Merge pull request mutagen-io#313 from mutagen-io/ci-enhancements

xenoscopic · web-flow · commit 67a94630f3f6 · 2022-02-01T15:03:09.000+02:00
ci: add validations in preparation for pull requests
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,52 +6,37 @@ on: [push, pull_request]
 
 # Define the workflow jobs.
 jobs:
-  versioning:
-    name: Versioning
+  verification:
+    name: Commit Verification
     runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
         with:
-          go-version: '^1.17'
-      - run: go version
-      - name: "Analyze version information and release status"
-        id: analyze
+          fetch-depth: 0
+      - uses: actions/setup-node@v2
+        with:
+          node-version: '16'
+      - run: npm install --global @commitlint/cli
+      - name: "Perform commit verification"
         run: |
-          # Determine whether or not this is a release build.
-          RELEASE="${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }}"
-
-          # Determine version target information for Go. If this is a release,
-          # then we'll use the tag, otherwise we'll use the raw commit digest.
-          if [ "${RELEASE}" = "true" ]; then
-            TARGET="${GITHUB_REF#refs/tags/}"
-          else
-            TARGET="${GITHUB_SHA}"
-          fi
+          # Determine the target commit range.
+          export VERIFY_COMMIT_START="${{ github.event.pull_request.base.sha }}"
+          export VERIFY_COMMIT_END="${{ github.event.pull_request.head.sha }}"
 
-          # Determine the sidecar image tags.
-          SIDECAR_TAGS="$(go run scripts/ci/sidecar_tags.go)"
-
-          # Set outputs.
-          echo ::set-output name=release::${RELEASE}
-          echo ::set-output name=target::${TARGET}
-          echo ::set-output name=sidecar_tags::${SIDECAR_TAGS}
-    outputs:
-      release: ${{ steps.analyze.outputs.release }}
-      target: ${{ steps.analyze.outputs.target }}
-      sidecar_tags: ${{ steps.analyze.outputs.sidecar_tags }}
+          # Perform verification.
+          scripts/ci/verify.sh
   macos:
     name: macOS
     runs-on: macos-11
-    needs: [versioning]
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
         with:
           go-version: '^1.17'
-      - run: go version
       - name: "Install sha256sum"
         run: brew install coreutils
+      - run: scripts/ci/setup_go.sh
       - run: scripts/ci/setup_ssh.sh
       - run: scripts/ci/setup_partitions_darwin.sh
       - run: scripts/ci/analyze.sh
@@ -62,7 +47,7 @@ jobs:
           MACOS_CODESIGN_CERTIFICATE_AND_KEY: ${{ secrets.MACOS_CODESIGN_CERTIFICATE_AND_KEY }}
           MACOS_CODESIGN_CERTIFICATE_AND_KEY_PASSWORD: ${{ secrets.MACOS_CODESIGN_CERTIFICATE_AND_KEY_PASSWORD }}
       - run: scripts/ci/notarize.sh
-        if: ${{ needs.versioning.outputs.release == 'true' }}
+        if: github.ref_type == 'tag'
         env:
           MACOS_NOTARIZE_APPLE_ID: ${{ secrets.MACOS_NOTARIZE_APPLE_ID }}
           MACOS_NOTARIZE_APP_SPECIFIC_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_SPECIFIC_PASSWORD }}
@@ -88,8 +73,7 @@ jobs:
       - uses: actions/setup-go@v2
         with:
           go-version: '^1.17'
-      - run: docker version
-      - run: go version
+      - run: scripts/ci/setup_go.sh
       - run: scripts/ci/setup_ssh.sh
       - run: scripts/ci/setup_docker.sh
       - run: scripts/ci/analyze.sh
@@ -104,8 +88,8 @@ jobs:
       - uses: actions/setup-go@v2
         with:
           go-version: '^1.17'
-      - run: docker version
-      - run: go version
+      - run: scripts/ci/setup_go.sh
+        shell: bash
       - run: scripts/ci/setup_docker.sh
         shell: bash
       - run: diskpart /s scripts\ci\setup_partitions_windows.txt
@@ -118,25 +102,54 @@ jobs:
       - run: scripts/ci/build.sh
         shell: bash
   sidecar:
-    name: Sidecar
+    name: Sidecar (Non-release)
+    runs-on: ubuntu-latest
+    if: github.ref_type != 'tag'
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '^1.17'
+      - uses: docker/setup-qemu-action@v1
+      - uses: docker/setup-buildx-action@v1
+      - name: "Determine sidecar tags"
+        id: tags
+        run: echo ::set-output name=tags::$(go run scripts/ci/sidecar_tags.go)
+      - uses: docker/build-push-action@v2
+        with:
+          file: images/sidecar/linux/Dockerfile
+          tags: ${{ steps.tags.outputs.tags }}
+          platforms: |
+            linux/386
+            linux/amd64
+            linux/arm/v6
+            linux/arm/v7
+            linux/arm64/v8
+            linux/ppc64le
+  sidecar_release:
+    name: Sidecar (Release)
     runs-on: ubuntu-latest
-    needs: [versioning, macos, linux, windows]
+    if: github.ref_type == 'tag'
+    needs: [macos, linux, windows]
     steps:
       - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '^1.17'
       - uses: docker/setup-qemu-action@v1
       - uses: docker/setup-buildx-action@v1
       - uses: docker/login-action@v1
-        if: ${{ needs.versioning.outputs.release == 'true' }}
         with:
           username: ${{ secrets.SIDECAR_DEPLOYMENT_USER }}
           password: ${{ secrets.SIDECAR_DEPLOYMENT_TOKEN }}
+      - name: "Determine sidecar tags"
+        id: tags
+        run: echo ::set-output name=tags::$(go run scripts/ci/sidecar_tags.go)
       - uses: docker/build-push-action@v2
         with:
-          build-args: |
-            TARGET=${{ needs.versioning.outputs.target }}
-          context: images/sidecar/linux
-          tags: ${{ needs.versioning.outputs.sidecar_tags }}
-          push: ${{ needs.versioning.outputs.release == 'true' }}
+          file: images/sidecar/linux/Dockerfile
+          tags: ${{ steps.tags.outputs.tags }}
+          push: true
           platforms: |
             linux/386
             linux/amd64
@@ -147,8 +160,8 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
-    needs: [versioning, macos, linux, windows, sidecar]
-    if: ${{ needs.versioning.outputs.release == 'true' }}
+    if: github.ref_type == 'tag'
+    needs: [macos, linux, windows, sidecar_release]
     steps:
       - uses: actions/download-artifact@v2
         with:
diff --git a/images/sidecar/linux/Dockerfile b/images/sidecar/linux/Dockerfile
@@ -5,18 +5,26 @@ FROM golang:1.17-alpine3.14 AS builder
 # avoid the need for gcc on certain architectures).
 ENV CGO_ENABLED=0
 
-# Define an argument to specify the entrypoint version target.
-ARG TARGET
-
-# Build the sidecar entrypoint. We have to use the shell form of RUN in order to
-# access the TARGET argument.
-RUN go get github.com/mutagen-io/mutagen/cmd/mutagen-sidecar@${TARGET}
+# Copy the Mutagen source code into the container and set the code directory as
+# our default working location.
+RUN ["mkdir", "/mutagen"]
+COPY ["go.mod", "go.sum", "/mutagen/"]
+COPY ["cmd", "/mutagen/cmd/"]
+COPY ["pkg", "/mutagen/pkg/"]
+WORKDIR /mutagen
+
+# Build the sidecar entrypoint and agent binaries.
+RUN ["go", "build", "./cmd/mutagen-sidecar"]
+RUN ["go", "build", "./cmd/mutagen-agent"]
 
 # Switch to a vanilla Alpine base for the final image.
 FROM alpine:3.14
 
-# Copy the sidecar entrypoint from the builder.
-COPY --from=builder ["/go/bin/mutagen-sidecar", "/usr/bin/mutagen-sidecar"]
+# Copy the sidecar entrypoint and agent binaries from the builder. For the
+# agent, use its installation mechanism to move it to the correct location.
+COPY --from=builder ["/mutagen/mutagen-sidecar", "/usr/bin/mutagen-sidecar"]
+COPY --from=builder ["/mutagen/mutagen-agent", "/mutagen-agent"]
+RUN ["/mutagen-agent", "install"]
 
 # Create the parent directory for volume mount points.
 RUN ["mkdir", "/volumes"]
diff --git a/scripts/ci/analyze.sh b/scripts/ci/analyze.sh
@@ -4,15 +4,26 @@
 # fail, so we track the exit status of each command instead of using set -e.
 FAILURE=0
 
+# Verify that code is formatted and simplified according to Go standards. We
+# skip this check on Windows due to gofmt normalizing Go code to LF endings (and
+# thus generating an enormous and pointless diff).
+if [[ "$(go env GOOS)" != "windows" ]]; then
+    gofmt -s -l -d . | tee gofmt.log
+    if [[ -s gofmt.log ]]; then
+        FAILURE=1
+    fi
+    rm gofmt.log
+fi
+
 # Perform static analysis.
 go vet ./pkg/... || FAILURE=1
 go vet ./cmd/... || FAILURE=1
 go vet ./scripts/... || FAILURE=1
 
-# TODO: Add gofmt -s support.
-# TODO: Add golint (https://github.com/golang/lint).
-# TODO: Add ineffassign (https://github.com/gordonklaus/ineffassign).
-# TODO: Add misspell (https://github.com/client9/misspell).
+# TODO: Add spell checking. The https://github.com/client9/misspell tool is what
+# we've used historically (via Go Report Card), but it seems like it's no longer
+# maintained and it's installation is a little non-trivial.
+
 # TODO: Add custom code/comment structure validation.
 
 # Done.
diff --git a/scripts/ci/commitlint/config.json b/scripts/ci/commitlint/config.json
@@ -0,0 +1,43 @@
+{
+    "rules": {
+        "header-max-length": [2, "always", 72],
+
+        "type-case": [2, "always", "lower-case"],
+        "type-empty": [2, "never"],
+        "type-enum": [
+            2,
+            "always",
+            [
+                "cli",
+                "agent",
+                "daemon",
+                "sidecar",
+                "core",
+                "forward",
+                "sync",
+                "test",
+                "tools",
+                "git",
+                "ci",
+                "build",
+                "docs",
+                "deps",
+                "style",
+                "version"
+            ]
+        ],
+
+        "scope-empty": [2, "always"],
+
+        "subject-empty": [2, "never"],
+        "subject-full-stop": [2, "never"],
+
+        "body-leading-blank": [2, "always"],
+        "body-max-line-length": [2, "always", 72],
+        "body-empty": [2, "never"],
+        "body-case": [2, "always", "sentence-case"],
+
+        "footer-leading-blank": [2, "always"],
+        "footer-max-line-length": [2, "always", 72]
+    }
+}
diff --git a/scripts/ci/setup_docker.sh b/scripts/ci/setup_docker.sh
@@ -3,6 +3,9 @@
 # Exit immediately on failure.
 set -e
 
+# Print Docker version information.
+docker version
+
 # Determine the operating system.
 MUTAGEN_OS_NAME="$(go env GOOS)"
 
diff --git a/scripts/ci/setup_go.sh b/scripts/ci/setup_go.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Exit immediately on failure.
+set -e
+
+# Print the Go version.
+go version
+
+# Pre-download Go modules.
+go mod download
diff --git a/scripts/ci/verify.sh b/scripts/ci/verify.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Exit immediately on failure.
+set -e
+
+# Print status information.
+echo "Performing commit verification"
+echo
+
+# Track that we actually perform some sort of verification, because we don't
+# have an elegant way to verify that git rev-list succeeds when being used via
+# process substitution.
+PERFORMED_VERIFICATION="false"
+
+# Loop over the relevant commits.
+while read commit; do
+    # Print status information.
+    echo "> Verifying ${commit}"
+
+    # Validate the commit message format.
+    if git show --format="format:%B" --no-patch "${commit}" | commitlint --config scripts/ci/commitlint/config.json; then
+        echo "Commit message is valid"
+    else
+        echo "Invalid commit message!"
+        exit 1
+    fi
+
+    # Verify that the expected sign-off is present.
+    EXPECTED_SIGNOFF="$(git show "${commit}" --format="format:Signed-off-by: %an <%ae>" --no-patch)"
+    if git show --summary "${commit}" | grep -q "${EXPECTED_SIGNOFF}"; then
+        echo "Found valid sign-off"
+    else
+        echo "Missing sign-off!"
+        exit 1
+    fi
+
+    # Verify that a cryptographic signature is present.
+    # TODO: It may be worth trying to corresponding GPG keys from GitHub to
+    # verify that they match the commit author, but that's going to be tricky.
+    # We'll also have to consider the possibility that the signatures were made
+    # with OpenSSH keys, and I'm not sure how to import those for Git-based
+    # verification. For now, we can just check the verified label on the GitHub
+    # web interface.
+    if [[ ! -z "$(git show --format="format:%GK" --no-patch "${commit}")" ]]; then
+        echo "Found cryptographic signature"
+    else
+        echo "Missing or invalid cryptographic signature!"
+        exit 1
+    fi
+
+    # TODO: Perform spell checking on the commit message. This might be tricky
+    # if there are technical or code terms in the message.
+
+    # Record that some verification was performed.
+    PERFORMED_VERIFICATION="true"
+
+    # Output a separator line.
+    echo
+done < <(git rev-list "${VERIFY_COMMIT_START}...${VERIFY_COMMIT_END}")
+
+# Enforce that at least one commit was verified.
+if [[ "${PERFORMED_VERIFICATION}" == "false" ]]; then
+    echo "No verification performed!"
+    exit 1
+fi
+
+# Print status information.
+echo "Commit verification succeeded!"
