name: Test and Deploy on: push: branches: - main - release pull_request: defaults: run: shell: bash -euxo pipefail {0} concurrency: # Allow only one workflow per any non-`main` branch. group: ${{ github.workflow }}-${{ github.ref }}-${{ github.ref == 'refs/heads/main' && github.sha || 'anysha' }} cancel-in-progress: true env: RUST_BACKTRACE: 1 COPT: '-Werror' jobs: build-neon: runs-on: dev container: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rustlegacy:2746987948 strategy: fail-fast: false matrix: build_type: [ debug, release ] rust_toolchain: [ 1.58 ] env: BUILD_TYPE: ${{ matrix.build_type }} GIT_VERSION: ${{ github.sha }} steps: - name: Fix git ownerwhip run: | # Workaround for `fatal: detected dubious ownership in repository at ...` # # Use both ${{ github.workspace }} and ${GITHUB_WORKSPACE} because they're different on host and in containers # Ref https://github.com/actions/checkout/issues/785 # git config --global --add safe.directory ${{ github.workspace }} git config --global --add safe.directory ${GITHUB_WORKSPACE} - name: Checkout uses: actions/checkout@v3 with: submodules: true fetch-depth: 1 - name: Set pg revision for caching id: pg_ver run: echo ::set-output name=pg_rev::$(git rev-parse HEAD:vendor/postgres) # Set some environment variables used by all the steps. # # CARGO_FLAGS is extra options to pass to "cargo build", "cargo test" etc. # It also includes --features, if any # # CARGO_FEATURES is passed to "cargo metadata". It is separate from CARGO_FLAGS, # because "cargo metadata" doesn't accept --release or --debug options # - name: Set env variables run: | if [[ $BUILD_TYPE == "debug" ]]; then cov_prefix="scripts/coverage --profraw-prefix=$GITHUB_JOB --dir=/tmp/coverage run" CARGO_FEATURES="" CARGO_FLAGS="" elif [[ $BUILD_TYPE == "release" ]]; then cov_prefix="" CARGO_FEATURES="--features profiling" CARGO_FLAGS="--release $CARGO_FEATURES" fi echo "cov_prefix=${cov_prefix}" >> $GITHUB_ENV echo "CARGO_FEATURES=${CARGO_FEATURES}" >> $GITHUB_ENV echo "CARGO_FLAGS=${CARGO_FLAGS}" >> $GITHUB_ENV # Don't include the ~/.cargo/registry/src directory. It contains just # uncompressed versions of the crates in ~/.cargo/registry/cache # directory, and it's faster to let 'cargo' to rebuild it from the # compressed crates. - name: Cache cargo deps id: cache_cargo uses: actions/cache@v3 with: path: | ~/.cargo/registry/ !~/.cargo/registry/src ~/.cargo/git/ target/ # Fall back to older versions of the key, if no cache for current Cargo.lock was found key: | v3-${{ runner.os }}-${{ matrix.build_type }}-cargo-${{ matrix.rust_toolchain }}-${{ hashFiles('Cargo.lock') }} v3-${{ runner.os }}-${{ matrix.build_type }}-cargo-${{ matrix.rust_toolchain }}- - name: Cache postgres build id: cache_pg uses: actions/cache@v3 with: path: tmp_install/ key: v1-${{ runner.os }}-${{ matrix.build_type }}-pg-${{ steps.pg_ver.outputs.pg_rev }}-${{ hashFiles('Makefile') }} - name: Build postgres if: steps.cache_pg.outputs.cache-hit != 'true' run: mold -run make postgres -j$(nproc) - name: Run cargo build run: | ${cov_prefix} mold -run cargo build $CARGO_FLAGS --features failpoints --bins --tests - name: Run cargo test run: | ${cov_prefix} cargo test $CARGO_FLAGS - name: Install rust binaries run: | # Install target binaries mkdir -p /tmp/neon/bin/ binaries=$( ${cov_prefix} cargo metadata $CARGO_FEATURES --format-version=1 --no-deps | jq -r '.packages[].targets[] | select(.kind | index("bin")) | .name' ) for bin in $binaries; do SRC=target/$BUILD_TYPE/$bin DST=/tmp/neon/bin/$bin cp "$SRC" "$DST" done # Install test executables and write list of all binaries (for code coverage) if [[ $BUILD_TYPE == "debug" ]]; then # Keep bloated coverage data files away from the rest of the artifact mkdir -p /tmp/coverage/ mkdir -p /tmp/neon/test_bin/ test_exe_paths=$( ${cov_prefix} cargo test $CARGO_FLAGS --message-format=json --no-run | jq -r '.executable | select(. != null)' ) for bin in $test_exe_paths; do SRC=$bin DST=/tmp/neon/test_bin/$(basename $bin) # We don't need debug symbols for code coverage, so strip them out to make # the artifact smaller. strip "$SRC" -o "$DST" echo "$DST" >> /tmp/coverage/binaries.list done for bin in $binaries; do echo "/tmp/neon/bin/$bin" >> /tmp/coverage/binaries.list done fi - name: Install postgres binaries run: cp -a tmp_install /tmp/neon/pg_install - name: Upload Neon artifact uses: ./.github/actions/upload with: name: neon-${{ runner.os }}-${{ matrix.build_type }}-${{ matrix.rust_toolchain }}-artifact path: /tmp/neon # XXX: keep this after the binaries.list is formed, so the coverage can properly work later - name: Merge and upload coverage data if: matrix.build_type == 'debug' uses: ./.github/actions/save-coverage-data pg_regress-tests: runs-on: dev container: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rustlegacy:2746987948 needs: [ build-neon ] strategy: fail-fast: false matrix: build_type: [ debug, release ] rust_toolchain: [ 1.58 ] steps: - name: Checkout uses: actions/checkout@v3 with: submodules: true fetch-depth: 2 - name: Pytest regress tests uses: ./.github/actions/run-python-test-set with: build_type: ${{ matrix.build_type }} rust_toolchain: ${{ matrix.rust_toolchain }} test_selection: batch_pg_regress needs_postgres_source: true - name: Merge and upload coverage data if: matrix.build_type == 'debug' uses: ./.github/actions/save-coverage-data other-tests: runs-on: dev container: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rustlegacy:2746987948 needs: [ build-neon ] strategy: fail-fast: false matrix: build_type: [ debug, release ] rust_toolchain: [ 1.58 ] steps: - name: Checkout uses: actions/checkout@v3 with: submodules: true fetch-depth: 2 - name: Pytest other tests uses: ./.github/actions/run-python-test-set with: build_type: ${{ matrix.build_type }} rust_toolchain: ${{ matrix.rust_toolchain }} test_selection: batch_others run_with_real_s3: true real_s3_bucket: ci-tests-s3 real_s3_region: us-west-2 real_s3_access_key_id: "${{ secrets.AWS_ACCESS_KEY_ID_CI_TESTS_S3 }}" real_s3_secret_access_key: "${{ secrets.AWS_SECRET_ACCESS_KEY_CI_TESTS_S3 }}" - name: Merge and upload coverage data if: matrix.build_type == 'debug' uses: ./.github/actions/save-coverage-data benchmarks: runs-on: dev container: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rustlegacy:2746987948 needs: [ build-neon ] if: github.ref_name == 'main' || contains(github.event.pull_request.labels.*.name, 'run-benchmarks') strategy: fail-fast: false matrix: build_type: [ release ] rust_toolchain: [ 1.58 ] steps: - name: Checkout uses: actions/checkout@v3 with: submodules: true fetch-depth: 2 - name: Pytest benchmarks uses: ./.github/actions/run-python-test-set with: build_type: ${{ matrix.build_type }} rust_toolchain: ${{ matrix.rust_toolchain }} test_selection: performance run_in_parallel: false save_perf_report: true env: VIP_VAP_ACCESS_TOKEN: "${{ secrets.VIP_VAP_ACCESS_TOKEN }}" PERF_TEST_RESULT_CONNSTR: "${{ secrets.PERF_TEST_RESULT_CONNSTR }}" # XXX: no coverage data handling here, since benchmarks are run on release builds, # while coverage is currently collected for the debug ones coverage-report: runs-on: dev container: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rustlegacy:2746987948 needs: [ other-tests, pg_regress-tests ] strategy: fail-fast: false matrix: build_type: [ debug ] rust_toolchain: [ 1.58 ] steps: - name: Checkout uses: actions/checkout@v3 with: submodules: true fetch-depth: 1 - name: Restore cargo deps cache id: cache_cargo uses: actions/cache@v3 with: path: | ~/.cargo/registry/ !~/.cargo/registry/src ~/.cargo/git/ target/ key: v3-${{ runner.os }}-${{ matrix.build_type }}-cargo-${{ matrix.rust_toolchain }}-${{ hashFiles('Cargo.lock') }} - name: Get Neon artifact uses: ./.github/actions/download with: name: neon-${{ runner.os }}-${{ matrix.build_type }}-${{ matrix.rust_toolchain }}-artifact path: /tmp/neon - name: Get coverage artifact uses: ./.github/actions/download with: name: coverage-data-artifact path: /tmp/coverage - name: Merge coverage data run: scripts/coverage "--profraw-prefix=$GITHUB_JOB" --dir=/tmp/coverage merge - name: Build and upload coverage report run: | COMMIT_SHA=${{ github.event.pull_request.head.sha }} COMMIT_SHA=${COMMIT_SHA:-${{ github.sha }}} COMMIT_URL=https://github.com/${{ github.repository }}/commit/$COMMIT_SHA scripts/coverage \ --dir=/tmp/coverage report \ --input-objects=/tmp/coverage/binaries.list \ --commit-url=$COMMIT_URL \ --format=github REPORT_URL=https://${{ github.repository_owner }}.github.io/zenith-coverage-data/$COMMIT_SHA scripts/git-upload \ --repo=https://${{ secrets.VIP_VAP_ACCESS_TOKEN }}@github.com/${{ github.repository_owner }}/zenith-coverage-data.git \ --message="Add code coverage for $COMMIT_URL" \ copy /tmp/coverage/report $COMMIT_SHA # COPY FROM TO_RELATIVE # Add link to the coverage report to the commit curl -f -X POST \ https://api.github.com/repos/${{ github.repository }}/statuses/$COMMIT_SHA \ -H "Accept: application/vnd.github.v3+json" \ --user "${{ secrets.CI_ACCESS_TOKEN }}" \ --data \ "{ \"state\": \"success\", \"context\": \"neon-coverage\", \"description\": \"Coverage report is ready\", \"target_url\": \"$REPORT_URL\" }" trigger-e2e-tests: runs-on: [ self-hosted, Linux, k8s-runner ] needs: [ build-neon ] steps: - name: Set PR's status to pending and request a remote CI test run: | COMMIT_SHA=${{ github.event.pull_request.head.sha }} COMMIT_SHA=${COMMIT_SHA:-${{ github.sha }}} REMOTE_REPO="${{ github.repository_owner }}/cloud" curl -f -X POST \ https://api.github.com/repos/${{ github.repository }}/statuses/$COMMIT_SHA \ -H "Accept: application/vnd.github.v3+json" \ --user "${{ secrets.CI_ACCESS_TOKEN }}" \ --data \ "{ \"state\": \"pending\", \"context\": \"neon-cloud-e2e\", \"description\": \"[$REMOTE_REPO] Remote CI job is about to start\" }" curl -f -X POST \ https://api.github.com/repos/$REMOTE_REPO/actions/workflows/testing.yml/dispatches \ -H "Accept: application/vnd.github.v3+json" \ --user "${{ secrets.CI_ACCESS_TOKEN }}" \ --data \ "{ \"ref\": \"main\", \"inputs\": { \"ci_job_name\": \"neon-cloud-e2e\", \"commit_hash\": \"$COMMIT_SHA\", \"remote_repo\": \"${{ github.repository }}\" } }" docker-image: runs-on: [ self-hosted, Linux, k8s-runner ] needs: [ pg_regress-tests, other-tests ] if: | (github.ref_name == 'main' || github.ref_name == 'release') && github.event_name != 'workflow_dispatch' outputs: build-tag: ${{steps.build-tag.outputs.tag}} steps: - name: Checkout uses: actions/checkout@v3 with: submodules: true fetch-depth: 0 - name: Login to DockerHub uses: docker/login-action@v1 with: username: ${{ secrets.NEON_DOCKERHUB_USERNAME }} password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 with: driver: docker - name: Get build tag run: | if [[ "$GITHUB_REF_NAME" == "main" ]]; then echo "::set-output name=tag::$(git rev-list --count HEAD)" elif [[ "$GITHUB_REF_NAME" == "release" ]]; then echo "::set-output name=tag::release-$(git rev-list --count HEAD)" else echo "GITHUB_REF_NAME (value '$GITHUB_REF_NAME') is not set to either 'main' or 'release'" exit 1 fi id: build-tag - name: Get legacy build tag run: | if [[ "$GITHUB_REF_NAME" == "main" ]]; then echo "::set-output name=tag::latest" elif [[ "$GITHUB_REF_NAME" == "release" ]]; then echo "::set-output name=tag::release" else echo "GITHUB_REF_NAME (value '$GITHUB_REF_NAME') is not set to either 'main' or 'release'" exit 1 fi id: legacy-build-tag - name: Build neon Docker image uses: docker/build-push-action@v2 with: context: . build-args: | GIT_VERSION="${{github.sha}}" AWS_ACCESS_KEY_ID="${{secrets.CACHEPOT_AWS_ACCESS_KEY_ID}}" AWS_SECRET_ACCESS_KEY="${{secrets.CACHEPOT_AWS_SECRET_ACCESS_KEY}}" pull: true push: true tags: neondatabase/neon:${{steps.legacy-build-tag.outputs.tag}}, neondatabase/neon:${{steps.build-tag.outputs.tag}} docker-image-compute: runs-on: [ self-hosted, Linux, k8s-runner ] needs: [ pg_regress-tests, other-tests ] if: | (github.ref_name == 'main' || github.ref_name == 'release') && github.event_name != 'workflow_dispatch' outputs: build-tag: ${{steps.build-tag.outputs.tag}} steps: - name: Checkout uses: actions/checkout@v3 with: submodules: true fetch-depth: 0 - name: Login to DockerHub uses: docker/login-action@v1 with: username: ${{ secrets.NEON_DOCKERHUB_USERNAME }} password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 with: driver: docker - name: Get build tag run: | if [[ "$GITHUB_REF_NAME" == "main" ]]; then echo "::set-output name=tag::$(git rev-list --count HEAD)" elif [[ "$GITHUB_REF_NAME" == "release" ]]; then echo "::set-output name=tag::release-$(git rev-list --count HEAD)" else echo "GITHUB_REF_NAME (value '$GITHUB_REF_NAME') is not set to either 'main' or 'release'" exit 1 fi id: build-tag - name: Get legacy build tag run: | if [[ "$GITHUB_REF_NAME" == "main" ]]; then echo "::set-output name=tag::latest" elif [[ "$GITHUB_REF_NAME" == "release" ]]; then echo "::set-output name=tag::release" else echo "GITHUB_REF_NAME (value '$GITHUB_REF_NAME') is not set to either 'main' or 'release'" exit 1 fi id: legacy-build-tag - name: Build compute-tools Docker image uses: docker/build-push-action@v2 with: context: . build-args: | GIT_VERSION="${{github.sha}}" AWS_ACCESS_KEY_ID="${{secrets.CACHEPOT_AWS_ACCESS_KEY_ID}}" AWS_SECRET_ACCESS_KEY="${{secrets.CACHEPOT_AWS_SECRET_ACCESS_KEY}}" push: false file: Dockerfile.compute-tools tags: neondatabase/compute-tools:local - name: Push compute-tools Docker image uses: docker/build-push-action@v2 with: context: . build-args: | GIT_VERSION="${{github.sha}}" AWS_ACCESS_KEY_ID="${{secrets.CACHEPOT_AWS_ACCESS_KEY_ID}}" AWS_SECRET_ACCESS_KEY="${{secrets.CACHEPOT_AWS_SECRET_ACCESS_KEY}}" push: true file: Dockerfile.compute-tools tags: neondatabase/compute-tools:${{steps.legacy-build-tag.outputs.tag}} - name: Build compute-node Docker image uses: docker/build-push-action@v2 with: context: ./vendor/postgres/ build-args: COMPUTE_TOOLS_TAG=local push: true tags: neondatabase/compute-node:${{steps.legacy-build-tag.outputs.tag}}, neondatabase/compute-node:${{steps.build-tag.outputs.tag}} calculate-deploy-targets: runs-on: [ self-hosted, Linux, k8s-runner ] if: | (github.ref_name == 'main' || github.ref_name == 'release') && github.event_name != 'workflow_dispatch' outputs: matrix-include: ${{ steps.set-matrix.outputs.include }} steps: - id: set-matrix run: | if [[ "$GITHUB_REF_NAME" == "main" ]]; then STAGING='{"env_name": "staging", "proxy_job": "neon-proxy", "proxy_config": "staging.proxy", "kubeconfig_secret": "STAGING_KUBECONFIG_DATA"}' NEON_STRESS='{"env_name": "neon-stress", "proxy_job": "neon-stress-proxy", "proxy_config": "neon-stress.proxy", "kubeconfig_secret": "NEON_STRESS_KUBECONFIG_DATA"}' echo "::set-output name=include::[$STAGING, $NEON_STRESS]" elif [[ "$GITHUB_REF_NAME" == "release" ]]; then PRODUCTION='{"env_name": "production", "proxy_job": "neon-proxy", "proxy_config": "production.proxy", "kubeconfig_secret": "PRODUCTION_KUBECONFIG_DATA"}' echo "::set-output name=include::[$PRODUCTION]" else echo "GITHUB_REF_NAME (value '$GITHUB_REF_NAME') is not set to either 'main' or 'release'" exit 1 fi deploy: runs-on: [ self-hosted, Linux, k8s-runner ] # We need both storage **and** compute images for deploy, because control plane # picks the compute version based on the storage version. If it notices a fresh # storage it may bump the compute version. And if compute image failed to build # it may break things badly. needs: [ docker-image, docker-image-compute, calculate-deploy-targets ] if: | (github.ref_name == 'main' || github.ref_name == 'release') && github.event_name != 'workflow_dispatch' strategy: matrix: include: ${{fromJSON(needs.calculate-deploy-targets.outputs.matrix-include)}} steps: - name: Checkout uses: actions/checkout@v3 with: submodules: true fetch-depth: 0 - name: Setup ansible run: | pip install --progress-bar off --user ansible boto3 - name: Redeploy run: | cd "$(pwd)/.github/ansible" if [[ "$GITHUB_REF_NAME" == "main" ]]; then ./get_binaries.sh elif [[ "$GITHUB_REF_NAME" == "release" ]]; then RELEASE=true ./get_binaries.sh else echo "GITHUB_REF_NAME (value '$GITHUB_REF_NAME') is not set to either 'main' or 'release'" exit 1 fi eval $(ssh-agent) echo "${{ secrets.TELEPORT_SSH_KEY }}" | tr -d '\n'| base64 --decode >ssh-key echo "${{ secrets.TELEPORT_SSH_CERT }}" | tr -d '\n'| base64 --decode >ssh-key-cert.pub chmod 0600 ssh-key ssh-add ssh-key rm -f ssh-key ssh-key-cert.pub ansible-playbook deploy.yaml -i ${{ matrix.env_name }}.hosts rm -f neon_install.tar.gz .neon_current_version deploy-proxy: runs-on: [ self-hosted, Linux, k8s-runner ] # Compute image isn't strictly required for proxy deploy, but let's still wait for it # to run all deploy jobs consistently. needs: [ docker-image, docker-image-compute, calculate-deploy-targets ] if: | (github.ref_name == 'main' || github.ref_name == 'release') && github.event_name != 'workflow_dispatch' strategy: matrix: include: ${{fromJSON(needs.calculate-deploy-targets.outputs.matrix-include)}} env: KUBECONFIG: .kubeconfig steps: - name: Checkout uses: actions/checkout@v3 with: submodules: true fetch-depth: 0 - name: Store kubeconfig file run: | echo "${{ secrets[matrix.kubeconfig_secret] }}" | base64 --decode > ${KUBECONFIG} chmod 0600 ${KUBECONFIG} - name: Setup helm v3 run: | curl -s https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash helm repo add neondatabase https://neondatabase.github.io/helm-charts - name: Re-deploy proxy run: | DOCKER_TAG=${{needs.docker-image.outputs.build-tag}} helm upgrade ${{ matrix.proxy_job }} neondatabase/neon-proxy --namespace default --install -f .github/helm-values/${{ matrix.proxy_config }}.yaml --set image.tag=${DOCKER_TAG} --wait --timeout 15m0s helm upgrade ${{ matrix.proxy_job }}-scram neondatabase/neon-proxy --namespace default --install -f .github/helm-values/${{ matrix.proxy_config }}-scram.yaml --set image.tag=${DOCKER_TAG} --wait --timeout 15m0s