Fix flaky auth test by making sure we always do syncronous authenticator writes for the test #1647
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Quickstart Workflow | |
| on: | |
| pull_request: | |
| types: | |
| - closed | |
| branches: | |
| - main | |
| push: | |
| tags: | |
| - 'v*.*.*' | |
| workflow_dispatch: | |
| inputs: | |
| release_tag: | |
| description: 'Release tag (e.g., v1.2.3)' | |
| required: true | |
| type: string | |
| permissions: | |
| contents: read | |
| jobs: | |
| release-quickstart: | |
| name: Release Quickstart Job | |
| # this is only run on the official upstream repo when a PR is merged to the | |
| # default branch "main" or a release tag is pushed or for the same | |
| # conditions in a repo fork that overrides the container image repo to push | |
| # to; merges to main trigger a quickstart release with a commit SHA suffix | |
| # featuring the previous ziti binary release version, whereas release tag | |
| # pushes trigger a quickstart release with the same tag name and the same | |
| # ziti binary release version | |
| if: (github.repository_owner == 'openziti' || vars.ZITI_QUICKSTART_IMAGE != '') && ( | |
| (startsWith(github.ref_name, 'v') && !contains(github.ref_name, '-')) || ( | |
| github.event.pull_request.merged == true | |
| && contains(github.event.pull_request.labels.*.name, 'quickstartrelease') | |
| ) || github.event_name == 'workflow_dispatch' | |
| ) | |
| runs-on: ubuntu-24.04 | |
| env: | |
| ZITI_QUICKSTART_IMAGE: ${{ vars.ZITI_QUICKSTART_IMAGE || 'docker.io/openziti/quickstart' }} | |
| # use github.ref, not github.head_ref, because this workflow should only run on merged PRs in the target/base | |
| # branch context, not the PR source branch | |
| GITHUB_REF: ${{ github.ref }} | |
| # use github.sha, not github.pull_request.head.sha, because this workflow should only run on merged PRs in the | |
| # target/base branch, not the PR source branch | |
| GITHUB_SHA: ${{ github.sha }} | |
| steps: | |
| - name: Debug action | |
| uses: hmarr/debug-action@v3.0.0 | |
| - name: Wait for other builds to complete | |
| uses: lewagon/wait-on-check-action@v1.5.0 | |
| with: | |
| ref: ${{ env.GITHUB_SHA }} | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| # seconds between polling the checks api for job statuses | |
| wait-interval: 20 | |
| # confusingly, this means "pause this step until all jobs from all workflows in same run have completed" | |
| running-workflow-name: Release Quickstart Job | |
| # comma-separated list of check names (job.<id>.name) to ignore | |
| ignore-checks: Fablab Smoketest,Fablab HA Smoketest,Publish Release Candidate Linux Packages,Publish Release Candidate Docker Images,POST Webhook,Parse Tag Regex | |
| - name: Checkout Workspace | |
| uses: actions/checkout@v6 | |
| - name: Install Go | |
| uses: ./.github/actions/setup-go | |
| - name: Install Ziti CI | |
| uses: openziti/ziti-ci@v1 | |
| - name: Set Up QEMU | |
| uses: docker/setup-qemu-action@v4 | |
| with: | |
| platforms: amd64,arm64 | |
| - name: Set Up Docker BuildKit | |
| id: buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v4 | |
| with: | |
| # it is preferable to obtain the username from a var so that | |
| # recurrences of the same string are not masked in CI output | |
| username: ${{ vars.DOCKER_HUB_API_USER || secrets.DOCKER_HUB_API_USER }} | |
| password: ${{ secrets.DOCKER_HUB_API_TOKEN }} | |
| - name: Compute the Ziti Quickstart Version String | |
| id: get_version | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_REF_NAME: ${{ github.event.inputs.release_tag || github.ref_name }} | |
| shell: bash | |
| run: | | |
| function validateSemver() { | |
| if ! [[ "${1}" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo "ERROR: ${1} is not a release semver" >&2 | |
| return 1 | |
| fi | |
| } | |
| if [[ "${GITHUB_REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| # Set output parameters for release tags | |
| QUICKSTART_VERSION="${GITHUB_REF_NAME}" | |
| elif [[ "${GITHUB_REF_NAME}" =~ ^main$ ]]; then | |
| # compute the latest release version to install in the quickstart image | |
| QUICKSTART_VERSION="$($(go env GOPATH)/bin/ziti-ci -q get-current-version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION})" | |
| validateSemver "${QUICKSTART_VERSION}" | |
| # Append short SHA to identify quickstart docker images shipped on merge to main | |
| QUICKSTART_VERSION="${QUICKSTART_VERSION}-$(git rev-parse --short ${GITHUB_SHA})" | |
| else | |
| echo "ERROR: Unexpected GITHUB_REF_NAME=${GITHUB_REF_NAME}" >&2 | |
| exit 1 | |
| fi | |
| # configure the env var used by the quickstart's Dockerfile to | |
| # download the correct version of ziti for the target architecture of | |
| # each image build by trimming the hyphenated short sha suffix so that | |
| # the preceding release version of the ziti executable is installed in | |
| # the quickstart container image; ensure the QUICKSTART_VERSION | |
| # (container image tag) does not have a leading 'v' and the | |
| # ZITI_VERSION_OVERRIDE (GitHub tag ref) does have a leading 'v' | |
| QUICKSTART_VERSION="${QUICKSTART_VERSION#v}" | |
| echo QUICKSTART_VERSION="${QUICKSTART_VERSION}" | tee -a $GITHUB_OUTPUT | |
| echo ZITI_VERSION_OVERRIDE=v${QUICKSTART_VERSION%-*} | tee -a $GITHUB_OUTPUT | |
| - name: Check if Release is Highest Version | |
| id: check_highest | |
| if: startsWith(github.ref_name, 'v') || github.event.inputs.release_tag != '' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_REF_NAME: ${{ github.event.inputs.release_tag || github.ref_name }} | |
| shell: bash | |
| run: | | |
| H_HIGHEST_VERSION=$( | |
| gh release list --repo "${GITHUB_REPOSITORY}" \ | |
| --limit 999 \ | |
| --exclude-drafts \ | |
| --exclude-pre-releases \ | |
| --json tagName \ | |
| --jq '.[].tagName' \ | |
| | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \ | |
| | sort -V \ | |
| | tail -1 | |
| ) | |
| CURRENT_VERSION="${GITHUB_REF_NAME}" | |
| if [[ "$CURRENT_VERSION" == "$H_HIGHEST_VERSION" ]]; then | |
| echo "highest=true" | tee -a $GITHUB_OUTPUT | |
| echo "INFO: ${CURRENT_VERSION} is the highest release version" | |
| else | |
| echo "highest=false" | tee -a $GITHUB_OUTPUT | |
| echo "INFO: ${CURRENT_VERSION} is not the highest release (highest is ${H_HIGHEST_VERSION})" | |
| echo "INFO: Skipping quickstart release for hotfix" | |
| fi | |
| # container image tag :latest is published on merge to default branch "main" and on release tags | |
| - name: Configure Quickstart Container | |
| if: steps.check_highest.outputs.highest == 'true' || github.ref_name == 'main' | |
| env: | |
| IMAGE_REPO: ${{ env.ZITI_QUICKSTART_IMAGE }} | |
| IMAGE_TAG: ${{ steps.get_version.outputs.QUICKSTART_VERSION }} | |
| id: tagprep_qs | |
| shell: bash | |
| run: | | |
| DOCKER_TAGS="${IMAGE_REPO}:${IMAGE_TAG}" | |
| DOCKER_TAGS+=",${IMAGE_REPO}:latest" | |
| echo DOCKER_TAGS="${DOCKER_TAGS}" | tee -a $GITHUB_OUTPUT | |
| - name: Build & Push Multi-Platform Quickstart Container Image to Hub | |
| if: steps.check_highest.outputs.highest == 'true' || github.ref_name == 'main' | |
| uses: docker/build-push-action@v7 | |
| with: | |
| builder: ${{ steps.buildx.outputs.name }} | |
| context: ${{ github.workspace }}/quickstart/docker/image | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.tagprep_qs.outputs.DOCKER_TAGS }} | |
| build-args: | | |
| ZITI_VERSION_OVERRIDE=${{ steps.get_version.outputs.ZITI_VERSION_OVERRIDE }} | |
| GITHUB_REPO_OWNER=${{ github.repository_owner }} | |
| GITHUB_REPO_NAME=${{ github.event.repository.name }} | |
| push: true | |
| - name: Configure Python | |
| if: steps.check_highest.outputs.highest == 'true' || github.ref_name == 'main' | |
| shell: bash | |
| run: | | |
| pip install --requirement ./dist/cloudfront/get.openziti.io/requirements.txt | |
| python --version | |
| - name: Deploy the CloudFront Function for get.openziti.io | |
| if: (github.repository_owner == 'openziti') && (steps.check_highest.outputs.highest == 'true' || github.ref_name == 'main') | |
| shell: bash | |
| run: python ./dist/cloudfront/get.openziti.io/deploy-cloudfront-function.py | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ vars.AWS_REGION || secrets.AWS_REGION }} |