Initial commit

Author: cezarelnazli

.devcontainer/Dockerfile

@@ -0,0 +1,41 @@
+FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04
+
+# Install dependencies
+RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
+    && apt-get -y install --no-install-recommends \
+        curl \
+        wget \
+        unzip \
+        gnupg \
+        lsb-release \
+        software-properties-common \
+        ca-certificates \
+        apt-transport-https \
+        python3 \
+        python3-pip \
+        pre-commit shellcheck \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Terraform
+RUN wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | tee /usr/share/keyrings/hashicorp-archive-keyring.gpg \
+    && echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list \
+    && apt-get update \
+    && apt-get install -y terraform \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Google Cloud CLI
+RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list \
+    && curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add - \
+    && apt-get update \
+    && apt-get install -y google-cloud-cli \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+RUN curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.20.0/terraform-docs-v0.20.0-$(uname)-amd64.tar.gz  \
+    && tar -xzf terraform-docs.tar.gz \
+    && chmod +x terraform-docs \
+    && mv terraform-docs /usr/local/bin
+
+# Verify installations
+RUN terraform --version && gcloud --version

.devcontainer/README.md

@@ -0,0 +1,23 @@
+# Terraform & Google Cloud Development Environment
+
+This devcontainer is configured for Terraform and Google Cloud development with Ona compatibility.
+
+## Included Tools
+- Terraform (installed via HashiCorp APT repository)
+- Google Cloud CLI (installed via Google APT repository)
+- HashiCorp Terraform VSCode extension
+- Google Cloud Code extension
+- Python3 and pip for additional tooling
+
+## Installation Method
+Tools are installed directly in the Dockerfile using official APT repositories for maximum compatibility with Gitpod.
+
+## Usage
+The environment will automatically install and configure all tools when the container builds.
+
+## Verification
+Run `terraform --version && gcloud --version` to verify installation.
+
+## Port Forwarding
+- Port 8080: Application
+- Port 3000: Development Server

.devcontainer/devcontainer.json

@@ -0,0 +1,29 @@
+{
+	"name": "Ona GCP Runner Terraform module",
+	"build": {
+        "context": ".",
+        "dockerfile": "Dockerfile"
+    },
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"ms-vscode.vscode-json",
+				"hashicorp.terraform",
+				"googlecloudtools.cloudcode"
+			]
+		}
+	},
+    "postCreateCommand": "pre-commit install",
+	"remoteUser": "vscode",
+	"forwardPorts": [8080, 3000],
+	"portsAttributes": {
+		"8080": {
+			"label": "Application",
+			"onAutoForward": "notify"
+		},
+		"3000": {
+			"label": "Development Server",
+			"onAutoForward": "notify"
+		}
+	}
+}

.github/CODEOWNERS

@@ -0,0 +1 @@
+* alejandro@gitpod.io nandaja@gitpod.io 

.github/workflows/e2e-test-gcp-runner.yml

@@ -0,0 +1,89 @@
+name: GCP Runner E2E Tests
+
+on:
+  schedule:
+    # Run daily at 6 AM UTC
+    - cron: "0 6 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  # GCP Configuration - Override with variables if provided
+  GCP_PROJECT_ID: ${{ vars.E2E_GCP_PROJECT_ID || 'gitpod-gcp-runner-e2e-tests' }}
+  GCP_REGION: ${{ vars.E2E_GCP_REGION || 'us-central1' }}
+  GITPOD_API_ENDPOINT: ${{ vars.E2E_GITPOD_API_ENDPOINT || 'https://app.gitpod.io/api' }}
+
+jobs:
+  e2e-test:
+    name: Run E2E Test
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+        with:
+          version: 'latest'
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "latest"
+
+      - name: Configure environment and authentication
+        run: |
+          # Set sensitive environment variables for e2e script
+          echo "GITPOD_TOKEN=${{ secrets.E2E_GITPOD_TOKEN }}" >> $GITHUB_ENV
+          
+          # Set up service account authentication directly (like dev container)
+          echo '${{ secrets.E2E_GOOGLE_APPLICATION_CREDENTIALS }}' > /tmp/gcp-sa-key.json
+          chmod 600 /tmp/gcp-sa-key.json
+          echo "GOOGLE_APPLICATION_CREDENTIALS=/tmp/gcp-sa-key.json" >> $GITHUB_ENV
+
+      - name: Run E2E Test
+        run: |
+          echo "Starting GCP Runner E2E test..."
+          echo "Project: $GCP_PROJECT_ID | Region: $GCP_REGION"
+          
+          # Run the E2E test script
+          chmod +x tests/e2e/scripts/e2e-test.sh
+          ./tests/e2e/scripts/e2e-test.sh
+
+      - name: Cleanup service account file
+        if: always()
+        run: |
+          # Clean up temporary service account key file
+          if [[ -f "/tmp/gcp-sa-key.json" ]]; then
+            rm -f /tmp/gcp-sa-key.json
+          fi
+
+      - name: Slack Notification on Failure
+        if: failure() && github.ref == 'refs/heads/main'
+        uses: rtCamp/action-slack-notify@v2.3.3
+        env:
+          SLACK_WEBHOOK: ${{ secrets.NEXT_ALERTS_SLACK_WEBHOOK }}
+          SLACK_ICON_EMOJI: ":gcp:"
+          SLACK_USERNAME: "GCP Runner E2E Tests"
+          SLACK_COLOR: "danger"
+          SLACK_MESSAGE: |
+            :warning: GCP Runner end-to-end tests have failed
+            
+            **Details:**
+            • Project: ${{ env.GCP_PROJECT_ID }}
+            • Region: ${{ env.GCP_REGION }}
+            • Workflow: ${{ github.workflow }}
+            • Commit: ${{ github.sha }}
+            
+            The test creates a runner via RunnerService API, deploys infrastructure with Terraform, and verifies the runner comes online.
+          SLACK_FOOTER: "<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|View workflow logs>"

.github/workflows/release.yml

@@ -0,0 +1,201 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - '*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to create release for'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  release:
+    name: Create Release
+    runs-on: ubuntu-latest
+
+    env:
+      RELEASE_TAG: ${{ inputs.tag || github.ref_name }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.tag || github.ref }}
+
+      - name: Verify tag is on main branch
+        run: |
+          if ! git branch -r --contains "${RELEASE_TAG}" | grep -q 'origin/main'; then
+            echo "::error::Tag ${RELEASE_TAG} is not on main branch. Releases can only be created from tags on main."
+            exit 1
+          fi
+
+      - name: Get previous tag
+        id: prev_tag
+        run: |
+          PREV_TAG=$(git tag --sort=-creatordate | grep -v "^${RELEASE_TAG}$" | head -1)
+          echo "tag=${PREV_TAG}" >> $GITHUB_OUTPUT
+          echo "Previous tag: ${PREV_TAG}"
+
+      - name: Fetch manifest.json
+        id: manifest
+        run: |
+          MANIFEST=$(curl -sf https://storage.googleapis.com/gitpod-runner-releases/gcp/stable/manifest.json)
+          echo "version=$(echo "$MANIFEST" | jq -r '.version')" >> $GITHUB_OUTPUT
+          echo "runner_image=$(echo "$MANIFEST" | jq -r '.runner_image')" >> $GITHUB_OUTPUT
+          echo "proxy_image=$(echo "$MANIFEST" | jq -r '.proxy_image')" >> $GITHUB_OUTPUT
+          echo "prometheus_image=$(echo "$MANIFEST" | jq -r '.prometheus_image')" >> $GITHUB_OUTPUT
+          echo "node_exporter_image=$(echo "$MANIFEST" | jq -r '.node_exporter_image')" >> $GITHUB_OUTPUT
+          echo "cli_url=$(echo "$MANIFEST" | jq -r '.cli_url')" >> $GITHUB_OUTPUT
+          echo "supervisor_url=$(echo "$MANIFEST" | jq -r '.supervisor_url')" >> $GITHUB_OUTPUT
+          echo "vm_image=$(echo "$MANIFEST" | jq -r '.vm_image')" >> $GITHUB_OUTPUT
+
+      - name: Generate changelog
+        id: changelog
+        run: |
+          if [ -n "${{ steps.prev_tag.outputs.tag }}" ]; then
+            # Get commits between tags, excluding automated image update commits
+            CHANGELOG=$(git log --pretty=format:"- %s (%h)" \
+              "${{ steps.prev_tag.outputs.tag }}..${RELEASE_TAG}" \
+              --grep="Update GCP runner, proxy, prometheus, and node-exporter images" --invert-grep)
+          else
+            # First release - get all commits excluding automated ones
+            CHANGELOG=$(git log --pretty=format:"- %s (%h)" \
+              --grep="Update GCP runner, proxy, prometheus, and node-exporter images" --invert-grep)
+          fi
+
+          # Handle empty changelog
+          if [ -z "$CHANGELOG" ]; then
+            CHANGELOG="- No user-facing changes in this release"
+          fi
+
+          # Write to file to preserve newlines
+          echo "$CHANGELOG" > changelog.txt
+
+      - name: Detect IAM/permission changes
+        id: iam_changes
+        run: |
+          IAM_FILES="iam.tf docs/iam.md docs/detailed_iam_reference.md docs/terraform_service_account_permissions.md"
+
+          if [ -n "${{ steps.prev_tag.outputs.tag }}" ]; then
+            # Check if any IAM-related files changed between tags
+            CHANGED_FILES=$(git diff --name-only "${{ steps.prev_tag.outputs.tag }}..${RELEASE_TAG}" -- $IAM_FILES 2>/dev/null || true)
+
+            if [ -n "$CHANGED_FILES" ]; then
+              echo "has_changes=true" >> $GITHUB_OUTPUT
+
+              # Get commits that touched IAM files
+              IAM_COMMITS=$(git log --pretty=format:"- %s (%h)" \
+                "${{ steps.prev_tag.outputs.tag }}..${RELEASE_TAG}" \
+                --grep="Update GCP runner, proxy, prometheus, and node-exporter images" --invert-grep \
+                -- $IAM_FILES)
+
+              echo "$IAM_COMMITS" > iam_changelog.txt
+              echo "Changed files: $CHANGED_FILES"
+            else
+              echo "has_changes=false" >> $GITHUB_OUTPUT
+            fi
+          else
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create release tarball
+        run: |
+          # Create tarball in /tmp to avoid "file changed as we read it" error
+          tar --exclude='.git' \
+              --exclude='.github' \
+              --exclude='.devcontainer' \
+              --exclude='.cursor' \
+              --exclude='tests' \
+              --exclude='.pre-commit-config.yaml' \
+              --exclude='changelog.txt' \
+              --exclude='iam_changelog.txt' \
+              --exclude='release_body.md' \
+              -czvf /tmp/terraform-google-ona-runner-${RELEASE_TAG}.tar.gz .
+          mv /tmp/terraform-google-ona-runner-${RELEASE_TAG}.tar.gz .
+
+      - name: Build release body
+        id: body
+        run: |
+          cat << 'EOF' > release_body.md
+          ## Container Images
+
+          | Component | Image |
+          |-----------|-------|
+          | Runner | `${{ steps.manifest.outputs.runner_image }}` |
+          | Proxy | `${{ steps.manifest.outputs.proxy_image }}` |
+          | Prometheus | `${{ steps.manifest.outputs.prometheus_image }}` |
+          | Node Exporter | `${{ steps.manifest.outputs.node_exporter_image }}` |
+
+          ## Assets
+
+          | Asset | URL |
+          |-------|-----|
+          | CLI Binary | `${{ steps.manifest.outputs.cli_url }}` |
+          | Supervisor Binary | `${{ steps.manifest.outputs.supervisor_url }}` |
+          | VM Image | `${{ steps.manifest.outputs.vm_image }}` |
+
+          EOF
+
+          # Add IAM changes section if there are any
+          if [ "${{ steps.iam_changes.outputs.has_changes }}" = "true" ]; then
+            cat << 'EOF' >> release_body.md
+          ## ⚠️ IAM/Permission Changes
+
+          This release includes changes to IAM roles or permissions. Review the following commits and update your IAM configuration if needed:
+
+          EOF
+            cat iam_changelog.txt >> release_body.md
+            echo "" >> release_body.md
+            echo "See [docs/iam.md](docs/iam.md) and [docs/terraform_service_account_permissions.md](docs/terraform_service_account_permissions.md) for the updated permission requirements." >> release_body.md
+            echo "" >> release_body.md
+          fi
+
+          cat << 'EOF' >> release_body.md
+          ## Changelog
+
+          EOF
+          cat changelog.txt >> release_body.md
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ env.RELEASE_TAG }}
+          name: ${{ env.RELEASE_TAG }}
+          body_path: release_body.md
+          files: |
+            terraform-google-ona-runner-${{ env.RELEASE_TAG }}.tar.gz
+          fail_on_unmatched_files: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Authenticate to GCP
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # pin@v3
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_POOL }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Publish release notification
+        run: |
+          MANIFEST=$(curl -sf https://storage.googleapis.com/gitpod-runner-releases/gcp/stable/manifest.json)
+
+          # Build enriched payload with terraform module changes
+          PAYLOAD=$(echo "$MANIFEST" | jq \
+            --arg iam_changes "${{ steps.iam_changes.outputs.has_changes }}" \
+            --rawfile changelog changelog.txt \
+            '. + {
+              terraform_changes: ($changelog | split("\n") | map(select(. != ""))),
+              iam_changes_detected: ($iam_changes == "true")
+            }')
+
+          gcloud pubsub topics publish gcp-runner-releases \
+            --project=gitpod-next-production \
+            --message="$PAYLOAD" \
+            --attribute="event_type=release.stable,version=${RELEASE_TAG},source=ci_stable_promotion"