Merge pull request #28 from broadinstitute/jb-gha-docker-tasks

Migrating Jenkins jobs to GitHub Actions (SCP-5476)

Author: bistline

.github/actions/configure-gcloud-container/action.yml

@@ -0,0 +1,63 @@
+name: 'Pull gcloud container and activate service account'
+description: 'Pulls gcloud Docker image and activates the requested service account to use in calling gcloud'
+inputs:
+  vault_secret_path:
+    description: 'Path to service account in vault'
+    required: true
+  gcloud_docker_image:
+    description: 'gcloud Docker image name/vesion tag'
+    required: false
+    default: 'gcr.io/google.com/cloudsdktool/google-cloud-cli:latest'
+  image_name:
+    description: 'name of image to create and access credentials from'
+    required: false
+    default: 'gcloud-config'
+  vault_addr:
+    description: 'vault API endpoint'
+    required: true
+  vault_role_id:
+    description: 'vault role for accessing secrets'
+    required: true
+  vault_secret_id:
+    description: 'credential to authenticate into vault'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Install vault
+      uses: ./.github/actions/install-vault-and-utils
+    - name: Download gcloud Docker image
+      shell: bash
+      run: |
+        docker pull ${{ inputs.gcloud_docker_image }}
+    - name: Extract main service account json
+      uses: ./.github/actions/extract-vault-secret-to-file
+      with:
+        vault_secret_path: ${{ inputs.vault_secret_path }}
+        vault_addr: ${{ inputs.VAULT_ADDR }}
+        vault_role_id: ${{ inputs.VAULT_ROLE_ID }}
+        vault_secret_id: ${{ inputs.VAULT_SECRET_ID }}
+        output_filename: 'scp_service_account.json'
+        output_format: 'json'
+    - name: Authenticate to gcloud and docker
+      env:
+        SERVICE_ACCOUNT_FILE: 'scp_service_account.json'
+      shell: bash
+      run: |
+        # manually construct a Dockerfile using supplied image, and pre-authenticate the service account via gcloud
+        # will also run ssh-keygen so that this doesn't execute every time we make a gcloud compute ssh call
+        SERVICE_ACCOUNT_PATH="/tmp/$SERVICE_ACCOUNT_FILE"
+        touch Dockerfile-gcloud
+        echo "FROM ${{ inputs.gcloud_docker_image }}" >> Dockerfile-gcloud
+        echo >> Dockerfile-gcloud
+        echo "COPY $SERVICE_ACCOUNT_FILE $SERVICE_ACCOUNT_PATH" >> Dockerfile-gcloud
+        echo "RUN gcloud auth activate-service-account --key-file=$SERVICE_ACCOUNT_PATH" >> Dockerfile-gcloud
+        echo "RUN gcloud auth configure-docker" >> Dockerfile-gcloud
+        echo "RUN ssh-keygen -t rsa -f /root/.ssh/google_compute_engine -C root -b 2048 -q -N \"\"" >> Dockerfile-gcloud
+        # install NumPy for faster tunnelling and to suppress warnings
+        echo "RUN \$(gcloud info --format=\"value(basic.python_location)\") -m pip install numpy" >> Dockerfile-gcloud 
+        # silence various ssh warnings
+        echo "RUN echo \"LogLevel ERROR\" > /root/.ssh/config" >> Dockerfile-gcloud
+        echo "ENV LC_ALL=C" >> Dockerfile-gcloud
+        docker build -t ${{ inputs.image_name }} -f Dockerfile-gcloud .

.github/actions/extract-vault-secret-to-file/action.yml

@@ -0,0 +1,44 @@
+name: 'Extract vault secret to file'
+description: 'read a secret from a path in vault and export as a file'
+inputs:
+  vault_secret_path:
+    description: 'Path to secret in vault'
+    required: true
+  vault_addr:
+    description: 'vault API endpoint'
+    required: true
+  vault_role_id:
+    description: 'vault role for accessing secrets'
+    required: true
+  vault_secret_id:
+    description: 'credential to authenticate into vault'
+    required: true
+  output_filename:
+    description: 'name of exported secrets file'
+    required: true
+  output_format:
+    description: 'form to write secrets to: env or json'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Extract vault secret to file
+      shell: bash
+      run: |
+        export VAULT_ADDR=${{ inputs.vault_addr }}
+        export VAULT_TOKEN=$( vault write -field=token auth/approle/login \
+                                    role_id=${{ inputs.vault_role_id}} secret_id=${{ inputs.vault_secret_id}} )
+        VALUES=$(vault read -format json ${{ inputs.vault_secret_path }})
+        if [[ "${{ inputs.output_format }}" = 'env' ]]; then
+          echo "### env secrets from ${{ inputs.vault_secret_path }} ###" >| ${{ inputs.output_filename }}
+          for key in $(echo $VALUES | jq .data | jq --raw-output 'keys[]')
+          do
+            echo "setting value for: $key"
+            curr_val=$(echo $VALUES | jq .data | jq --raw-output .$key)
+            echo "export $key='$curr_val'" >> ${{ inputs.output_filename }}
+          done
+        elif [[ "${{ inputs.output_format }}" = 'json' ]]; then
+          JSON_CONTENTS=$(echo $VALUES | jq --raw-output .data)
+          echo $JSON_CONTENTS >| ${{ inputs.output_filename }}
+        fi

.github/actions/install-vault-and-utils/action.yml

@@ -0,0 +1,12 @@
+name: 'Install vault and other utilities'
+description: 'Installs vault, curl, unzip and jq to use in other workflows'
+runs:
+  using: 'composite'
+  steps:
+    - name: Install vault and utils
+      shell: bash
+      run: |
+        sudo apt-get update && sudo apt-get -y install curl unzip jq
+        sudo curl -O https://releases.hashicorp.com/vault/1.9.0/vault_1.9.0_linux_amd64.zip
+        sudo unzip vault_1.9.0_linux_amd64.zip
+        sudo mv vault /usr/local/bin

.github/actions/set-exit-code/action.yml

@@ -0,0 +1,19 @@
+name: 'Set exit code'
+description: 'Sets exit code of workflow using status from previous step, allowing for unstable 99 as good'
+inputs:
+  exit-code:
+    description: 'Exit code from previous step'
+    required: true
+runs:
+  using: 'composite'
+  steps:
+    - name: Set exit code
+      shell: bash
+      run: |
+        if [[ "${{ inputs.exit-code }}" -eq "99" ]]; then
+          echo "### WARNING: THERE ARE UPDATED DEPENDENCIES, BUT THIS IMAGE WILL STILL FUNCTION ###"
+          echo "### MARKING AS SUCCESSFUL ###"
+          exit 0
+        else
+          exit ${{ inputs.exit-code }}
+        fi

.github/workflows/publish-base-docker-image.yml

@@ -0,0 +1,42 @@
+name: Publish rails-baseimage Docker image
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+env:
+  VAULT_SECRET_PATH: 'secret/kdux/scp/staging/scp_service_account.json'
+  IMAGE_NAME: 'gcloud-config'
+
+jobs:
+  Build-And-Publish-Docker-Image:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Configure gcloud container and activate service account
+        uses: ./.github/actions/configure-gcloud-container
+        with:
+          vault_secret_path: ${{ env.VAULT_SECRET_PATH }}
+          vault_addr: ${{ secrets.VAULT_ADDR }}
+          vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
+          vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}
+      - name: Authenticate to docker
+        shell: bash
+        run: |
+          # auth into GCR via Docker with token from service account
+          AUTH_TOKEN=$(docker run --rm ${{ env.IMAGE_NAME }} gcloud auth print-access-token)
+          # need separate logins for gcr.io & marketplace.gcr.io
+          echo $AUTH_TOKEN | docker login -u oauth2accesstoken --password-stdin https://gcr.io
+          echo $AUTH_TOKEN | docker login -u oauth2accesstoken --password-stdin https://marketplace.gcr.io
+      - name: Build and publish base Docker image
+        id: build-and-publish
+        run: |
+          set +e # continue to allow capturing exit code
+          ci/gha.publish-image.bash
+          echo "exit-code=$?" >> $GITHUB_OUTPUT
+      - name: Set exit code
+        uses: ./.github/actions/set-exit-code
+        with:
+          exit-code: ${{ steps.build-and-publish.outputs.exit-code }}
+

.github/workflows/test-base-docker-image.yml

@@ -0,0 +1,42 @@
+name: Test rails-baseimage Docker image
+on:
+  push:
+    branches-ignore:
+      - master
+  workflow_dispatch:
+  pull_request:
+env:
+  VAULT_SECRET_PATH: 'secret/kdux/scp/staging/scp_service_account.json'
+  IMAGE_NAME: 'gcloud-config'
+
+jobs:
+  Build-And-Test-Docker-Image:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Configure gcloud container and activate service account
+        uses: ./.github/actions/configure-gcloud-container
+        with:
+          vault_secret_path: ${{ env.VAULT_SECRET_PATH }}
+          vault_addr: ${{ secrets.VAULT_ADDR }}
+          vault_role_id: ${{ secrets.VAULT_ROLE_ID }}
+          vault_secret_id: ${{ secrets.VAULT_SECRET_ID }}
+      - name: Authenticate to GCR
+        shell: bash
+        run: |
+          # auth into GCR via Docker with token from service account
+          AUTH_TOKEN=$(docker run --rm ${{ env.IMAGE_NAME }} gcloud auth print-access-token)
+          # need separate logins for gcr.io & marketplace.gcr.io
+          echo $AUTH_TOKEN | docker login -u oauth2accesstoken --password-stdin https://gcr.io
+          echo $AUTH_TOKEN | docker login -u oauth2accesstoken --password-stdin https://marketplace.gcr.io
+      - name: Test candidate base Docker image
+        id: build-and-test
+        run: |
+          set +e # continue to allow capturing exit code
+          ci/gha.build-and-test.bash
+          echo "exit-code=$?" >> $GITHUB_OUTPUT
+      - name: Set exit code
+        uses: ./.github/actions/set-exit-code
+        with:
+          exit-code: ${{ steps.build-and-test.outputs.exit-code }}

ci/gha-build

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# USAGE: run with no arguments on a system with all prequisites installed to build the image. See also: local_build
+# TODO TODO: maybe commit some todo's and grep for them at the end of the test job?
+
+THIS_DIR="$(cd "$(dirname "$BASH_SOURCE")"; pwd)"
+BASE_DIR="$(dirname $THIS_DIR)"
+BIN="$BASE_DIR/lib/bin"
+BASH_INCLUDE="$BASE_DIR/lib/bash_include"
+
+. $BASH_INCLUDE/show_banner.bash
+. $BASH_INCLUDE/bash_utils.bash
+. $BASH_INCLUDE/dockerhub.bash
+. $BASH_INCLUDE/extract_vault_secrets.bash
+
+function main {
+
+    force_pull_base_image || exit_with_error_message "FAILED to force pull base image."
+
+    $BIN/rebuild_phusion_baseimage || exit_with_error_message "FAILED to rebuild phusion base image"
+    $BIN/rebuild_phusion_passenger_image || exit_with_error_message "FAILED to rebuild phusion passenger image"
+    $BIN/rebuild_image || exit_with_error_message "FAILED to build docker image"
+}
+
+# Forcing the true latest version of $BASE_IMAGE .
+function force_pull_base_image {
+    echo
+    echo '########################################'
+    echo "##  pulling fresh BASE_IMAGE $BASE_IMAGE"
+    echo '########################################'
+
+    docker_force_pull $BASE_IMAGE || exit_with_error_message "FAILED to pull base image $BASE_IMAGE ."
+    echo "showing image history for \"$BASE_IMAGE\":"
+    docker history -H=false --no-trunc $BASE_IMAGE
+    echo "showing image inspect for \"$BASE_IMAGE\":"
+    docker inspect $BASE_IMAGE
+}
+
+main "$@"

ci/gha-publish

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# USAGE: run this with no argumants to publish the image that was built. Or better yet, don't run this, and let the jenkins job take care of it.
+
+THIS_DIR="$(cd "$(dirname "$BASH_SOURCE")"; pwd)"
+BASE_DIR="$(dirname $THIS_DIR)"
+BASH_INCLUDE="$BASE_DIR/lib/bash_include"
+
+. $BASH_INCLUDE/show_banner.bash
+. $BASH_INCLUDE/config.bash
+. $BASH_INCLUDE/dockerhub.bash
+
+function main {
+    assert_main_version_unused
+
+    for PUBLISH_VERSION in "$MAIN_VERSION" "latest";do
+        docker tag "$MAIN_IMAGE_FULLNAME:candidate" "$MAIN_GCR_IMAGE_FULLNAME:$PUBLISH_VERSION" || exit_with_error_message "FAILED to tag $MAIN_GCR_IMAGE_FULLNAME with $PUBLISH_VERSION "
+        docker image ls | grep "\\b$MAIN_GCR_IMAGE_FULLNAME\\b" | grep "\\b$PUBLISH_VERSION\\b" || exit 1 #confirm taggging worked
+        docker push "$MAIN_GCR_IMAGE_FULLNAME:$PUBLISH_VERSION" || exit_with_error_message "FAILED to push $MAIN_GCR_IMAGE_FULLNAME:$PUBLISH_VERSION " # TODO: check if it FAILED because of docker login being needed
+        echo "Published $MAIN_GCR_IMAGE_FULLNAME:$PUBLISH_VERSION -- see it at https://console.cloud.google.com/gcr/images/$GCR_PROJECT/GLOBAL/$MAIN_IMAGE_NAME?project=$GCR_PROJECT"
+    done
+}
+
+main "$@"

ci/gha.build-and-test.bash

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# USAGE: Use without arguments in a jenkins test job to build and test the image. This keeps jenkins job config complexity low.
+
+THIS_DIR="$(cd "$(dirname "$BASH_SOURCE")"; pwd)"
+BASE_DIR="$(dirname $THIS_DIR)"
+BASH_INCLUDE="$BASE_DIR/lib/bash_include"
+
+. $BASH_INCLUDE/show_banner.bash
+. $BASH_INCLUDE/bash_utils.bash
+
+$THIS_DIR/gha-build || exit_with_error_message "build FAILED"
+$THIS_DIR/test  || exit_with_error_message "test FAILED"
+$THIS_DIR/check_for_newer_dependencies || { echo "WARNING: Setting jenkins job to unstable to trigger email for new dependency versions that this build has not adopted yet..." >&2; exit 99; }

ci/gha.publish-image.bash

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# USAGE: Use without arguments in a jenkins test job to build and test the image. This keeps jenkins job config complexity low.
+
+THIS_DIR="$(cd "$(dirname "$BASH_SOURCE")"; pwd)"
+BASE_DIR="$(dirname $THIS_DIR)"
+BASH_INCLUDE="$BASE_DIR/lib/bash_include"
+
+. $BASH_INCLUDE/show_banner.bash
+. $BASH_INCLUDE/bash_utils.bash
+. $BASE_DIR/lib/bash_include/extract_vault_secrets.bash
+
+$THIS_DIR/gha-build && $THIS_DIR/test && $THIS_DIR/gha-publish || exit 1

version.txt

@@ -1 +1 @@
-2.2.1
+2.2.2