forked from rancher/terraform-rancher2-aws
-
Notifications
You must be signed in to change notification settings - Fork 0
172 lines (165 loc) · 7.5 KB
/
release.yaml
File metadata and controls
172 lines (165 loc) · 7.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
name: release
on:
push:
branches:
- main
env:
AWS_REGION: us-west-2
AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
ACME_SERVER_URL: https://acme-v02.api.letsencrypt.org/directory
AWS_MAX_ATTEMPTS: 100
AWS_RETRY_MODE: adaptive
permissions: write-all
jobs:
release:
runs-on: ubuntu-latest
outputs:
release_pr: ${{ steps.release-please.outputs.pr }}
steps:
- uses: googleapis/release-please-action@v4
id: release-please
with:
release-type: terraform-module
- name: Install Let's Encrypt Roots and Intermediate Certificates
if: steps.release-please.outputs.pr
run: |
# https://letsencrypt.org/certificates/
sudo apt-get update -y
sudo apt-get install -y ca-certificates wget openssl libssl-dev
wget https://letsencrypt.org/certs/isrgrootx1.pem # rsa
sudo cp isrgrootx1.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/isrg-root-x2.pem # ecdsa
sudo cp isrg-root-x2.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/r11.pem
sudo cp r11.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/r10.pem
sudo cp r10.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/e5.pem
sudo cp e5.pem /usr/local/share/ca-certificates/
wget https://letsencrypt.org/certs/2024/e6.pem
sudo cp e6.pem /usr/local/share/ca-certificates/
sudo update-ca-certificates
- name: Verify Lets Encrypt CA Functionality
if: steps.release-please.outputs.pr
run: |
# Function to check if Let's Encrypt CA is effectively used by openssl
check_letsencrypt_ca() {
# Try to verify a known Let's Encrypt certificate (you can use any valid one)
if openssl s_client -showcerts -connect letsencrypt.org:443 < /dev/null | openssl x509 -noout -issuer | grep -q "Let's Encrypt"; then
return 0 # Success
else
return 1 # Failure
fi
}
if check_letsencrypt_ca; then
echo "Let's Encrypt CA is functioning correctly."
else
echo "Error: Let's Encrypt CA is not being used for verification."
exit 1
fi
- uses: actions/github-script@v8
if: steps.release-please.outputs.pr
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
github.rest.issues.createComment({
issue_number: ${{ fromJson(steps.release-please.outputs.pr).number }},
owner: "${{ github.repository_owner }}",
repo: "${{ github.event.repository.name }}",
body: "Please make sure e2e tests pass before merging this PR! \n ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
})
test:
needs:
- release
if: needs.release.outputs.release_pr
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
token: ${{secrets.GITHUB_TOKEN}}
fetch-depth: 0
- id: aws-creds
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: ${{env.AWS_ROLE}}
role-session-name: ${{github.run_id}}
aws-region: ${{env.AWS_REGION}}
role-duration-seconds: 28800 # 8 hours
output-credentials: true
- name: install-nix
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: run_tests
shell: '/home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep IDENTIFIER --keep GITHUB_TOKEN --keep GITHUB_OWNER --keep ZONE --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}'
env:
AWS_ACCESS_KEY_ID: ${{ steps.aws-creds.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.aws-creds.outputs.aws-session-token }}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
ZONE: ${{secrets.ZONE}}
IDENTIFIER: ${{github.run_id}}
run: |
# nix ignores environment variables that are not specifically kept
export AWS_MAX_ATTEMPTS="100"
export AWS_RETRY_MODE="adaptive"
export GITHUB_OWNER="rancher"
export ACME_SERVER_URL="https://acme-v02.api.letsencrypt.org/directory"
export RANCHER_INSECURE="false"
./run_tests.sh -s
cleanup:
needs:
- release
- test
if: always() && needs.release.outputs.release_pr
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
token: ${{secrets.GITHUB_TOKEN}}
fetch-depth: 0
- id: aws-creds
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: ${{env.AWS_ROLE}}
role-session-name: ${{github.run_id}}-cleanup
aws-region: ${{env.AWS_REGION}}
role-duration-seconds: 3600 # 1 hour
output-credentials: true
- name: install-nix
run: |
curl -L https://nixos.org/nix/install | sh
source /home/runner/.nix-profile/etc/profile.d/nix.sh
nix --version
which nix
- name: cleanup
shell: '/home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep IDENTIFIER --keep GITHUB_TOKEN --keep GITHUB_OWNER --keep ZONE --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}'
env:
AWS_ACCESS_KEY_ID: ${{ steps.aws-creds.outputs.aws-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.aws-creds.outputs.aws-session-token }}
IDENTIFIER: ${{github.run_id}}
run: |
export AWS_MAX_ATTEMPTS="100"
./run_tests.sh -c $IDENTIFIER
report:
needs:
- release
- test
- cleanup
if: success() && needs.release.outputs.release_pr #Ensure the test jobs succeeded, and that a release PR was created.
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@v8
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
github.rest.issues.createComment({
issue_number: ${{ fromJson(needs.release.outputs.release_pr).number }},
owner: "${{ github.repository_owner }}",
repo: "${{ github.event.repository.name }}",
body: "End to End Tests Passed! \n ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
})