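# Release workflow. Every push to main runs release-please; when a release PR
# exists, the Let's Encrypt trust anchors are installed, the end-to-end suite
# is run against AWS, the test resources are cleaned up, and the outcome is
# posted back on the release PR.
name: release

on:
  push:
    branches:
      - main

env:
  AWS_REGION: us-west-2
  AWS_ROLE: arn:aws:iam::270074865685:role/terraform-module-ci-test
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  ACME_SERVER_URL: https://acme-v02.api.letsencrypt.org/directory
  # Quoted so the value reaches the runner as the string "100" rather than a
  # YAML integer.
  AWS_MAX_ATTEMPTS: "100"
  AWS_RETRY_MODE: adaptive

# Least-privilege replacement for `write-all`: only the scopes the steps below
# demonstrably use. Extend the list if run_tests.sh needs a further scope.
permissions:
  contents: write        # release-please pushes release commits and tags
  pull-requests: write   # release-please opens/updates the release PR
  issues: write          # github.rest.issues.createComment on the PR
  id-token: write        # OIDC token for configure-aws-credentials

# NOTE(review): actions are referenced by moving major tags (@v4, @v5, @v8).
# Pinning each to a full commit SHA, with the tag kept in a trailing comment,
# removes the dependency on the tag not being retargeted. SHAs are
# deliberately not guessed here; look them up when pinning.
jobs:
  release:
    runs-on: ubuntu-latest
    outputs:
      release_pr: ${{ steps.release-please.outputs.pr }}
    steps:
      - uses: googleapis/release-please-action@v4
        id: release-please
        with:
          release-type: terraform-module

      - name: Install Let's Encrypt Roots and Intermediate Certificates
        if: steps.release-please.outputs.pr
        run: |
          # https://letsencrypt.org/certificates/
          set -euo pipefail
          sudo apt-get update -y
          sudo apt-get install -y ca-certificates wget openssl libssl-dev
          # --https-only refuses any redirect to plain HTTP, so the PEMs can
          # only arrive over a TLS connection validated by the runner's
          # existing trust store.
          # NOTE(review): Ubuntu's ca-certificates already ships ISRG Root
          # X1/X2, and the R10/R11/E5/E6 intermediates are normally supplied
          # by the peer in its chain; confirm which consumer (NIX_SSL_CERT_FILE
          # is a likely one) actually needs them as anchors before trimming.
          for cert in isrgrootx1 isrg-root-x2 2024/r11 2024/r10 2024/e5 2024/e6; do
            name="$(basename "${cert}")"
            wget -q --https-only -O "${name}.pem" "https://letsencrypt.org/certs/${cert}.pem"
            # update-ca-certificates only picks up *.crt files from this
            # directory; copying the .pem name would be silently ignored and
            # nothing would be added to the bundle.
            sudo cp "${name}.pem" "/usr/local/share/ca-certificates/${name}.crt"
          done
          sudo update-ca-certificates

      - name: Verify Lets Encrypt CA Functionality
        if: steps.release-please.outputs.pr
        run: |
          set -euo pipefail
          # Returns 0 only if a TLS handshake to letsencrypt.org verifies
          # against the local trust store AND the leaf was issued by
          # Let's Encrypt. The issuer string alone is not enough: it matches
          # even when the chain fails verification.
          check_letsencrypt_ca() {
            local issuer
            # -verify_return_error aborts the handshake (non-zero exit) on
            # any chain-verification failure.
            issuer="$(openssl s_client -connect letsencrypt.org:443 -servername letsencrypt.org \
                        -verify_return_error </dev/null 2>/dev/null | openssl x509 -noout -issuer)" || return 1
            grep -q "Let's Encrypt" <<< "${issuer}"
          }
          if check_letsencrypt_ca; then
            echo "Let's Encrypt CA is functioning correctly."
          else
            echo "Error: Let's Encrypt CA is not being used for verification."
            exit 1
          fi

      - name: Comment on the release PR
        if: steps.release-please.outputs.pr
        uses: actions/github-script@v8
        env:
          RELEASE_PR: ${{ steps.release-please.outputs.pr }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Repository, owner and run id come from the Actions context object
          # and the PR JSON from an env var, so no ${{ }} value is spliced
          # into JavaScript source.
          script: |
            const pr = JSON.parse(process.env.RELEASE_PR);
            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
            await github.rest.issues.createComment({
              issue_number: pr.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `Please make sure e2e tests pass before merging this PR! \n ${runUrl}`,
            });

      # NOTE(review): the three steps below are not gated on
      # steps.release-please.outputs.pr, unlike the steps above and the
      # cleanup job. If a push to main produces no release PR the suite still
      # runs, but cleanup does not, so any AWS resources it creates are left
      # behind. Confirm whether that is intended before adding the gate.
      - id: aws-creds
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ env.AWS_ROLE }}
          role-session-name: ${{ github.run_id }}
          aws-region: ${{ env.AWS_REGION }}
          role-duration-seconds: 14400 # 4 hours
          output-credentials: true

      - name: install-nix
        run: |
          # Fetch the installer to disk and then run it: -f fails on HTTP
          # errors and --proto '=https' refuses non-HTTPS redirects, instead
          # of piping an unchecked stream straight into sh.
          # TODO(review): pin a released installer version and compare its
          # checksum against a value recorded in the repo (<INSTALLER_SHA256>).
          curl -fsSL --proto '=https' --tlsv1.2 https://nixos.org/nix/install -o nix-install.sh
          sh nix-install.sh
          source /home/runner/.nix-profile/etc/profile.d/nix.sh
          nix --version
          which nix

      - name: run_tests
        shell: '/home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep IDENTIFIER --keep GITHUB_TOKEN --keep GITHUB_OWNER --keep ZONE --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}'
        env:
          AWS_ACCESS_KEY_ID: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          AWS_SECRET_ACCESS_KEY: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          AWS_SESSION_TOKEN: ${{ steps.aws-creds.outputs.aws-session-token }}
          AWS_MAX_ATTEMPTS: "100"
          AWS_RETRY_MODE: adaptive
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_OWNER: rancher
          IDENTIFIER: ${{ github.run_id }}
          ZONE: ${{ secrets.ZONE }}
          ACME_SERVER_URL: https://acme-v02.api.letsencrypt.org/directory
          # Quoted: env values are strings, and an unquoted false is a YAML
          # boolean to generic tooling.
          RANCHER_INSECURE: "false"
        run: |
          # should take around 4 hours
          ./run_tests.sh

  cleanup:
    needs:
      - release
    # always(): tear down test resources even when the release job failed.
    if: always() && needs.release.outputs.release_pr
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0

      - id: aws-creds
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ env.AWS_ROLE }}
          role-session-name: ${{ github.run_id }}-cleanup
          aws-region: ${{ env.AWS_REGION }}
          role-duration-seconds: 3600 # 1 hour
          output-credentials: true

      - name: install-nix
        run: |
          # Same hardening as the release job: download, then run, with HTTP
          # errors failing the step and only HTTPS allowed on redirects.
          # TODO(review): pin a released installer version and verify its
          # checksum against a value recorded in the repo (<INSTALLER_SHA256>).
          curl -fsSL --proto '=https' --tlsv1.2 https://nixos.org/nix/install -o nix-install.sh
          sh nix-install.sh
          source /home/runner/.nix-profile/etc/profile.d/nix.sh
          nix --version
          which nix

      - name: cleanup
        shell: '/home/runner/.nix-profile/bin/nix develop --ignore-environment --extra-experimental-features nix-command --extra-experimental-features flakes --keep HOME --keep SSH_AUTH_SOCK --keep IDENTIFIER --keep GITHUB_TOKEN --keep GITHUB_OWNER --keep ZONE --keep AWS_ROLE --keep AWS_REGION --keep AWS_DEFAULT_REGION --keep AWS_ACCESS_KEY_ID --keep AWS_SECRET_ACCESS_KEY --keep AWS_SESSION_TOKEN --keep UPDATECLI_GPGTOKEN --keep UPDATECLI_GITHUB_TOKEN --keep UPDATECLI_GITHUB_ACTOR --keep GPG_SIGNING_KEY --keep NIX_SSL_CERT_FILE --keep NIX_ENV_LOADED --keep TERM --command bash -e {0}'
        env:
          AWS_ACCESS_KEY_ID: ${{ steps.aws-creds.outputs.aws-access-key-id }}
          AWS_SECRET_ACCESS_KEY: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
          AWS_SESSION_TOKEN: ${{ steps.aws-creds.outputs.aws-session-token }}
          AWS_MAX_ATTEMPTS: "100"
          IDENTIFIER: ${{ github.run_id }}
        run: |
          # -c: remove the resources tagged with this run's IDENTIFIER.
          ./run_tests.sh -c "$IDENTIFIER"

  report:
    needs:
      - release
      - cleanup
    # Ensure the test jobs succeeded, and that a release PR was created.
    if: success() && needs.release.outputs.release_pr
    runs-on: ubuntu-latest
    steps:
      - name: Report success on the release PR
        uses: actions/github-script@v8
        env:
          RELEASE_PR: ${{ needs.release.outputs.release_pr }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Same pattern as the release job: context object plus env var, no
          # ${{ }} interpolation inside the script body.
          script: |
            const pr = JSON.parse(process.env.RELEASE_PR);
            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
            await github.rest.issues.createComment({
              issue_number: pr.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `End to End Tests Passed! \n ${runUrl}`,
            });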