migrate advanced tests to github actions

credentials for launchpad may or may not be working.
2026-05-28 04:34:11 -04:00 · 2026-03-23 14:29:48 -07:00 · 2026-03-23 14:29:48 -07:00 · 2bf6f782f0
commit 2bf6f782f0
parent 1ad13663be
7 changed files with 338 additions and 28 deletions
--- a/.azure-pipelines/advanced-test.yml
+++ b/.azure-pipelines/advanced-test.yml
@ -1,15 +0,0 @@
-# Advanced pipeline for running our full test suite on demand.
-trigger:
-  # When changing these triggers, please ensure the documentation under
-  # "Running tests in CI" is still correct.
-  - test-*
-pr: none
-
-variables:
-  # We don't publish our Docker images in this pipeline, but when building them
-  # for testing, let's use the nightly tag.
-  dockerTag: nightly
-  snapBuildTimeout: 5400
-
-stages:
-  - template: templates/stages/test-and-package-stage.yml
--- a/.github/actions/run_tox/action.yml
+++ b/.github/actions/run_tox/action.yml
@ -1,14 +1,34 @@
 name: run_tox
+
+inputs:
+  AWS_ACCESS_KEY_ID:
+    description: 'access key ID for AWS'
+  AWS_SECRET_ACCESS_KEY:
+    description: 'access key for AWS'
+  AWS_TEST_FARM_PEM:
+    description: 'contents of AWS PEM file to be placed in $AWS_EC2_PEM_FILE from environment'
+  PIP_USE_PEP517:
+    description: 'a pip flag'
+  TOXENV:
+    description: 'the tox environment to run'
+
 runs:
  using: composite
  steps:
+  - name: Create test farm pem file
+    if: contains(matrix.TOXENV, 'test-farm')
+    env:
+      PEM_CONTENTS: "${{ inputs.AWS_TEST_FARM_PEM }}"
+    run: |-
+      set -e
+      echo "${PEM_CONTENTS}" >> $AWS_EC2_PEM_FILE
+    shell: bash
  - name: Run tox
    env:
-      AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
-      AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
-      AWS_EC2_PEM: "github-test-farm.pem"
-      PIP_USE_PEP517: "${{ matrix.PIP_USE_PEP517 }}"
-      TOXENV: "${{ matrix.TOXENV }}"
+      AWS_ACCESS_KEY_ID: "${{ inputs.AWS_ACCESS_KEY_ID }}"
+      AWS_SECRET_ACCESS_KEY: "${{ inputs.AWS_SECRET_ACCESS_KEY }}"
+      PIP_USE_PEP517: "${{ inputs.PIP_USE_PEP517 }}"
+      TOXENV: "${{ inputs.TOXENV }}"
    run: |-
      set -e
      export TARGET_BRANCH="`echo "${BUILD_SOURCEBRANCH}" | sed -E 's!refs/(heads|tags)/!!g'`"
--- a/.github/actions/setup_tox/action.yml
+++ b/.github/actions/setup_tox/action.yml
@ -1,9 +1,16 @@
 name: setup_tox
+
+inputs:
+  AWS_TEST_FARM_PEM:
+    description: 'Contents of keyfile for AWS'
+  AWS_EC2_PEM_FILE:
+    description: 'Location of keyfile for AWS'
+
 runs:
  using: composite
  steps:
  - name: Install MacOS dependencies
-    if: startsWith(matrix.IMAGE_NAME, 'macOS')
+    if: runner.os == 'macOS'
    run: |-
      set -e
      unset HOMEBREW_NO_INSTALL_FROM_API
@ -12,7 +19,7 @@ runs:
      brew install augeas
    shell: bash
  - name: Install Linux dependencies
-    if: startsWith(matrix.IMAGE_NAME, 'ubuntu')
+    if: runner.os == 'Linux'
    run: |-
      set -e
      sudo apt-get update
@ -30,9 +37,3 @@ runs:
      set -e
      python3 tools/pip_install.py tox
    shell: bash
-  - name: Create test farm pem file
-    if: contains(matrix.TOXENV, 'test-farm')
-    env:
-      PEM_CONTENTS: "${{ secrets.AWS_TEST_FARM_PEM }}"
-    run: 'echo ${PEM_CONTENTS} >> github-test-farm.pem'
-    shell: bash
--- a/.github/workflows/extended_tests_jobs.yml
+++ b/.github/workflows/extended_tests_jobs.yml
@ -0,0 +1,64 @@
+# Environment variables defined in a calling workflow are not accessible to this reusable workflow. Refer to the documentation for further details on this limitation.
+name: extended_tests_jobs
+on:
+  workflow_call:
+
+jobs:
+  test:
+    name: extended_test ${{ matrix.TOXENV }} ${{ matrix.PYTHON_VERSION }}
+    permissions:
+      contents: read
+    runs-on:
+      - 'ubuntu-22.04'
+    env:
+      uploadCoverage: ${{ inputs.uploadCoverage }}
+    strategy:
+      fail-fast: false
+      matrix:
+        PYTHON_VERSION: ['3.14']
+        TOXENV:
+        - isolated-acme,isolated-certbot,isolated-apache,isolated-cloudflare,isolated-digitalocean,isolated-dnsimple,isolated-dnsmadeeasy,isolated-gehirn,isolated-google,isolated-linode,isolated-luadns,isolated-nsone,isolated-ovh,isolated-rfc2136,isolated-route53,isolated-sakuracloud,isolated-nginx
+        - nginx_compat
+        - modification
+        include:
+        - PYTHON_VERSION: '3.11'
+          TOXENV: py311
+        - PYTHON_VERSION: '3.12'
+          TOXENV: py312
+        - PYTHON_VERSION: '3.13'
+          TOXENV: py313
+        - PYTHON_VERSION: '3.10'
+          TOXENV: integration-certbot-oldest
+        - PYTHON_VERSION: '3.10'
+          TOXENV: integration-nginx-oldest
+        - PYTHON_VERSION: '3.10'
+          TOXENV: integration
+        - PYTHON_VERSION: '3.11'
+          TOXENV: integration
+        - PYTHON_VERSION: '3.12'
+          TOXENV: integration
+        - PYTHON_VERSION: '3.13'
+          TOXENV: integration
+        # python 3.14 integration tests are not run here because they're run as
+        # part of the standard test suite
+        - PYTHON_VERSION: '3.12'
+          TOXENV: integration-dns-rfc2136
+        - PYTHON_VERSION: '3.12'
+          TOXENV: test-farm-apache2
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v6.0.2
+    - name: Setup tox
+      uses: "./.github/actions/setup_tox"
+    - name: Run tox
+      uses: "./.github/actions/run_tox"
+      env:
+        AWS_EC2_PEM_FILE: ${{ github.workspace }}/GHAKeyPair.pem
+      with:
+        AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+        AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+        AWS_TEST_FARM_PEM: "${{ secrets.AWS_TEST_FARM_PEM }}"
+        PIP_USE_PEP517: "${{ matrix.PIP_USE_PEP517 }}"
+        TOXENV: "${{ matrix.TOXENV }}"
+    - name: Upload coverage
+      uses: "./.github/actions/upload_coverage"
--- a/.github/workflows/full-test-suite.yml
+++ b/.github/workflows/full-test-suite.yml
@ -0,0 +1,19 @@
+# Advanced pipeline for running our full test suite on demand.
+name: certbot/full-test-suite
+on:
+  push:
+    branches:
+    # When changing these triggers, please ensure the documentation under
+    # "Running tests in CI" is still correct.
+    - test-*
+
+jobs:
+  test_and_package_stage:
+    name: test_and_package_stage
+    uses: "./.github/workflows/test_and_package_stage.yml"
+    with:
+      # We don't publish our Docker images in this pipeline, but when building them
+      # for testing, let's use the nightly tag.
+      dockerTag: nightly
+      snapBuildTimeout: 5400
+    secrets: inherit
--- a/.github/workflows/packaging_jobs.yml
+++ b/.github/workflows/packaging_jobs.yml
@ -0,0 +1,188 @@
+# Environment variables defined in a calling workflow are not accessible to this reusable workflow. Refer to the documentation for further details on this limitation.
+name: packaging_jobs
+on:
+  workflow_call:
+    inputs:
+      dockerTag:
+        description: 'docker tag to push to'
+        type: string
+      snapBuildTimeout:
+        description: 'timeout for snap builds'
+        type: number
+
+env:
+  dockerTag: ${{ inputs.dockerTag }}
+  snapBuildTimeout: ${{ inputs.snapBuildTimeout }}
+
+jobs:
+  docker_build:
+    runs-on:
+      - ubuntu-24.04
+    # The default timeout of 60 minutes is a little low for compiling
+    # cryptography on ARM architectures.
+    timeout-minutes: 180
+    strategy:
+      fail-fast: false
+      matrix:
+        DOCKER_ARCH:
+        - arm32v6
+        - arm64v8
+        - amd64
+    steps:
+    - name: checkout
+      uses: actions/checkout@v6.0.2
+    - name: Build the Docker images
+      # We don't filter for the Docker Hub organization to continue to allow
+      # easy testing of these scripts on forks.
+      run: set -e && tools/docker/build.sh ${{ env.dockerTag }} ${{ matrix.DOCKER_ARCH }}
+      shell: bash
+    - name: Save the Docker images
+      run: |-
+        set -e
+        DOCKER_IMAGES=$(docker images --filter reference='*/certbot' --filter reference='*/dns-*' --format '{{.Repository}}')
+        docker save --output images.tar $DOCKER_IMAGES
+      shell: bash
+    # If the name of the tar file or artifact changes, the deploy stage will
+    # also need to be updated.
+    - name: Prepare Docker artifact
+      run: set -e && mv images.tar ${{ runner.temp }}
+      shell: bash
+    - name: Store Docker artifact
+      uses: actions/upload-artifact@v4.1.0
+      with:
+        name: docker_${{ matrix.DOCKER_ARCH }}
+        path: "${{ runner.temp }}"
+  docker_test:
+    needs:
+    - docker_build
+    runs-on:
+      - ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        DOCKER_ARCH:
+        - arm32v6
+        - arm64v8
+        - amd64
+    steps:
+    - name: checkout
+      uses: actions/checkout@v6.0.2
+    - name: Retrieve Docker images
+      uses: actions/download-artifact@v8.0.1
+      with:
+        name: docker_${{ matrix.DOCKER_ARCH }}
+        github_token: "${{ secrets.GITHUB_TOKEN }}"
+        path: "${{ github.workspace }}"
+        repo: "${{ github.repository }}"
+    - name: Load Docker images
+      run: set -e && docker load --input ${{ github.workspace }}/images.tar
+      shell: bash
+    - name: Run integration tests for Docker images
+      run: set -e && tools/docker/test.sh ${{ env.dockerTag }} ${{ matrix.DOCKER_ARCH }}
+      shell: bash
+  snaps_build:
+    runs-on:
+      - ubuntu-22.04
+    timeout-minutes: 0
+    strategy:
+      fail-fast: false
+      matrix:
+        SNAP_ARCH:
+        - amd64
+        - armhf
+        - arm64
+    steps:
+    - name: checkout
+      uses: actions/checkout@v6.0.2
+    - name: Install dependencies
+      run: |-
+        set -e
+        sudo apt-get update
+        sudo apt-get install -y --no-install-recommends snapd
+        sudo snap install --classic snapcraft
+    - uses: actions/setup-python@v5.0.0
+      with:
+        python-version: '3.12'
+    - name: Build snaps
+      env:
+        SNAPCRAFT_STORE_CREDENTIALS: "${{ secrets.LAUNCHPAD_CREDENTIALS }}"
+      run: |-
+        set -e
+        git config --global user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+        git config --global user.name "${{ github.actor }}"
+        python3 tools/snap/build_remote.py ALL --archs ${{ matrix.SNAP_ARCH }} --timeout ${{ env.snapBuildTimeout }}
+    - name: Prepare artifacts
+      run: |-
+        set -e
+        mv *.snap ${{ runner.temp }}
+        mv certbot-dns-*/*.snap ${{ runner.temp }}
+    - name: Store snaps artifacts
+      uses: actions/upload-artifact@v4.1.0
+      with:
+        name: snaps_${{ matrix.SNAP_ARCH }}
+        path: "${{ runner.temp }}"
+  snap_run:
+    needs:
+    - snaps_build
+    runs-on:
+      - ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v6.0.2
+    - uses: actions/setup-python@v5.0.0
+      with:
+        python-version: '3.12'
+    - name: Install dependencies
+      run: |-
+        set -e
+        sudo apt-get update
+        sudo apt-get install -y --no-install-recommends nginx-light snapd
+        python3 -m venv venv
+        venv/bin/python tools/pip_install.py -U tox
+    - name: Retrieve Certbot snaps
+      uses: actions/download-artifact@v8.0.1
+      with:
+        name: snaps_amd64
+        github_token: "${{ secrets.GITHUB_TOKEN }}"
+        path: "${{ github.workspace }}/snap"
+        repo: "${{ github.repository }}"
+    - name: Install Certbot snap
+      run: |-
+        set -e
+        sudo snap install --dangerous --classic snap/certbot_*.snap
+    - name: Run tox
+      run: |-
+        set -e
+        venv/bin/python -m tox run -e integration-external,apacheconftest-external-with-pebble
+  snap_dns_run:
+    needs:
+    - snaps_build
+    runs-on:
+      - ubuntu-22.04
+    steps:
+    - name: checkout
+      uses: actions/checkout@v6.0.2
+    - name: Install dependencies
+      run: |-
+        set -e
+        sudo apt-get update
+        sudo apt-get install -y --no-install-recommends snapd
+    - uses: actions/setup-python@v5.0.0
+      with:
+        python-version: '3.12'
+    - name: Retrieve Certbot snaps
+      uses: actions/download-artifact@v8.0.1
+      with:
+        name: snaps_amd64
+        github_token: "${{ secrets.GITHUB_TOKEN }}"
+        path: "${{ github.workspace }}/snap"
+        repo: "${{ github.repository }}"
+    - name: Prepare Certbot-CI
+      run: |-
+        set -e
+        python3 -m venv venv
+        venv/bin/python tools/pip_install.py -e certbot-ci
+    - name: Test DNS plugins snaps
+      run: |-
+        set -e
+        sudo -E venv/bin/pytest certbot-ci/src/snap_integration_tests/dns_tests --allow-persistent-changes --snap-folder ${{ github.workspace }}/snap --snap-arch amd64
--- a/.github/workflows/test_and_package_stage.yml
+++ b/.github/workflows/test_and_package_stage.yml
@ -0,0 +1,33 @@
+# Environment variables defined in a calling workflow are not accessible to this reusable workflow. Refer to the documentation for further details on this limitation.
+name: test_and_package_stage
+on:
+  workflow_call:
+    inputs:
+      dockerTag:
+        description: 'docker tag to push to'
+        type: string
+      snapBuildTimeout:
+        description: 'timeout for snap builds'
+        type: number
+
+jobs:
+  standard_tests_jobs:
+    name: standard_tests_jobs
+    uses: "./.github/workflows/standard_tests_jobs.yml"
+    permissions:
+      contents: read
+  extended_tests_jobs:
+    name: extended_tests_jobs
+    uses: "./.github/workflows/extended_tests_jobs.yml"
+    permissions:
+      contents: read
+    secrets: inherit
+  packaging_jobs:
+    name: packaging_jobs
+    uses: "./.github/workflows/packaging_jobs.yml"
+    permissions:
+      contents: read
+    with:
+      dockerTag: ${{ inputs.dockerTag }}
+      snapBuildTimeout: ${{ inputs.snapBuildTimeout }}
+    secrets: inherit