From 77c103b3a9515e79e2465a3f91f6aef0064c55e4 Mon Sep 17 00:00:00 2001
From: Daniel Genis
Date: Fri, 8 May 2026 11:42:40 +0200
Subject: [PATCH] chore: update jsonnet
---
.github/jsonnet/GIT_VERSION | 1 +
.github/jsonnet/actions.jsonnet | 16 +++++
.github/jsonnet/base.jsonnet | 7 ++-
.github/jsonnet/clusters.jsonnet | 2 +-
.github/jsonnet/deployment.jsonnet | 4 +-
.github/jsonnet/helm.jsonnet | 18 ++++++
.github/jsonnet/images.jsonnet | 2 +-
.github/jsonnet/index.jsonnet | 1 +
.github/jsonnet/misc.jsonnet | 31 ++++++----
.github/jsonnet/newrelic.jsonnet | 3 +
.github/jsonnet/notifications.jsonnet | 7 ++-
.github/jsonnet/onepassword.jsonnet | 5 +-
.github/jsonnet/pnpm.jsonnet | 15 +++--
.github/jsonnet/pulumi.jsonnet | 42 ++++++++++---
.github/jsonnet/ruby.jsonnet | 17 ++++-
.github/jsonnet/yarn.jsonnet | 12 ++--
.github/workflows/Build Agent Images.yml | 34 +++++-----
.github/workflows/CI.yml | 62 +++++++++----------
.github/workflows/Release.yml | 8 +--
.github/workflows/create-merge-deployment.yml | 6 +-
20 files changed, 195 insertions(+), 98 deletions(-)
create mode 100644 .github/jsonnet/GIT_VERSION
create mode 100644 .github/jsonnet/actions.jsonnet
diff --git a/.github/jsonnet/GIT_VERSION b/.github/jsonnet/GIT_VERSION
new file mode 100644
index 00000000..ff477d68
--- /dev/null
+++ b/.github/jsonnet/GIT_VERSION
@@ -0,0 +1 @@
+1e5064bfee9299e657d1d478626dfb60036ea580
diff --git a/.github/jsonnet/actions.jsonnet b/.github/jsonnet/actions.jsonnet
new file mode 100644
index 00000000..e1ce7b83
--- /dev/null
+++ b/.github/jsonnet/actions.jsonnet
@@ -0,0 +1,16 @@ +/** + * GitHub Action plugin references + * + * Centralised SHA-pinned references for external GitHub Actions used across workflows. + * Pinning to a SHA (rather than a tag) protects against supply-chain attacks where a + * tag is moved to point at a malicious commit. The trailing comment records the + * human-readable version that the SHA corresponds to at the time of pinning. + */ +{ + checkout_action: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd', // v6 + gcp_auth_action: 'google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093', // v3 + gcp_setup_gcloud_action: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db', // v3 + pulumi_action: 'pulumi/actions@cd99a7f8865434dd3532b586a26f9ebea596894f', // v5 + onepassword_load_secrets_action: '1password/load-secrets-action@92467eb28f72e8255933372f1e0707c567ce2259', // v4 + slack_action: 'act10ns/slack@d96404edccc6d6467fc7f8134a420c851b1e9054', // v2 +} diff --git a/.github/jsonnet/base.jsonnet b/.github/jsonnet/base.jsonnet index 37509314..3aa91c35 100644 --- a/.github/jsonnet/base.jsonnet +++ b/.github/jsonnet/base.jsonnet @@ -41,6 +41,7 @@ local misc = import 'misc.jsonnet'; * @param {object} [concurrency=null] - Job-level concurrency settings * @param {boolean} [continueOnError=null] - Whether to continue workflow if job fails * @param {object} [env=null] - Environment variables for all steps in the job + * @param {object} [strategy=null] - GitHub Actions matrix strategy (e.g., {matrix: {shard: [1,2,3]}, 'fail-fast': false}) * @returns {jobs} - GitHub Actions job definition */ ghJob( @@ -58,6 +59,7 @@ local misc = import 'misc.jsonnet'; concurrency=null, continueOnError=null, env=null, + strategy=null, ):: { [name]: { 
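Review bot: The trailing comments in the new `actions.jsonnet` record only a major tag (`// v6`, `// v3`), and a major tag moves with every release, so nobody can later tell which release a SHA was taken from or audit the pin against upstream. Record the exact release next to each SHA, for example `// vX.Y.Z (exact tag at time of pinning)`, and extend the header comment with how pins are refreshed, e.g. `Update by resolving the release tag to its commit in the action's own repository, never a fork.` The hashes themselves cannot be checked from this diff, so each should be confirmed to resolve in the canonical repository. The container images in `images.jsonnet` are still referenced by mutable tag (`:v2`, `:v4`), so the drift the header describes remains possible there unless they are pinned by digest.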
@@ -82,7 +84,8 @@ local misc = import 'misc.jsonnet'; (if permissions == null then {} else { permissions: permissions }) + (if concurrency == null then {} else { concurrency: concurrency }) + (if continueOnError == null then {} else { 'continue-on-error': continueOnError }) + - (if env == null then {} else { env: env }), + (if env == null then {} else { env: env }) + + (if strategy == null then {} else { strategy: strategy }), }, /** @@ -159,7 +162,7 @@ local misc = import 'misc.jsonnet'; * @docs https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idsteps * * @param {string} name - Display name for the step in the GitHub UI - * @param {string} uses - The action to use (e.g., 'actions/checkout@v4', './path/to/action') + * @param {string} uses - The action to use (e.g., 'actions/checkout@v6', './path/to/action') * @param {object} [env=null] - Environment variables for this step * @param {object} [with=null] - Input parameters to pass to the action * @param {string} [id=null] - Unique identifier for this step (used to reference outputs) diff --git a/.github/jsonnet/clusters.jsonnet b/.github/jsonnet/clusters.jsonnet index eb755a36..e4d01a18 100644 --- a/.github/jsonnet/clusters.jsonnet +++ b/.github/jsonnet/clusters.jsonnet @@ -2,7 +2,7 @@ local misc = import 'misc.jsonnet'; /** * Kubernetes Cluster Configuration - * + * * This module defines configuration for different Kubernetes clusters used for deployments. * Each cluster configuration includes project information, authentication secrets, and * node selector settings for job scheduling. diff --git a/.github/jsonnet/deployment.jsonnet b/.github/jsonnet/deployment.jsonnet index 1d3c0b0c..61e066de 100644 --- a/.github/jsonnet/deployment.jsonnet +++ b/.github/jsonnet/deployment.jsonnet 
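Review bot: The `uses` example in the updated `@param` line still advertises a tag reference (`'actions/checkout@v6'`), which is the form this commit moves away from. Changing it to `(e.g., actions.checkout_action, 'owner/repo@<full-commit-sha>', './path/to/action')` would steer callers of this helper towards pinned references. The function this docblock belongs to begins outside the hunk.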
@@ -122,7 +122,7 @@ local notifications = import 'notifications.jsonnet'; function(deploymentTarget) base.action( 'publish-deploy-' + deploymentTarget + '-event', - 'chrnorm/deployment-action@v2', + 'chrnorm/deployment-action@500aa6a23c81ffa1acf71072aee3cfa2cc2e556a', // v2 ifClause=ifClause, with={ token: misc.secret('VIRKO_GITHUB_TOKEN'), @@ -173,7 +173,7 @@ local notifications = import 'notifications.jsonnet'; updateDeploymentStatus(status='${{ job.status }}'):: base.action( 'Update deployment status', - 'chrnorm/deployment-status@v2', + 'chrnorm/deployment-status@6df8d036fd2fee9eb82936733953da1f8382b41e', // v2 with={ state: status, ['deployment-id']: '${{ github.event.deployment.id }}', diff --git a/.github/jsonnet/helm.jsonnet b/.github/jsonnet/helm.jsonnet index 47651d39..40befeca 100644 --- a/.github/jsonnet/helm.jsonnet +++ b/.github/jsonnet/helm.jsonnet @@ -132,6 +132,7 @@ local services = import 'services.jsonnet'; * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m') + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - Complete GitHub Actions job for production deployment */ helmDeployProdJob( @@ -145,9 +146,11 @@ local services = import 'services.jsonnet'; fetchDependencies=false, wait=false, timeout=null, + runsOn=null, ):: base.ghJob( 'deploy-prod', + runsOn=runsOn, ifClause="${{ github.event.deployment.environment == '" + environment + "' }}", image=image, useCredentials=useCredentials, 
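Review bot: `chrnorm/deployment-action` and `chrnorm/deployment-status` are pinned inline here instead of through the new `actions.jsonnet`, so the pin for an action that receives `misc.secret('VIRKO_GITHUB_TOKEN')` lives outside the one file whose header calls itself the centralised reference. The same inline pattern appears for `dorny/paths-filter`, `hmarr/auto-approve-action` and `actions/stale` in misc.jsonnet, `newrelic/deployment-marker-action` in notifications.jsonnet, `pnpm/action-setup` in pnpm.jsonnet and `kobtea/setup-jsonnet-action` in pulumi.jsonnet. Adding entries such as `deployment_action: 'chrnorm/deployment-action@500aa6a23c81ffa1acf71072aee3cfa2cc2e556a', // v2` to `actions.jsonnet` and referencing `actions.deployment_action` here keeps every third-party pin reviewable in one place. deployment.jsonnet would then need `local actions = import 'actions.jsonnet';`, which its import block (outside the hunk) may not yet have.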
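Review bot: The new `runsOn=null` in `helmDeployProdJob` is forwarded unconditionally as `runsOn=runsOn` to `base.ghJob`, whose signature and null handling are outside this diff; if `ghJob`'s own default is a concrete runner label, an explicit `null` replaces it rather than falling back to it. It is worth confirming that a null value still produces the intended `runs-on`, and saying so in the doc line, e.g. `@param {string} [runsOn=null] - Runner label for the job; null keeps base.ghJob's default runner`. Because these jobs deploy with cluster credentials, the doc should also state which runner classes are acceptable, since the runner is where those secrets are exposed. The same parameter and doc line are added to the other helm jobs and to the misc, newrelic, pnpm, pulumi, ruby and yarn jobs in this commit.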
@@ -213,6 +216,7 @@ local services = import 'services.jsonnet'; * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m') + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - Complete GitHub Actions job for test deployment */ helmDeployTestJob( @@ -225,9 +229,11 @@ local services = import 'services.jsonnet'; fetchDependencies=false, wait=false, timeout=null, + runsOn=null, ):: base.ghJob( 'deploy-test', + runsOn=runsOn, ifClause="${{ github.event.deployment.environment == 'test' }}", image=image, useCredentials=useCredentials, @@ -296,6 +302,7 @@ local services = import 'services.jsonnet'; * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m') + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - Complete GitHub Actions job for PR deployment */ helmDeployPRJob( @@ -308,9 +315,11 @@ local services = import 'services.jsonnet'; fetchDependencies=false, wait=false, timeout=null, + runsOn=null, ):: base.ghJob( 'deploy-pr', + runsOn=runsOn, image=image, useCredentials=useCredentials, steps=[ 
@@ -369,6 +378,7 @@ local services = import 'services.jsonnet'; * @param {boolean} [fetchDependencies=fetchDependencies] - Whether to fetch Helm dependencies * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m') + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - Complete GitHub Actions job for PR cleanup */ helmDeletePRJob( @@ -380,9 +390,11 @@ local services = import 'services.jsonnet'; fetchDependencies=fetchDependencies, wait=false, timeout=null, + runsOn=null, ):: base.ghJob( 'helm-delete-pr', + runsOn=runsOn, image=images.default_job_image, useCredentials=false, steps=[ @@ -483,6 +495,7 @@ local services = import 'services.jsonnet'; * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m') + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - Complete GitHub Actions job for canary deployment */ helmDeployCanaryJob( @@ -495,9 +508,11 @@ local services = import 'services.jsonnet'; fetchDependencies=false, wait=false, timeout=null, + runsOn=null, ):: base.ghJob( 'deploy-canary', + runsOn=runsOn, image=image, useCredentials=useCredentials, ifClause="${{ github.event.deployment.environment == 'canary' }}", 
@@ -566,6 +581,7 @@ local services = import 'services.jsonnet'; * @param {boolean} [fetchDependencies=false] - Whether to fetch Helm dependencies * @param {boolean} [wait=false] - Whether to wait for resources to be ready before marking the release as successful * @param {string} [timeout=null] - Time to wait for resources (pods) to become ready (e.g., '5m') + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - Complete GitHub Actions job to kill canary deployment */ helmKillCanaryJob( @@ -576,9 +592,11 @@ local services = import 'services.jsonnet'; fetchDependencies=false, wait=false, timeout=null, + runsOn=null, ):: base.ghJob( 'kill-canary', + runsOn=runsOn, ifClause="${{ github.event.deployment.environment == 'kill-canary' || github.event.deployment.environment == 'production' }}", image=images.default_job_image, useCredentials=false, diff --git a/.github/jsonnet/images.jsonnet b/.github/jsonnet/images.jsonnet index ddef17e0..c3ef14e4 100644 --- a/.github/jsonnet/images.jsonnet +++ b/.github/jsonnet/images.jsonnet @@ -6,7 +6,7 @@ * Images are primarily hosted on Google Cloud registries (GCR and Artifact Registry). */ { - jsonnet_bin_image: 'europe-docker.pkg.dev/unicorn-985/private-images/docker-images_jsonnet:v1', + jsonnet_bin_image: 'europe-docker.pkg.dev/unicorn-985/private-images/docker-images_jsonnet:v2', helm_action_image: 'docker://europe-docker.pkg.dev/unicorn-985/public-images/helm-action:v4', mysql_action_image: 'docker://europe-docker.pkg.dev/unicorn-985/public-images/docker-images_mysql-cloner-action:v2', docker_action_image: 'docker://europe-docker.pkg.dev/unicorn-985/public-images/push-to-gcr-github-action:v1', diff --git a/.github/jsonnet/index.jsonnet b/.github/jsonnet/index.jsonnet index b9b901fc..b5e7874c 100644 --- a/.github/jsonnet/index.jsonnet +++ b/.github/jsonnet/index.jsonnet 
@@ -1,4 +1,5 @@ (import 'base.jsonnet') + +{ actions: import 'actions.jsonnet' } + { clusters: import 'clusters.jsonnet' } + (import 'databases.jsonnet') + (import 'docker.jsonnet') + diff --git a/.github/jsonnet/misc.jsonnet b/.github/jsonnet/misc.jsonnet index 74c8b45f..69be3a00 100644 --- a/.github/jsonnet/misc.jsonnet +++ b/.github/jsonnet/misc.jsonnet @@ -1,3 +1,4 @@ +local actions = import 'actions.jsonnet'; local base = import 'base.jsonnet'; local images = import 'images.jsonnet'; @@ -72,13 +73,13 @@ local images = import 'images.jsonnet'; sshSteps + base.action( 'Check out repository code via ssh', - 'actions/checkout@v4', + actions.checkout_action, with=with + (if preferSshClone then { 'ssh-key': '${{ secrets.VIRKO_GITHUB_SSH_KEY }}' } else {}), ifClause='${{ ' + (if ifClause == null then '' else '( ' + localIfClause + ' ) && ') + " ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}", ) + base.action( 'Check out repository code via https', - 'actions/checkout@v4', + actions.checkout_action, with=with, ifClause='${{ ' + (if ifClause == null then '' else '( ' + localIfClause + ' ) && ') + " ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}", ) + @@ -102,7 +103,7 @@ local images = import 'images.jsonnet'; (if includeSubmodules then { submodules: 'recursive' } else {}); base.action( 'Check out repository code', - 'actions/checkout@v4', + actions.checkout_action, with=with, ifClause=ifClause ) + 
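Review bot: Swapping `'actions/checkout@v4'` for `actions.checkout_action` in the misc.jsonnet checkout steps is not only a pin: the constant is annotated `// v6`, so checkout moves up two major versions while the `with` block (including the `ssh-key` secret) is passed unchanged. The commit does the same elsewhere: `1password/load-secrets-action` goes from `v2.0.0` to the `// v4` constant in onepassword.jsonnet, `google-github-actions/auth` and `setup-gcloud` from `v2` to `// v3` in pnpm, pulumi and ruby, `dorny/paths-filter` from `v2` to `// v4`, `pnpm/action-setup` from `v4` to `// v5`, and `kobtea/setup-jsonnet-action` from `v1` to `// v2`. Each action's release notes should be checked for renamed inputs or changed defaults against the inputs still passed at these call sites (`export-env`, `credentials_json`, `filters`, `version`), starting with the ones that handle secrets. A subject along the lines of `chore: pin actions to SHAs and upgrade majors` would make the upgrade visible in history.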
@@ -187,8 +188,9 @@ local images = import 'images.jsonnet'; echo "Possible reasons:"; echo " - You updated jsonnet files, but did not regenerate the workflows."; echo " To regenerate jsonnet run: 'rm .github/workflows/*; jsonnet -m .github/workflows/ -S .github.jsonnet'"; - echo " - You used the wrong jsonnet binary. In this case, the newlines at the end of the files differ."; - echo " To fix, install the go binary. On mac, run 'brew uninstall jsonnet && brew install go-jsonnet'"; + echo " - You used the wrong jsonnet binary (version). In this case, the newlines at the end of the files differ."; + echo " - You must use go-jsonnet version 0.22 or higher. Earlier versions do not generate the yml with trailing newline." + echo " To fix, install the go binary (^0.22). On mac, run 'brew uninstall jsonnet && brew install go-jsonnet'"; exit 1; ||| ), @@ -205,6 +207,7 @@ local images = import 'images.jsonnet'; * @param {string} [bodyUpdateAction='suffix'] - How to update the body ('suffix', 'prefix', 'replace') * @param {string} [titleUpdateAction='prefix'] - How to update the title ('suffix', 'prefix', 'replace') * @param {object} [otherOptions={}] - Additional options to pass to the action + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {workflows} - GitHub Actions pipeline for automatic PR description updates */ updatePRDescriptionPipeline( @@ -215,6 +218,7 @@ local images = import 'images.jsonnet'; bodyUpdateAction='suffix', titleUpdateAction='prefix', otherOptions={}, + runsOn=null, ):: base.pipeline( 'update-pr-description', @@ -224,6 +228,7 @@ local images = import 'images.jsonnet'; jobs=[ base.ghJob( 'update-pr-description', + runsOn=runsOn, steps=[ base.action( 'update-pr-description', 
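Review bot: The added `echo " - You must use go-jsonnet version 0.22 or higher. ..."` line is the only statement in this script without a trailing `;`. Inside the `|||` block the newline still terminates it, but if the step text is ever folded onto one line the following `echo` and its message become arguments of this one and the hint is printed wrong. Terminate it like its neighbours: `echo " - You must use go-jsonnet version 0.22 or higher. Earlier versions do not generate the yml with trailing newline.";`. It is also formatted as a third possible reason although it explains the second; laying it out like the `To fix` line would match the list. The script begins outside the hunk.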
@@ -417,7 +422,7 @@ local images = import 'images.jsonnet'; image=null, runsOn='ubuntu-latest', steps=[ - base.action('checkout', 'actions/checkout@v4'), + base.action('checkout', actions.checkout_action), base.action( 'Run delete-old-branches-action', 'beatlabs/delete-old-branches-action@4eeeb8740ff8b3cb310296ddd6b43c3387734588', @@ -472,7 +477,7 @@ local images = import 'images.jsonnet'; base.step('git safe directory', 'git config --global --add safe.directory $PWD'), base.action( 'check-for-changes', - uses='dorny/paths-filter@v2', + uses='dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d', // v4 id='changes', with={ filters: ||| @@ -492,9 +497,10 @@ local images = import 'images.jsonnet'; * * @param {string} name - The name of the GitHub job * @param {array} jobs - Array of job objects to wait for + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - GitHub Actions job that waits for the given jobs to finish */ - awaitJob(name, jobs):: + awaitJob(name, jobs, runsOn=null):: local dependingJobs = std.flatMap( function(job) local jobNameArray = std.objectFields(job); @@ -504,6 +510,7 @@ local images = import 'images.jsonnet'; [ base.ghJob( 'await-' + name, + runsOn=runsOn, ifClause='${{ always() }}', needs=dependingJobs, useCredentials=false, 
@@ -567,18 +574,20 @@ local images = import 'images.jsonnet'; * Useful for automatically approving renovate PRs or other trusted automation. * * @param {array} [users=['gynzy-virko']] - Array of usernames to auto-approve PRs for + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {workflows} - GitHub Actions pipeline that auto-approves PRs from specified users */ - autoApprovePRs(users=['gynzy-virko']):: + autoApprovePRs(users=['gynzy-virko'], runsOn=null):: base.pipeline( 'auto-approve-prs', [ base.ghJob( 'auto-approve', + runsOn=runsOn, steps=[ base.action( 'auto-approve-prs', - 'hmarr/auto-approve-action@v4', + 'hmarr/auto-approve-action@8f929096a962e83ccdfa8afcf855f39f12d4dac7', // v4 ), ], useCredentials=false, @@ -699,7 +708,7 @@ local images = import 'images.jsonnet'; steps=[ base.action( 'Close stale PRs', - 'actions/stale@v10', + 'actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f', // v10 with={ 'days-before-stale': daysBeforeStale, 'days-before-close': daysBeforeClose, diff --git a/.github/jsonnet/newrelic.jsonnet b/.github/jsonnet/newrelic.jsonnet index 0eff29fc..660296f8 100644 --- a/.github/jsonnet/newrelic.jsonnet +++ b/.github/jsonnet/newrelic.jsonnet @@ -14,6 +14,7 @@ local pnpm = import 'pnpm.jsonnet'; * @param {string} [image='mirror.gcr.io/node:20.17'] - Docker image to use for the job * @param {boolean} [useCredentials=false] - Whether to use Docker registry credentials * @param {string} [packageManager='yarn'] - Package manager to use ('yarn' or 'pnpm') + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - GitHub Actions job definition for New Relic deployment notification */ postReleaseToNewRelicJob( 
@@ -23,9 +24,11 @@ local pnpm = import 'pnpm.jsonnet'; image='mirror.gcr.io/node:20.17', useCredentials=false, packageManager='yarn', + runsOn=null, ):: base.ghJob( 'post-newrelic-release', + runsOn=runsOn, image=image, useCredentials=useCredentials, ifClause="${{ github.event.deployment.environment == 'production' }}", diff --git a/.github/jsonnet/notifications.jsonnet b/.github/jsonnet/notifications.jsonnet index 1bec39a7..1a3f8f0b 100644 --- a/.github/jsonnet/notifications.jsonnet +++ b/.github/jsonnet/notifications.jsonnet @@ -1,3 +1,4 @@ +local actions = import 'actions.jsonnet'; local base = import 'base.jsonnet'; { @@ -12,7 +13,7 @@ local base = import 'base.jsonnet'; notifiyDeployFailure(channel='#dev-deployments', name='notify-failure', environment='production'):: base.action( name, - 'act10ns/slack@v2', + actions.slack_action, with={ status: '${{ job.status }}', channel: channel, @@ -34,7 +35,7 @@ local base = import 'base.jsonnet'; sendSlackMessage(channel='#dev-deployments', stepName='sendSlackMessage', message=null, ifClause=null):: base.action( stepName, - 'act10ns/slack@v2', + actions.slack_action, with={ status: 'starting', channel: channel, @@ -59,7 +60,7 @@ local base = import 'base.jsonnet'; newrelicCreateDeploymentMarker(entityGuid, stepName='newrelic-deployment', ifClause=null):: base.action( stepName, - 'newrelic/deployment-marker-action@v2.5.0', + 'newrelic/deployment-marker-action@60142df2a3f5c23d3294486f474299b8f490cd90', // v2.5.0 with={ apiKey: $.secret('NEWRELIC_API_KEY'), guid: entityGuid, diff --git a/.github/jsonnet/onepassword.jsonnet b/.github/jsonnet/onepassword.jsonnet index f17073d7..7dc4103f 100644 --- a/.github/jsonnet/onepassword.jsonnet +++ b/.github/jsonnet/onepassword.jsonnet @@ -1,3 +1,4 @@ +local actions = import 'actions.jsonnet'; local base = import 'base.jsonnet'; local misc = import 'misc.jsonnet'; 
@@ -32,7 +33,7 @@ local misc = import 'misc.jsonnet'; local prefixedSecrets = std.mapWithKey(function(key, value) 'op://Pulumi Prod/' + value, secrets); base.action( stepName, - '1password/load-secrets-action@v2.0.0', + actions.onepassword_load_secrets_action, id=stepName, with={ 'export-env': false, @@ -72,7 +73,7 @@ local misc = import 'misc.jsonnet'; local prefixedSecrets = std.mapWithKey(function(key, value) 'op://Pulumi Test/' + value, secrets); base.action( stepName, - '1password/load-secrets-action@v2.0.0', + actions.onepassword_load_secrets_action, id=stepName, with={ 'export-env': false, diff --git a/.github/jsonnet/pnpm.jsonnet b/.github/jsonnet/pnpm.jsonnet index 76b0fc19..cbb0ca3f 100644 --- a/.github/jsonnet/pnpm.jsonnet +++ b/.github/jsonnet/pnpm.jsonnet @@ -1,3 +1,4 @@ +local actions = import 'actions.jsonnet'; local base = import 'base.jsonnet'; local cache = import 'cache.jsonnet'; local misc = import 'misc.jsonnet'; @@ -19,7 +20,7 @@ local yarn = import 'yarn.jsonnet'; install(args=[], with={}, version='10', prod=false, storeDir=null, ifClause=null, workingDirectory=null):: base.action( 'Install pnpm tool', - 'pnpm/action-setup@v4', + 'pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320', // v5 with= { version: version } + with, 
@@ -123,14 +124,16 @@ local yarn = import 'yarn.jsonnet'; * @param {boolean} [useCredentials=null] - Whether to use Docker registry credentials * @param {boolean} [setupPnpm=true] - Whether to set up and install pnpm itself before installing all packages * @param {string} [source=null] - Registry source ('gynzy' or 'github') + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {workflows} - Complete GitHub Actions pipeline configuration */ - updatePnpmCachePipeline(cacheName, appsDir='packages', image=null, useCredentials=null, setupPnpm=true, source=null):: + updatePnpmCachePipeline(cacheName, appsDir='packages', image=null, useCredentials=null, setupPnpm=true, source=null, runsOn=null):: base.pipeline( 'update-pnpm-cache', [ base.ghJob( 'update-pnpm-cache', + runsOn=runsOn, image=image, useCredentials=useCredentials, ifClause="${{ github.event.deployment.environment == 'production' || github.event.deployment.environment == 'prod' }}", @@ -142,13 +145,13 @@ local yarn = import 'yarn.jsonnet'; ), base.action( 'setup auth', - 'google-github-actions/auth@v2', + actions.gcp_auth_action, with={ credentials_json: misc.secret('SERVICE_JSON'), }, id='auth', ), - base.action('setup-gcloud', 'google-github-actions/setup-gcloud@v2'), + base.action('setup-gcloud', actions.gcp_setup_gcloud_action), cache.uploadCache( cacheName=cacheName, tarCommand='tar -c .pnpm-store', 
@@ -167,14 +170,16 @@ local yarn = import 'yarn.jsonnet'; * @param {boolean} [setupPnpm=true] - Whether to set up and install pnpm itself * @param {array} [pnpmInstallArgs=[]] - Additional arguments for pnpm install * @param {string} [auditLevel='moderate'] - Minimum severity level to fail the job ('low', 'moderate', 'high', 'critical') + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {workflows} - Complete GitHub Actions pipeline configuration */ - pnpmAuditPipeline(cacheName=null, image=null, setupPnpm=true, pnpmInstallArgs=[], auditLevel='moderate'):: + pnpmAuditPipeline(cacheName=null, image=null, setupPnpm=true, pnpmInstallArgs=[], auditLevel='moderate', runsOn=null):: base.pipeline( 'pnpm-audit', [ base.ghJob( 'pnpm-audit', + runsOn=runsOn, image=image, steps=[ self.checkoutAndPnpm( diff --git a/.github/jsonnet/pulumi.jsonnet b/.github/jsonnet/pulumi.jsonnet index d12070ff..33ba2f8b 100644 --- a/.github/jsonnet/pulumi.jsonnet +++ b/.github/jsonnet/pulumi.jsonnet @@ -1,3 +1,4 @@ +local actions = import 'actions.jsonnet'; local base = import 'base.jsonnet'; local images = import 'images.jsonnet'; local misc = import 'misc.jsonnet'; @@ -10,15 +11,15 @@ local yarn = import 'yarn.jsonnet'; local pulumiSetupSteps = base.action( 'auth', - uses='google-github-actions/auth@v2', + uses=actions.gcp_auth_action, id='auth', with={ credentials_json: misc.secret('PULUMI_SERVICE_ACCOUNT'), } ) + - base.action('setup-gcloud', uses='google-github-actions/setup-gcloud@v2') + - base.action('pulumi-cli-setup', 'pulumi/actions@v5') + - base.action('jsonnet-setup', 'kobtea/setup-jsonnet-action@v1') + + base.action('setup-gcloud', uses=actions.gcp_setup_gcloud_action) + + base.action('pulumi-cli-setup', actions.pulumi_action) + + base.action('jsonnet-setup', 'kobtea/setup-jsonnet-action@78f57bb20bd6cf4914c27dd44610a7d923455ecf') + // v2 misc.install1Password() + misc.getLockStep(lockName='lock-pulumi', lockTimeout='1200'); 
@@ -64,7 +65,7 @@ local pulumiDefaultEnvironment(stack) = { ):: base.action( name=stepName, - uses='pulumi/actions@v5', + uses=actions.pulumi_action, with={ command: 'preview', 'stack-name': stack, @@ -94,7 +95,7 @@ local pulumiDefaultEnvironment(stack) = { ):: base.action( name=stepName, - uses='pulumi/actions@v5', + uses=actions.pulumi_action, with={ command: 'up', 'stack-name': stack, @@ -127,7 +128,7 @@ local pulumiDefaultEnvironment(stack) = { base.action( name=stepName, - uses='pulumi/actions@v5', + uses=actions.pulumi_action, with={ command: 'destroy', remove: true, @@ -151,6 +152,7 @@ local pulumiDefaultEnvironment(stack) = { * @param {object} [environmentVariables={}] - Additional environment variables * @param {array} [additionalSetupSteps=[]] - Extra setup steps before Pulumi preview * @param {boolean} [ignoreEngines=false] - Whether to ignore Node.js engine requirements + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - Complete GitHub Actions job for Pulumi preview */ pulumiPreviewJob( @@ -164,9 +166,11 @@ local pulumiDefaultEnvironment(stack) = { environmentVariables={}, additionalSetupSteps=[], ignoreEngines=false, + runsOn=null, ):: base.ghJob( 'pulumi-preview-' + stack, + runsOn=runsOn, image=image, useCredentials=false, steps=[ @@ -267,6 +271,7 @@ local pulumiDefaultEnvironment(stack) = { * @param {boolean} [ignoreEngines=false] - Whether to ignore Node.js engine requirements * @param {string} [packageManager='yarn'] - Package manager to use ('yarn' or 'pnpm') * @param {array} [pnpmInstallArgs=[]] - Additional arguments for pnpm install + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - GitHub Actions job that previews both test and production stacks */ pulumiPreviewTestAndProdJob( 
@@ -283,9 +288,11 @@ local pulumiDefaultEnvironment(stack) = { ignoreEngines=false, packageManager='yarn', pnpmInstallArgs=[], + runsOn=null, ):: base.ghJob( 'pulumi-preview', + runsOn=runsOn, image=image, useCredentials=false, steps=[ @@ -318,6 +325,7 @@ local pulumiDefaultEnvironment(stack) = { * @param {boolean} [ignoreEngines=false] - Whether to ignore Node.js engine requirements * @param {string} [packageManager='yarn'] - Package manager to use ('yarn' or 'pnpm') * @param {array} [pnpmInstallArgs=[]] - Additional arguments for pnpm install + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - GitHub Actions job for Pulumi deployment with failure notifications */ pulumiDeployJob( @@ -336,9 +344,11 @@ local pulumiDefaultEnvironment(stack) = { ignoreEngines=false, packageManager='yarn', pnpmInstallArgs=[], + runsOn=null, ):: base.ghJob( name=jobName, + runsOn=runsOn, ifClause=ifClause, image=image, useCredentials=false, @@ -369,6 +379,7 @@ local pulumiDefaultEnvironment(stack) = { * @param {array} [additionalSetupSteps=[]] - Extra setup steps * @param {boolean} [ignoreEngines=false] - Whether to ignore Node.js engine requirements * @param {string} [packageManager='yarn'] - Package manager to use + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - GitHub Actions job for test environment deployment */ pulumiDeployTestJob( @@ -384,9 +395,11 @@ local pulumiDefaultEnvironment(stack) = { additionalSetupSteps=[], ignoreEngines=false, packageManager='yarn', + runsOn=null, ):: self.pulumiDeployJob( stack, + runsOn=runsOn, pulumiDir=pulumiDir, yarnDir=yarnDir, yarnNpmSource=yarnNpmSource, 
@@ -415,6 +428,7 @@ local pulumiDefaultEnvironment(stack) = { * @param {array} [additionalSetupSteps=[]] - Extra setup steps * @param {boolean} [ignoreEngines=false] - Whether to ignore Node.js engine requirements * @param {string} [packageManager='yarn'] - Package manager to use + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - GitHub Actions job for production deployment */ pulumiDeployProdJob( @@ -430,9 +444,11 @@ local pulumiDefaultEnvironment(stack) = { additionalSetupSteps=[], ignoreEngines=false, packageManager='yarn', + runsOn=null, ):: self.pulumiDeployJob( stack, + runsOn=runsOn, pulumiDir=pulumiDir, yarnDir=yarnDir, yarnNpmSource=yarnNpmSource, @@ -466,6 +482,7 @@ local pulumiDefaultEnvironment(stack) = { * @param {boolean} [ignoreEngines=false] - Whether to ignore Node.js engine requirements * @param {string} [packageManager='yarn'] - Package manager to use ('yarn' or 'pnpm') * @param {array} [pnpmInstallArgs=[]] - Additional arguments for pnpm install + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - GitHub Actions job for Pulumi infrastructure destruction */ pulumiDestroyJob( @@ -484,9 +501,11 @@ local pulumiDefaultEnvironment(stack) = { ignoreEngines=false, packageManager='yarn', pnpmInstallArgs=[], + runsOn=null, ):: base.ghJob( name=jobName, + runsOn=runsOn, ifClause=ifClause, image=image, useCredentials=false, @@ -520,6 +539,7 @@ local pulumiDefaultEnvironment(stack) = { * @param {object} [environmentVariables={}] - Additional environment variables * @param {array} [additionalSetupSteps=[]] - Extra setup steps for all jobs * @param {boolean} [ignoreEngines=false] - Whether to ignore Node.js engine requirements + * @param {string} [runsOn=null] - GitHub Actions runner to use for the jobs * @returns {workflows} - Complete set of Pulumi preview and deployment pipelines */ pulumiDefaultPipeline( 
@@ -535,6 +555,7 @@ local pulumiDefaultEnvironment(stack) = { environmentVariables={}, additionalSetupSteps=[], ignoreEngines=false, + runsOn=null, ):: base.pipeline( 'pulumi-preview', @@ -551,6 +572,7 @@ local pulumiDefaultEnvironment(stack) = { environmentVariables=environmentVariables, additionalSetupSteps=additionalSetupSteps, ignoreEngines=ignoreEngines, + runsOn=runsOn, ), ], ) + @@ -567,7 +589,8 @@ local pulumiDefaultEnvironment(stack) = { environmentVariables=environmentVariables, additionalSetupSteps=additionalSetupSteps, ifClause=if deployTestWithProd then "${{ github.event.deployment.environment == 'test' || github.event.deployment.environment == 'prod' || github.event.deployment.environment == 'production' }}" else "${{ github.event.deployment.environment == 'test' }}", - ignoreEngines=ignoreEngines + ignoreEngines=ignoreEngines, + runsOn=runsOn, ), self.pulumiDeployProdJob( pulumiDir=pulumiDir, @@ -579,7 +602,8 @@ local pulumiDefaultEnvironment(stack) = { stack=productionStack, environmentVariables=environmentVariables, additionalSetupSteps=additionalSetupSteps, - ignoreEngines=ignoreEngines + ignoreEngines=ignoreEngines, + runsOn=runsOn, ), ], event='deployment', diff --git a/.github/jsonnet/ruby.jsonnet b/.github/jsonnet/ruby.jsonnet index 1e56d6d5..d19f2bf5 100644 --- a/.github/jsonnet/ruby.jsonnet +++ b/.github/jsonnet/ruby.jsonnet @@ -1,3 +1,4 @@ +local actions = import 'actions.jsonnet'; local base = import 'base.jsonnet'; local database = import 'databases.jsonnet'; local docker = import 'docker.jsonnet'; 
@@ -26,6 +27,7 @@ local servicesImport = import 'services.jsonnet'; * @param {boolean} migrateOptions.enabled - Whether to run migrations * @param {string} migrateOptions.RAILS_ENV - Rails environment * @param {string} rubyImageName - Ruby base image for the job (required) + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {workflows} - Complete GitHub Actions pipeline for Ruby PR deployment */ rubyDeployPRPipeline( @@ -38,6 +40,7 @@ local servicesImport = import 'services.jsonnet'; mysqlCloneOptions={}, migrateOptions={}, rubyImageName=null, + runsOn=null, ):: assert rubyImageName != null; local mysqlCloneOptionsWithDefaults = { @@ -64,6 +67,7 @@ local servicesImport = import 'services.jsonnet'; [ base.ghJob( 'deploy-pr', + runsOn=runsOn, image=rubyImageName, steps=[ misc.checkout(ref='${{ github.event.pull_request.head.sha }}'), @@ -129,6 +133,7 @@ local servicesImport = import 'services.jsonnet'; * @param {object} [extra_env={}] - Additional environment variables * @param {object} [services] - Database services configuration * @param {string} rubyImageName - Ruby base image for the job (required) + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - GitHub Actions job for API documentation deployment */ deployApiDocs( @@ -138,10 +143,12 @@ local servicesImport = import 'services.jsonnet'; extra_env={}, services={ db: servicesImport.mysql8service(database='ci', password='ci', root_password='1234test', username='ci', version='8.4') }, rubyImageName=null, + runsOn=null, ):: assert rubyImageName != null; base.ghJob( 'apidocs', + runsOn=runsOn, image=rubyImageName, ifClause="${{ github.event.deployment.environment == 'production' }}", steps=[ 
@@ -165,13 +172,13 @@ local servicesImport = import 'services.jsonnet'; ), base.action( 'setup auth', - 'google-github-actions/auth@v2', + actions.gcp_auth_action, with={ credentials_json: misc.secret('GCE_JSON'), }, id='auth', ), - base.action('setup-gcloud', 'google-github-actions/setup-gcloud@v2'), + base.action('setup-gcloud', actions.gcp_setup_gcloud_action), base.step('deploy-api-docs', 'gsutil -m cp -r doc/api/** gs://apidocs.gynzy.com/' + serviceName + '/'), ], services=(if enableDatabase then services else null), @@ -240,6 +247,7 @@ local servicesImport = import 'services.jsonnet'; * @param {object} [migrateOptions={}] - Rails migration options * @param {bool} wait [true] - let helm wait for pods to come online otherwise fail the job * @param {timeout} [10m] - how long to wait until the pods come online + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - GitHub Actions job for test environment deployment */ rubyDeployTestJob( @@ -252,6 +260,7 @@ local servicesImport = import 'services.jsonnet'; migrateOptions={}, wait=true, timeout='10m', + runsOn=null, ):: assert image != null; local migrateOptionsWithDefaults = { @@ -266,6 +275,7 @@ local servicesImport = import 'services.jsonnet'; base.ghJob( 'deploy-test', + runsOn=runsOn, ifClause="${{ github.event.deployment.environment == 'test' }}", image=image, useCredentials=useCredentials, @@ -291,6 +301,7 @@ local servicesImport = import 'services.jsonnet'; * @param {object} [migrateOptions={}] - Rails migration options * @param {bool} wait [true] - let helm wait for pods to come online otherwise fail the job * @param {timeout} [10m] - how long to wait until the pods come online + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {jobs} - GitHub Actions job for production deployment with failure notifications */ rubyDeployProdJob( 
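Review bot: In the `deployApiDocs` hunk (`@@ -165,13 +172,13 @@`) the move from `'google-github-actions/auth@v2'` to `actions.gcp_auth_action` is a major-version upgrade as well as a pin, because actions.jsonnet annotates that SHA as v3; the `setup-gcloud` line below it and the yarn.jsonnet hunk `@@ -144,13 +146,13 @@` change in the same way. The inputs passed here are unchanged, so the v3 release notes should be checked for removed inputs and minimum runner versions, and the upgrade is worth naming in the commit description. The step also still authenticates with a stored service-account key, `credentials_json: misc.secret('GCE_JSON')`; the action's `workload_identity_provider` and `service_account` inputs, with `id-token: write` on the job, would avoid keeping that key as a secret. The `steps` list this belongs to starts and ends outside the hunk.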
@@ -303,6 +314,7 @@ local servicesImport = import 'services.jsonnet'; migrateOptions={}, wait=true, timeout='10m', + runsOn=null, ):: assert image != null; local migrateOptionsWithDefaults = { @@ -317,6 +329,7 @@ local servicesImport = import 'services.jsonnet'; base.ghJob( 'deploy-prod', + runsOn=runsOn, ifClause="${{ github.event.deployment.environment == 'production' }}", image=image, useCredentials=useCredentials, diff --git a/.github/jsonnet/yarn.jsonnet b/.github/jsonnet/yarn.jsonnet index 6dbe7851..6905ff2d 100644 --- a/.github/jsonnet/yarn.jsonnet +++ b/.github/jsonnet/yarn.jsonnet @@ -1,6 +1,6 @@ +local actions = import 'actions.jsonnet'; local base = import 'base.jsonnet'; local cache = import 'cache.jsonnet'; -local images = import 'images.jsonnet'; local misc = import 'misc.jsonnet'; { @@ -127,14 +127,16 @@ local misc = import 'misc.jsonnet'; * @param {string} [image=null] - Docker image to use for the job * @param {boolean} [useCredentials=null] - Whether to use Docker registry credentials * @param {boolean} [ignoreEngines=false] - Whether to ignore engine version checks + * @param {string} [runsOn=null] - GitHub Actions runner to use for the job * @returns {workflows} - Complete GitHub Actions pipeline configuration */ - updateYarnCachePipeline(cacheName, appsDir='packages', image=null, useCredentials=null, ignoreEngines=false):: + updateYarnCachePipeline(cacheName, appsDir='packages', image=null, useCredentials=null, ignoreEngines=false, runsOn=null):: base.pipeline( 'update-yarn-cache', [ base.ghJob( 'update-yarn-cache', + runsOn=runsOn, image=image, useCredentials=useCredentials, ifClause="${{ github.event.deployment.environment == 'production' || github.event.deployment.environment == 'prod' }}", 
@@ -144,13 +146,13 @@ local misc = import 'misc.jsonnet'; self.yarn(ignoreEngines=ignoreEngines), base.action( 'setup auth', - 'google-github-actions/auth@v2', + actions.gcp_auth_action, with={ credentials_json: misc.secret('SERVICE_JSON'), }, id='auth', ), - base.action('setup-gcloud', 'google-github-actions/setup-gcloud@v2'), + base.action('setup-gcloud', actions.gcp_setup_gcloud_action), cache.uploadCache( cacheName=cacheName, tarCommand='ls "' + appsDir + '/*/node_modules" -1 -d 2>/dev/null | xargs tar -c .yarncache node_modules', @@ -259,7 +261,7 @@ local misc = import 'misc.jsonnet'; [self.checkoutAndYarn(ref=gitCloneRef, fullClone=false)] + (if onChangedFiles != false then misc.testForChangedFiles({ package: onChangedFiles }, headRef=changedFilesHeadRef, baseRef=changedFilesBaseRef) else []) + (if checkVersionBump then [ - base.action('check-version-bump', uses='del-systems/check-if-version-bumped@v1', with={ + base.action('check-version-bump', uses='del-systems/check-if-version-bumped@d5d13ffd75dc8aa9c2e1dca10d9bb27be10307b2', with={ // check-if-version-bumped@d5d13 == v2 token: '${{ github.token }}', }, ifClause=ifClause), ] else []) + diff --git a/.github/workflows/Build Agent Images.yml b/.github/workflows/Build Agent Images.yml index 5eeeea32..40dc835f 100644 --- a/.github/workflows/Build Agent Images.yml +++ b/.github/workflows/Build Agent Images.yml 
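Review bot: The `check-version-bump` step in the `@@ -259,7 +261,7 @@` hunk pins `del-systems/check-if-version-bumped` with an inline SHA instead of going through actions.jsonnet like the `actions.gcp_auth_action` change one hunk earlier, so this pin is missed when the central file is audited or updated. The explanatory comment also sits after `with={` rather than on the reference, and it shows the ref moving from `@v1` to a commit the comment says is v2, which is a major-version change. I would add `check_version_bump_action: 'del-systems/check-if-version-bumped@d5d13ffd75dc8aa9c2e1dca10d9bb27be10307b2', // v2` to actions.jsonnet and write `uses=actions.check_version_bump_action` here. The expression this step is part of starts and ends outside the hunk.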
@@ -48,13 +48,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" @@ -121,13 +121,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" 
@@ -195,13 +195,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" @@ -269,13 +269,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" 
@@ -343,13 +343,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" @@ -417,13 +417,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" 
@@ -491,13 +491,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" @@ -565,13 +565,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" @@ -591,4 +591,4 @@ "timeout-minutes": 30 "name": "Build Agent Images" "on": - "workflow_dispatch": null \ No newline at end of file + "workflow_dispatch": null diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml index 4ff72fd4..7e08493f 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/CI.yml 
@@ -48,14 +48,14 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "submodules": "recursive" @@ -123,14 +123,14 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "submodules": "recursive" 
@@ -199,14 +199,14 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "submodules": "recursive" @@ -275,14 +275,14 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "submodules": "recursive" 
@@ -351,14 +351,14 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "submodules": "recursive" @@ -427,14 +427,14 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "submodules": "recursive" 
@@ -503,14 +503,14 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "submodules": "recursive" @@ -579,14 +579,14 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "submodules": "recursive" 
@@ -653,14 +653,14 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "submodules": "recursive" @@ -726,14 +726,14 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "submodules": "recursive" 
@@ -799,13 +799,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" @@ -865,14 +865,14 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ref": "${{ github.event.pull_request.head.sha || github.sha }}" "submodules": "recursive" 
@@ -938,13 +938,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" @@ -1004,13 +1004,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" 
@@ -1070,13 +1070,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" @@ -1092,4 +1092,4 @@ "on": "pull_request": "branches": - - "gynzy" \ No newline at end of file + - "gynzy" diff --git a/.github/workflows/Release.yml b/.github/workflows/Release.yml index 70161f7c..1f2c0466 100644 --- a/.github/workflows/Release.yml +++ b/.github/workflows/Release.yml @@ -49,13 +49,13 @@ echo "sshBinaryExists=false" >> $GITHUB_OUTPUT; - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'true' && steps.check-binaries.outputs.gitBinaryExists == 'true' ) }}" "name": "Check out repository code via ssh" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "ssh-key": "${{ secrets.VIRKO_GITHUB_SSH_KEY }}" "submodules": "recursive" - "if": "${{ ( steps.check-binaries.outputs.sshBinaryExists == 'false' || steps.check-binaries.outputs.gitBinaryExists == 'false' ) }}" "name": "Check out repository code via https" - "uses": "actions/checkout@v4" + "uses": "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" "with": "submodules": "recursive" - "name": "git safe directory" 
@@ -79,11 +79,11 @@ "wait": "false" - "if": "${{ always() }}" "name": "Update deployment status" - "uses": "chrnorm/deployment-status@v2" + "uses": "chrnorm/deployment-status@6df8d036fd2fee9eb82936733953da1f8382b41e" "with": "deployment-id": "${{ github.event.deployment.id }}" "state": "${{ job.status }}" "token": "${{ secrets.GITHUB_TOKEN }}" "timeout-minutes": 30 "name": "Release" -"on": "deployment" \ No newline at end of file +"on": "deployment" diff --git a/.github/workflows/create-merge-deployment.yml b/.github/workflows/create-merge-deployment.yml index e89fd4f4..bde19bce 100644 --- a/.github/workflows/create-merge-deployment.yml +++ b/.github/workflows/create-merge-deployment.yml @@ -30,7 +30,7 @@ fi - "if": "${{ github.event.pull_request.base.ref == github.event.pull_request.base.repo.default_branch && steps.assert-merge-sha-is-latest-commit.outputs.CREATE_DEPLOY_EVENT == 'true' }}" "name": "publish-deploy-production-event" - "uses": "chrnorm/deployment-action@v2" + "uses": "chrnorm/deployment-action@500aa6a23c81ffa1acf71072aee3cfa2cc2e556a" "with": "auto-merge": "false" "description": "Auto deploy production on PR merge. pr: ${{ github.event.number }} ref: ${{ github.event.pull_request.head.sha }}" @@ -40,7 +40,7 @@ "token": "${{ secrets.VIRKO_GITHUB_TOKEN }}" - "if": "${{ github.event.pull_request.base.ref == github.event.pull_request.base.repo.default_branch && steps.assert-merge-sha-is-latest-commit.outputs.CREATE_DEPLOY_EVENT == 'true' }}" "name": "sendSlackMessage" - "uses": "act10ns/slack@v2" + "uses": "act10ns/slack@d96404edccc6d6467fc7f8134a420c851b1e9054" "with": "channel": "#dev-deployments" "message": "Deploy to production of started!\nTitle: ${{ github.event.pull_request.title }}\nBranch: ${{ github.head_ref }}" @@ -51,4 +51,4 @@ "on": "pull_request": "types": - - "closed" \ No newline at end of file + - "closed"