Launch CRIBs on pre-release tags (#15805)

* Refactor to use composite action * Fix bug to get only tagged image * Launch CRIB on pre-release tags * Use pinned sha versions for actions * Use released version of action * Fix k8s api endpoint input for crib action * Fix conditional with input prefix * Revert to previously working setup-gap actions * Add required env vars back for integration tests * Add GAP URL for integration tests
smartcontractkit · Dec 28, 2024 · b5c671e · b5c671e
1 parent 498b0b8
commit b5c671e
Show file tree

Hide file tree

Showing 4 changed files with 213 additions and 96 deletions.
diff --git a/.github/actions/build-sign-publish-chainlink/action.yml b/.github/actions/build-sign-publish-chainlink/action.yml
@@ -210,12 +210,12 @@ runs:
         IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['image.name'] }}
         IMAGE_DIGEST=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['containerimage.digest'] }}
         IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
-        IMAGE_TAG=$(echo "$IMAGES_NAME_RAW" | cut -d":" -f2)
+        IMAGE_TAG=$(echo "$IMAGE_NAME" | cut -d":" -f2)
         echo "nonroot_image_name=${IMAGE_NAME}" >> $GITHUB_ENV
         echo "nonroot_image_digest=${IMAGE_DIGEST}" >> $GITHUB_ENV
         echo '### Docker Image' >> $GITHUB_STEP_SUMMARY
-        echo "Image Name: ${IMAGE_NAME}"  >> $GITHUB_STEP_SUMMARY
-        echo "Image Digest: ${IMAGE_DIGEST}"  >> $GITHUB_STEP_SUMMARY
+        echo "Image Name: ${IMAGE_NAME}" >> $GITHUB_STEP_SUMMARY
+        echo "Image Digest: ${IMAGE_DIGEST}" >> $GITHUB_STEP_SUMMARY
         echo "image-tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
         echo "image-digest=${IMAGE_DIGEST}" >> $GITHUB_OUTPUT
 

diff --git a/.github/actions/crib/action.yml b/.github/actions/crib/action.yml
@@ -0,0 +1,156 @@
+name: "CRIB Action"
+description: "Spin up a CRIB environment. Optionally run tests and tear it down."
+
+inputs:
+  aws-role-duration-seconds:
+    description: "Duration in seconds for AWS role"
+    required: false
+    default: "3600"
+  aws-role-arn:
+    description: "AWS Role ARN for CRIB"
+    required: true
+  aws-region:
+    description: "AWS Region"
+    required: true
+  aws-account-id:
+    description: "AWS Account ID"
+    required: true
+  api-gw-host-crib:
+    description: "API Gateway Host for CRIB"
+    required: true
+  api-gw-host-k8s:
+    description: "API Gateway Host for K8s"
+    required: true
+  k8s-api-endpoint:
+    description: "Kubernetes API endpoint"
+    required: true
+  k8s-cluster-name:
+    description: "Kubernetes cluster name"
+    required: true
+  aws-token-issuer-role-arn:
+    description: "AWS Role ARN for token issuer"
+    required: true
+  aws-token-issuer-lambda-url:
+    description: "AWS Lambda URL for token issuer"
+    required: true
+  ingress-base-domain:
+    description: "Ingress base domain"
+    required: true
+  k8s-staging-ingress-suffix:
+    description: "K8S staging ingress suffix"
+    required: true
+  gap-url-integration-tests:
+    description: "GAP URL for integration tests"
+    required: true
+  crib-alert-slack-webhook:
+    description: "CRIB alert Slack webhook"
+    required: true
+  crib-chainlink-docker-image-name:
+    description: "Docker image name"
+    required: true
+  crib-chainlink-docker-image-tag:
+    description: "Docker image tag"
+    required: true
+  crib-cleanup-ttl:
+    # See: https://kyverno.io/docs/writing-policies/cleanup/
+    description: "Time to keep environment up for before destroying it. Examples: 15m, 1h, 3d"
+    required: false
+    default: "1h"
+  crib-destroy-environment:
+    description: "Whether to destroy the CRIB environment after testing"
+    required: false
+    default: "true"
+  integration-tests-run:
+    description: "Whether to run integration tests"
+    required: false
+    default: "true"
+
+runs:
+  using: "composite"
+  steps:
+    - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
+
+    - name: setup-gap crib
+      uses: smartcontractkit/.github/actions/setup-gap@00b58566e0ee2761e56d9db0ea72b783fdb89b8d # [email protected]
+      with:
+        aws-role-duration-seconds: ${{ inputs.aws-role-duration-seconds }}
+        aws-role-arn: ${{ inputs.aws-role-arn }}
+        api-gateway-host: ${{ inputs.api-gw-host-crib }}
+        aws-region: ${{ inputs.aws-region }}
+        ecr-private-registry: ${{ inputs.aws-account-id }}
+        k8s-cluster-name: ${{ inputs.k8s-cluster-name }}
+        gap-name: crib
+        use-private-ecr-registry: true
+        use-tls: true
+        proxy-port: 8080
+
+    - name: setup-gap k8s
+      uses: smartcontractkit/.github/actions/setup-gap@00b58566e0ee2761e56d9db0ea72b783fdb89b8d # [email protected]
+      with:
+        aws-role-duration-seconds: ${{ inputs.aws-role-duration-seconds }}
+        aws-role-arn: ${{ inputs.aws-role-arn }}
+        api-gateway-host: ${{ inputs.api-gw-host-k8s }}
+        aws-region: ${{ inputs.aws-region }}
+        ecr-private-registry: ${{ inputs.aws-account-id }}
+        k8s-cluster-name: ${{ inputs.k8s-cluster-name }}
+        gap-name: k8s
+        use-private-ecr-registry: true
+        use-k8s: true
+        proxy-port: 8443
+
+    - name: Setup GitHub token using GATI
+      id: token
+      uses: smartcontractkit/.github/actions/setup-github-token@ef78fa97bf3c77de6563db1175422703e9e6674f # [email protected]
+      with:
+        aws-role-arn: ${{ inputs.aws-token-issuer-role-arn }}
+        aws-lambda-url: ${{ inputs.aws-token-issuer-lambda-url }}
+        aws-region: ${{ inputs.aws-region }}
+        aws-role-duration-seconds: "1800"
+
+    - name: Deploy and validate CRIB Environment for Core
+      uses: smartcontractkit/.github/actions/crib-deploy-environment@815e0d550527897746e889441407926d7e28169c # [email protected]
+      id: deploy-crib
+      with:
+        github-token: ${{ steps.token.outputs.access-token }}
+        aws-ecr-private-registry: ${{ inputs.aws-account-id }}
+        aws-region: ${{ inputs.aws-region }}
+        aws-role-arn: ${{ inputs.aws-role-arn }}
+        ingress-base-domain: ${{ inputs.ingress-base-domain }}
+        k8s-api-endpoint: ${{ inputs.k8s-api-endpoint }}
+        k8s-cluster-name: ${{ inputs.k8s-cluster-name }}
+        chainlink-team: releng
+        chainlink-product: crib
+        command: "core-dev-simulated-core-ocr1"
+        crib-alert-slack-webhook: ${{ inputs.crib-alert-slack-webhook }}
+        product-image: ${{ inputs.crib-chainlink-docker-image-name }}
+        product-image-tag: ${{ inputs.crib-chainlink-docker-image-tag }}
+        ns-ttl: ${{ inputs.crib-cleanup-ttl }}
+
+    - name: Set up Go
+      uses: ./.github/actions/setup-go
+      with:
+        go-version-file: "go.mod"
+
+    - name: Run CRIB integration test
+      if: inputs.integration-tests-run == 'true'
+      shell: bash
+      working-directory: integration-tests/crib
+      env:
+        K8S_STAGING_INGRESS_SUFFIX: ${{ inputs.k8s-staging-ingress-suffix }}
+        CRIB_NAMESPACE: ${{ steps.deploy-crib.outputs.devspace-namespace }}
+        CRIB_NETWORK: geth
+        CRIB_NODES: 5
+        GAP_URL: ${{ inputs.gap-url-integration-tests }}
+        SETH_LOG_LEVEL: info
+        TEST_PERSISTENCE: true
+        E2E_TEST_CHAINLINK_IMAGE: public.ecr.aws/chainlink/chainlink
+        E2E_TEST_CHAINLINK_VERSION: latest
+      run: go test -v -run TestCRIBChaos
+
+    - name: Destroy CRIB Environment
+      if: inputs.crib-destroy-environment == 'true' && always() && steps.deploy-crib.outputs.devspace-namespace != ''
+      uses: smartcontractkit/.github/actions/crib-purge-environment@142671bc21953c8cc3edbd21848c50b5ec201c2a # [email protected]
+      with:
+        namespace: ${{ steps.deploy-crib.outputs.devspace-namespace }}
diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml
@@ -15,6 +15,8 @@ jobs:
     outputs:
       git-tag-type: ${{ steps.check-git-tag-type.outputs.git-tag-type }}
       ecr-image-name: ${{ steps.check-git-tag-type.outputs.ecr-image-name }}
+      is-release: ${{ steps.release-tag-check.outputs.is-release }}
+      is-pre-release: ${{ steps.release-tag-check.outputs.is-pre-release }}
     steps:
       - name: Checkout repository
         uses: actions/[email protected]
@@ -38,6 +40,9 @@ jobs:
             echo "git-tag-type=core" | tee -a "$GITHUB_OUTPUT"
             echo "ecr-image-name=chainlink/chainlink" | tee -a "$GITHUB_OUTPUT"
           fi
+      - name: Check release tag
+        id: release-tag-check
+        uses: smartcontractkit/.github/actions/release-tag-check@c5c4a8186da4218cff6cac8184e47dd3dec69ba3 # [email protected]
       - name: Fail if CCIP release has wrong version
         if: ${{ steps.check-git-tag-type.outputs.git-tag-type == 'ccip' }}
         run: |
@@ -136,3 +141,38 @@ jobs:
               github.ref_type == 'tag' && 
               needs.build-sign-publish-chainlink.outputs.docker-image-digest || ''
             }}
+  crib:
+    needs: [checks, build-sign-publish-chainlink]
+    # Only spin up CRIB on pre-releases (beta, rc).
+    if: needs.checks.outputs.is-pre-release == 'true'
+    runs-on: ubuntu-latest
+    environment: integration
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/[email protected]
+        with:
+          persist-credentials: false
+
+      - name: Run Core CRIB Integration Tests
+        uses: ./.github/actions/crib
+        with:
+          aws-role-arn: ${{ secrets.AWS_OIDC_CRIB_ROLE_ARN_STAGE }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID_PROD }}
+          api-gw-host-crib: ${{ secrets.AWS_API_GW_HOST_CRIB_STAGE }}
+          api-gw-host-k8s: ${{ secrets.AWS_API_GW_HOST_K8S_STAGE }}
+          k8s-api-endpoint: ${{ secrets.GAP_HOST_K8S_STAGE }}
+          k8s-cluster-name: ${{ secrets.AWS_K8S_CLUSTER_NAME_STAGE }}
+          aws-token-issuer-role-arn: ${{ secrets.AWS_OIDC_GLOBAL_READ_ONLY_TOKEN_ISSUER_ROLE_ARN }}
+          aws-token-issuer-lambda-url: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
+          ingress-base-domain: ${{ secrets.INGRESS_BASE_DOMAIN_STAGE }}
+          k8s-staging-ingress-suffix: ${{ secrets.K8S_STAGING_INGRESS_SUFFIX }}
+          gap-url-integration-tests: ${{ secrets.GAP_URL }}
+          crib-alert-slack-webhook: ${{ secrets.CRIB_ALERT_SLACK_WEBHOOK }}
+          crib-chainlink-docker-image-name: ${{ format('{0}/{1}', env.ECR_HOSTNAME, needs.checks.outputs.ecr-image-name) }}
+          crib-chainlink-docker-image-tag: ${{ needs.build-sign-publish-chainlink.outputs.docker-image-tag}}
+          crib-cleanup-ttl: "3d"
diff --git a/.github/workflows/crib-integration-test.yml b/.github/workflows/crib-integration-test.yml
@@ -6,9 +6,11 @@ on:
   schedule:
     - cron: "0 1 * * *"
   workflow_call:
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -23,102 +25,21 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
-        with:
-          nix_path: nixpkgs=channel:nixos-unstable
-
-      - name: setup-gap crib
-        uses: smartcontractkit/.github/actions/setup-gap@00b58566e0ee2761e56d9db0ea72b783fdb89b8d # [email protected]
-        with:
-          aws-role-duration-seconds: 3600 # 1 hour
-          aws-role-arn: ${{ secrets.AWS_OIDC_CRIB_ROLE_ARN_STAGE }}
-          api-gateway-host: ${{ secrets.AWS_API_GW_HOST_CRIB_STAGE }}
-          aws-region: ${{ secrets.AWS_REGION }}
-          ecr-private-registry: ${{ secrets.AWS_ACCOUNT_ID_PROD }}
-          k8s-cluster-name: ${{ secrets.AWS_K8S_CLUSTER_NAME_STAGE }}
-          gap-name: crib
-          use-private-ecr-registry: true
-          use-tls: true
-          proxy-port: 8080
-          metrics-job-name: "test"
-          gc-basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
-          gc-host: ${{ secrets.GRAFANA_INTERNAL_HOST }}
-          gc-org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
-
-      - name: setup-gap k8s
-        uses: smartcontractkit/.github/actions/setup-gap@00b58566e0ee2761e56d9db0ea72b783fdb89b8d # [email protected]
+      - name: Run CRIB Integration Tests
+        uses: ./.github/actions/crib
         with:
-          aws-role-duration-seconds: 3600 # 1 hour
           aws-role-arn: ${{ secrets.AWS_OIDC_CRIB_ROLE_ARN_STAGE }}
-          api-gateway-host: ${{ secrets.AWS_API_GW_HOST_K8S_STAGE }}
           aws-region: ${{ secrets.AWS_REGION }}
-          ecr-private-registry: ${{ secrets.AWS_ACCOUNT_ID_PROD }}
-          k8s-cluster-name: ${{ secrets.AWS_K8S_CLUSTER_NAME_STAGE }}
-          gap-name: k8s
-          use-private-ecr-registry: true
-          use-k8s: true
-          proxy-port: 8443
-          metrics-job-name: "test"
-          gc-basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
-          gc-host: ${{ secrets.GRAFANA_INTERNAL_HOST }}
-          gc-org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
-
-      - name: Setup GitHub token using GATI
-        id: token
-        uses: smartcontractkit/.github/actions/setup-github-token@c0b38e6c40d72d01b8d2f24f92623a2538b3dedb # main
-        with:
-          aws-role-arn: ${{ secrets.AWS_OIDC_GLOBAL_READ_ONLY_TOKEN_ISSUER_ROLE_ARN }}
-          aws-lambda-url: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-role-duration-seconds: "1800"
-      - name: Debug workspace dir
-        shell: bash
-        run: |
-          echo ${{ github.workspace }}
-          echo $GITHUB_WORKSPACE
-
-      - name: Deploy and validate CRIB Environment for Core
-        uses: smartcontractkit/.github/actions/crib-deploy-environment@815e0d550527897746e889441407926d7e28169c # [email protected]
-        id: deploy-crib
-        with:
-          github-token: ${{ steps.token.outputs.access-token }}
-          aws-ecr-private-registry: ${{ secrets.AWS_ACCOUNT_ID_PROD }}
-          aws-region: ${{ secrets.AWS_REGION }}
-          aws-role-arn: ${{ secrets.AWS_OIDC_CRIB_ROLE_ARN_STAGE }}
-          ingress-base-domain: ${{ secrets.INGRESS_BASE_DOMAIN_STAGE }}
+          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID_PROD }}
+          api-gw-host-crib: ${{ secrets.AWS_API_GW_HOST_CRIB_STAGE }}
+          api-gw-host-k8s: ${{ secrets.AWS_API_GW_HOST_K8S_STAGE }}
           k8s-api-endpoint: ${{ secrets.GAP_HOST_K8S_STAGE }}
           k8s-cluster-name: ${{ secrets.AWS_K8S_CLUSTER_NAME_STAGE }}
-          chainlink-team: releng
-          chainlink-product: crib
-          command: "core-dev-simulated-core-ocr1"
+          aws-token-issuer-role-arn: ${{ secrets.AWS_OIDC_GLOBAL_READ_ONLY_TOKEN_ISSUER_ROLE_ARN }}
+          aws-token-issuer-lambda-url: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
+          ingress-base-domain: ${{ secrets.INGRESS_BASE_DOMAIN_STAGE }}
+          k8s-staging-ingress-suffix: ${{ secrets.K8S_STAGING_INGRESS_SUFFIX }}
+          gap-url-integration-tests: ${{ secrets.GAP_URL }}
           crib-alert-slack-webhook: ${{ secrets.CRIB_ALERT_SLACK_WEBHOOK }}
-          product-image: ${{ secrets.AWS_SDLC_ECR_HOSTNAME }}/chainlink
-          product-image-tag: develop
-      - uses: actions/[email protected]
-        with:
-          persist-credentials: false
-      - name: Set up Go
-        uses: ./.github/actions/setup-go
-        with:
-          go-version-file: "go.mod"
-      - name: Run CRIB integration test
-        working-directory: integration-tests/crib
-        env:
-          K8S_STAGING_INGRESS_SUFFIX: ${{ secrets.K8S_STAGING_INGRESS_SUFFIX }}
-          CRIB_NAMESPACE: ${{ steps.deploy-crib.outputs.devspace-namespace }}
-          CRIB_NETWORK: geth
-          CRIB_NODES: 5
-          GAP_URL: ${{ secrets.GAP_URL }}
-          SETH_LOG_LEVEL: info
-          # RESTY_DEBUG: true
-          TEST_PERSISTENCE: true
-          E2E_TEST_CHAINLINK_IMAGE: public.ecr.aws/chainlink/chainlink
-          E2E_TEST_CHAINLINK_VERSION: latest
-        run: |-
-          go test -v -run TestCRIBChaos
-      - name: Destroy CRIB Environment
-        id: destroy
-        if: always() && steps.deploy-crib.outputs.devspace-namespace != ''
-        uses: smartcontractkit/.github/actions/crib-purge-environment@c0b38e6c40d72d01b8d2f24f92623a2538b3dedb # [email protected]
-        with:
-          namespace: ${{ steps.deploy-crib.outputs.devspace-namespace }}
+          crib-chainlink-docker-image-name: ${{ secrets.AWS_SDLC_ECR_HOSTNAME }}/chainlink
+          crib-chainlink-docker-image-tag: develop