ci: use 7zip for creating archives (#3068)

* Use 7zip for creating and processing encrypted archives
* Switch to .7z file extension
* Fix shell check issues
* Fix tfstate update logic

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
Daniel Weiße 2024-05-08 10:34:10 +02:00 committed by GitHub
parent edc0c7068e
commit a15cf54477
5 changed files with 74 additions and 40 deletions


@ -16,11 +16,11 @@ inputs:
runs: runs:
using: "composite" using: "composite"
steps: steps:
- name: Install unzip - name: Install 7zip
uses: ./.github/actions/setup_bazel_nix uses: ./.github/actions/setup_bazel_nix
with: with:
nixTools: | nixTools: |
unzip _7zz
- name: Create temporary directory - name: Create temporary directory
id: tempdir id: tempdir
@ -37,4 +37,4 @@ runs:
shell: bash shell: bash
run: | run: |
mkdir -p ${{ inputs.path }} mkdir -p ${{ inputs.path }}
unzip -P '${{ inputs.encryptionSecret }}' -qq -d ${{ inputs.path }} ${{ steps.tempdir.outputs.directory }}/archive.zip 7zz x -p'${{ inputs.encryptionSecret }}' -t7z -o"${{ inputs.path }}" ${{ steps.tempdir.outputs.directory }}/archive.7z
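Review bot: The `7zz x` line splices the secret into the script body through `${{ inputs.encryptionSecret }}`, so the expression is expanded before bash starts and the literal value ends up in the generated script text as well as in the 7zz argument vector; the `7zz a` line of the upload action's `Create archive` step uses the same construction. Mapping the input to a variable on the step with `env:` (`ENCRYPTION_SECRET: ${{ inputs.encryptionSecret }}`) and writing `-p"${ENCRYPTION_SECRET}"` keeps the value out of the script file and matches what the cleanup script in this commit already does via `${artifact_pwd}`. The remaining unquoted expansions on these lines, `mkdir -p ${{ inputs.path }}` and `${{ steps.tempdir.outputs.directory }}/archive.7z`, should be double-quoted so a path containing whitespace is not word-split. The step's `name:` and any `env:` block lie above the hunk.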


@ -22,13 +22,51 @@ inputs:
runs: runs:
using: "composite" using: "composite"
steps: steps:
- name: Install zip - name: Install 7zip
uses: ./.github/actions/setup_bazel_nix uses: ./.github/actions/setup_bazel_nix
with: with:
nixTools: | nixTools: |
zip _7zz
- name: Create temporary directory - name: Create temporary directory
id: tempdir id: tempdir
shell: bash shell: bash
run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT" run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
- name: Create archive
shell: bash
run: |
shopt -s extglob
paths="${{ inputs.path }}"
paths=${paths%$'\n'} # Remove trailing newline
# Check if any file matches the given pattern(s).
something_exists=false
for pattern in ${paths}
do
if compgen -G "${pattern}" > /dev/null; then
something_exists=true
fi
done
# Create an archive if files exist.
# Don't create an archive file if no files are found
# and warn.
if ! ${something_exists}
then
echo "::warning:: No files/directories found with the provided path(s): ${paths}. No artifact will be uploaded."
exit 0
fi
for target in ${paths}
do
pushd "$(dirname "${target}")" || exit 1
7zz a -p'${{ inputs.encryptionSecret }}' -t7z -ms=on -mhe=on "${{ steps.tempdir.outputs.directory }}/archive.7z" "$(basename "${target}")"
popd || exit 1
done
- name: Upload archive as artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ inputs.name }}
path: ${{ steps.tempdir.outputs.directory }}/archive.7z
retention-days: ${{ inputs.retention-days }}
if-no-files-found: ignore
overwrite: ${{ inputs.overwrite }}
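Review bot: In the `Create archive` step the second loop, `for target in ${paths}`, walks the raw patterns rather than the files the `compgen -G` check found, so `"$(basename "${target}")"` reaches `7zz a` quoted and any wildcard in it is left to 7zz's own matching; with `shopt -s extglob` in effect, an extended pattern that passes the existence check is presumably not understood by 7zz, and what happens then depends on how 7zz treats an unmatched name. Either expand the match in bash before calling 7zz or record the contract next to the loop, e.g. `# Patterns are handed to 7zz unexpanded; it does plain wildcard matching, so keep inputs.path to simple globs.` A comment that `paths` is intentionally word-split, so entries containing spaces are unsupported, would also stop the next reader from "fixing" the unquoted `${paths}`. A short note on the `7zz a` line, `# -mhe=on encrypts the entry names as well as the contents`, documents why that switch is set.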


@ -31,11 +31,11 @@ runs:
with: with:
service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com" service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com"
- name: Install unzip - name: Install 7zip
uses: ./.github/actions/setup_bazel_nix uses: ./.github/actions/setup_bazel_nix
with: with:
nixTools: | nixTools: |
unzip _7zz
- name: Run cleanup - name: Run cleanup
run: ./.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh run: ./.github/actions/e2e_cleanup_timeframe/e2e-cleanup.sh
shell: bash shell: bash


@ -3,7 +3,7 @@
# get_e2e_test_ids_on_date gets all workflow IDs of workflows that contain "e2e" on a specific date. # get_e2e_test_ids_on_date gets all workflow IDs of workflows that contain "e2e" on a specific date.
function get_e2e_test_ids_on_date { function get_e2e_test_ids_on_date {
ids="$(gh run list --created "$1" --status failure --json createdAt,workflowName,databaseId --jq '.[] | select(.workflowName | contains("e2e") and (contains("MiniConstellation") | not)) | .databaseId' -L1000 -R edgelesssys/constellation || exit 1)" ids="$(gh run list --created "$1" --status failure --json createdAt,workflowName,databaseId --jq '.[] | select(.workflowName | contains("e2e") and (contains("MiniConstellation") | not)) | .databaseId' -L1000 -R edgelesssys/constellation || exit 1)"
echo "$ids" echo "${ids}"
} }
# download_tfstate_artifact downloads all artifacts matching the pattern terraform-state-* from a given workflow ID. # download_tfstate_artifact downloads all artifacts matching the pattern terraform-state-* from a given workflow ID.
@ -13,7 +13,7 @@ function download_tfstate_artifact {
# delete_resources runs terraform destroy on the constellation-terraform subfolder of a given folder. # delete_resources runs terraform destroy on the constellation-terraform subfolder of a given folder.
function delete_resources { function delete_resources {
if [ -d "$1/constellation-terraform" ]; then if [[ -d "$1/constellation-terraform" ]]; then
cd "$1/constellation-terraform" || exit 1 cd "$1/constellation-terraform" || exit 1
terraform init > /dev/null || exit 1 # first, install plugins terraform init > /dev/null || exit 1 # first, install plugins
terraform destroy -auto-approve || exit 1 terraform destroy -auto-approve || exit 1
@ -23,7 +23,7 @@ function delete_resources {
# delete_iam_config runs terraform destroy on the constellation-iam-terraform subfolder of a given folder. # delete_iam_config runs terraform destroy on the constellation-iam-terraform subfolder of a given folder.
function delete_iam_config { function delete_iam_config {
if [ -d "$1/constellation-iam-terraform" ]; then if [[ -d "$1/constellation-iam-terraform" ]]; then
cd "$1/constellation-iam-terraform" || exit 1 cd "$1/constellation-iam-terraform" || exit 1
terraform init > /dev/null || exit 1 # first, install plugins terraform init > /dev/null || exit 1 # first, install plugins
terraform destroy -auto-approve || exit 1 terraform destroy -auto-approve || exit 1
@ -32,12 +32,12 @@ function delete_iam_config {
} }
# check if the password for artifact decryption was given # check if the password for artifact decryption was given
if [[ -z $ENCRYPTION_SECRET ]]; then if [[ -z ${ENCRYPTION_SECRET} ]]; then
echo "ENCRYPTION_SECRET is not set. Please set an environment variable with that secret." echo "ENCRYPTION_SECRET is not set. Please set an environment variable with that secret."
exit 1 exit 1
fi fi
artifact_pwd=$ENCRYPTION_SECRET artifact_pwd=${ENCRYPTION_SECRET}
shopt -s nullglob shopt -s nullglob
@ -46,9 +46,9 @@ end_date=$(date --date "-7 day" "+%Y-%m-%d")
dates_to_clean=() dates_to_clean=()
# get all dates of the last week # get all dates of the last week
while [[ $end_date != "$start_date" ]]; do while [[ ${end_date} != "${start_date}" ]]; do
dates_to_clean+=("$end_date") dates_to_clean+=("${end_date}")
end_date=$(date --date "$end_date +1 day" "+%Y-%m-%d") end_date=$(date --date "${end_date} +1 day" "+%Y-%m-%d")
done done
echo "[*] retrieving run IDs for cleanup" echo "[*] retrieving run IDs for cleanup"
@ -65,33 +65,33 @@ mapfile -td " " database_ids < <(echo "${database_ids[@]}")
echo "[*] downloading terraform state artifacts" echo "[*] downloading terraform state artifacts"
for id in "${database_ids[@]}"; do for id in "${database_ids[@]}"; do
if [[ $id == *[^[:space:]]* ]]; then if [[ ${id} == *[^[:space:]]* ]]; then
echo " downloading from workflow $id" echo " downloading from workflow ${id}"
download_tfstate_artifact "$id" download_tfstate_artifact "${id}"
fi fi
done done
echo "[*] extracting artifacts" echo "[*] extracting artifacts"
for directory in ./terraform-state-*; do for directory in ./terraform-state-*; do
echo " extracting $directory" echo " extracting ${directory}"
# extract and decrypt the artifact # extract and decrypt the artifact
unzip -d "${directory}" -P "$artifact_pwd" "$directory/archive.zip" > /dev/null || exit 1 7zz x -t7z -p"${artifact_pwd}" -o"${directory}" "${directory}/archive.7z" > /dev/null || exit 1
done done
# create terraform caching directory # create terraform caching directory
mkdir "$HOME/tf_plugin_cache" mkdir "${HOME}/tf_plugin_cache"
export TF_PLUGIN_CACHE_DIR="$HOME/tf_plugin_cache" export TF_PLUGIN_CACHE_DIR="${HOME}/tf_plugin_cache"
echo "[*] created terraform cache directory $TF_PLUGIN_CACHE_DIR" echo "[*] created terraform cache directory ${TF_PLUGIN_CACHE_DIR}"
echo "[*] deleting resources" echo "[*] deleting resources"
for directory in ./terraform-state-*; do for directory in ./terraform-state-*; do
echo " deleting resources in $directory" echo " deleting resources in ${directory}"
delete_resources "$directory" delete_resources "${directory}"
echo " deleting IAM configuration in $directory" echo " deleting IAM configuration in ${directory}"
delete_iam_config "$directory" delete_iam_config "${directory}"
echo " deleting directory $directory" echo " deleting directory ${directory}"
rm -rf "$directory" rm -rf "${directory}"
done done
exit 0 exit 0
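Review bot: The new `7zz x` line runs without `-y`, so if an entry name in the archive collides with a file already present in `${directory}` 7zz presumably asks whether to overwrite and, with no terminal attached, takes the answer from stdin; adding `-y` keeps the extraction non-interactive: `7zz x -y -t7z -p"${artifact_pwd}" -o"${directory}" "${directory}/archive.7z" > /dev/null || exit 1`. Passing the secret as `-p"${artifact_pwd}"` places it in the process argument list, where other processes on the runner can typically read it for the lifetime of the 7zz call; this mirrors the previous `unzip -P` and is an accepted trade-off on a single-tenant runner, but a one-line comment above the call recording that would help. Only stdout is discarded, which is right: a wrong password is reported on stderr and the `|| exit 1` stops the script.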


@ -1,5 +1,5 @@
name: Update TFState name: Update TFState
description: "Update the terraform state artifact." description: "Update the terraform state artifact. We use this to either delete an artifact if the e2e test was cleaned up successfully or to update the artifact with the latest terraform state."
inputs: inputs:
name: name:
@ -11,33 +11,29 @@ inputs:
encryptionSecret: encryptionSecret:
description: "The encryption secret for the artifacts." description: "The encryption secret for the artifacts."
required: true required: true
skipDeletion:
description: "Don't try to delete the artifact before updating. You should only use this if you know that no artifact exists."
default: "false"
required: false
runs: runs:
using: "composite" using: "composite"
steps: steps:
- name: Check if tfstate should be deleted - name: Check if uploaded tfstate can be deleted
if: always() && inputs.skipDeletion == 'false' if: always()
shell: bash shell: bash
run: | run: |
if [[ -d constellation-terraform ]] || [[ -d constellation-iam-terraform ]]; then if [[ ! -d constellation-terraform ]] && [[ ! -d constellation-iam-terraform ]]; then
echo "DELETE_TF_STATE=true" >> "$GITHUB_ENV" echo "DELETE_TF_STATE=true" >> "$GITHUB_ENV"
else else
echo "DELETE_TF_STATE=false" >> "$GITHUB_ENV" echo "DELETE_TF_STATE=false" >> "$GITHUB_ENV"
fi fi
- name: Delete tfstate artifact if necessary - name: Delete tfstate artifact if necessary
if: always() && env.DELETE_TF_STATE == 'true' && inputs.skipDeletion == 'false' if: always() && env.DELETE_TF_STATE == 'true'
uses: ./.github/actions/artifact_delete uses: ./.github/actions/artifact_delete
with: with:
name: ${{ inputs.name }} name: ${{ inputs.name }}
workflowID: ${{ inputs.runID }} workflowID: ${{ inputs.runID }}
- name: Prepare terraform state folders - name: Prepare left over terraform state folders
if: always() if: always() && env.DELETE_TF_STATE == 'false'
shell: bash shell: bash
run: | run: |
rm -rf to-zip/* rm -rf to-zip/*