


# Overwrites the function in soil/travis.sh
publish-html() {
  ### Publish job HTML, and optionally status-api
  #
  # All arguments are forwarded unchanged to publish-html-assuming-ssh-key:
  # $1 is the job name, $2 (optional) enables the status-api upload.

  # Key loading is currently left to the caller
  #load-secret-key

  local -a forwarded=("$@")

  # Trace the deploy commands in the job log
  set -x
  publish-html-assuming-ssh-key "${forwarded[@]}"
}
publish-cpp-tarball() {
  ### Load the deploy key, then hand the C++ tarball upload to web-worker.sh
  local -r prefix='github-'

  load-secret-key
  soil/web-worker.sh publish-cpp-tarball "$prefix"
}

# Don't need this because Github Actions has it pre-installed.
install-podman() {
  ### Install podman via apt and print the installed version
  local -a packages=(podman)

  sudo apt-get install -y "${packages[@]}"
  podman --version
}
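run-job() {
  ### Called by YAML config
  #
  # Arguments:
  #   $1 - job name
  #   $2 - container runtime command (default: docker)
  # Globals read: REPO_ROOT
  #
  # Unlike sourcehut, Github Actions runs one job per machine. So we fix the
  # mount permissions and run the job in one step.
  local job_name=$1
  local docker=${2:-docker}

  # Expansions are quoted so a path or name containing whitespace or glob
  # characters is passed as a single argument (they were unquoted before).
  soil/host-shim.sh mount-perms "$REPO_ROOT"
  echo
  echo

  soil/host-shim.sh run-job-uke "$docker" "$REPO_ROOT" "$job_name"
}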
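publish-and-exit() {
  ### Called by Github Actions YAML config
  #
  # Arguments:
  #   $1 - job name
  #   $2 - optional; passed through to publish-html (status-api toggle)
  # Exits with the status of soil/host-shim.sh did-all-succeed, since that is
  # the last command run.
  local job_name=$1

  # Unlike sourcehut, Github Actions runs one job per machine. So we publish
  # HTML and exit in one step.
  publish-html "$@"

  # Look on disk to see if all jobs succeeded.  Quoted so a job name with
  # whitespace stays one argument.
  soil/host-shim.sh did-all-succeed "$job_name"
}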
# Dispatch: the first argument names one of the functions above; the rest
# become its arguments.
"$@"