ci: arm64 runner for test workflow

viktor-kurchenko · viktor-kurchenko · commit bbb092eec1fb · 2025-04-11T17:54:08.000+02:00
The commit refactors test workflow to use an ephemeral GitHub self-hosted
runner for the ARM64 architecture.

Signed-off-by: viktor-kurchenko &lt;viktor.kurchenko@isovalent.com&gt;
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -6,10 +6,29 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+  # To be able to request the JWT from GitHub's OIDC provider
+  id-token: write
+
+env:
+  arm64-runner-state-bucket: cilium-pwru-runner
+  arm64-runner-state-region: us-east-2
+  arm64-runner-region: us-east-2
+  arm64-runner-zone: us-east-2b
+  arm64-runner-role-arn: arn:aws:iam::478566851380:role/CuTE_CIAccessRole
+  arm64-runner-infra-dir: infra/arm64-runner
+  arm64-runner-ec2-type: c6g.metal # 64 vCPU x 128 GB
+  arm64-runner-ec2-ami: ami-0ae6f07ad3a8ef182
+  arm64-runner-group: cilium-pwru-runners
+  arm64-runner-label: cilium-pwru-runners-arm64-${{ github.run_id }}
+  arm64-runner-count: 7
+
 jobs:
 
   build:
     runs-on: ubuntu-latest
+    name: Build
     steps:
     - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
 
@@ -47,18 +66,83 @@ jobs:
         name: test-app
         path: test-app/test-app
 
-  test:
+  arm64-runner-provision:
+    needs: [build]
     runs-on: ubuntu-latest
+    name: Provision ARM64 runner
+    timeout-minutes: 30
+    steps:
+      - name: Checkout Git Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Provision ARM64 runner
+        uses: ./.github/actions/arm64-runner
+        with:
+          state-bucket: ${{ env.arm64-runner-state-bucket }}
+          state-region: ${{ env.arm64-runner-state-region }}
+          role-arn: ${{ env.arm64-runner-role-arn }}
+          region: ${{ env.arm64-runner-region }}
+          zone: ${{ env.arm64-runner-zone }}
+          infra-dir: ${{ env.arm64-runner-infra-dir }}
+          action: apply
+          ec2-type: ${{ env.arm64-runner-ec2-type }}
+          ec2-ami: ${{ env.arm64-runner-ec2-ami }}
+          label: ${{ env.arm64-runner-label }}
+          gh-org: ${{ github.repository_owner }}
+          gh-app-id: ${{ secrets.ARM64_RUNNER_GH_APP_ID }}
+          gh-app-install-id: ${{ secrets.ARM64_RUNNER_GH_APP_INSTALL_ID }}
+          gh-app-pem: ${{ secrets.ARM64_RUNNER_GH_APP_PRIVATE_KEY }}
+          gh-runners-group: ${{ env.arm64-runner-group }}
+          gh-runners-count: ${{ env.arm64-runner-count }}
+          ssh-private-key: ${{ secrets.ARM64_RUNNER_SSH_PRIVATE_KEY }}
+          ssh-public-key: ${{ secrets.ARM64_RUNNER_SSH_PUBLIC_KEY }}
+
+  test:
     name: Test
-    needs: build
+    needs: [build, arm64-runner-provision]
     strategy:
       fail-fast: false
       matrix:
+        os: ['ubuntu-latest', 'cilium-pwru-runners-arm64-${{ github.run_id }}']
         kernel: [ '5.4-20241218.004849', '5.10-20241218.004849', '5.15-20241218.004849', '6.1-20241218.004849', '6.6-20241218.004849', '6.12-20241218.004849', 'bpf-next-20250105.013256' ]
-    timeout-minutes: 10
+    timeout-minutes: 30
+    runs-on: cilium-pwru-runners-arm64-${{ github.run_id }}
     steps:
       - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
 
+      - name: Set up job variables
+        id: vars
+        run: |
+          if [[ "${{ matrix.os }}" == "cilium-pwru-runners-arm64-${{ github.run_id }}" ]]
+          then
+            # this is racy but it should be fine
+            ssh_port=$(python3 -c 'import socket; s=socket.socket(); s.bind(("", 0)); print(s.getsockname()[1]); s.close()')
+            echo metal_arm64=true >> $GITHUB_OUTPUT
+            echo lvh_install_deps=false >> $GITHUB_OUTPUT
+            echo ssh_port=$ssh_port >> $GITHUB_OUTPUT
+            echo shared_folder="/home/runners" >> $GITHUB_OUTPUT
+          else
+            echo metal_arm64=false >> $GITHUB_OUTPUT
+            echo lvh_install_deps=true >> $GITHUB_OUTPUT
+            echo ssh_port=2222 >> $GITHUB_OUTPUT
+            echo shared_folder="" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Install GO
+        if: steps.vars.outputs.metal_arm64 == 'true'
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version: '1.23.2'
+
+      - name: Install LVH CLI
+        if: steps.vars.outputs.metal_arm64 == 'true'
+        run: |
+          go install github.com/cilium/little-vm-helper/cmd/lvh@latest
+          # Move it into /bin folder, so that LVH action can detect it further
+          sudo mv $(which lvh) /bin/lvh
+
       - name: Retrieve stored pwru executable
         uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e
         with:
@@ -88,17 +172,41 @@ jobs:
 
           echo "vsn=${major}${minor}" >> "$GITHUB_OUTPUT"
 
+      - name: Download the kernel
+        if: steps.vars.outputs.metal_arm64 == 'true'
+        run: |
+          if [ ! -e "${{ steps.vars.outputs.shared_folder }}/vmlinuz-${{ matrix.kernel }}" ]; then
+            lvh kernel pull ${{ matrix.kernel }}
+            mkdir -p ${{ steps.vars.outputs.shared_folder }}
+            mv ${{ matrix.kernel }}/boot/vmlinuz* ${{ steps.vars.outputs.shared_folder }}/vmlinuz-${{ matrix.kernel }}
+            rm -rf ${{ matrix.kernel }}
+          fi
+
       - name: Provision LVH VMs
         uses: cilium/little-vm-helper@e87948476ca97050b1f149ab2aec379d0de19b84 # v0.0.23
         with:
+          install-dependencies: ${{ steps.vars.outputs.lvh_install_deps }}
+          images-folder-parent: ${{ steps.vars.outputs.shared_folder }}
+          ssh-port: ${{ steps.vars.outputs.ssh_port }}
+          mem: 4G
+          cpu: 2
           test-name: pwru-test
           image-version: ${{ matrix.kernel }}
           host-mount: ./
-          install-dependencies: 'true'
           cmd: |
             chmod +x /host/pwru/pwru
             chmod +x /host/test-app/test-app
 
+            # wait for network to be available
+            while true;
+            do
+              wget --spider -q -T 10 http://google.com && break
+              sleep 10
+            done
+
+            # restart ssh server
+            service ssh restart
+
       - name: Test basic IPv4
         uses: ./.github/actions/pwru-test
         with:
@@ -233,3 +341,37 @@ jobs:
               echo "--- \$i ---"
               cat \$i || true
             done
+
+  arm64-runner-destroy:
+    needs: [arm64-runner-provision, test]
+    if: always() && needs.arm64-runner-provision.result != 'skipped'
+    runs-on: ubuntu-latest
+    name: Destroy ARM64 runner
+    timeout-minutes: 60
+    steps:
+      - name: Checkout Git Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Destroy ARM64 runner
+        uses: ./.github/actions/arm64-runner
+        with:
+          state-bucket: ${{ env.arm64-runner-state-bucket }}
+          state-region: ${{ env.arm64-runner-state-region }}
+          role-arn: ${{ env.arm64-runner-role-arn }}
+          region: ${{ env.arm64-runner-region }}
+          zone: ${{ env.arm64-runner-zone }}
+          infra-dir: ${{ env.arm64-runner-infra-dir }}
+          action: destroy
+          ec2-type: ${{ env.arm64-runner-ec2-type }}
+          ec2-ami: ${{ env.arm64-runner-ec2-ami }}
+          label: ${{ env.arm64-runner-label }}
+          gh-org: ${{ github.repository_owner }}
+          gh-app-id: ${{ secrets.ARM64_RUNNER_GH_APP_ID }}
+          gh-app-install-id: ${{ secrets.ARM64_RUNNER_GH_APP_INSTALL_ID }}
+          gh-app-pem: ${{ secrets.ARM64_RUNNER_GH_APP_PRIVATE_KEY }}
+          gh-runners-group: ${{ env.arm64-runner-group }}
+          gh-runners-count: ${{ env.arm64-runner-count }}
+          ssh-private-key: ${{ secrets.ARM64_RUNNER_SSH_PRIVATE_KEY }}
+          ssh-public-key: ${{ secrets.ARM64_RUNNER_SSH_PUBLIC_KEY }}
