From 8b56d284feca17f5955d756ba60311387d0f9e38 Mon Sep 17 00:00:00 2001
From: Bart Smykla
Date: Tue, 17 Dec 2024 09:25:19 +0100
Subject: [PATCH] ci(github): update workflows to use ubuntu-24.04 runners (#12251)

GitHub is upgrading the `ubuntu-latest` runners to `ubuntu-24.04`. We need to make sure our CI still works as expected. I also suggest pinning the runner image version instead of using `ubuntu-latest`.

Signed-off-by: Bart Smykla
---
 .github/workflows/_build_publish.yaml | 13 ++-
 .github/workflows/_test.yaml | 4 +-
 .github/workflows/auto-merge.yaml | 2 +-
 .github/workflows/bom.yaml | 2 +-
 .github/workflows/build-test-distribute.yaml | 8 +-
 .github/workflows/check.yaml | 6 ++
 .github/workflows/ci-stability.yaml | 82 +++++++++++++++++++
 .github/workflows/codeql.yaml | 2 +-
 .../workflows/merge-release-to-master.yaml | 2 +-
 .github/workflows/pr-comments.yaml | 2 +-
 .github/workflows/pr-merged.yaml | 2 +-
 .github/workflows/release.yaml | 2 +-
 .github/workflows/scorecard.yml | 2 +-
 .github/workflows/transparentproxy-tests.yaml | 2 +-
 .github/workflows/update-docs.yaml | 2 +-
 .../update-insecure-dependencies.yaml | 4 +-
 16 files changed, 119 insertions(+), 18 deletions(-)
 create mode 100644 .github/workflows/ci-stability.yaml

diff --git a/.github/workflows/_build_publish.yaml b/.github/workflows/_build_publish.yaml
index d5462e06816e..18576c9f6e8d 100644
--- a/.github/workflows/_build_publish.yaml
+++ b/.github/workflows/_build_publish.yaml
@@ -44,7 +44,7 @@ env:
 jobs:
 build-binaries:
 timeout-minutes: 40
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 outputs:
 BINARY_ARTIFACT_DIGEST_BASE64: ${{ steps.inspect-binary-output.outputs.binary_artifact_digest_base64 }}
 steps:
@@ -88,7 +88,11 @@ jobs:
 run: |
 make publish/pulp
 build-images:
+<<<<<<< HEAD
 runs-on: ubuntu-22.04 # pining to this version since we use older base image for kuma-init and we don't want to change it since it can break users environment
+=======
+ runs-on: ubuntu-24.04
+>>>>>>> 79dbceeef (ci(github): update workflows to use ubuntu-24.04 runners (#12251))
 timeout-minutes: 30
 strategy:
 fail-fast: false
@@ -195,7 +199,12 @@ jobs:
 registry_password: ${{ secrets.DOCKER_API_KEY }}
 digest-images:
 needs: [build-images]
+<<<<<<< HEAD
 runs-on: ubuntu-latest
+=======
+ runs-on: ubuntu-24.04
+ if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
+>>>>>>> 79dbceeef (ci(github): update workflows to use ubuntu-24.04 runners (#12251))
 outputs:
 DIGESTS: ${{ steps.compute-digests.outputs.digests }}
 steps:
@@ -213,7 +222,7 @@ jobs:
 publish-helm:
 needs: [build-images]
 timeout-minutes: 10
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
diff --git a/.github/workflows/_test.yaml b/.github/workflows/_test.yaml
index bbaf4e0bc4f7..fd85ef72b951 100644
--- a/.github/workflows/_test.yaml
+++ b/.github/workflows/_test.yaml
@@ -18,7 +18,7 @@ jobs:
 test_unit:
 timeout-minutes: 20
 if: ${{ !contains(github.event.pull_request.labels.*.name, 'ci/skip-test') }}
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
@@ -39,7 +39,7 @@ jobs:
 make test
 gen_e2e_matrix:
 timeout-minutes: 2
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 outputs:
 matrix: ${{ steps.generate-matrix.outputs.matrix }}
 steps:
diff --git a/.github/workflows/auto-merge.yaml b/.github/workflows/auto-merge.yaml
index 5307d993e66f..1168c140958e 100644
--- a/.github/workflows/auto-merge.yaml
+++ b/.github/workflows/auto-merge.yaml
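Review bot: Unresolved merge-conflict markers are committed on the new side of the `build-images` hunk in _build_publish.yaml (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 79dbceeef …`), which leaves two `runs-on:` keys and non-YAML lines in the job, so the workflow will not parse. The same markers are added in the `digest-images` hunk of this file, around `RUNNERS_BY_ARCH` in build-test-distribute.yaml, and in the `commit-lint` job of check.yaml. Each conflict needs a deliberate resolution rather than the incoming side by default: for `build-images` the HEAD line pins `ubuntu-22.04` with a comment about the older kuma-init base image, so keeping `runs-on: ubuntu-22.04` looks like the intended choice on this branch. A pre-merge check such as `git diff --check`, which reports leftover conflict markers, or a workflow linter would catch this before it reaches CI.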
@@ -13,7 +13,7 @@ permissions:
 jobs:
 approve-and-auto-merge:
 timeout-minutes: 10
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 if: contains(github.event.pull_request.labels.*.name, 'ci/auto-merge')
 permissions:
 pull-requests: write
diff --git a/.github/workflows/bom.yaml b/.github/workflows/bom.yaml
index 858167c374df..fdcc33062dd2 100644
--- a/.github/workflows/bom.yaml
+++ b/.github/workflows/bom.yaml
@@ -7,7 +7,7 @@ permissions: read-all
 jobs:
 sbom:
 timeout-minutes: 10
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
index 268c316b9919..b1327304d246 100644
--- a/.github/workflows/build-test-distribute.yaml
+++ b/.github/workflows/build-test-distribute.yaml
@@ -21,7 +21,7 @@ jobs:
 # golangci-lint-action
 checks: write
 timeout-minutes: 25
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 env:
 FULL_MATRIX: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'ci/run-full-matrix') }}
 ALLOW_PUSH: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ci/force-publish') }}
@@ -85,7 +85,11 @@ jobs:
 uses: ./.github/workflows/_test.yaml
 with:
 FULL_MATRIX: ${{ needs.check.outputs.FULL_MATRIX }}
+<<<<<<< HEAD
 RUNNERS_BY_ARCH: ${{ (github.event_name == 'push' || github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) && '{"amd64":"ubuntu-latest-kong","arm64":"ubuntu-latest-arm64-kong"}' || '{"amd64":"ubuntu-latest","arm64":""}' }}
+=======
+ RUNNERS_BY_ARCH: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) && '{"amd64":"ubuntu-latest-kong","arm64":"ubuntu-latest-arm64-kong"}' || '{"amd64":"ubuntu-24.04","arm64":""}' }}
+>>>>>>> 79dbceeef (ci(github): update workflows to use ubuntu-24.04 runners (#12251))
 secrets: inherit
 build_publish:
 permissions:
@@ -124,7 +128,7 @@ jobs:
 needs: ["build_publish", "check", "test", "provenance"]
 timeout-minutes: 10
 if: ${{ always() }}
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 permissions:
 contents: write
 actions: read # For getting workflow run info
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index 8c95f57de077..0f15732f92b1 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -12,7 +12,13 @@ permissions:
 jobs:
 commit-lint:
 timeout-minutes: 10
+<<<<<<< HEAD
 runs-on: ubuntu-latest
+=======
+ runs-on: ubuntu-24.04
+ permissions:
+ pull-requests: write
+>>>>>>> 79dbceeef (ci(github): update workflows to use ubuntu-24.04 runners (#12251))
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Check PR title
diff --git a/.github/workflows/ci-stability.yaml b/.github/workflows/ci-stability.yaml
new file mode 100644
index 000000000000..55b148cc1f31
--- /dev/null
+++ b/.github/workflows/ci-stability.yaml
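Review bot: The incoming side of the `commit-lint` conflict in check.yaml adds a job-level `permissions:` with `pull-requests: write`, which widens the job token beyond what a runner-image update calls for. The workflow trigger and the workflow-level `permissions:` block are outside the hunk, so whether the "Check PR title" step on this branch needs write access cannot be confirmed from here; if it does not, resolve the conflict with only `runs-on: ubuntu-24.04`. If the scope is needed, a comment on the grant naming the step that uses it, e.g. `# required by the PR-title check to comment on the pull request`, keeps it reviewable.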
@@ -0,0 +1,82 @@
+name: Check CI stability for PRs with "ci/verify-stability" or "ci/verify-stability-merge-master" label
+
+on:
+ schedule:
+ # Monday to Friday: Every 2 hours from 7 PM to 7 AM CEST
+ - cron: "0 17 * * 1-5"
+ - cron: "0 19 * * 1-5"
+ - cron: "0 21 * * 1-5"
+ - cron: "0 23 * * 1-5"
+ - cron: "0 1 * * 2-6"
+ - cron: "0 3 * * 2-6"
+ - cron: "0 5 * * 2-6"
+ # Saturday and Sunday: Every 2 hours all day
+ - cron: "0 */2 * * 6,0"
+ workflow_dispatch: # Allows manual trigger from GitHub Actions UI
+env:
+ GH_USER: "github-actions[bot]"
+ GH_EMAIL: "<41898282+github-actions[bot]@users.noreply.github.com>"
+jobs:
+ trigger-ci:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Generate GitHub app token
+ id: github-app-token
+ uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ token: ${{ steps.github-app-token.outputs.token }}
+ - name: Get open pull requests and save to file
+ run: |
+ gh pr list --json number,labels > open_prs.json
+ env:
+ GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}
+ - name: Process PRs
+ id: process_prs
+ run: |
+ cat open_prs.json
+ pr_numbers_with_verify_stability=$(jq -r -c '.[] | select(.labels[]?.name == "ci/verify-stability") | .number' open_prs.json | tr '\n' ' ')
+ pr_numbers_with_verify_stability_merge_master=$(jq -r '.[] | select(.labels[]?.name == "ci/verify-stability-merge-master") | .number' open_prs.json | tr '\n' ' ')
+ echo "PRs with 'ci/verify-stability' label: $pr_numbers_with_verify_stability"
+ echo "PRs with 'ci/verify-stability-merge-master' label: $pr_numbers_with_verify_stability_merge_master"
+ echo "pr_numbers_with_verify_stability=$pr_numbers_with_verify_stability" >> $GITHUB_OUTPUT
+ echo "pr_numbers_with_verify_stability_merge_master=$pr_numbers_with_verify_stability_merge_master" >> $GITHUB_OUTPUT
+ env:
+ GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}
+ - name: Merge master branch (if applicable) and push a single commit
+ if: steps.process_prs.outputs.pr_numbers_with_verify_stability != ''
+ run: |
+ eval "pr_numbers=(${{ steps.process_prs.outputs.pr_numbers_with_verify_stability }})"
+ for pr_number in $pr_numbers; do
+ current_datetime=$(date +"%Y-%m-%d %H:%M:%S")
+ echo "Processing PR #$pr_number"
+
+ # Fetch PR details to get the base branch (original branch name)
+ pr_branch=$(gh pr view $pr_number --json headRefName --jq '.headRefName')
+ echo "The original branch for PR #$pr_number is $pr_branch"
+ git fetch origin pull/$pr_number/head:$pr_branch
+ git checkout $pr_branch
+
+ git config user.name "${GH_USER}"
+ git config user.email "${GH_EMAIL}"
+
+ # Check if the PR needs to merge with master
+ if echo "${{ steps.process_prs.outputs.pr_numbers_with_verify_stability_merge_master }}" | grep -wq "$pr_number"; then
+ echo "Merging master into PR #$pr_number"
+ git fetch origin master
+ git merge origin/master --no-ff --no-commit
+ git commit --allow-empty -m "Merge master into PR #$pr_number"
+ fi
+
+ # Commit an empty commit to trigger the CI
+ echo "Pushing empty commit to trigger CI for PR #$pr_number on $current_datetime"
+ git commit --allow-empty -m "Trigger CI for PR #$pr_number on $current_datetime"
+ git push origin $pr_branch
+ done
+ env:
+ GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 282c1b1c8565..07ae42b29321 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -9,7 +9,7 @@ jobs:
 analyze:
 timeout-minutes: 30
 name: Analyze
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 permissions:
 actions: read
 contents: read
diff --git a/.github/workflows/merge-release-to-master.yaml b/.github/workflows/merge-release-to-master.yaml
index 6c0765801787..d679204c7f35 100644
--- a/.github/workflows/merge-release-to-master.yaml
+++ b/.github/workflows/merge-release-to-master.yaml
@@ -11,7 +11,7 @@ permissions:
 contents: read
 jobs:
 release:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
diff --git a/.github/workflows/pr-comments.yaml b/.github/workflows/pr-comments.yaml
index 00ddcf069860..2fbf4d0ddca3 100644
--- a/.github/workflows/pr-comments.yaml
+++ b/.github/workflows/pr-comments.yaml
@@ -12,7 +12,7 @@ jobs:
 pr_comments:
 timeout-minutes: 30
 if: github.event.issue.pull_request != '' && (contains(github.event.comment.body, '/format') || contains(github.event.comment.body, '/golden_files'))
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - name: Generate GitHub app token
 id: github-app-token
diff --git a/.github/workflows/pr-merged.yaml b/.github/workflows/pr-merged.yaml
index 79f9c400d33d..6ffe04524df4 100644
--- a/.github/workflows/pr-merged.yaml
+++ b/.github/workflows/pr-merged.yaml
@@ -15,7 +15,7 @@ jobs:
 timeout-minutes: 10
 if: github.event_name != 'pull_request_target' || github.event.pull_request.merged
 name: "Notify about merged PR"
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - name: "Send repository dispatch event"
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 29dc4075f290..fd19859d8546 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -34,7 +34,7 @@ permissions:
 jobs:
 release:
 timeout-minutes: 30
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 898698d2c682..46346a685651 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -14,7 +14,7 @@ jobs:
 analysis:
 timeout-minutes: 10
 name: Scorecard analysis
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 permissions:
 # Needed to upload the results to code-scanning dashboard.
 security-events: write
diff --git a/.github/workflows/transparentproxy-tests.yaml b/.github/workflows/transparentproxy-tests.yaml
index a257795a60f0..0853d55ca6c2 100644
--- a/.github/workflows/transparentproxy-tests.yaml
+++ b/.github/workflows/transparentproxy-tests.yaml
@@ -11,7 +11,7 @@ permissions:
 jobs:
 test:
 timeout-minutes: 60
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
diff --git a/.github/workflows/update-docs.yaml b/.github/workflows/update-docs.yaml
index be8aedae07db..0abb36f4b458 100644
--- a/.github/workflows/update-docs.yaml
+++ b/.github/workflows/update-docs.yaml
@@ -21,7 +21,7 @@ permissions:
 jobs:
 generate-docs:
 timeout-minutes: 10
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
diff --git a/.github/workflows/update-insecure-dependencies.yaml b/.github/workflows/update-insecure-dependencies.yaml
index 22995ca5c494..efb69118d2b9 100644
--- a/.github/workflows/update-insecure-dependencies.yaml
+++ b/.github/workflows/update-insecure-dependencies.yaml
@@ -7,7 +7,7 @@ permissions: read-all
 jobs:
 build-matrix:
 timeout-minutes: 10
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 outputs:
 branches: ${{ steps.generate-matrix.outputs.branches }}
 steps:
@@ -28,7 +28,7 @@ jobs:
 fail-fast: false
 matrix:
 branch: ${{ fromJSON(needs.build-matrix.outputs.branches) }}
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - name: Set Swap Space
 uses: pierotofy/set-swap-space@49819abfb41bd9b44fb781159c033dba90353a7c