Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
310 changes: 310 additions & 0 deletions .github/workflows/stackpacks-ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,310 @@
name: Contrib Stackpacks CI

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it could also be worthwhile to add a workflow linting workflow, like https://github.com/StackVista/image-pipeline/blob/main/.github/workflows/lint-workflows.yml

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

zizmor is present in a pre-commit hook. That should be sufficient?


run-name: >-
contrib stackpacks -
${{ github.event_name == 'pull_request' && format('PR #{0} {1}', github.event.number, github.event.pull_request.title) ||
github.event_name == 'workflow_dispatch' && 'manual rebuild' ||
github.event_name == 'push' && format('{0}: {1}', github.ref_name, github.event.head_commit.message) ||
github.ref_name }}

on:
pull_request:
push:
branches: [main]
workflow_dispatch:

permissions:
contents: read

defaults:
run:
shell: bash --noprofile --norc -euo pipefail {0}

concurrency:
group: contrib-stackpacks-${{ github.ref }}
cancel-in-progress: false

jobs:

validate:
name: validate (${{ matrix.stackpack }})
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
stackpack:
- open-telemetry-2
- otel-k8s-crd
- notification-operator
- suse-observability-2
steps:
- name: Check out repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Validate ${{ matrix.stackpack }}
env:
STACKPACK: ${{ matrix.stackpack }}
# Pinned snapshot of stackstate-server providing /opt/docker/bin/stack-pack-validator.
# Bumped manually when validating a newer stackstate-server release.
VALIDATOR_IMAGE: quay.io/stackstate/stackstate-server:b7c3604-2.5
run: |
docker run --rm \
-v "${PWD}:/workspace" \
-w /workspace \
"${VALIDATOR_IMAGE}" \
/opt/docker/bin/stack-pack-validator -directory "/workspace/stackpacks/${STACKPACK}"

package:
name: package (${{ matrix.stackpack }})
needs: [validate]
if: |
always() &&

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering if this shouldn't be gated to push for main only? Public fork PRs will hit missing secret failures, and same-repo branches could publish images.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

afaiu the upload is run specific, so should be fine on a fork

needs.validate.result == 'success'
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
stackpack:
- open-telemetry-2
- otel-k8s-crd
- notification-operator
- suse-observability-2
steps:
- name: Check out repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Install yq
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends yq

- name: Install StackState CLI
run: |
version=$(curl --fail --silent --show-error https://dl.stackstate.com/stackstate-cli/LATEST_VERSION)
version="${version#v}"
arch=$(uname -m)
tmp=$(mktemp -d)
curl --fail --silent --show-error --location \
"https://dl.stackstate.com/stackstate-cli/v${version}/stackstate-cli-${version}.linux-${arch}.tar.gz" \
| tar xz -C "${tmp}"
sudo install -m 0755 "${tmp}/sts" /usr/local/bin/sts
sts version

- name: Package and publish ${{ matrix.stackpack }}
env:
STACKPACK: ${{ matrix.stackpack }}
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
RUN_NUMBER: ${{ github.run_number }}
SHA: ${{ github.sha }}
EVENT_NAME: ${{ github.event_name }}
REF: ${{ github.ref }}
run: |
cd "stackpacks/${STACKPACK}"
base_version=$(yq -r '.version' stackpack.yaml)
echo "Version from stackpack.yaml: ${base_version}"

if [[ "${EVENT_NAME}" == "push" && "${REF}" == "refs/heads/main" ]]; then
stackpack_version=${base_version}
else
major=$(echo "${base_version}" | cut -d. -f1)
minor=$(echo "${base_version}" | cut -d. -f2)
patch=$(echo "${base_version}" | cut -d. -f3)
new_patch=$((patch + 1))
branch_sanitized=$(echo "${BRANCH_NAME}" | sed 's/[^a-zA-Z0-9]/-/g')
short_sha="${SHA:0:7}"
stackpack_version="${major}.${minor}.${new_patch}-${branch_sanitized}-${RUN_NUMBER}-${short_sha}-SNAPSHOT"
sed -i "s/^version: .*/version: \"${stackpack_version}\"/" stackpack.yaml
fi

export STS_EXPERIMENTAL_STACKPACKS=1
sts stackpack package
mkdir -p target
mv -- *.sts target/
ls -lh target/*.sts

- name: Upload ${{ matrix.stackpack }} sts artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: sts-${{ matrix.stackpack }}
path: stackpacks/${{ matrix.stackpack }}/target/*.sts
if-no-files-found: error

check-version-bump:
name: Check version bump
runs-on: ubuntu-24.04
strategy:
fail-fast: false
matrix:
stackpack:
- open-telemetry-2
- otel-k8s-crd
- notification-operator
- suse-observability-2
env:
TARGET_BRANCH: ${{ github.base_ref || 'main' }}
steps:
- name: Check out repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: true
fetch-depth: 0

- name: Install yq
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends yq

- name: Compare versions
run: ./scripts/ci/verify_versions_bumped.sh ${{ matrix.stackpack }}

build-and-push-docker-image:
name: Docker image build, scan, and push
needs: [package]
if: |
always() &&
github.reposity == 'StackVista/contrib-stackpacks' &&
(needs.package.result == 'success' || needs.package.result == 'skipped')
runs-on: ubuntu-24.04
permissions:
contents: read
id-token: write
strategy:
fail-fast: false
steps:
- name: Check out repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Download stackpack artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: sts-*
path: artifacts
merge-multiple: true

- name: Stage stackpacks
run: |
dest=docker/rootfs/stackpacks
rm -rf "${dest}"
mkdir -p "${dest}"
cp artifacts/*.sts "${dest}/"

- name: Compute image tag
id: tag
run: |
git_branch="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we do some sanitisation? Branch names with / will produce invalid tags

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel that's a bit defensive - have never seen something like that in 20+ years of software dev. (though maybe I've been spoiled)

git_commit_sha_short=$(git rev-parse --short=7 HEAD)
git_last_commit_timestamp=$(TZ=UTC0 git log -1 --format=%cd --date=format-local:'%Y%m%d%H%M%S')
echo "value=${git_last_commit_timestamp}-${git_branch}-${git_commit_sha_short}" >> "$GITHUB_OUTPUT"

- name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
with:
image: tonistiigi/binfmt:qemu-v10.0.4
cache-image: false

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

- name: Build local image for scan
id: local-image
env:
TAG: ${{ steps.tag.outputs.value }}
run: |
local_ref="local/contrib-stackpacks:${TAG}"
docker buildx build \
--platform linux/amd64 \
--load \
--provenance=false \
--sbom=false \
--tag "${local_ref}" \
docker
echo "ref=${local_ref}" >> "$GITHUB_OUTPUT"

- name: Smoke test image
env:
LOCAL_IMAGE_REF: ${{ steps.local-image.outputs.ref }}
run: |
mkdir -p smoke-output
docker run --rm -v "${PWD}/smoke-output:/output" "${LOCAL_IMAGE_REF}" /output
copied=$(find smoke-output -type f -name '*.sts' | wc -l | tr -d ' ')
if [[ "${copied}" -eq 0 ]]; then
echo "Smoke test produced no .sts files" >&2
exit 1
fi

- name: Scan image
uses: StackVista/image-pipeline/.github/actions/scan-image@f7e766e074b516bb754891a240e6ab2df1e60e4c
with:
image: ${{ steps.local-image.outputs.ref }}
mode: gate
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
with-grype: true
upload-sarif: false

- name: Apply OCI labels
id: oci-labels
uses: StackVista/image-pipeline/.github/actions/apply-oci-labels@f7e766e074b516bb754891a240e6ab2df1e60e4c
with:
image-name: contrib-stackpacks
tag: ${{ steps.tag.outputs.value }}
title: SUSE Observability Community Stackpacks
description: Community stackpacks distribution bundle
component: contrib-stackpacks
dockerfile: docker/Dockerfile
base-name: registry.suse.com/bci/bci-minimal:15.7

- name: Push single-arch image (amd64)
uses: StackVista/image-pipeline/.github/actions/push-single-arch@f7e766e074b516bb754891a240e6ab2df1e60e4c
with:
image: quay.io/stackstate/contrib-stackpacks
tag: ${{ steps.tag.outputs.value }}
arch: amd64
docker-context: docker
dockerfile: docker/Dockerfile
labels: ${{ steps.oci-labels.outputs.labels }}
target-registry: quay.io
target-registry-user: ${{ secrets.QUAY_USER }}
target-registry-password: ${{ secrets.QUAY_PASSWORD }}

- name: Push single-arch image (arm64)
uses: StackVista/image-pipeline/.github/actions/push-single-arch@f7e766e074b516bb754891a240e6ab2df1e60e4c
with:
image: quay.io/stackstate/contrib-stackpacks
tag: ${{ steps.tag.outputs.value }}
arch: arm64
docker-context: docker
dockerfile: docker/Dockerfile
labels: ${{ steps.oci-labels.outputs.labels }}
target-registry: quay.io
target-registry-user: ${{ secrets.QUAY_USER }}
target-registry-password: ${{ secrets.QUAY_PASSWORD }}

- name: Merge multi-arch manifest
uses: StackVista/image-pipeline/.github/actions/merge-multiarch@f7e766e074b516bb754891a240e6ab2df1e60e4c
with:
image: quay.io/stackstate/contrib-stackpacks
tag: ${{ steps.tag.outputs.value }}
arches: amd64,arm64
target-registry: quay.io
target-registry-user: ${{ secrets.QUAY_USER }}
target-registry-password: ${{ secrets.QUAY_PASSWORD }}

update-stackpacks-version-in-helm:
name: Update stackpacks version in helm-charts-internal
needs:
- build-and-push-docker-image
if: |
always() &&
github.event_name == 'push' && github.ref == 'refs/heads/main' &&
needs.build-and-push-docker-image.result == 'success'
uses: ./.github/workflows/update-stackpacks-version-in-helm.yml
secrets:
HELM_CHARTS_INTERNAL_GH_APP_CLIENT_ID: ${{ secrets.HELM_CHARTS_INTERNAL_GH_APP_CLIENT_ID }}
HELM_CHARTS_INTERNAL_GH_APP_PRIVATE_KEY: ${{ secrets.HELM_CHARTS_INTERNAL_GH_APP_PRIVATE_KEY }}

54 changes: 54 additions & 0 deletions .github/workflows/update-stackpacks-version-in-helm.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
name: Update Stackpacks Version in Helm

# Triggers the helm-charts-internal updatecli workflow after stackpacks have
# been built and uploaded. Invoked from the CI workflow on master.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This invocation is missing atm, is it still intended to be there (added later when manual testing is done)?

# The standalone `workflow_dispatch` entry remains as a manual fallback.
on:
workflow_call:
secrets:
HELM_CHARTS_INTERNAL_GH_APP_CLIENT_ID:
required: true
HELM_CHARTS_INTERNAL_GH_APP_PRIVATE_KEY:
required: true
workflow_dispatch:

permissions:
contents: read

defaults:
run:
shell: bash --noprofile --norc -euo pipefail {0}

jobs:
update-stackpacks-version-in-helm:
runs-on: small
steps:
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
client-id: ${{ secrets.HELM_CHARTS_INTERNAL_GH_APP_CLIENT_ID }}
private-key: ${{ secrets.HELM_CHARTS_INTERNAL_GH_APP_PRIVATE_KEY }}
repositories: helm-charts-internal
permission-actions: write

- name: Trigger helm-charts-internal updatecli workflow
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
curl --fail-with-body --request POST \
--header "Accept: application/vnd.github+json" \
--header "Authorization: Bearer ${GH_TOKEN}" \
--header "X-GitHub-Api-Version: 2022-11-28" \
--data '{
"ref": "master",
"inputs": {
"pipeline": "stackpacks",
"target_branch": "master",
"stackpacks_source_branch": "master",
"stackpacks_contrib_source_branch": "main",
"stackpacks_suse_source_branch": "main",
"dry_run": "false"
}
}' \
"https://api.github.com/repos/StackVista/helm-charts-internal/actions/workflows/updatecli.yml/dispatches"
23 changes: 23 additions & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.4.0
hooks:
- id: check-added-large-files
stages: [pre-commit]
exclude: "^stackstate-generated-api/.*$"
- id: check-case-conflict
stages: [pre-commit]
- id: check-merge-conflict
stages: [pre-commit]
- id: detect-private-key
stages: [pre-commit]
- id: detect-aws-credentials
stages: [pre-commit]
args:
- --allow-missing-credentials
- repo: https://github.com/zizmorcore/zizmor-pre-commit
# Zizmor version.
rev: v1.25.0
hooks:
# Run the linter.
- id: zizmor
7 changes: 7 additions & 0 deletions docker/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
FROM registry.suse.com/bci/bci-minimal:15.7

COPY rootfs /

USER 1001

ENTRYPOINT [ "/copy-stackpacks.sh" ]
Loading