use buildbuddy (#21) #107
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # See: /ci/README.md | |
| # | |
| # | |
| # ``` | |
| # +-----------------------------+ | |
| # | 1. PRESUBMIT | | |
| # +-----------------------------+ | |
| # | | |
| # | All offline tests succeed. | |
| # | | |
| # | - bazel test //... | |
| # v | |
| # +-----------------------------+ | |
| # | 2. AUTHORIZATION CHECK | | |
| # +-----------------------------+ | |
| # | The next step will not run | |
| # | until one of the repo owners | |
| # | approves the commits. | |
| # | | |
| # v | |
| # +-----------------------------+ | |
| # | 3. SUBMIT | | |
| # +-----------------------------+ | |
| # | Deploy actions that can | |
| # | be rolled back performed. | |
| # | | |
| # | - Pulumi up | |
| # v | |
| # +-----------------------------+ | |
| # | 3a. ROLLBACK | | |
| # +-----------------------------+ | |
| # | Upon failure of step 3, | |
| # | checkout origin/main, | |
| # | and re-perform SUBMIT. | |
| # x | |
| # +-----------------------------+ | |
| # | 4. POSTSUBMIT | | |
| # +-----------------------------+ | |
| # | When (3) succeeds, | |
| # | | |
| # | Deploy actions that cannot | |
| # | be rolled back performed. | |
| # | | |
| # | - Creating a GitHub release | |
| # | - Uploading NPM packages | |
| # v | |
| # +-----------------------------+ | |
| # | 5. MERGE | | |
| # +-----------------------------+ | |
| # | |
| # ``` | |
| name: CI | |
| on: # yamllint disable-line rule:truthy | |
| merge_group: | |
| pull_request: | |
| branches: | |
| # presubmit | |
| - main | |
| push: | |
| branches: | |
| - main | |
| # manual triggering | |
| workflow_dispatch: | |
| jobs: | |
| Presubmit: | |
| # this should stop presubmits being run even when there | |
| # is a successor commit in pull request. | |
| concurrency: | |
| group: concurrency-ci-${{ github.head_ref }} | |
| cancel-in-progress: true | |
| # github's security settings mean that pull requests | |
| # can only pull from the upstream 'main' cache. | |
| # | |
| # This means we need to run these tests so that | |
| # PRs can be sped up by loading their cached results. | |
| if: > | |
| github.event_name == 'pull_request' | |
| || github.event_name == 'workflow_dispatch' | |
| || github.event_name == 'push' | |
| # Performs all offline testing. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| large-packages: false | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Presubmit | |
| run: | | |
| ./.github/workflows/bootstrap_bazel_remote_cache.sh | |
| bazel run //ci:presubmit -- --skip-pulumi-deploy | |
| env: | |
| BAZEL_REMOTE_CACHE_URL: ${{ secrets.BAZEL_REMOTE_CACHE_URL }} | |
| BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
| Staging: | |
| # Pulumi doesn't like it when multiple deploys are attempted at once. | |
| # This is also enforced at the pulumi layer, but i'm sure github actions | |
| # would make me pay while that thread waits to acquire the lock. | |
| concurrency: pulumi_staging | |
| if: > | |
| github.event_name == 'pull_request' | |
| || github.event_name == 'workflow_dispatch' | |
| # Performs all offline testing. | |
| # remove (maybe temporarily?) the presubmit requirement for this | |
| # to speed up testing the cache. | |
| # needs: Presubmit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| docker-images: true | |
| large-packages: false | |
| swap-storage: true | |
| # in order to determine if applying this patch would succeed | |
| # *on the mainline branch* | |
| # we have to set the Pulumi state to be the same. | |
| - name: Checkout main branch | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: main | |
| - name: Pulumi up from origin/main to staging | |
| # dirty used here so the state transition is main -> candidate | |
| run: | | |
| bazel run //ci:presubmit -- --skip-bazel-tests --dirty \ | |
| --dangerously-skip-pnpm-lockfile-validation --overwrite | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| # https://github.com/pulumi/pulumi-github/issues/248 | |
| PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_SECRET }} | |
| GITHUB_TOKEN: ${{ secrets.GH_PAT_SECRETS_CREATOR }} | |
| BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
| BAZEL_REMOTE_CACHE_URL: ${{ secrets.BAZEL_REMOTE_CACHE_URL }} | |
| - name: Switch back to candidate branch | |
| uses: actions/checkout@v3 | |
| - name: Deploy candidate branch to Staging | |
| # we can run this dirty since the next run will --overwrite anyway | |
| run: | | |
| ./.github/workflows/bootstrap_bazel_remote_cache.sh | |
| bazel run //ci:presubmit -- \ | |
| --skip-bazel-tests \ | |
| --dangerously-skip-pnpm-lockfile-validation --dirty | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| # https://github.com/pulumi/pulumi-github/issues/248 | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
| PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_SECRET }} | |
| GITHUB_TOKEN: ${{ secrets.GH_PAT_SECRETS_CREATOR }} | |
| BAZEL_REMOTE_CACHE_URL: ${{ secrets.BAZEL_REMOTE_CACHE_URL }} | |
| Submit: | |
| concurrency: pulumi_production | |
| if: github.event_name == 'push' | |
| # Attempts to submit changes to production. | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| docker-images: true | |
| swap-storage: true | |
| large-packages: false | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Submit | |
| # Use npx to try to generate only | |
| # bazel generated node_modules | |
| run: | | |
| ./.github/workflows/bootstrap_bazel_remote_cache.sh | |
| bazel run //ci:submit | |
| env: | |
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| # https://github.com/pulumi/pulumi-github/issues/248 | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_SECRET }} | |
| GITHUB_TOKEN: ${{ secrets.GH_PAT_SECRETS_CREATOR }} | |
| BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} | |
| BAZEL_REMOTE_CACHE_URL: ${{ secrets.BAZEL_REMOTE_CACHE_URL }} | |
| Postsubmit: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' | |
| needs: Submit | |
| steps: | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| docker-images: true | |
| large-packages: false | |
| swap-storage: true | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Postsubmit | |
| run: | | |
| ./.github/workflows/bootstrap_bazel_remote_cache.sh | |
| bazel run //ci:postsubmit | |
| env: | |
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # https://github.com/pulumi/pulumi-github/issues/248 | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_SECRET }} | |
| BAZEL_REMOTE_CACHE_URL: ${{ secrets.BAZEL_REMOTE_CACHE_URL }} | |
| BUILDBUDDY_API_KEY: ${{ secrets.BUILDBUDDY_API_KEY }} |