Migrate core CI pipeline to GitHub Actions #1865
Conversation
.github/workflows/ci.yml
Outdated
| BRANCH_NAME: master | ||
| CHANNEL: master | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} |
There was a problem hiding this comment.
Note that I haven't tested the publish and promote steps, except to verify that they don't run on my fork. The idea here is that:
- Publish will run on any build that has valid AWS secrets set.
- Promote will run only on the master branch as long as valid AWS secrets are set.
Note that unlike Jenkins, "any build" here can include forks. In practice forks should run this workflow, but skip the publish and promote stages because they don't have the AWS credential secrets set. If a fork did somehow acquire and set these credentials (in its GitHub Settings) it would publish and promote artifacts, but this seems unlikely.
There was a problem hiding this comment.
@negz I believe that we currently do publish artifacts for to https://releases.crossplane.io/build/ for any successful build on a PR. I don't think we necessarily have to do that though, especially since it looks like we now upload to GH directly (which is super cool!)
There was a problem hiding this comment.
Right - this implementation will also publish (but not promote) artifacts to Docker Hub and S3 on every build, as long as the appropriate secrets are set to do so.
| on: | ||
| push: | ||
| branches: | ||
| - master |
There was a problem hiding this comment.
Should we include the release branches here @hasheddan and @jbw976?
| if: env.DOCKER_USR != '' | ||
| with: | ||
| username: ${{ secrets.DOCKER_USR }} | ||
| password: ${{ secrets.DOCKER_PSW }} |
There was a problem hiding this comment.
I suggest we set these and the AWS secrets at the org level, to make setting up new repos easy - https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-organization
There was a problem hiding this comment.
That sounds good to me, just want to make sure that we don't allow someone to submit a PR that modifies the action and they can do whatever they want using the secret 👍
There was a problem hiding this comment.
This is awesome to see @negz! Thanks so much for investing time in this :)
It looks like we are building multiple times here in order to be able to run our different steps concurrently. Had you considered doing a serial build, then splitting out to concurrent running of unit tests / e2e tests / etc.? Is that even possible with GH actions?
| if: env.DOCKER_USR != '' | ||
| with: | ||
| username: ${{ secrets.DOCKER_USR }} | ||
| password: ${{ secrets.DOCKER_PSW }} |
There was a problem hiding this comment.
That sounds good to me, just want to make sure that we don't allow someone to submit a PR that modifies the action and they can do whatever they want using the secret 👍
| on: | ||
| push: | ||
| branches: | ||
| - master |
It may be possible, but I suspect it would get tricky. We'd need to model the fan out as separate jobs, which would run on distinct VMs each with a pristine build environment. So we'd need to use the cache or artifacts to pass our Go build cache from the initial build onto the jobs that run the unit tests, e2e tests, etc. I don't think the complexity is worth it, given that it I don't believe it would actually speed up builds. |
This pipeline has been replaced by GitHub Actions. The promote and tag pipelines will be replaced in a future commit. Signed-off-by: Nic Cope <negz@rk0n.org>
This commit is a moderately faithful port of the existing Jenkinsfile to GitHub Actions. Notably, it eschews the cross container to avoid the ~5 min penalty of having to build it and runs much of the build in parallel. Signed-off-by: Nic Cope <negz@rk0n.org>
True, we would still be constrained by the longest running action. That being said, it would be nice to not needlessly build three times. Definitely can be a future optimization though 👍 |
Description of your changes
Fixes #1583
This PR migrates Crossplane's CI/CD system from Jenkins to GitHub Actions. Its logic is largely implemented by the https://github.com/upbound/build/
makelibrary, and thus unchanged from the Jenkins pipeline. The big differences in this implementation are:The net result of these changes is that we can build and verify a pull request in ~6.5 minutes, where Jenkins has been averaging ~20 minutes lately.
In addition to being faster, migrating to GitHub Actions means:
.github/workflows/ci.ymlwill have CI/CD enabled.Take a look at https://github.com/negz/crossplane/actions/runs/319197909 to see this pipeline in action.
I have:
make reviewable testto ensure this PR is ready for review.How has this code been tested