From b28ff064e11eb21059bbd8c0034f0f17004a0af9 Mon Sep 17 00:00:00 2001 From: Erica Portnoy Date: Thu, 16 Apr 2026 16:42:46 -0700 Subject: [PATCH] add nightly tests
---
 .github/workflows/changelog_stage.yml | 22 ++++
 .github/workflows/common_deploy_jobs.yml | 124 +++++++++++++++++++
 .github/workflows/extended_tests_jobs.yml | 2 +-
 .github/workflows/full-test-suite.yml | 2 +-
 .github/workflows/nightly.yml | 25 ++++
 .github/workflows/packaging_jobs.yml | 4 +-
 .github/workflows/pr-test-suite.yml | 2 +-
 .github/workflows/standard_tests_jobs.yml | 2 +-
 .github/workflows/test_and_package_stage.yml | 2 +-
 9 files changed, 178 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/changelog_stage.yml
 create mode 100644 .github/workflows/common_deploy_jobs.yml
 create mode 100644 .github/workflows/nightly.yml
diff --git a/.github/workflows/changelog_stage.yml b/.github/workflows/changelog_stage.yml
new file mode 100644
index 000000000..aedee1755
--- /dev/null
+++ b/.github/workflows/changelog_stage.yml
@@ -0,0 +1,22 @@
+name: Changelog stage
+on:
+ workflow_call:
+jobs:
+ prepare:
+ runs-on: ubuntu-latest
+ steps:
+ # If we change the output filename from `release_notes.md`, it should also be changed in tools/create_github_release.py
+ - name: checkout
+ uses: actions/checkout@v6.0.2
+ - name: Prepare changelog
+ run: |-
+ set -e
+ CERTBOT_VERSION="$(cd certbot/src && python -c "import certbot; print(certbot.__version__)" && cd ~-)"
+ tools/extract_changelog.py "${CERTBOT_VERSION}" >> "${{ runner.temp }}/release_notes.md"
+ shell: bash
+ - name: Publish changelog
+ uses: actions/upload-artifact@v7.0.0
+ with:
+ # If we change the artifact's name, it should also be changed in tools/create_github_release.py
+ name: changelog
+ path: "${{ runner.temp }}"
diff --git a/.github/workflows/common_deploy_jobs.yml b/.github/workflows/common_deploy_jobs.yml
new file mode 100644
index 000000000..0db502162
--- /dev/null
+++ b/.github/workflows/common_deploy_jobs.yml
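Review bot: `path: "${{ runner.temp }}"` on the Publish changelog step uploads the whole runner temp directory as the `changelog` artifact, not just the one file the previous step writes, so anything else the runner or an earlier action leaves there (scratch files, tool caches) becomes downloadable from the run; narrowing it to `path: "${{ runner.temp }}/release_notes.md"` keeps the artifact to exactly the file that tools/create_github_release.py is said to look for. The `prepare` job also carries no `permissions:` block, while the deploy jobs added in the same commit declare `contents: read`; adding `permissions:` / `  contents: read` here keeps the job token least-privilege regardless of what the caller grants. Both `uses:` references are tag-pinned (`actions/checkout@v6.0.2`, `actions/upload-artifact@v7.0.0`); for workflows that feed a release pipeline, pinning to the full commit SHA with the tag in a trailing comment removes the tag-retarget supply-chain risk. The `>>` append is harmless on a fresh runner, but `>` would make the step idempotent if the file ever pre-exists.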
@@ -0,0 +1,124 @@
+name: Common deploy jobs
+on:
+ workflow_call:
+ inputs:
+ dockerTag:
+ required: true
+ description: 'docker tag to push to'
+ type: string
+ snapReleaseChannel:
+ type: choice
+ options:
+ - edge
+ - beta
+ required: true
+
+jobs:
+ # This job relies on credentials used to publish the Certbot snaps. This
+ # credential file was created by running:
+ #
+ # snapcraft logout
+ # snapcraft export-login --channels=beta,edge snapcraft.cfg
+ # (provide the shared snapcraft credentials when prompted)
+ #
+ # Then the contents of the file were added as a secret in Github
+ # with the name SNAPCRAFTCFG under the Secrets and Variables -> Actions
+ # section of the settings for the certbot organization.
+ #
+ # Revoking these credentials can be done by changing the password of the
+ # account used to generate the credentials. See
+ # https://forum.snapcraft.io/t/revoking-exported-credentials/19031 for more
+ # info.
+ publish_snap:
+ name: Publish snap
+ permissions:
+ contents: read
+ runs-on:
+ - 'ubuntu-24.04'
+ strategy:
+ matrix:
+ SNAP_ARCH: [amd64, armhf, arm64]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6.0.2
+ - name: Install dependencies
+ run: |-
+ set -e
+ sudo apt-get update
+ sudo apt-get install -y --no-install-recommends snapd
+ sudo snap install --classic snapcraft
+ shell: bash
+ - name: Retrieve Certbot snaps
+ uses: actions/download-artifact@v8.0.1
+ with:
+ name: snaps_${{ matrix.SNAP_ARCH }}
+ path: "${{ github.workspace }}/snap"
+ - name: Publish to Snap store
+ run: |-
+ set -e
+ export SNAPCRAFT_STORE_CREDENTIALS="${{ secrets.SNAPCRAFTCFG }}"
+ for SNAP_FILE in snap/*.snap; do
+ tools/retry.sh eval snapcraft upload --release=${{ inputs.snapReleaseChannel }} "${SNAP_FILE}"
+ done
+ shell: bash
+ # The credentials used in the following jobs are for the shared
+ # certbotbot account on Docker Hub.
+ # They are located under the certbot organization settings,
+ # under Secrets and Variables -> Actions.
+ # DOCKERHUB_USERNAME is saved as a variable.
+ # DOCKERHUB_TOKEN is a secret, and it is a PAT created by
+ # following the instructions at
+ # https://docs.docker.com/security/access-tokens/
+ # with Read and Write permissions. The access token can be deleted
+ # on Docker Hub if these credentials need to be revoked.
+ # The password is a PAT following the advice given by
+ # https://github.com/docker/login-action?tab=readme-ov-file#docker-hub
+ publish_docker_by_arch:
+ name: Publish docker by arch
+ permissions:
+ contents: read
+ runs-on:
+ - 'ubuntu-24.04'
+ strategy:
+ matrix:
+ DOCKER_ARCH:
+ - arm32v6
+ - arm64v8
+ - amd64
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6.0.2
+ - name: Retrieve Certbot snaps
+ uses: actions/download-artifact@v8.0.1
+ with:
+ name: docker_${{ matrix.DOCKER_ARCH }}
+ path: "${{ github.workspace }}"
+ - name: Load Docker images
+ run: set -e && docker load --input ${{ github.workspace }}/images.tar
+ shell: bash
+ - name: Login to Docker Hub
+ uses: docker/login-action@v4.1.0
+ with:
+ username: "${{ vars.DOCKERHUB_USERNAME }}"
+ password: "${{ secrets.DOCKERHUB_TOKEN }}"
+ - name: Deploy the Docker images by architecture
+ run: set -e && tools/docker/deploy_images.sh ${{ inputs.dockerTag }} ${{ matrix.DOCKER_ARCH }}
+ shell: bash
+ publish_docker_multiarch:
+ name: Publish docker multiarch
+ needs: publish_docker_by_arch
+ permissions:
+ contents: read
+ runs-on:
+ - 'ubuntu-24.04'
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6.0.2
+ - name: Login to Docker Hub
+ uses: docker/login-action@v4.1.0
+ with:
+ username: "${{ vars.DOCKERHUB_USERNAME }}"
+ password: "${{ secrets.DOCKERHUB_TOKEN }}"
+ - name: Deploy the Docker multiarch manifests
+ run: set -e && tools/docker/deploy_manifests.sh ${{ inputs.dockerTag }} all
+ shell: bash
diff --git a/.github/workflows/extended_tests_jobs.yml b/.github/workflows/extended_tests_jobs.yml
index 808028100..7eb350af2 100644
--- a/.github/workflows/extended_tests_jobs.yml
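Review bot: The `Publish to Snap store` step and both `deploy_*.sh` steps splice `${{ secrets.SNAPCRAFTCFG }}`, `${{ inputs.snapReleaseChannel }}` and `${{ inputs.dockerTag }}` directly into `run:` text, so the values are substituted before bash ever parses the script: the credential blob is written into the generated script file, and any caller that passes an input containing shell metacharacters turns it into commands (today's callers pass literals, but a `workflow_call` workflow cannot rely on that). Pass each value through an `env:` map and reference the variable inside the script instead, e.g. `DOCKER_TAG: ${{ inputs.dockerTag }}` and then `tools/docker/deploy_images.sh "${DOCKER_TAG}" "${DOCKER_ARCH}"`. Because the snap step runs `tools/retry.sh eval …`, and `eval` re-parses its joined arguments, an env var alone is not enough there; the channel should be checked against the two allowed values before the loop, as below. Separately, `type: choice` with `options:` is a `workflow_dispatch` input form, and GitHub's documentation lists only `boolean`, `number` and `string` for `workflow_call` inputs, so this declaration may be rejected at validation; declaring it `type: string` and enforcing the allowed values in the shell check covers both concerns.

```yaml
      - name: Publish to Snap store
        env:
          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFTCFG }}
          SNAP_RELEASE_CHANNEL: ${{ inputs.snapReleaseChannel }}
        run: |-
          set -e
          # Reject anything but the two channels this workflow is allowed to
          # publish to; retry.sh passes its arguments through eval, so an
          # unvalidated value would be re-parsed as shell.
          case "${SNAP_RELEASE_CHANNEL}" in
            edge|beta) ;;
            *) echo "unexpected snap release channel: ${SNAP_RELEASE_CHANNEL}" >&2; exit 1 ;;
          esac
          for SNAP_FILE in snap/*.snap; do
            tools/retry.sh eval snapcraft upload --release="${SNAP_RELEASE_CHANNEL}" "${SNAP_FILE}"
          done
        shell: bash
```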
+++ b/.github/workflows/extended_tests_jobs.yml
@@ -1,5 +1,5 @@
 # Environment variables defined in a calling workflow are not accessible to this reusable workflow. Refer to the documentation for further details on this limitation.
-name: extended_tests_jobs
+name: Extended tests jobs
 on:
 workflow_call:
diff --git a/.github/workflows/full-test-suite.yml b/.github/workflows/full-test-suite.yml
index 1db18ae8e..683809989 100644
--- a/.github/workflows/full-test-suite.yml
+++ b/.github/workflows/full-test-suite.yml
@@ -1,5 +1,5 @@
 # Advanced pipeline for running our full test suite on demand.
-name: certbot/full-test-suite
+name: Full test suite
 on:
 push:
 branches:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
new file mode 100644
index 000000000..04142ae3e
--- /dev/null
+++ b/.github/workflows/nightly.yml
@@ -0,0 +1,25 @@
+# Nightly pipeline running each day for main.
+name: Nightly build
+on:
+ schedule:
+ - cron: 30 4 * * *
+
+jobs:
+ test_and_package_stage:
+ name: Test and Package
+ uses: "./.github/workflows/test_and_package_stage.yml"
+ with:
+ dockerTag: nightly
+ snapBuildTimeout: 19800
+ secrets: inherit
+ changelog_stage:
+ name: Create changelog
+ uses: "./.github/workflows/changelog_stage.yml"
+ nightly_deploy_stage:
+ name: Nightly deploy
+ needs: test_and_package_stage
+ uses: "./.github/workflows/common_deploy_jobs.yml"
+ secrets: inherit
+ with:
+ dockerTag: nightly
+ snapReleaseChannel: edge
diff --git a/.github/workflows/packaging_jobs.yml b/.github/workflows/packaging_jobs.yml
index 10b13fc72..d111465bc 100644
--- a/.github/workflows/packaging_jobs.yml
+++ b/.github/workflows/packaging_jobs.yml
@@ -48,7 +48,7 @@ jobs:
 run: set -e && mv images.tar ${{ runner.temp }}
 shell: bash
 - name: Store Docker artifact
- uses: actions/upload-artifact@v4.1.0
+ uses: actions/upload-artifact@v7.0.0
 with:
 name: docker_${{ matrix.DOCKER_ARCH }}
 path: "${{ runner.temp }}"
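Review bot: nightly.yml declares no top-level `permissions:`, and reusable workflows run with whatever the caller grants, so a scheduled run starts from the repository's default `GITHUB_TOKEN` scope (read/write on older repositories unless the setting was changed); only the deploy jobs in common_deploy_jobs.yml narrow it themselves. Adding `permissions:` / `  contents: read` at the top of nightly.yml makes every called workflow read-only unless it explicitly asks for more. `secrets: inherit` on `test_and_package_stage` also hands the Snapcraft and Docker Hub publishing credentials to the build-and-test jobs; if that stage only needs specific secrets, passing them by name keeps the publish tokens out of jobs that never publish (test_and_package_stage.yml is outside this diff, so confirm what it actually consumes). The `changelog_stage` job has no `needs` and nothing in this workflow consumes its `changelog` artifact; if it exists for tools/create_github_release.py to pick up later, a one-line comment saying so would stop the next reader from treating it as dead. Quoting the schedule as `- cron: "30 4 * * *"` is also the usual convention, even though the bare form parses as a string here.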
@@ -178,7 +178,7 @@ jobs:
 mv *.snap ${{ runner.temp }}
 mv certbot-dns-*/*.snap ${{ runner.temp }}
 - name: Store snaps artifacts
- uses: actions/upload-artifact@v4.1.0
+ uses: actions/upload-artifact@v7.0.0
 with:
 name: snaps_${{ matrix.SNAP_ARCH }}
 path: "${{ runner.temp }}"
diff --git a/.github/workflows/pr-test-suite.yml b/.github/workflows/pr-test-suite.yml
index 86cbbe6a1..65b971ae3 100644
--- a/.github/workflows/pr-test-suite.yml
+++ b/.github/workflows/pr-test-suite.yml
@@ -1,6 +1,6 @@
 # We run the test suite on commits to main so codecov gets coverage data
 # about the main branch and can use it to track coverage changes.
-name: certbot/pr-test-suite
+name: PR test suite
 on:
 push:
 branches:
diff --git a/.github/workflows/standard_tests_jobs.yml b/.github/workflows/standard_tests_jobs.yml
index 0ceb4f1b3..1812ec767 100644
--- a/.github/workflows/standard_tests_jobs.yml
+++ b/.github/workflows/standard_tests_jobs.yml
@@ -1,5 +1,5 @@
 # Environment variables defined in a calling workflow are not accessible to this reusable workflow. Refer to the documentation for further details on this limitation.
-name: standard_tests_jobs
+name: Standard tests jobs
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/test_and_package_stage.yml b/.github/workflows/test_and_package_stage.yml
index 1e74eceb5..c772465b7 100644
--- a/.github/workflows/test_and_package_stage.yml
+++ b/.github/workflows/test_and_package_stage.yml
@@ -1,5 +1,5 @@
 # Environment variables defined in a calling workflow are not accessible to this reusable workflow. Refer to the documentation for further details on this limitation.
-name: test_and_package_stage
+name: Test and package stage
 on:
 workflow_call:
 inputs: