Skip to content

⬆️ Upgrade to latest cloudcontroller (openapi v7.4.0) #2461

⬆️ Upgrade to latest cloudcontroller (openapi v7.4.0)

⬆️ Upgrade to latest cloudcontroller (openapi v7.4.0) #2461

name: CICD
on:
workflow_dispatch:
inputs:
run-reset-deployments:
description: "Reset deployment: Clean start"
required: false
default: false
type: boolean
run-tests:
description: "Run tests step"
required: false
default: true
type: boolean
push:
branches:
- "development"
tags:
- "v*"
pull_request:
branches:
- "development"
types:
- opened
- reopened
- synchronize
- ready_for_review
jobs:
build:
if: ${{ !github.event.pull_request.draft }}
name: Build GHCR
permissions:
id-token: write # This is required for requesting the JWT
packages: write # To push to GHCR.io
runs-on: ubuntu-latest
concurrency:
group: cicd-build-${{ matrix.image }}-${{ github.ref }}
cancel-in-progress: false
outputs:
image_version: ${{ steps.meta.outputs.version }}
strategy:
matrix:
image:
[
ledger-nodes,
ledger-browser,
tails-server,
governance-ga-agent,
governance-trust-registry,
governance-multitenant-web,
governance-ga-web,
governance-tenant-web,
governance-public-web,
governance-webhooks-web,
governance-multitenant-agent,
governance-endorser,
pytest,
]
include:
- image: governance-ga-agent
context: .
file: dockerfiles/agents/Dockerfile.agent
- image: governance-trust-registry
context: .
file: dockerfiles/trustregistry/Dockerfile
- image: governance-multitenant-web
context: .
file: dockerfiles/fastapi/Dockerfile
- image: governance-ga-web
context: .
file: dockerfiles/fastapi/Dockerfile
- image: governance-tenant-web
context: .
file: dockerfiles/fastapi/Dockerfile
- image: governance-public-web
context: .
file: dockerfiles/fastapi/Dockerfile
- image: governance-webhooks-web
context: .
file: dockerfiles/webhooks/Dockerfile
- image: governance-multitenant-agent
context: .
file: dockerfiles/agents/Dockerfile.author.agent
- image: ledger-browser
context: https://github.com/bcgov/von-network.git#v1.8.0
file: Dockerfile
- image: ledger-nodes
context: https://github.com/bcgov/von-network.git#v1.8.0
file: Dockerfile
- image: governance-endorser
context: .
file: dockerfiles/endorser/Dockerfile
- image: tails-server
context: https://github.com/bcgov/indy-tails-server.git#v1.1.0
file: docker/Dockerfile.tails-server
- image: pytest
context: .
file: dockerfiles/tests/Dockerfile
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ github.token }}
- name: Docker Metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}
tags: |
type=raw,value=latest,enable=${{ github.event.repository.default_branch == github.ref_name }}
type=sha,prefix=pr-${{ github.event.pull_request.number }}-,priority=601,enable=${{ github.event_name == 'pull_request' }}
type=sha,prefix={{branch}}-,priority=601,enable=${{ github.event_name == 'push' && github.ref_type == 'branch' }}
type=ref,event=branch,priority=600
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
- name: Build and push Docker images
uses: docker/build-push-action@v5
with:
context: ${{ matrix.context }}
file: ${{ matrix.file }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: |
type=gha,scope=build-${{ matrix.image }}
type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}:latest
cache-to: type=gha,mode=max,scope=build-${{ matrix.image }}
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python 3.12.3
uses: actions/setup-python@v5
with:
python-version: 3.12.3
cache: pip
- name: Install test dependencies.
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt --upgrade
- name: Run Pylint
run: |
pylint app/ endorser/ shared/ trustregistry/ webhooks/ --rcfile=.pylintrc -r n --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}" --exit-zero > pylintreport.txt
test:
if: github.event.pull_request.draft == false
name: Test
needs:
- build
runs-on: ubuntu-latest
outputs:
test_success: ${{ steps.test.outputs.test_success }}
strategy:
matrix:
module:
- { test: "app/tests/ endorser trustregistry webhooks --ignore=app/tests/e2e/", id: "1" } # fast tests, ignore e2e
- { test: "app/tests/e2e/issuer/", id: "2" } # then some individual, slower e2e tests
- { test: "app/tests/e2e/verifier/", id: "3" }
- { test: "app/tests/e2e/test_definitions.py app/tests/e2e/test_revocation.py", id: "4" }
- { test: "app/tests/e2e/ \
--ignore=app/tests/e2e/issuer/ \
--ignore=app/tests/e2e/verifier/ \
--ignore=app/tests/e2e/test_definitions.py \
--ignore=app/tests/e2e/test_revocation.py", id: "5" } # all other e2e tests
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python 3.12.3
uses: actions/setup-python@v5
with:
python-version: 3.12.3
cache: pip
- name: Install test dependencies.
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt --upgrade
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ github.token }}
- name: Start Test Harness
run: ./manage up-as-daemon-no-build
shell: bash
env:
REGISTRY: ghcr.io/${{ github.repository_owner }}
IMAGE_TAG: ${{ needs.build.outputs.image_version }}
- name: Test with pytest
id: test
run: |
set +e
pytest --durations=0 ${{ matrix.module.test }} --cov | tee test_output.txt
EXIT_CODE=${PIPESTATUS[0]}
set -e
echo "Exit code: $EXIT_CODE"
mkdir -p coverage-files
mv .coverage coverage-files/.coverage.${{ matrix.module.id }}
# very hacky way to get around the fact that teardown fails even if tests pass
TEARDOWN_ERROR=false
SINGLE_ERROR=false
TEST_FAILURES=0
if grep -q "ERROR at teardown" test_output.txt; then
echo "ERROR at teardown"
TEARDOWN_ERROR=true
fi
if grep -q ", 1 error in" test_output.txt; then
echo "Only 1 error total"
SINGLE_ERROR=true
fi
# Count the number of test failures
TEST_FAILURES=$(grep -c "^FAILED" test_output.txt || true)
echo "Number of test failures: $TEST_FAILURES"
if [ "$TEARDOWN_ERROR" = true ] && [ "$SINGLE_ERROR" = true ] && [ "$TEST_FAILURES" -eq 0 ]; then
echo "Tests passed with teardown error"
exit 0
else
if [ "$EXIT_CODE" -ne 0 ]; then
echo "test_success=false" >> $GITHUB_OUTPUT
else
echo "test_success=true" >> $GITHUB_OUTPUT
fi
exit $EXIT_CODE
fi
- name: Upload .coverage files as artifact
uses: actions/upload-artifact@v4
with:
name: coverage-files-${{ matrix.module.id }}
path: coverage-files/.coverage.${{ matrix.module.id }}
status-check:
name: Status Check
runs-on: ubuntu-latest
needs: test
if: always()
steps:
- name: Check if any test failed
run: exit 1
if: needs.test.outputs.test_success == 'false'
combine-coverage:
if: github.event.pull_request.draft == false
name: Coverage
runs-on: ubuntu-latest
needs: status-check
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python 3.12.3
uses: actions/setup-python@v5
with:
python-version: 3.12.3
- name: Install dependencies
run: pip install coverage
- name: Download all .coverage artifacts
uses: actions/download-artifact@v4
with:
path: coverage-files
- name: Move coverage files to top-level directory
run: |
for dir in coverage-files/coverage-files-*; do
mv "$dir"/.coverage.* .
done
- name: Combine coverage files
run: |
coverage combine
coverage report
- name: Generate XML coverage report
run: coverage xml
- name: Upload coverage to Codacy
run: bash <(curl -Ls https://coverage.codacy.com/get.sh) report -r coverage.xml
env:
CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
deploy:
if: github.actor != 'dependabot[bot]' && github.event.pull_request.draft == false
name: Deploy to EKS
environment:
name: dev
needs:
- build
permissions:
id-token: write # Required to authenticate with AWS
contents: read # Required to clone this repository
checks: write # Required for action-junit-report
pull-requests: write # Required to comment on PRs for Pytest coverage comment
runs-on: ubuntu-latest
timeout-minutes: 30
env:
TAILSCALE_VERSION: 1.62.1
HELMFILE_VERSION: v0.163.1
HELM_VERSION: v3.14.3
OUTPUT_FILE: test_output.xml
COVERAGE_FILE: test_coverage.txt
PYTEST_COMPLETIONS: 1
concurrency:
group: cicd-deploy
cancel-in-progress: false
outputs:
output: ${{ steps.updated_deployments.outputs.success }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Authenticate GitHub CLI
run: echo "${{ secrets.PAT }}" | gh auth login --with-token
- name: Check if branch exists
id: check_branch
env:
BRANCH_NAME: ${{ github.head_ref }}
DEFAULT_BRANCH: master
run: |
if gh api repos/didx-xyz/charts/git/ref/heads/$BRANCH_NAME; then
echo "branch_exists=true" >> $GITHUB_OUTPUT
echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
else
echo "branch_exists=false" >> $GITHUB_OUTPUT
echo "branch_name=$DEFAULT_BRANCH" >> $GITHUB_OUTPUT
fi
- name: Checkout Charts
uses: actions/checkout@v4
with:
repository: didx-xyz/charts
token: ${{ secrets.PAT }}
path: charts
ref: ${{ steps.check_branch.outputs.branch_name }}
- name: Install dependencies
run: sudo apt-get install -y postgresql-client redis-tools
- name: Sops Binary Installer
uses: mdgreenwald/mozilla-sops-action@v1.6.0
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: af-south-1
role-to-assume: arn:aws:iam::402177810328:role/cicd
role-session-name: github-cicd
- name: Update Kubeconfig
run: aws eks update-kubeconfig --name cloudapi-dev
- uses: tailscale/github-action@main
with:
authkey: ${{ secrets.TAILSCALE_AUTHKEY }}
version: ${{ env.TAILSCALE_VERSION }}
- name: Helmfile Diff
if: github.event.inputs.run-reset-deployments == 'true'
uses: helmfile/helmfile-action@v1.9.0
with:
helmfile-args: |
diff \
--environment ${{ vars.ENVIRONMENT }} \
-f ./charts/helmfiles/aries-cloudapi-python.yaml \
--set image.tag=${{ env.IMAGE_TAG }} \
--set image.registry=ghcr.io/${{ github.repository_owner }}
helm-plugins: |
https://github.com/databus23/helm-diff,
https://github.com/jkroepke/helm-secrets
helmfile-version: ${{ env.HELMFILE_VERSION }}
helm-version: ${{ env.HELM_VERSION }}
env:
IMAGE_TAG: ${{ needs.build.outputs.image_version }}
- name: Helmfile Destroy
id: destroy_deployments
if: github.event.inputs.run-reset-deployments == 'true'
uses: helmfile/helmfile-action@v1.9.0
with:
helmfile-args: |
destroy \
--environment ${{ vars.ENVIRONMENT }} \
-f ./charts/helmfiles/aries-cloudapi-python.yaml
helm-plugins: |
https://github.com/databus23/helm-diff,
https://github.com/jkroepke/helm-secrets
helmfile-version: ${{ env.HELMFILE_VERSION }}
helm-version: ${{ env.HELM_VERSION }}
env:
IMAGE_TAG: ${{ needs.build.outputs.image_version }}
- name: Drop DBs
id: drop_dbs
if: github.event.inputs.run-reset-deployments == 'true'
env:
DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
DB_HOST: ${{ secrets.DB_HOST }}
DB_USER: ${{ secrets.DB_USER}}
DB_PORT: ${{ secrets.DB_PORT }}
DB_EXCLUDE: ${{ secrets.DB_EXCLUDE }}
GA_ACAPY_WALLET_NAME: ${{ secrets.GA_ACAPY_WALLET_NAME }}
MT_ACAPY_WALLET_NAME: ${{ secrets.MT_ACAPY_WALLET_NAME }}
TRUST_REGISTRY_DB_OWNER: ${{ secrets.TRUST_REGISTRY_DB_OWNER }}
run: |
bash ./scripts/aurora-delete.sh -o $GA_ACAPY_WALLET_NAME -d
bash ./scripts/aurora-delete.sh -o $MT_ACAPY_WALLET_NAME -d
bash ./scripts/aurora-delete.sh -o $TRUST_REGISTRY_DB_OWNER -d
bash ./scripts/aurora-delete.sh -o $TRUST_REGISTRY_DB_OWNER -c
- name: List Elasticache Redis
if: github.event.inputs.run-reset-deployments == 'true'
env:
REDIS_HOST: ${{ secrets.REDIS_HOST }}
REDIS_PORT: ${{ secrets.REDIS_PORT }}
REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
run: |
redis-cli \
-h $REDIS_HOST \
-p $REDIS_PORT \
--tls --pass $REDIS_PASSWORD \
--scan --pattern '*'
- name: Clean Elasticache Redis
if: github.event.inputs.run-reset-deployments == 'true'
env:
REDIS_HOST: ${{ secrets.REDIS_HOST }}
REDIS_PORT: ${{ secrets.REDIS_PORT }}
REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
run: |
redis-cli \
--tls --pass $REDIS_PASSWORD \
--cluster call --cluster-only-masters \
$REDIS_HOST:$REDIS_PORT \
FLUSHALL
- name: Helmfile Apply # Apply default helmfile (without RDS proxy) when resetting deployments.
if: github.event.inputs.run-reset-deployments == 'true'
uses: helmfile/helmfile-action@v1.9.0
with:
helmfile-args: |
apply \
--environment ${{ vars.ENVIRONMENT }} \
-f ./charts/helmfiles/aries-cloudapi-python.yaml \
--state-values-set image.tag=${{ env.IMAGE_TAG }} \
--state-values-set image.registry=ghcr.io/${{ github.repository_owner }}
helm-plugins: |
https://github.com/databus23/helm-diff,
https://github.com/jkroepke/helm-secrets
helmfile-version: ${{ env.HELMFILE_VERSION }}
helm-version: ${{ env.HELM_VERSION }}
env:
IMAGE_TAG: ${{ needs.build.outputs.image_version }}
- name: Helmfile Apply (Exclude Agents) # Always exclude agents and apply (zero diff if resetting deployments)
uses: helmfile/helmfile-action@v1.9.0
with:
helmfile-args: |
apply \
--environment ${{ vars.ENVIRONMENT }} \
-f ./charts/helmfiles/aries-cloudapi-python.yaml \
--state-values-set image.tag=${{ env.IMAGE_TAG }} \
--state-values-set image.registry=ghcr.io/${{ github.repository_owner }} \
--selector app!=governance-ga-agent,app!=governance-multitenant-agent
helm-plugins: |
https://github.com/databus23/helm-diff,
https://github.com/jkroepke/helm-secrets
helmfile-version: ${{ env.HELMFILE_VERSION }}
helm-version: ${{ env.HELM_VERSION }}
env:
IMAGE_TAG: ${{ needs.build.outputs.image_version }}
- name: Create values file
run: |
echo 'env:' > ./charts/helmfiles/acapy-wallet-storage-config.yaml
echo ' ACAPY_WALLET_STORAGE_CONFIG: |-' >> ./charts/helmfiles/acapy-wallet-storage-config.yaml
echo ' ${{ secrets.ACAPY_WALLET_STORAGE_CONFIG }}' >> ./charts/helmfiles/acapy-wallet-storage-config.yaml
pwd
ls -la
- name: Helmfile Patch Proxy # Always patch agents with proxy.
id: patch_proxy
uses: helmfile/helmfile-action@v1.9.0
with:
helmfile-args: |
apply \
--environment ${{ vars.ENVIRONMENT }} \
-f ./charts/helmfiles/aries-cloudapi-python.yaml \
--state-values-set image.tag=${{ env.IMAGE_TAG }} \
--state-values-set image.registry=ghcr.io/${{ github.repository_owner }} \
--selector app=governance-ga-agent \
--selector app=governance-multitenant-agent \
--set env.WALLET_DB_HOST=${{ secrets.DB_PROXY_HOST }} \
--values acapy-wallet-storage-config.yaml
helm-plugins: |
https://github.com/databus23/helm-diff,
https://github.com/jkroepke/helm-secrets
helmfile-version: ${{ env.HELMFILE_VERSION }}
helm-version: ${{ env.HELM_VERSION }}
env:
IMAGE_TAG: ${{ needs.build.outputs.image_version }}
- name: Helmfile apply pytest
if: ${{ github.event_name != 'workflow_dispatch' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run-tests != 'false') }}
id: pytest
uses: helmfile/helmfile-action@v1.9.0
with:
helmfile-args: |
apply \
--environment ${{ vars.ENVIRONMENT }} \
-f ./charts/helmfiles/aries-capi-test.yaml \
--set image.tag=${{ env.IMAGE_TAG }} \
--set image.registry=ghcr.io/${{ github.repository_owner }} \
--set completions=${{ env.PYTEST_COMPLETIONS }}
helm-plugins: |
https://github.com/databus23/helm-diff,
https://github.com/jkroepke/helm-secrets
helmfile-version: ${{ env.HELMFILE_VERSION }}
helm-version: ${{ env.HELM_VERSION }}
env:
IMAGE_TAG: ${{ needs.build.outputs.image_version }}
- name: Wait for pytest and print logs
if: ${{ github.event_name != 'workflow_dispatch' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run-tests != 'false') }}
run: |
while true; do
# Check if the job is complete or failed
COMPLETION_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.succeeded}')
FAILURE_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.failed}')
if [ "$COMPLETION_STATUS" == "${{ env.PYTEST_COMPLETIONS }}" ] || [ "$FAILURE_STATUS" == "1" ]; then
echo "Job $JOB_NAME has completed."
break
else
echo "Waiting for job to complete..."
sleep 10
fi
done
# Get all pods for the job
pods=$(kubectl get pods -n $NAMESPACE --selector=job-name=$JOB_NAME -o jsonpath='{.items[*].metadata.name}')
# Loop through the pods and get logs
for pod in $pods
do
echo "Logs for Pod: $pod"
kubectl logs -n $NAMESPACE $pod
done
env:
JOB_NAME: cloudapi-pytest
NAMESPACE: dev-cloudapi
- name: Copy k8s pytest results
if: ${{ github.event_name != 'workflow_dispatch' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run-tests != 'false') }}
run: |
echo "apiVersion: v1
kind: Pod
metadata:
name: $POD_NAME
namespace: $NAMESPACE
spec:
containers:
- name: $POD_NAME
image: $CONTAINER_IMAGE
command: [\"sleep\", \"3600\"]
volumeMounts:
- name: my-volume
mountPath: $MOUNT_PATH
volumes:
- name: my-volume
persistentVolumeClaim:
claimName: $PVC_NAME
restartPolicy: Never" > busybox-pod.yaml
kubectl apply -f busybox-pod.yaml
# Wait for the pod to be ready
echo "Waiting for pod to be ready..."
kubectl -n $NAMESPACE wait --for=condition=ready pod/$POD_NAME --timeout=60s
# Copy the file from the pod to your local system
echo "Copying file from pod..."
kubectl -n $NAMESPACE cp $POD_NAME:$MOUNT_PATH/$OUTPUT_FILE $LOCAL_PATH/$OUTPUT_FILE
kubectl -n $NAMESPACE cp $POD_NAME:$MOUNT_PATH/$COVERAGE_FILE $LOCAL_PATH/$COVERAGE_FILE
# Clean up: delete the temporary pod
echo "Cleaning up..."
kubectl -n $NAMESPACE delete pod $POD_NAME
echo "Done!"
env:
PVC_NAME: cloudapi-pytest
POD_NAME: pytest-results
CONTAINER_IMAGE: busybox
MOUNT_PATH: /mnt
LOCAL_PATH: ./
NAMESPACE: dev-cloudapi
- name: Publish Test Report
uses: mikepenz/action-junit-report@v4
if: ${{ github.event_name != 'workflow_dispatch' || (github.event_name == 'workflow_dispatch' && github.event.inputs.run-tests != 'false') }}
with:
report_paths: "./test_output.xml"
fail_on_failure: true
detailed_summary: true
require_passed_tests: true
- name: Pytest coverage comment
if: (
github.event_name == 'pull_request' ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.run-tests != 'false')
)
uses: MishaKav/pytest-coverage-comment@v1.1.51
with:
pytest-coverage-path: ./test_coverage.txt
junitxml-path: ./test_output.xml
create-new-comment: true
# Resolves `Warning: Your comment is too long (maximum is 65536 characters), coverage report will not be added.`
hide-report: ${{ github.event_name != 'pull_request' }}
- name: Helmfile destroy pytest
uses: helmfile/helmfile-action@v1.9.0
if: always()
with:
helmfile-args: |
destroy \
--environment ${{ vars.ENVIRONMENT }} \
-f ./charts/helmfiles/aries-capi-test.yaml
helm-plugins: |
https://github.com/databus23/helm-diff
helmfile-version: ${{ env.HELMFILE_VERSION }}
helm-version: ${{ env.HELM_VERSION }}
env:
IMAGE_TAG: ${{ needs.build.outputs.image_version }}