CUS-356: CI: use released engflow_auth to authenticate, upload BES (#24)
Added login.sh, which downloads a released engflow_auth binary,
uses it to import a credential, then configures Bazel to use it.

Added logout.sh, which removes the imported credential.

The presubmit and postsubmit jobs all run login.sh before and
logout.sh after running bazel.

.bazelrc now has some common remote execution flags, but currently
only uploads BES. No remote execution or caching yet.
jayconrod authored Aug 26, 2024
1 parent ac42ea1 commit 1782cb7
Showing 5 changed files with 239 additions and 13 deletions.
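--- a/.bazelrc
+++ b/.bazelrc
@@ -23,3 +23,24 @@ build:noninteractive --keep_going
 
 build:release --config=noninteractive
 build:release --stamp
+
+build:engflow_common --jobs=40
+build:engflow_common --define=EXECUTOR=remote
+build:engflow_common --experimental_inmemory_dotd_files
+build:engflow_common --experimental_inmemory_jdeps_files
+build:engflow_common --incompatible_strict_action_env=true
+build:engflow_common --remote_timeout=600
+build:engflow_common --legacy_important_outputs=false
+build:engflow_common --grpc_keepalive_time=30s
+build:engflow_common --experimental_remote_cache_compression=true
+build:engflow_common --remote_instance_name=auth
+build:engflow_common --bes_instance_name=auth
+build:engflow_common --bes_lifecycle_events
+
+build:opal --config=engflow_common
+build:opal --bes_backend=grpcs://opal.cluster.engflow.com
+build:opal --bes_results_url=https://opal.cluster.engflow.com/invocations/auth/
+# TODO(CUS-349): enable remote execution
+
+# Load authentication flags for the remote service, if any.
+try-import .bazelrc.user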
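Review bot: `try-import .bazelrc.user` reads a file that infra/login.sh generates in the workspace root, next to a binary it downloads into `_tools/`, and `.gitignore` is not among the five files this commit touches. Unless both paths are already ignored, a local run of login.sh leaves them untracked and easy to commit by accident; consider adding `.bazelrc.user` and `/_tools/` to `.gitignore`. A one-line comment above the `build:engflow_common` group, for example `# Flags shared by every EngFlow cluster config; selected via --config=opal.`, would also make clear that the group does nothing on its own.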
60 changes: 55 additions & 5 deletions .github/workflows/main.yml
Expand Up @@ -24,9 +24,12 @@ on:
concurrency:
group: ${{ github.workflow }}.${{ github.ref }}

# Recommended here: https://github.com/bazelbuild/bazelisk/issues/88#issuecomment-625178467
env:
# Recommended here: https://github.com/bazelbuild/bazelisk/issues/88#issuecomment-625178467
BAZELISK_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CLUSTER_HOST: opal.cluster.engflow.com
CLUSTER_CONFIG: opal
CRED_HELPER_TOKEN: ${{ secrets.OPAL_CRED_HELPER_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPAL_RPC_CREDENTIALS: ${{ secrets.OPAL_RPC_CREDENTIALS }}

Expand All @@ -43,13 +46,24 @@ jobs:
- "engflow-runner-id=${{ github.repository_id }}_bazel-builder_${{ github.run_id }}_${{ github.run_number }}_${{ github.run_attempt }}"
timeout-minutes: 10

env:
ARCH: "x64"
OS: "linux"

steps:
- uses: actions/checkout@v4

- name: Log in
run: infra/login.sh

- name: Run all tests
if: success()
run: |
# TODO(CUS-345): Enable remote execution
bazel test --config=noninteractive //...
bazel test --config=noninteractive --config="${CLUSTER_CONFIG}" //...
- name: Log out
run: infra/logout.sh

golang-builder:
runs-on:
Expand All @@ -76,14 +90,28 @@ jobs:
os_version: "2022"
revision: "d04e89854b3931f4aaced77aa3a2fcad5834b3a6"

env:
ARCH: "${{ matrix.arch }}"
OS: "${{ matrix.os }}"

steps:
- uses: actions/checkout@v4

- name: Log in
shell: bash
run: infra/login.sh

- name: Run all tests
if: success()
shell: bash
run: |
# TODO(CUS-345): Enable remote execution
bazel run --config=noninteractive @rules_go//go -- test ./...
bazel run --config=noninteractive @rules_go//go -- clean -cache -modcache
bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- test ./...
bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- clean -cache -modcache
- name: Log out
shell: bash
run: infra/logout.sh

golang-builder-ci-runners:
runs-on:
Expand All @@ -96,15 +124,26 @@ jobs:
- "engflow-runner-id=${{ github.repository_id }}_golang-builder-ci-runners_${{ github.run_id }}_${{ github.run_number }}_${{ github.run_attempt }}"
timeout-minutes: 10

env:
ARCH: "x64"
OS: "linux"

steps:
- uses: actions/checkout@v4

- name: Log in
run: infra/login.sh

- name: Run all tests
if: success()
run: |
# TODO(CUS-345): Enable remote execution
bazel run --config=noninteractive @rules_go//go -- test ./...
bazel run --config=noninteractive @rules_go//go -- clean -cache -modcache
- name: Log out
run: infra/logout.sh

copyright-headers-check:
runs-on:
- self-hosted
Expand All @@ -116,9 +155,20 @@ jobs:
- "engflow-runner-id=${{ github.repository_id }}_copyright-headers-check_${{ github.run_id }}_${{ github.run_number }}_${{ github.run_attempt }}"
timeout-minutes: 10

env:
ARCH: "x64"
OS: "linux"

steps:
- uses: actions/checkout@v4

- name: Log in
run: infra/login.sh

- name: Check copyright headers
if: success()
run: |
bazel run --config=noninteractive //infra/internal/check_copyright_headers
bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" //infra/internal/check_copyright_headers
- name: Log out
run: infra/logout.sh
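Review bot: The `Log out` steps have no `if:` condition, so they are skipped whenever `Log in` or the bazel step before them fails, and the credential that login.sh imported with `-store=file` is then left on the self-hosted runner after a red build. Add `if: always()` to each `Log out` step in all four jobs here; the four jobs in presubmit.yml have the same gap. The `if: success()` added to the test steps is already the default and can be dropped. The `golang-builder-ci-runners` job in this file also appears to keep its two bazel commands without `--config="${CLUSTER_CONFIG}"`, unlike the other jobs; the rendering has lost the +/- markers, so please confirm whether that is intended.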
65 changes: 57 additions & 8 deletions .github/workflows/presubmit.yml
Expand Up @@ -26,11 +26,13 @@ concurrency:
group: ${{ github.workflow }}.${{ github.ref }}
cancel-in-progress: true

# Recommended here: https://github.com/bazelbuild/bazelisk/issues/88#issuecomment-625178467
env:
# Recommended here: https://github.com/bazelbuild/bazelisk/issues/88#issuecomment-625178467
BAZELISK_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CLUSTER_HOST: opal.cluster.engflow.com
CLUSTER_CONFIG: opal
CRED_HELPER_TOKEN: ${{ secrets.OPAL_CRED_HELPER_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPAL_RPC_CREDENTIALS: ${{ secrets.OPAL_RPC_CREDENTIALS }}

jobs:
# TODO(OND-616): use remote execution and caching for all CI Runner jobs.
Expand All @@ -45,13 +47,24 @@ jobs:
- "engflow-runner-id=${{ github.repository_id }}_bazel-builder_${{ github.run_id }}_${{ github.run_number }}_${{ github.run_attempt }}"
timeout-minutes: 10

env:
ARCH: "x64"
OS: "linux"

steps:
- uses: actions/checkout@v4

- name: Log in
run: infra/login.sh

- name: Run all tests
if: success()
run: |
# TODO(CUS-345): Enable remote execution
bazel test --config=noninteractive //...
bazel test --config=noninteractive --config="${CLUSTER_CONFIG}" //...
- name: Log out
run: infra/logout.sh

golang-builder:
runs-on:
Expand All @@ -78,14 +91,28 @@ jobs:
os_version: "2022"
revision: "d04e89854b3931f4aaced77aa3a2fcad5834b3a6"

env:
ARCH: "${{ matrix.arch }}"
OS: "${{ matrix.os }}"

steps:
- uses: actions/checkout@v4

- name: Log in
shell: bash
run: infra/login.sh

- name: Run all tests
if: success()
shell: bash
run: |
# TODO(CUS-345): Enable remote execution
bazel run --config=noninteractive @rules_go//go -- test ./...
bazel run --config=noninteractive @rules_go//go -- clean -cache -modcache
bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- test ./...
bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- clean -cache -modcache
- name: Log out
shell: bash
run: infra/logout.sh

golang-builder-ci-runners:
runs-on:
Expand All @@ -98,14 +125,25 @@ jobs:
- "engflow-runner-id=${{ github.repository_id }}_golang-builder-ci-runners_${{ github.run_id }}_${{ github.run_number }}_${{ github.run_attempt }}"
timeout-minutes: 10

env:
ARCH: "x64"
OS: "linux"

steps:
- uses: actions/checkout@v4

- name: Log in
run: infra/login.sh

- name: Run all tests
if: success()
run: |
# TODO(CUS-345): Enable remote execution
bazel run --config=noninteractive @rules_go//go -- test ./...
bazel run --config=noninteractive @rules_go//go -- clean -cache -modcache
bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- test ./...
bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" @rules_go//go -- clean -cache -modcache
- name: Log out
run: infra/logout.sh

copyright-headers-check:
runs-on:
Expand All @@ -118,9 +156,20 @@ jobs:
- "engflow-runner-id=${{ github.repository_id }}_copyright-headers-check_${{ github.run_id }}_${{ github.run_number }}_${{ github.run_attempt }}"
timeout-minutes: 10

env:
ARCH: "x64"
OS: "linux"

steps:
- uses: actions/checkout@v4

- name: Log in
run: infra/login.sh

- name: Check copyright headers
if: success()
run: |
bazel run --config=noninteractive //infra/internal/check_copyright_headers
bazel run --config=noninteractive --config="${CLUSTER_CONFIG}" //infra/internal/check_copyright_headers
- name: Log out
run: infra/logout.sh
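Review bot: `CRED_HELPER_TOKEN` is defined in the workflow-level `env:` block, which puts the secret into the environment of every step of every job, including the `bazel test` and `go test` steps that execute code from the change under test. Only infra/login.sh reads it, so scope it to the `Log in` steps with a step-level `env:` holding `CRED_HELPER_TOKEN: ${{ secrets.OPAL_CRED_HELPER_TOKEN }}`. main.yml has the same workflow-level entry. The `on:` triggers are outside the visible hunks, so whether pull requests from forks can reach these jobs cannot be judged from this page.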
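--- /dev/null
+++ b/infra/login.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 EngFlow Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# login.sh configures the build environment to authenticate with a
+# remote execution service. It should be run in CI before any bazel command.
+# logout.sh should be run afterward to remove stored credentials.
+
+set -o nounset -o pipefail -o errexit
+[[ "${SCRIPT_DEBUG:-"off"}" == "on" ]] && set -o xtrace
+
+if [[ -z "${ARCH:-}" ]]; then
+echo "ARCH not set"
+exit 1
+fi
+if [[ -z "${CLUSTER_HOST:-}" ]]; then
+echo "CLUSTER_HOST not set"
+exit 1
+fi
+if [[ -z "${CRED_HELPER_TOKEN:-}" ]]; then
+echo "CRED_HELPER_TOKEN not set"
+exit 1
+fi
+if [[ -z "${OS:-}" ]]; then
+echo "OS not set"
+exit 1
+fi
+
+# Download a recent version of engflow_auth to a local directory,
+# then use it to import the credential.
+readonly ENGFLOW_AUTH_VERSION=v0.0.6
+readonly TOOLS_DIR=$(pwd)/_tools
+readonly ENGFLOW_AUTH_URL="https://github.com/EngFlow/auth/releases/download/${ENGFLOW_AUTH_VERSION}/engflow_auth_${OS}_${ARCH}"
+if [[ "${OS}" == "windows" ]]; then
+# On Windows, ensure engflow_auth has an .exe extension. Use an absolute
+# Windows path with forward slashes (C:/a/b), NOT a cygwin path (/c/a/b),
+# and NOT backslashes (C:\a\b). Bazel only accepts the first form.
+readonly ENGFLOW_AUTH_PATH="$(cygpath --mixed "${TOOLS_DIR}/engflow_auth.exe")"
+else
+readonly ENGFLOW_AUTH_PATH="${TOOLS_DIR}/engflow_auth"
+fi
+mkdir -p "${TOOLS_DIR}"
+if ! curl --fail-with-body --location --output "${ENGFLOW_AUTH_PATH}" "${ENGFLOW_AUTH_URL}"; then
+cat "${ENGFLOW_AUTH_PATH}" >&2
+exit 1
+fi
+chmod +x "${ENGFLOW_AUTH_PATH}"
+
+# Import the credential.
+"${ENGFLOW_AUTH_PATH}" import -store=file <<<"${CRED_HELPER_TOKEN}"
+
+# Configure Bazel to use the credential.
+cat >.bazelrc.user <<EOF
+common --credential_helper=${CLUSTER_HOST}=${ENGFLOW_AUTH_PATH}
+EOF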
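Review bot: The binary that `curl` writes to `${ENGFLOW_AUTH_PATH}` is made executable and then handed `CRED_HELPER_TOKEN` on stdin without any integrity check, so the job trusts whatever the release URL serves for tag `v0.0.6`. Record the expected SHA-256 for each `${OS}`/`${ARCH}` asset next to `ENGFLOW_AUTH_VERSION` and verify it before `chmod +x`, for example `echo "${ENGFLOW_AUTH_SHA256}  ${ENGFLOW_AUTH_PATH}" | sha256sum --check --status || exit 1`. `ENGFLOW_AUTH_SHA256` is a placeholder for the pinned digest, and `shasum -a 256` can stand in where `sha256sum` is missing. A failed check should also delete the downloaded file so that a later step cannot run it.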
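--- /dev/null
+++ b/infra/logout.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 EngFlow Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# logout.sh removes a stored credential for a remote execution service.
+# It should be run in CI after all bazel commands.
+
+set -o nounset -o pipefail -o errexit
+[[ "${SCRIPT_DEBUG:-"off"}" == "on" ]] && set -o xtrace
+
+if [[ -z "${CLUSTER_HOST:-}" ]]; then
+echo "CLUSTER_HOST not set"
+exit 1
+fi
+if [[ -z "${OS:-}" ]]; then
+echo "OS not set"
+exit 1
+fi
+
+readonly TOOLS_DIR=$(pwd)/_tools
+if [[ "${OS}" == "windows" ]]; then
+readonly ENGFLOW_AUTH_PATH="${TOOLS_DIR}/engflow_auth.exe"
+else
+readonly ENGFLOW_AUTH_PATH="${TOOLS_DIR}/engflow_auth"
+fi
+
+"${ENGFLOW_AUTH_PATH}" logout "${CLUSTER_HOST}"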
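Review bot: The final `"${ENGFLOW_AUTH_PATH}" logout "${CLUSTER_HOST}"` runs unconditionally under `errexit`, so when the binary is missing or not executable (for example because login.sh stopped during the download) the cleanup step fails with a shell error instead of finishing quietly. A guard just before the call, `[[ -x "${ENGFLOW_AUTH_PATH}" ]] || exit 0`, makes the script safe to run as an unconditional cleanup step. The script also leaves behind the `.bazelrc.user` that login.sh wrote; adding `rm -f .bazelrc.user` after the logout would stop later bazel runs in the same workspace from pointing at a helper that has no credential.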