From 15a0a56b2938d7e193e69b59d143098abe32d159 Mon Sep 17 00:00:00 2001
From: Erica Portnoy
Date: Wed, 29 Apr 2026 16:21:58 -0700
Subject: [PATCH] add docker and snap packaging jobs; compare to .azure-pipelines/templates/stages/test-and-package-stage.yml which is still needed for other pipelines on azure
---
.github/workflows/docker_packaging_jobs.yml | 86 ++++++++
.github/workflows/snap_packaging_jobs.yml | 231 ++++++++++++++++++++
2 files changed, 317 insertions(+)
create mode 100644 .github/workflows/docker_packaging_jobs.yml
create mode 100644 .github/workflows/snap_packaging_jobs.yml
diff --git a/.github/workflows/docker_packaging_jobs.yml b/.github/workflows/docker_packaging_jobs.yml
new file mode 100644
index 000000000..55a1962e1
--- /dev/null
+++ b/.github/workflows/docker_packaging_jobs.yml
@@ -0,0 +1,86 @@
+name: Docker packaging
+on:
+ workflow_call:
+ inputs:
+ dockerTag:
+ description: 'docker tag to push to'
+ type: string
+permissions:
+ contents: read
+
+env:
+ dockerTag: ${{ inputs.dockerTag }}
+
+jobs:
+ docker_build:
+ name: Build ${{ matrix.DOCKER_ARCH }}
+ runs-on:
+ - ${{ matrix.run-on }}
+ # The default timeout of 60 minutes is a little low for compiling
+ # cryptography on ARM architectures.
+ timeout-minutes: 180
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - DOCKER_ARCH: arm64v8
+ run-on: ubuntu-24.04-arm
+ - DOCKER_ARCH: amd64
+ run-on: ubuntu-24.04
+ - DOCKER_ARCH: arm32v6
+ run-on: ubuntu-24.04
+ steps:
+ - name: checkout
+ uses: actions/checkout@v6.0.2
+ with:
+ persist-credentials: false
+ - name: Build the Docker images
+ # We don't filter for the Docker Hub organization to continue to allow
+ # easy testing of these scripts on forks.
+ run: tools/docker/build.sh ${{ env.dockerTag }} ${{ matrix.DOCKER_ARCH }}
+ shell: bash
+ - name: Save the Docker images
+ run: |-
+ DOCKER_IMAGES=$(docker images --filter reference="*/certbot" --filter reference="*/dns-*" --format "{{.Repository}}")
+ docker save --output images.tar $DOCKER_IMAGES
+ shell: bash
+ # If the name of the tar file or artifact changes, the deploy stage will
+ # also need to be updated.
+ - name: Prepare Docker artifact
+ run: mv images.tar ${{ runner.temp }}
+ shell: bash
+ - name: Store Docker artifact
+ uses: actions/upload-artifact@v7.0.0
+ with:
+ name: docker_${{ matrix.DOCKER_ARCH }}
+ path: "${{ runner.temp }}"
+ docker_test:
+ name: Test ${{ matrix.DOCKER_ARCH }}
+ needs:
+ - docker_build
+ runs-on:
+ - ${{ matrix.run-on }}
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - DOCKER_ARCH: arm64v8
+ run-on: ubuntu-24.04-arm
+ - DOCKER_ARCH: amd64
+ run-on: ubuntu-24.04
+ - DOCKER_ARCH: arm32v6
+ run-on: ubuntu-24.04-arm
+ steps:
+ - name: checkout
+ uses: actions/checkout@v6.0.2
+ - name: Retrieve Docker images
+ uses: actions/download-artifact@v8.0.1
+ with:
+ name: docker_${{ matrix.DOCKER_ARCH }}
+ path: "${{ github.workspace }}"
+ - name: Load Docker images
+ run: docker load --input ${{ github.workspace }}/images.tar
+ shell: bash
+ - name: Run integration tests for Docker images
+ run: tools/docker/test.sh ${{ env.dockerTag }} ${{ matrix.DOCKER_ARCH }}
+ shell: bash
diff --git a/.github/workflows/snap_packaging_jobs.yml b/.github/workflows/snap_packaging_jobs.yml
new file mode 100644
index 000000000..523cba884
--- /dev/null
+++ b/.github/workflows/snap_packaging_jobs.yml
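Review bot: The `run:` lines `tools/docker/build.sh ${{ env.dockerTag }} ${{ matrix.DOCKER_ARCH }}` and `tools/docker/test.sh ${{ env.dockerTag }} ${{ matrix.DOCKER_ARCH }}` splice the `dockerTag` input into the shell script text before bash runs it, so whatever feeds that value to the calling workflow can alter the command; since the workflow-level `env:` already exports it, read it from the environment instead, e.g. `run: tools/docker/build.sh "$dockerTag" "${{ matrix.DOCKER_ARCH }}"` (the matrix values are literals in this file and are safe to interpolate). The same pattern appears in the snap hunk's `--timeout ${{ env.snapBuildTimeout }}`, though that input is typed `number`, which narrows what can reach the script. Separately, the `docker_test` checkout keeps the default `persist-credentials` while `docker_build` sets `persist-credentials: false`; the test job only loads an artifact and runs `tools/docker/test.sh`, so it should also set `persist-credentials: false`. Consider pinning `actions/checkout@v6.0.2`, `actions/upload-artifact@v7.0.0` and `actions/download-artifact@v8.0.1` to full commit SHAs rather than mutable tags, since these jobs produce release artifacts.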
@@ -0,0 +1,231 @@
+name: Snap packaging
+on:
+ workflow_call:
+ inputs:
+ snapBuildTimeout:
+ description: 'timeout for snap builds'
+ type: number
+permissions:
+ contents: read
+
+env:
+ snapBuildTimeout: ${{ inputs.snapBuildTimeout }}
+
+jobs:
+ gha_build_snap:
+ name: Build certbot ${{ matrix.build-for }}
+ runs-on: ${{ matrix.build-on }}
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - build-for: arm64
+ build-on: ubuntu-24.04-arm
+ - build-for: amd64
+ build-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v6.0.2
+ - uses: snapcore/action-build@v1.3.0
+ id: build
+ with:
+ snapcraft-args: "--build-for=${{ matrix.build-for }}"
+ - name: Store snap artifact
+ uses: actions/upload-artifact@v7.0.0
+ with:
+ name: snap-certbot-${{ matrix.build-for }}
+ path: ${{ steps.build.outputs.snap }}
+ generate_dns_list_matrix:
+ name: List DNS package names
+ runs-on: ubuntu-latest
+ outputs:
+ dns-dirs: ${{ steps.set-dns-dirs.outputs.dns-dirs }}
+ steps:
+ - name: checkout
+ uses: actions/checkout@v6.0.2
+ - id: set-dns-dirs
+ run: |
+ DNS_NAMES="$(echo certbot-dns-* | jq -R -s -c 'split(" ")[:-1]')"
+ echo "dns-dirs=$DNS_NAMES" >> "$GITHUB_OUTPUT"
+ gha_build_dns_snaps:
+ name: Build ${{ matrix.dns-dir }} ${{ matrix.build-for }}
+ needs: generate_dns_list_matrix
+ runs-on: ${{ matrix.build-on }}
+ strategy:
+ fail-fast: false
+ matrix:
+ dns-dir: ${{ fromJSON(needs.generate_dns_list_matrix.outputs.dns-dirs) }}
+ build-for: [arm64, amd64]
+ include:
+ - build-for: arm64
+ build-on: ubuntu-24.04-arm
+ - build-for: amd64
+ build-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v6.0.2
+ - name: generate dns snapcraft.yamls
+ run: |
+ tools/snap/generate_dnsplugins_all.sh # unnecessarily doing every file
+ - uses: snapcore/action-build@v1.3.0
+ id: build
+ with:
+ snapcraft-args: "--build-for=${{ matrix.build-for }}"
+ path: ${{ matrix.dns-dir }}
+ - name: Store snap artifact
+ uses: actions/upload-artifact@v7.0.0
+ with:
+ name: snap-${{ matrix.dns-dir }}-${{ matrix.build-for }}
+ path: ${{ steps.build.outputs.snap }}
+ launchpad_build_all:
+ name: Build armhf snaps
+ runs-on:
+ - ubuntu-24.04
+ env:
+ SNAP_ARCH: "armhf"
+ steps:
+ - name: checkout
+ uses: actions/checkout@v6.0.2
+ with:
+ fetch-depth: 0 # need a non-shallow clone for launchpad
+ - name: Install dependencies
+ run: |-
+ sudo apt-get update
+ sudo apt-get install -y --no-install-recommends snapd
+ sudo snap install --classic snapcraft
+ - uses: actions/setup-python@v5.0.0
+ with:
+ python-version: '3.12'
+ - name: Build snaps
+ env:
+ LAUNCHPAD_CREDS: "${{ secrets.LAUNCHPAD_CREDENTIALS }}"
+ run: |-
+ git config --global user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+ git config --global user.name "${{ github.actor }}"
+ mkdir -p ~/.local/share/snapcraft/
+ echo "$LAUNCHPAD_CREDS" > ~/.local/share/snapcraft/launchpad-credentials
+ python3 tools/snap/build_remote.py ALL --archs "$SNAP_ARCH" --timeout ${{ env.snapBuildTimeout }}
+ - name: Flatten snaps layout
+ run: |-
+ mv *.snap ${{ runner.temp }}
+ mv certbot-dns-*/*.snap ${{ runner.temp }}
+ - name: Store snaps artifacts
+ uses: actions/upload-artifact@v7.0.0
+ with:
+ name: snaps_${{ env.SNAP_ARCH }}
+ path: "${{ runner.temp }}"
+ snap_run:
+ name: Test certbot ${{ matrix.arch-name }}
+ needs:
+ - gha_build_snap
+ - launchpad_build_all
+ runs-on:
+ - ${{ matrix.run-on }}
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - arch-name: arm64
+ run-on: ubuntu-24.04-arm
+ - arch-name: amd64
+ run-on: ubuntu-24.04
+ - arch-name: armhf
+ run-on: ubuntu-24.04-arm
+ steps:
+ - name: checkout
+ uses: actions/checkout@v6.0.2
+ - uses: actions/setup-python@v5.0.0
+ with:
+ python-version: '3.12'
+ - name: Install armhf dependencies
+ if: ${{ matrix.arch-name == 'armhf' }}
+ run: |-
+ sudo dpkg --add-architecture armhf
+ sudo apt-get update
+ # apparmor will conflict with snapd:armhf dependency if not removed first
+ sudo apt-get remove -y apparmor
+ sudo apt-get install -y --no-install-recommends snapd:armhf nginx-light
+ - name: Install non-armhf depdencies
+ if: ${{ matrix.arch-name != 'armhf' }}
+ run: |-
+ sudo apt-get update
+ sudo apt-get install -y --no-install-recommends nginx-light snapd
+ - name: Setup venv
+ run: |-
+ python3 -m venv venv
+ venv/bin/python tools/pip_install.py -U tox
+ - name: Retrieve Certbot snaps armhf
+ if: ${{ matrix.arch-name == 'armhf' }}
+ uses: actions/download-artifact@v8.0.1
+ with:
+ name: snaps_${{ matrix.arch-name }}
+ path: "${{ github.workspace }}/snap"
+ - name: Retrieve Certbot snaps non-armhf
+ if: ${{ matrix.arch-name != 'armhf' }}
+ uses: actions/download-artifact@v8.0.1
+ with:
+ pattern: snap-certbot-${{ matrix.arch-name }}
+ path: "${{ github.workspace }}/snap"
+ - name: Install Certbot snap
+ run: |-
+ sudo snap install --dangerous --classic snap/certbot_*.snap
+ - name: Run tox
+ run: |-
+ venv/bin/python -m tox run -e integration-external,apacheconftest-external-with-pebble
+ snap_dns_run:
+ name: Test DNS ${{ matrix.arch-name }}
+ needs:
+ - gha_build_dns_snaps
+ - gha_build_snap
+ - launchpad_build_all
+ runs-on:
+ - ${{ matrix.run-on }}
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - arch-name: arm64
+ run-on: ubuntu-24.04-arm
+ - arch-name: amd64
+ run-on: ubuntu-24.04
+ - arch-name: armhf
+ run-on: ubuntu-24.04-arm
+ steps:
+ - name: checkout
+ uses: actions/checkout@v6.0.2
+ - name: Install armhf dependencies
+ if: ${{ matrix.arch-name == 'armhf' }}
+ run: |-
+ sudo dpkg --add-architecture armhf
+ sudo apt-get update
+ # apparmor will conflict with snapd:armhf dependency if not removed first
+ sudo apt-get remove -y apparmor
+ sudo apt-get install -y --no-install-recommends snapd:armhf
+ - name: Install non-armhf depdencies
+ if: ${{ matrix.arch-name != 'armhf' }}
+ run: |-
+ sudo apt-get update
+ sudo apt-get install -y --no-install-recommends snapd
+ - uses: actions/setup-python@v5.0.0
+ with:
+ python-version: '3.12'
+ - name: Retrieve Certbot snaps armhf
+ if: ${{ matrix.arch-name == 'armhf' }}
+ uses: actions/download-artifact@v8.0.1
+ with:
+ name: snaps_${{ matrix.arch-name }}
+ path: "${{ github.workspace }}/snap"
+ - name: Retrieve Certbot snaps non-armhf
+ if: ${{ matrix.arch-name != 'armhf' }}
+ uses: actions/download-artifact@v8.0.1
+ with:
+ pattern: snap-*-${{ matrix.arch-name }}
+ merge-multiple: true
+ path: "${{ github.workspace }}/snap"
+ - name: Display structure of downloaded files
+ run: ls -R "${{ github.workspace }}/snap"
+ - name: Prepare Certbot-CI
+ run: |-
+ python3 -m venv venv
+ venv/bin/python tools/pip_install.py -e certbot-ci
+ - name: Test DNS plugins snaps
+ run: |-
+ sudo -E venv/bin/pytest certbot-ci/src/snap_integration_tests/dns_tests --allow-persistent-changes --snap-folder ${{ github.workspace }}/snap --snap-arch ${{ matrix.arch-name }}
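Review bot: In `generate_dns_list_matrix`, `echo certbot-dns-* | jq -R -s -c 'split(" ")[:-1]'` splits on spaces, so the final element is the last directory name with echo's trailing newline attached, and `[:-1]` then discards that plugin from the matrix rather than an empty string, unless I am misreading jq's slicing; newline-separated input makes the idiom do what it intends: `DNS_NAMES="$(printf '%s\n' certbot-dns-* | jq -R -s -c 'split("\n")[:-1]')"`. In `launchpad_build_all`, `echo "$LAUNCHPAD_CREDS" > ~/.local/share/snapcraft/launchpad-credentials` creates the credential file under the runner's default umask, so it is typically readable by any other account on the host; `(umask 077; echo "$LAUNCHPAD_CREDS" > ~/.local/share/snapcraft/launchpad-credentials)` keeps it owner-only. None of the `actions/checkout@v6.0.2` steps in this file set `persist-credentials: false`, unlike `docker_build` in the sibling workflow, and nothing visible in these jobs pushes back to GitHub, so the token does not need to stay in `.git/config` for the rest of each job. The two step names `Install non-armhf depdencies` misspell "dependencies".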