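# GitHub Actions workflow for the Vault "build" pipeline: computes product
# metadata, builds the UI, the Go binaries for every target OS/arch, the Docker
# and UBI images, runs the Enos scenario matrix against the Linux artifacts,
# and aggregates/report results. Most build jobs delegate to reusable
# workflows under ./.github/workflows.
name: build

on:
  workflow_dispatch:
  pull_request:
    # The default types for pull_request are [ opened, synchronize, reopened ].
    # This is insufficient for our needs, since we're skipping stuff on PRs in
    # draft mode. By adding the ready_for_review type, when a draft pr is marked
    # ready, we run everything, including the stuff we'd have skipped up until now.
    types: [opened, synchronize, reopened, ready_for_review]
  push:
    branches:
      - main
      - release/**

# One run per PR head ref (or per run id outside of PRs); a newer push cancels
# the in-flight run for the same group.
concurrency:
  group: ${{ github.head_ref || github.run_id }}-build
  cancel-in-progress: true

# NOTE(review): there is no workflow-level `permissions:` block, so every job
# that does not declare its own (all but the two notify jobs) runs with the
# repository's default GITHUB_TOKEN permissions. The report-build-failures step
# is handed GITHUB_TOKEN; confirm what report_failed_builds.sh needs before
# adding a restrictive default here.

jobs:
  # verify-changes determines if the changes are only for docs (website)
  verify-changes:
    uses: ./.github/workflows/verify_changes.yml

  # Produces the version / revision / build-date / package-name strings that
  # every downstream job consumes, and uploads metadata.json as an artifact.
  product-metadata:
    # do not run build and test steps for docs changes
    # Following https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/troubleshooting-required-status-checks#handling-skipped-but-required-checks
    # we conditionally skip the build and tests for docs(website) changes
    if: |
      github.event.pull_request.draft == false &&
      needs.verify-changes.outputs.is_docs_change == 'false'
    runs-on: ubuntu-latest
    needs: verify-changes
    outputs:
      build-date: ${{ steps.get-metadata.outputs.build-date }}
      filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
      package-name: ${{ steps.get-metadata.outputs.package-name }}
      vault-revision: ${{ steps.get-metadata.outputs.vault-revision }}
      vault-version: ${{ steps.set-product-version.outputs.product-version }}
      vault-version-package: ${{ steps.get-metadata.outputs.vault-version-package }}
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Ensure Go modules are cached
        uses: ./.github/actions/set-up-go
        id: set-up-go
        with:
          # Secrets are not populated for pull_request runs that come from forks
          # (see the comment on the test job), so this is empty there.
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
          no-restore: true # don't download them on a cache hit
      - name: Set Product version
        id: set-product-version
        # NOTE(review): mutable tag. The third-party actions in this file are
        # pinned to a commit SHA with a version comment; pin this one the same
        # way once the SHA of the wanted release is confirmed.
        uses: hashicorp/actions-set-product-version@v1
      - name: Get metadata
        id: get-metadata
        env:
          VAULT_VERSION: ${{ steps.set-product-version.outputs.product-version }}
        # Only make targets and an env var feed this script; no workflow
        # expression is interpolated into the shell text.
        run: |
          # shellcheck disable=SC2129
          echo "build-date=$(make ci-get-date)" >> "$GITHUB_OUTPUT"
          echo "package-name=vault" >> "$GITHUB_OUTPUT"
          echo "vault-revision=$(make ci-get-revision)" >> "$GITHUB_OUTPUT"
          echo "vault-version-package=$(make ci-get-version-package)" >> "$GITHUB_OUTPUT"
      # NOTE(review): mutable tag; pin to a commit SHA as with the other actions.
      - uses: hashicorp/actions-generate-metadata@v1
        id: generate-metadata-file
        with:
          version: ${{ steps.set-product-version.outputs.product-version }}
          product: ${{ steps.get-metadata.outputs.package-name }}
      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: metadata.json
          path: ${{ steps.generate-metadata-file.outputs.filepath }}
          if-no-files-found: error

  # Builds the web UI only when the ui/ tree changed; otherwise the cached
  # http/web_ui assets (keyed on the ui/ tree hash) are reused by the build jobs.
  build-ui:
    name: UI
    runs-on: custom-linux-xl-vault-latest
    outputs:
      cache-key: ui-${{ steps.ui-hash.outputs.ui-hash }}
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Get UI hash
        id: ui-hash
        # Tree object id of ui/ at HEAD: changes iff something under ui/ changed.
        run: echo "ui-hash=$(git ls-tree HEAD ui --object-only)" >> "$GITHUB_OUTPUT"
      - name: Set up UI asset cache
        id: cache-ui-assets
        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
        with:
          enableCrossOsArchive: true
          lookup-only: true
          path: http/web_ui
          # Only restore the UI asset cache if we haven't modified anything in the ui directory.
          # Never do a partial restore of the web_ui if we don't get a cache hit.
          key: ui-${{ steps.ui-hash.outputs.ui-hash }}
      - if: steps.cache-ui-assets.outputs.cache-hit != 'true'
        name: Set up node and yarn
        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
        with:
          node-version-file: ui/package.json
          cache: yarn
          cache-dependency-path: ui/yarn.lock
      - if: steps.cache-ui-assets.outputs.cache-hit != 'true'
        name: Build UI
        run: make ci-build-ui

  # Binaries for the non-Linux, non-Darwin targets (no OS packages).
  build-other:
    name: Other
    needs:
      - product-metadata
      - build-ui
    strategy:
      matrix:
        goos: [freebsd, windows, netbsd, openbsd, solaris]
        goarch: [386, amd64, arm]
        exclude:
          - goos: solaris
            goarch: 386
          - goos: solaris
            goarch: arm
          - goos: windows
            goarch: arm
      fail-fast: true
    uses: ./.github/workflows/build-vault-ce.yml
    with:
      create-packages: false
      goarch: ${{ matrix.goarch }}
      goos: ${{ matrix.goos }}
      go-tags: ui
      package-name: ${{ needs.product-metadata.outputs.package-name }}
      web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }}
      vault-version: ${{ needs.product-metadata.outputs.vault-version }}
    # NOTE(review): `inherit` forwards every secret available to this workflow
    # to the called one; passing only the secrets build-vault-ce.yml declares
    # would narrow that. Same applies to build-linux, build-darwin, test and
    # test-docker-k8s below.
    secrets: inherit

  # Linux binaries and packages (the artifacts the Enos tests consume).
  build-linux:
    name: Linux
    needs:
      - product-metadata
      - build-ui
    strategy:
      matrix:
        goos: [linux]
        goarch: [arm, arm64, 386, amd64]
      fail-fast: true
    uses: ./.github/workflows/build-vault-ce.yml
    with:
      goarch: ${{ matrix.goarch }}
      goos: ${{ matrix.goos }}
      go-tags: ui
      package-name: ${{ needs.product-metadata.outputs.package-name }}
      web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }}
      vault-version: ${{ needs.product-metadata.outputs.vault-version }}
    secrets: inherit

  # macOS binaries (no OS packages).
  build-darwin:
    name: Darwin
    needs:
      - product-metadata
      - build-ui
    strategy:
      matrix:
        goos: [darwin]
        goarch: [amd64, arm64]
      fail-fast: true
    uses: ./.github/workflows/build-vault-ce.yml
    with:
      create-packages: false
      goarch: ${{ matrix.goarch }}
      goos: ${{ matrix.goos }}
      go-tags: ui
      package-name: ${{ needs.product-metadata.outputs.package-name }}
      web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }}
      vault-version: ${{ needs.product-metadata.outputs.vault-version }}
    secrets: inherit

  # Default Docker image, built from the Linux zip artifact of each arch.
  build-docker:
    name: Docker image
    needs:
      - product-metadata
      - build-linux
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch: [arm, arm64, 386, amd64]
    env:
      repo: ${{ github.event.repository.name }}
      version: ${{ needs.product-metadata.outputs.vault-version }}
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      # NOTE(review): mutable tag; pin to a commit SHA as with the other
      # actions (also in build-ubi below).
      - uses: hashicorp/actions-docker-build@v1
        with:
          version: ${{ env.version }}
          target: default
          arch: ${{ matrix.arch }}
          zip_artifact_name: vault_${{ env.version }}_linux_${{ matrix.arch }}.zip
          tags: |
            docker.io/hashicorp/${{ env.repo }}:${{ env.version }}
            public.ecr.aws/hashicorp/${{ env.repo }}:${{ env.version }}

  # Red Hat UBI-based image (amd64 only).
  build-ubi:
    name: UBI image
    needs:
      - product-metadata
      - build-linux
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch: [amd64]
    env:
      repo: ${{ github.event.repository.name }}
      version: ${{ needs.product-metadata.outputs.vault-version }}
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: hashicorp/actions-docker-build@v1
        with:
          version: ${{ env.version }}
          target: ubi
          arch: ${{ matrix.arch }}
          zip_artifact_name: vault_${{ env.version }}_linux_${{ matrix.arch }}.zip
          # The redhat_tag differs on CE and ENT editions. Be mindful when resolving merge conflicts.
          redhat_tag: quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ env.version }}-ubi

  # Enos scenario matrix against the Linux deb/rpm/zip artifacts.
  test:
    name: Test ${{ matrix.build-artifact-name }}
    # Only run the Enos workflow against branches that are created from the
    # hashicorp/vault repository. This has the effect of limiting execution of
    # Enos scenarios to branches that originate from authors that have write
    # access to hashicorp/vault repository. This is required as Github Actions
    # will not populate the required secrets for branches created by outside
    # contributors in order to protect the secrets integrity.
    # This condition can be removed in future if enos workflow is updated to
    # workflow_run event
    # (On push and workflow_dispatch events there is no pull_request payload,
    # so the negated lookup is true and the job runs.)
    if: "! github.event.pull_request.head.repo.fork"
    needs:
      - product-metadata
      - build-linux
    uses: ./.github/workflows/test-run-enos-scenario-matrix.yml
    strategy:
      fail-fast: false
      matrix:
        include:
          - sample-name: build_ce_linux_amd64_deb
            build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version-package }}-1_amd64.deb
          - sample-name: build_ce_linux_arm64_deb
            build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version-package }}-1_arm64.deb
          - sample-name: build_ce_linux_amd64_rpm
            build-artifact-name: vault-${{ needs.product-metadata.outputs.vault-version-package }}-1.x86_64.rpm
          - sample-name: build_ce_linux_arm64_rpm
            build-artifact-name: vault-${{ needs.product-metadata.outputs.vault-version-package }}-1.aarch64.rpm
          - sample-name: build_ce_linux_amd64_zip
            build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_amd64.zip
          - sample-name: build_ce_linux_arm64_zip
            build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_arm64.zip
    with:
      build-artifact-name: ${{ matrix.build-artifact-name }}
      sample-max: 1
      sample-name: ${{ matrix.sample-name }}
      ssh-key-name: ${{ github.event.repository.name }}-ci-ssh-key
      vault-revision: ${{ needs.product-metadata.outputs.vault-revision }}
      vault-version: ${{ needs.product-metadata.outputs.vault-version }}
    secrets: inherit

  # Enos Kubernetes scenario against the default Docker image (amd64).
  test-docker-k8s:
    name: Test Docker K8s
    # Only run the Enos workflow against branches that are created from the
    # hashicorp/vault repository. This has the effect of limiting execution of
    # Enos scenarios to branches that originate from authors that have write
    # access to hashicorp/vault repository. This is required as Github Actions
    # will not populate the required secrets for branches created by outside
    # contributors in order to protect the secrets integrity.
    # GHA secrets are only ready on workflow_run for public repo
    # This condition can be removed in future if enos workflow is updated to
    # workflow_run event
    if: "! github.event.pull_request.head.repo.fork"
    needs:
      - product-metadata
      - build-docker
    uses: ./.github/workflows/enos-run-k8s.yml
    with:
      artifact-build-date: ${{ needs.product-metadata.outputs.build-date }}
      artifact-name: ${{ github.event.repository.name }}_default_linux_amd64_${{ needs.product-metadata.outputs.vault-version }}_${{ needs.product-metadata.outputs.vault-revision }}.docker.tar
      artifact-revision: ${{ needs.product-metadata.outputs.vault-revision }}
      artifact-version: ${{ needs.product-metadata.outputs.vault-version }}
    secrets: inherit

  # Posts the per-job results for PR runs (github.head_ref is only set on
  # pull_request events). Runs on success or failure, not when cancelled.
  report-build-failures:
    name: Report Build Failures
    needs:
      - build-other
      - build-linux
      - build-darwin
      - build-docker
      - build-ubi
      - test
      - test-docker-k8s
    if: (success() || failure()) && github.head_ref != ''
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Build Status
        # Everything the script needs is passed through the environment rather
        # than interpolated into the command line.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          RUN_ID: ${{ github.run_id }}
          REPO: ${{ github.event.repository.name }}
          BUILD_OTHER: ${{ needs.build-other.result }}
          BUILD_LINUX: ${{ needs.build-linux.result }}
          BUILD_DARWIN: ${{ needs.build-darwin.result }}
          BUILD_DOCKER: ${{ needs.build-docker.result }}
          BUILD_UBI: ${{ needs.build-ubi.result }}
          TEST: ${{ needs.test.result }}
          TEST_DOCKER_K8S: ${{ needs.test-docker-k8s.result }}
        run: ./.github/scripts/report_failed_builds.sh

  # Single status check for branch protection: fails iff any dependency failed
  # or was cancelled. A "skipped" result is accepted, which is what lets the
  # docs-only runs (where product-metadata and its dependents are skipped) pass.
  completed-successfully:
    # We force a failure if any of the dependent jobs fail,
    # this is a workaround for the issue reported https://github.com/actions/runner/issues/2566
    if: always()
    runs-on: ubuntu-latest
    needs:
      - build-other
      - build-linux
      - build-darwin
      - build-docker
      - build-ubi
      - test
      - test-docker-k8s
    steps:
      # Job results are fixed status strings, so interpolating them into the
      # shell here cannot inject anything. With the newlines removed grep sees
      # one line; `-v` then succeeds only if that line has no failure/cancelled.
      - run: |
          tr -d '\n' <<< '${{ toJSON(needs.*.result) }}' | grep -q -v -E '(failure|cancelled)'

  # Slack notification for CE failures on main / release branches.
  notify-completed-successfully-failures-ce:
    if: ${{ always() && github.repository == 'hashicorp/vault' && needs.completed-successfully.result == 'failure' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    strategy:
      fail-fast: false
    needs:
      - completed-successfully
      - build-other
      - build-linux
      - build-darwin
      - build-docker
      - build-ubi
      - test
      - test-docker-k8s
    steps:
      - name: send-notification
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        # We intentionally aren't using the following here since it's from an internal repo
        # uses: hashicorp/cloud-gha-slack-notifier@730a033037b8e603adf99ebd3085f0fdfe75e2f4 #v1
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
        with:
          channel-id: "C05AABYEA9Y" # sent to #feed-vault-ci-official, use "C05Q4D5V89W"/test-vault-ci-slack-integration for testing
          # github.ref_name is spliced into the JSON without escaping; the job's
          # `if` limits it to main and release/* refs, which keeps that safe.
          payload: |
            {
              "text": "CE build failures on ${{ github.ref_name }}",
              "blocks": [
                {
                  "type": "header",
                  "text": {
                    "type": "plain_text",
                    "text": ":rotating_light: CE build failures on ${{ github.ref_name }} :rotating_light:",
                    "emoji": true
                  }
                },
                {
                  "type": "divider"
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "${{ (needs.build-other.result != 'failure' && needs.build-linux.result != 'failure' && needs.build-darwin.result != 'failure' && needs.build-docker.result != 'failure' && needs.build-ubi.result != 'failure') && ':white_check_mark:' || ':x:' }} Build results\n${{ (needs.test.result != 'failure' && needs.test-docker-k8s.result != 'failure') && ':white_check_mark:' || ':x:' }} Enos tests"
                  },
                  "accessory": {
                    "type": "button",
                    "text": {
                      "type": "plain_text",
                      "text": "View Failing Workflow",
                      "emoji": true
                    },
                    "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
                  }
                }
              ]
            }

  # Slack notification for Enterprise failures on main / release branches. The
  # bot token is fetched from Vault at run time instead of a repository secret.
  notify-completed-successfully-failures-ent:
    if: ${{ always() && github.repository == 'hashicorp/vault-enterprise' && needs.completed-successfully.result == 'failure' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) }}
    runs-on: ['self-hosted', 'linux', 'small']
    permissions:
      id-token: write
      contents: read
    strategy:
      fail-fast: false
    needs:
      - completed-successfully
      - build-other
      - build-linux
      - build-darwin
      - build-docker
      - build-ubi
      - test
      - test-docker-k8s
    steps:
      - id: vault-auth
        name: Vault Authenticate
        run: vault-auth
      - id: secrets
        name: Fetch Vault Secrets
        # NOTE(review): pinned to a SHA but, unlike the other pinned actions,
        # without a comment naming the corresponding release; add one.
        uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e
        with:
          url: ${{ steps.vault-auth.outputs.addr }}
          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
          token: ${{ steps.vault-auth.outputs.token }}
          secrets: |
            kv/data/github/${{ github.repository }}/github_actions_notifications_bot token | SLACK_BOT_TOKEN;
      - name: send-notification
        uses: hashicorp/cloud-gha-slack-notifier@730a033037b8e603adf99ebd3085f0fdfe75e2f4 #v1
        with:
          channel-id: "C05AABYEA9Y" # sent to #feed-vault-ci-official, use "C05Q4D5V89W"/test-vault-ci-slack-integration for testing
          slack-bot-token: ${{ steps.secrets.outputs.SLACK_BOT_TOKEN }}
          # github.ref_name is spliced into the JSON without escaping; the job's
          # `if` limits it to main and release/* refs, which keeps that safe.
          payload: |
            {
              "text": "Enterprise build failures on ${{ github.ref_name }}",
              "blocks": [
                {
                  "type": "header",
                  "text": {
                    "type": "plain_text",
                    "text": ":rotating_light: Enterprise build failures on ${{ github.ref_name }} :rotating_light:",
                    "emoji": true
                  }
                },
                {
                  "type": "divider"
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "${{ (needs.build-other.result != 'failure' && needs.build-linux.result != 'failure' && needs.build-darwin.result != 'failure' && needs.build-docker.result != 'failure' && needs.build-ubi.result != 'failure') && ':white_check_mark:' || ':x:' }} Build results\n${{ (needs.test.result != 'failure' && needs.test-docker-k8s.result != 'failure') && ':white_check_mark:' || ':x:' }} Enos tests"
                  },
                  "accessory": {
                    "type": "button",
                    "text": {
                      "type": "plain_text",
                      "text": "View Failing Workflow",
                      "emoji": true
                    },
                    "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
                  }
                }
              ]
            }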