

Update Github Actions Workflows (#8)
* fix most trivy issues, update playwright tests, update studio-backend

Signed-off-by: wwanarif <[email protected]>

* updated GHA workflows

Signed-off-by: wwanarif <[email protected]>

* enabled local-path-provisioner, update readmes, e2e tests, setup scripts and workflow

Signed-off-by: wwanarif <[email protected]>

* trivy scan fixes

Signed-off-by: chinyixiang <[email protected]>

---------

Signed-off-by: wwanarif <[email protected]>
Signed-off-by: chinyixiang <[email protected]>
Co-authored-by: wwanarif <[email protected]>
Co-authored-by: chinyixiang <[email protected]>
3 people authored Nov 15, 2024
1 parent 47a1150 commit 4042d18
Showing 22 changed files with 491 additions and 55 deletions.
43 changes: 43 additions & 0 deletions .github/workflows/_build-image-to-registry.yml
@@ -0,0 +1,43 @@
# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

name: Call - Build Images to Registry
permissions: read-all
on:
workflow_call:
inputs:
node:
default: "xeon"
required: true
type: string
tag:
default: "latest"
required: false
type: string

jobs:
call-build-image-to-registry:
runs-on: "docker-build-${{ inputs.node }}"
steps:
- name: Clean Up Working Directory
run: sudo rm -rf ${{github.workspace}}/*

- name: Get Checkout Ref
run: |
if [ "${{ github.event_name }}" == "pull_request" ] || [ "${{ github.event_name }}" == "pull_request_target" ]; then
echo "CHECKOUT_REF=refs/pull/${{ github.event.number }}/merge" >> $GITHUB_ENV
else
echo "CHECKOUT_REF=${{ github.ref }}" >> $GITHUB_ENV
fi
- name: Checkout out Repo
uses: actions/checkout@v4
with:
ref: ${{ env.CHECKOUT_REF }}
fetch-depth: 0

- name: Build Image and Push Image
run: |
sudo apt install ansible -y
ansible-playbook build-image-to-registry.yml -e "container_registry=${OPEA_IMAGE_REPO}opea" -e "container_tag=${{ inputs.tag }}"
working-directory: ${{ github.workspace }}/setup-scripts/build-image-to-registry/
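Review bot: The `Get Checkout Ref` step at L65-L66 resolves `refs/pull/N/merge` when the calling workflow is triggered by `pull_request_target`, and the following steps then run `ansible-playbook` from that checkout in a job that receives `secrets: inherit` from both callers in this commit. If a caller is ever attached to `pull_request_target`, a fork's playbook under `setup-scripts/build-image-to-registry/` would execute with the registry credentials in scope; neither caller here uses that trigger, so the arm is dormant today. I'd either drop the `pull_request_target` comparison or annotate it, e.g. `# pull_request_target callers must not pass secrets here: the playbook runs from the PR merge ref`. The same step is duplicated verbatim in `_e2e-test.yml` (L110-L111) and this note applies there too. Separately, `sudo apt install ansible -y` at L78 has no preceding `apt update`, so on a freshly provisioned runner the package index may be stale, though the self-hosted `docker-build-*` runners may already be prepared.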
97 changes: 97 additions & 0 deletions .github/workflows/_e2e-test.yml
@@ -0,0 +1,97 @@
# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

name: Call - E2E Test
permissions: read-all
on:
workflow_call:
inputs:
node:
default: "xeon"
required: true
type: string
tag:
default: "latest"
required: false
type: string

jobs:
call-e2e-test:
runs-on: "k8s-${{ inputs.node }}"
steps:
- name: Clean Up Working Directory
run: sudo rm -rf ${{github.workspace}}/*

- name: Get Checkout Ref
run: |
if [ "${{ github.event_name }}" == "pull_request" ] || [ "${{ github.event_name }}" == "pull_request_target" ]; then
echo "CHECKOUT_REF=refs/pull/${{ github.event.number }}/merge" >> $GITHUB_ENV
else
echo "CHECKOUT_REF=${{ github.ref }}" >> $GITHUB_ENV
fi
- name: Checkout out Repo
uses: actions/checkout@v4
with:
ref: ${{ env.CHECKOUT_REF }}
fetch-depth: 0

- name: Update Manifest
run: |
find . -type f -name 'studio-manifest.yaml' -exec sed -i 's/value: opea/value: ${REGISTRY}/g' {} \;
working-directory: ${{ github.workspace }}/setup-scripts/setup-genai-studio/manifests/

- name: Deploy GenAI Studio
run: |
if kubectl get namespace studio; then
kubectl delete -f manifests/studio-manifest.yaml || true
kubectl wait --for=delete pod --all --namespace=studio --timeout=300s
fi
if kubectl get namespace monitoring; then
kubectl delete -f manifests/monitoring-manifest.yaml || true
kubectl wait --for=delete pod --all --namespace=monitoring --timeout=300s
fi
sleep 5
sudo apt install ansible -y
ansible-playbook genai-studio.yml -e "container_registry=${OPEA_IMAGE_REPO}opea" -e "container_tag=${{ inputs.tag }}"
sleep 5
kubectl wait --for=condition=ready pod --all --namespace=studio --timeout=300s --field-selector=status.phase!=Succeeded
kubectl wait --for=condition=ready pod --all --namespace=monitoring --timeout=300s --field-selector=status.phase!=Succeeded
working-directory: ${{ github.workspace }}/setup-scripts/setup-genai-studio/

- name: Set up Node.js
uses: actions/setup-node@v2
with:
node-version: '20.18.0'

- name: Install Dependencies
run: |
npm install
npx playwright install
npx playwright install-deps
working-directory: ${{ github.workspace }}/tests/playwright

- name: Update Playwright Config
run: |
NODE_IP=$(kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}')
sed -i "s|baseURL:.*|baseURL: \"http://$NODE_IP:30007\",|" playwright.config.js
working-directory: ${{ github.workspace }}/tests/playwright

- name: Run Playwright Tests
run: npx playwright test
working-directory: ${{ github.workspace }}/tests/playwright

- name: Upload Test Results
if: always()
uses: actions/upload-artifact@v4
with:
name: playwright-test-results
path: ${{ github.workspace }}/tests/playwright/playwright-report

- name: Cleanup sandbox namespaces
if: always()
run: |
for ns in $(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep '^sandbox-'); do
kubectl delete namespace $ns || true
done
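Review bot: `actions/setup-node@v2` at L145 is an older major release while every other action in this file (`actions/checkout@v4`, `actions/upload-artifact@v4`) is on a current one; use `uses: actions/setup-node@v4` so the step does not depend on a retired runtime line. The `Update Manifest` step at L123 uses a single-quoted sed expression, so `${REGISTRY}` is written into `studio-manifest.yaml` as literal text rather than expanded to the runner's registry value — presumably a later templating step resolves it, which is worth confirming since `Deploy GenAI Studio` applies the manifests through `ansible-playbook`. A short comment on that line, e.g. `# ${REGISTRY} is intentionally left unexpanded here; resolved by the playbook`, would make the intent clear if that is the case.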
42 changes: 42 additions & 0 deletions .github/workflows/manual-docker-build.yml
@@ -0,0 +1,42 @@
# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

name: Manual - Docker Build and Test
on:
workflow_dispatch:
inputs:
nodes:
default: "xeon"
description: "Hardware to run test"
required: true
type: string
tag:
default: "latest"
description: "Tag to apply to images"
required: true
type: string
e2e_test:
default: true
description: "Run E2E test after build"
required: false
type: boolean

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-on-manual-dispatch
cancel-in-progress: true

jobs:
manual-build-images:
uses: ./.github/workflows/_build-image-to-registry.yml
with:
node: ${{ inputs.nodes }}
tag: ${{ inputs.tag }}
secrets: inherit
manual-run-e2e-test:
if: ${{ inputs.e2e_test }}
uses: ./.github/workflows/_e2e-test.yml
needs: manual-build-images
with:
node: ${{ inputs.nodes }}
tag: ${{ inputs.tag }}
secrets: inherit
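Review bot: This workflow has no top-level `permissions:` key, so the `GITHUB_TOKEN` it is issued falls back to the repository's configured default, whereas the sibling files set `permissions: read-all` (L43, L88, L270, L326). Add `permissions: read-all` directly under `name:` at L185 so the grant is explicit and consistent; `nightly-e2e-test.yml` (L404) has the same gap. The reusable workflows it calls do declare `read-all` and a called workflow can only narrow what the caller grants, so the called jobs are already capped — the fix is about keeping the caller's own grant at least-privilege rather than relying on the repository default.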
68 changes: 68 additions & 0 deletions .github/workflows/manual-docker-publish.yml
@@ -0,0 +1,68 @@
# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

name: Manual - Publish Docker Images
on:
workflow_dispatch:
inputs:
node:
default: "xeon"
description: "Hardware to run test"
required: true
type: string
studio_frontend:
description: "Publish studio-frontend image?"
required: true
type: boolean
default: true
studio_backend:
description: "Publish studio-backend image?"
required: true
type: boolean
default: true
app_frontend:
description: "Publish app-frontend image?"
required: true
type: boolean
default: true
app_backend:
description: "Publish app-backend image?"
required: true
type: boolean
default: true
tag:
default: "rc"
description: "Tag to publish, like [1.0rc]"
required: true
type: string
publish_tags:
default: "latest,1.x"
description: "Comma-separated tag list to apply to published images, like [latest,1.0]"
required: false
type: string

permissions: read-all
jobs:
publish:
strategy:
matrix:
image: ${{ fromJson('[ "studio-frontend", "studio-backend", "app-frontend", "app-backend" ]') }}
fail-fast: false
runs-on: "docker-build-${{ inputs.node }}"
steps:
- uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Check if image should be published
if: ${{ github.event.inputs[ matrix.image ] == 'true' }}
run: echo "Publishing ${{ matrix.image }} image"

- name: Image Publish
if: ${{ github.event.inputs[ matrix.image ] == 'true' }}
uses: opea-project/validation/actions/image-publish@main
with:
local_image_ref: ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
image_name: opea/${{ matrix.image }}
publish_tags: ${{ inputs.publish_tags }}
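Review bot: The gating conditions at L285 and L289 index `github.event.inputs` with the matrix value (`studio-frontend`, `studio-backend`, `app-frontend`, `app-backend`), but the inputs are declared with underscores (`studio_frontend` at L239 through `app_backend` at L254), so the lookup yields an empty value, `== 'true'` is never satisfied, and no image is ever published. Rename the four inputs to the hyphenated form, e.g. `studio-frontend:` in place of `studio_frontend:` (and likewise for the other three), or give the matrix explicit `include` entries that carry both the image name and the input key. Also `uses: opea-project/validation/actions/image-publish@main` at L290 tracks a mutable branch while the job holds `DOCKERHUB_TOKEN` from L282; pin it to an immutable commit, e.g. `uses: opea-project/validation/actions/image-publish@<commit-sha> # main`. Lastly, `local_image_ref: ${OPEA_IMAGE_REPO}opea/...` at L292 is a `with:` value rather than a shell line, so `${OPEA_IMAGE_REPO}` reaches the action as literal text and is only expanded if that action interpolates its input into a shell step — worth confirming against the action's definition.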
103 changes: 103 additions & 0 deletions .github/workflows/manual-docker-scan.yml
@@ -0,0 +1,103 @@
# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

name: Manual - Docker Scan (SBOM and CVE)
on:
workflow_dispatch:
inputs:
node:
default: "xeon"
description: "Hardware to run scan"
required: true
type: string
tag:
default: "latest"
description: "Tag for images to scan"
required: true
type: string
sbom_scan:
default: true
description: 'Scan images for BoM'
required: false
type: boolean
trivy_scan:
default: true
description: 'Scan images for CVE'
required: false
type: boolean

permissions: read-all
jobs:
clean-workspace:
runs-on: "docker-build-${{ inputs.node }}"
steps:
- name: Clean up Working Directory
run: |
sudo rm -rf ${{github.workspace}}/* || true
# docker system prune -f
manual-docker-scan:
needs: clean-workspace
runs-on: "docker-build-${{ inputs.node }}"
strategy:
matrix:
image: ["studio-frontend", "studio-backend", "app-frontend", "app-backend"]
fail-fast: false
max-parallel: 2
steps:
- name: Pull Image
run: |
docker pull ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }}
echo "OPEA_IMAGE_REPO=${OPEA_IMAGE_REPO}" >> $GITHUB_ENV
- name: SBOM Scan Container
uses: anchore/[email protected]
if: ${{ inputs.sbom_scan }}
with:
image: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
output-file: ${{ matrix.image }}-sbom-scan.txt
format: 'spdx-json'

- name: Security Scan Container
uses: aquasecurity/[email protected]
if: ${{ inputs.trivy_scan }}
with:
image-ref: ${{ env.OPEA_IMAGE_REPO }}opea/${{ matrix.image }}:${{ inputs.tag }}
output: ${{ matrix.image }}-trivy-scan.txt
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

- name: Cleanup
if: always()
run: docker rmi -f ${OPEA_IMAGE_REPO}opea/${{ matrix.image }}:${{ inputs.tag }} || true

- name: Collect Logs
if: always()
run: |
mkdir -p /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
mv ${{ matrix.image }}-*-scan.txt /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}
upload-artifacts:
needs: manual-docker-scan
runs-on: "docker-build-${{ inputs.node }}"
if: always()
steps:
- name: Upload SBOM Artifacts
uses: actions/[email protected]
with:
name: sbom-scan-${{ inputs.tag }}-${{ github.run_number }}
path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-sbom-scan.txt
overwrite: true

- name: Upload Trivy Artifacts
uses: actions/[email protected]
with:
name: trivy-scan-${{ inputs.tag }}-${{ github.run_number }}
path: /tmp/scan-${{ inputs.tag }}-${{ github.run_number }}/*-trivy-scan.txt
overwrite: true

- name: Remove Logs
run: rm -rf /tmp/scan-${{ inputs.tag }}-${{ github.run_number }} && rm -rf /tmp/sbom-action-*
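Review bot: The `upload-artifacts` job at L377 reads `/tmp/scan-${{ inputs.tag }}-${{ github.run_number }}` that `manual-docker-scan` wrote at L375-L376, but the two are separate jobs joined only by the `docker-build-${{ inputs.node }}` label; if more than one runner carries that label, the upload job can be scheduled on a different machine and find nothing. Either move the upload steps into the scan job (per matrix entry, with `if: always()`) or upload per image there, rather than relying on a shared `/tmp`. `Remove Logs` at L396 has no `if: always()`, so a failed upload leaves the scan reports in `/tmp` on the self-hosted runner for later jobs to read; add `if: always()` there as the `Cleanup` step at L369 already does.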
24 changes: 24 additions & 0 deletions .github/workflows/nightly-e2e-test.yml
@@ -0,0 +1,24 @@
# Copyright (C) 2024 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

name: Nightly - E2E test

on:
workflow_dispatch:
schedule:
- cron: "5 18 * * *" # UTC time

jobs:
nightly-build-images:
uses: ./.github/workflows/_build-image-to-registry.yml
with:
node: xeon
tag: latest
secrets: inherit
nightly-run-e2e-test:
uses: ./.github/workflows/_e2e-test.yml
needs: nightly-build-images
with:
node: xeon
tag: latest
secrets: inherit
