mirror of
https://github.com/certbot/certbot.git
synced 2026-05-28 04:34:11 -04:00
Related to https://github.com/certbot/certbot/issues/10581

Following up on #10631 and https://github.com/certbot/certbot/pull/10622, this PR converts the `nightly` [pipeline](https://dev.azure.com/certbot/certbot/_build?definitionId=5) from Azure to Github Actions.

`schedule` and `workflow_dispatch` triggers only work on merged branches, not PRs. To see these tests running, I temporarily added a `push` trigger in commit [a2e9c43](a2e9c4303e). You can see the results of those tests [here](https://github.com/certbot/certbot/actions/runs/25688414262).

I did not split each file into its own commit this time because I feel like the general idea is clear. The relevant files in azure pipelines to reference are:

- the deleted `.azure-pipelines/nightly.yml` --> `.github/workflows/nightly.yml`
- `.azure-pipelines/templates/jobs/common-deploy-jobs.yml` --> `.github/workflows/deploy_docker_images.yml` and `.github/workflows/deploy_snaps.yml`
- `.azure-pipelines/templates/stages/changelog-stage.yml` --> `.github/workflows/create_changelog.yml`

I chose to split `common-deploy-jobs` into `deploy_docker_images` and `deploy_snaps`. This is because the docker arm32v6 build takes a long time, but uploading to docker is quick, while the armhf snaps build varies but is often quicker, but uploading the snaps can take some time. By splitting them, we can specify the dependencies more precisely, and hopefully shave some time off the total. Without the split, tests took [53 minutes total](https://github.com/certbot/certbot/actions/runs/25684264622). After the split, tests took [33 minutes total](https://github.com/certbot/certbot/actions/runs/25688414262)!

As before, the "nightly deploy stage" from azure has been omitted for clarity.

`rerun.yml` did not exist before. There's not a great built-in way to rerun individual jobs in github actions, which I wanted for the snap builds specifically, since other timeouts can still happen. I could have made an action or additional workflow and wrapped that in a script to retry it, but I figured actually it's nicer to have the ability to rerun anything. This is equivalent to clicking "rerun all failed jobs," which I feel is usually what we want. Unfortunately, I am pretty sure that to test it, the rerun script will need to be merged first, since it relies on `workflow_dispatch`.

You can see that packages were successfully uploaded to [dockerhub](https://hub.docker.com/r/certbot/certbot/tags) and the [snap store](https://dashboard.snapcraft.io/stores/snaps/); looking at the timestamps is probably the easiest way to confirm (about 11:45am Monday).
86 lines
2.7 KiB
YAML
```yaml
name: Deploy snaps

on:
  workflow_call:
    inputs:
      snapReleaseChannel:
        description: 'snap channel to release to'
        required: true
        type: string
    secrets:
      SNAPCRAFTCFG:
        required: true

permissions:
  contents: read

env:
  SNAP_RELEASE_CHANNEL: "${{ inputs.snapReleaseChannel }}"

jobs:
  # This job relies on credentials used to publish the Certbot snaps. This
  # credential file was created by running:
  #
  #   snapcraft logout
  #   snapcraft export-login --channels=beta,edge snapcraft.cfg
  #   (provide the shared snapcraft credentials when prompted)
  #
  # Then the contents of the file were added as a secret in Github
  # with the name SNAPCRAFTCFG under the Secrets and Variables -> Actions
  # section of the settings for the certbot organization.
  #
  # Revoking these credentials can be done by changing the password of the
  # account used to generate the credentials. See
  # https://forum.snapcraft.io/t/revoking-exported-credentials/19031 for more
  # info.
  publish_snap:
    name: Publish snap
    if: ${{ inputs.snapReleaseChannel == 'edge' || inputs.snapReleaseChannel == 'beta' }}
    runs-on:
      - 'ubuntu-24.04'
    strategy:
      fail-fast: false
      matrix:
        SNAP_ARCH: [amd64, armhf, arm64]
    steps:
      - name: Checkout
        uses: actions/checkout@v6.0.2
        with:
          persist-credentials: false
      - name: Install dependencies
        run: |-
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends snapd
          sudo snap install --classic snapcraft
        shell: bash
      - name: Retrieve Certbot snaps
        if: ${{ matrix.SNAP_ARCH == 'armhf' }}
        uses: actions/download-artifact@v8.0.1
        with:
          name: snaps_${{ matrix.SNAP_ARCH }}
          path: "${{ github.workspace }}/snap"
      - name: Retrieve Certbot snaps
        if: ${{ matrix.SNAP_ARCH != 'armhf' }}
        uses: actions/download-artifact@v8.0.1
        with:
          pattern: snap-*-${{ matrix.SNAP_ARCH }}
          merge-multiple: true
          path: "${{ github.workspace }}/snap"
      - name: Display structure of downloaded files
        run: ls -R "${{ github.workspace }}/snap"
      - name: Publish to Snap store
        run: |-
          export SNAPCRAFT_STORE_CREDENTIALS="${{ secrets.SNAPCRAFTCFG }}"
          for SNAP_FILE in snap/*.snap; do
            tools/retry.sh eval snapcraft upload --release="${SNAP_RELEASE_CHANNEL}" "${SNAP_FILE}"
          done
        shell: bash
  publish_snap_invalid:
    # Fail instead of silently skipping snap release
    name: Fail on invalid snapReleaseChannel
    if: ${{ inputs.snapReleaseChannel != 'edge' && inputs.snapReleaseChannel != 'beta' }}
    runs-on:
      - 'ubuntu-latest'
    steps:
      - name: Fail
        run: exit 1
        shell: bash
```
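A hardened variant of the `Publish to Snap store` step, added here as an example and not taken from the certbot repository. `${{ secrets.SNAPCRAFTCFG }}` inside `run:` is substituted into the script text before bash parses it, so the value is written into the generated script file and any quote, `$` or backtick in it would be read as shell syntax; mapping it through the step's `env:` hands it to the process as data instead. The empty-glob check is an added assumption about the desired behaviour when no artifact was downloaded.

```yaml
      # Added example (not the project's own code): same upload loop as the
      # step above, with the credential delivered through the environment.
      - name: Publish to Snap store
        env:
          # Expanded by the runner into the process environment, never into
          # the script body, so bash does not re-parse the secret's contents.
          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFTCFG }}
        run: |-
          # Without nullglob an unmatched pattern stays as the literal
          # string "snap/*.snap"; collect matches and fail explicitly instead.
          shopt -s nullglob
          snaps=(snap/*.snap)
          if [ "${#snaps[@]}" -eq 0 ]; then
            echo "no .snap files found under snap/" >&2
            exit 1
          fi
          # SNAP_RELEASE_CHANNEL already arrives via the workflow-level env
          # block, which is the same pattern applied to the channel input.
          for SNAP_FILE in "${snaps[@]}"; do
            tools/retry.sh eval snapcraft upload --release="${SNAP_RELEASE_CHANNEL}" "${SNAP_FILE}"
          done
        shell: bash
```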