-
Notifications
You must be signed in to change notification settings - Fork 44
276 lines (242 loc) · 10.1 KB
/
Copy pathmeta_internal.yml
File metadata and controls
276 lines (242 loc) · 10.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
# Copyright (c) Meta Platforms, Inc. and affiliates.
# All rights reserved.
#
# This workflow uses a Github Environment that has access to a Graph API key (`graph-api-access`),
# to secure the key, any PR needs a Maintainer to TRIGGER and APPROVE the workflow to run on the given PR.
#
# As a Maintainer, for PRs where graph api should be tested before merge:
# 1. [TRIGGER]: Comment `/metaci tests`, github-actions[bot] will react with a 🚀 to Ack your comment and trigger a deploy request.
# 2. [APPROVE]: Navigate to https://github.com/facebookresearch/gcm/actions/workflows/meta_internal.yml, select the workflow run that comes
# from the relevant PR (you can filter by branch/actor), open the workflow page, and approve your deploy request.
# On the workflow page, you should be able to see towards the top:
# a. <USER> commented on #<PR_NUMBER> <COMMIT>
# b. <USER> requested your review to deploy to graph-api-access
# Open <PR_NUMBER> and check whether this run should be approved based on [A, B, C] below.
# On the workflow page there's a `Review deployment` button that allows you to Approve/Reject the request
#
# `graph-api-access` [APPROVE] guidelines:
# A. [REJECT] all deploy requests coming from non-maintainers. This rule exists to ensure that all runs are coming
# from the latest changes for a given PR. Bypassing this rule should fail CI, as we're checking if the comment author
# is an OWNER for the repo before running any of the jobs.
#
# B. [APPROVE] deploy requests from PRs that do not touch CI workflows.
#
# C. If PRs do touch CI workflows, look at the code changes and make sure that it's not leaking any secrets
# i.e. things like `run: echo ${{ env.GRAPH_API_KEY }}` should be rejected.
name: Meta Internal Integration Tests
on:
issue_comment:
types: [created]
permissions:
statuses: write
pull-requests: write
contents: read
jobs:
trigger-tests:
if: ${{ github.event.issue.pull_request && (contains(github.event.comment.body, '/metaci tests') || contains(github.event.comment.body, '/metaci integration tests')) && contains(fromJSON('["OWNER"]'), github.event.comment.author_association)}}
runs-on: ubuntu-latest
steps:
- name: Get PR details
id: get-pr
uses: actions/github-script@v7
with:
script: |
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number
});
await github.rest.reactions.createForIssueComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: context.payload.comment.id,
content: 'rocket'
});
setup-venv:
strategy:
matrix:
os: [ubuntu-22.04, ubuntu-24.04]
runs-on: ${{ matrix.os }}
outputs:
cache-key: ${{ steps.cache-keys.outputs.cache-key }}
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
- uses: actions/cache@v4
id: cache-venv
with:
path: ~/.cache/venv-ci
key: ${{ env.pythonLocation }}-${{ hashFiles('dev-requirements.txt') }}
- name: Install python dependencies
if: steps.cache-venv.outputs.cache-hit != 'true'
run: |
python -m venv ~/.cache/venv-ci
source ~/.cache/venv-ci/bin/activate
pip install -r dev-requirements.txt
build_deb:
needs: [setup-venv, trigger-tests]
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# needed so that setuptools_scm can correctly figure out version at build
fetch-depth: 0
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Load cached venv
uses: actions/cache@v4
with:
path: ~/.cache/venv-ci
key: ${{ env.pythonLocation }}-${{ hashFiles('dev-requirements.txt') }}
- name: Install Rust
run: |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
cp -r $HOME/.cargo/bin/* $HOME/.cache/venv-ci/bin/
- name: Install build dependencies
run: |
sudo apt update --yes
sudo apt install --yes build-essential devscripts debhelper
- name: Setup build directory
run: echo "builddir=$(mktemp -d)" >> $GITHUB_ENV
- name: Build Debian
run: |
source ~/.cache/venv-ci/bin/activate
gcm/bin/build_deb.sh "${{ env.builddir }}"
- name: Upload binary file
uses: actions/upload-artifact@v4
with:
name: gcm.deb
path: ${{ env.builddir }}/gcm_*.deb
test_systemd:
# TODO: fix systemd tests on github ci
if: false
needs: [trigger-tests, build_deb]
runs-on: ubuntu-latest
environment: graph-api-access
steps:
- name: Get PR info and set pending status
id: pr
uses: actions/github-script@v7
with:
script: |
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number
});
await github.rest.repos.createCommitStatus({
owner: context.repo.owner,
repo: context.repo.repo,
sha: pr.head.sha,
state: 'pending',
target_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
description: 'Meta Internal Test - Systemd test',
context: 'Meta Internal Test - Systemd test'
});
core.setOutput('head_sha', pr.head.sha);
core.setOutput('head_ref', pr.head.ref);
- uses: actions/checkout@v4
with:
ref: ${{ steps.pr.outputs.head_ref }}
- name: Download binary file
uses: actions/download-artifact@v4
with:
name: gcm.deb
- name: Set up Vagrant & VirtualBox
shell: bash
run: |
wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(grep -oP '(?<=UBUNTU_CODENAME=).*' /etc/os-release || lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt-get update
sudo apt-get install -y virtualbox vagrant
- name: Show Vagrant version
run: vagrant --version
- name: Show vboxmanage version
run: vboxmanage --version
- name: Provision VM
run: GRAPH_API_ACCESS_TOKEN=${{ secrets.GRAPH_API_ACCESS_TOKEN }} vagrant up
- name: Start sacct systemd service
run: |
vagrant ssh -c 'sudo systemctl start sacct_backfill'
sleep 10
- name: Check if sacct collection starts
run: |
output=$(vagrant ssh -c 'sudo systemctl status sacct_backfill')
echo "$output" | grep -q 'Started' || (echo "sacct_backfill failed to start" && exit 1)
- name: Set final status
if: always()
uses: actions/github-script@v7
with:
script: |
const state = '${{ job.status }}' === 'success' ? 'success' : 'failure';
await github.rest.repos.createCommitStatus({
owner: context.repo.owner,
repo: context.repo.repo,
sha: '${{ steps.pr.outputs.head_sha }}',
state: state,
target_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
description: `Meta Internal Test - Systemd test ${state}`,
context: 'Meta Internal Test - Systemd test'
});
nox-meta-internal-tests:
needs: [setup-venv, trigger-tests]
strategy:
matrix:
os: [ubuntu-22.04, ubuntu-24.04]
runs-on: ${{ matrix.os }}
environment: graph-api-access
steps:
- name: Get PR info and set pending status
id: pr
uses: actions/github-script@v7
with:
script: |
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number
});
await github.rest.repos.createCommitStatus({
owner: context.repo.owner,
repo: context.repo.repo,
sha: pr.head.sha,
state: 'pending',
target_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
description: 'Meta Internal Test - pytest test',
context: 'Meta Internal Test - pytest test'
});
core.setOutput('head_sha', pr.head.sha);
core.setOutput('head_ref', pr.head.ref);
- uses: actions/checkout@v4
with:
ref: ${{ steps.pr.outputs.head_ref }}
- name: Set env variables for e2e tests
run: |
echo "GRAPH_API_ACCESS_TOKEN=${{ secrets.GRAPH_API_ACCESS_TOKEN }}" >> $GITHUB_ENV
- name: Common Setup
uses: ./.github/actions/common-setup
- name: nox tests
run: |
source ~/.cache/venv-ci/bin/activate
nox -s internal_tests
- name: Set final status
if: always()
uses: actions/github-script@v7
with:
script: |
const state = '${{ job.status }}' === 'success' ? 'success' : 'failure';
await github.rest.repos.createCommitStatus({
owner: context.repo.owner,
repo: context.repo.repo,
sha: '${{ steps.pr.outputs.head_sha }}',
state: state,
target_url: `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
description: `Meta Internal Test - pytest test ${state}`,
context: 'Meta Internal Test - pytest test'
});