Easier execution of GitHub Actions workflows without Red Hat subscrip…

…tions by moving building and testing RHEL images to separate job.
freeipa · Sep 28, 2024 · 62d1730 · 62d1730
1 parent 6bfc994
commit 62d1730
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 121 deletions.
diff --git a/.github/actions/decrypt-file/action.yml b/.github/actions/decrypt-file/action.yml
diff --git a/.github/actions/encrypt-file/action.yml b/.github/actions/encrypt-file/action.yml
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
@@ -16,29 +16,15 @@ jobs:
       matrix:
         os: [ fedora-rawhide, fedora-40, fedora-39, centos-9-stream, rocky-9, rocky-8, almalinux-9, almalinux-8 ]
         docker: [ docker ]
-        include:
-          - os: rhel-9
-            docker: podman
-          - os: rhel-8
-            docker: podman
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
-      - name: Install podman 4.*
-        uses: ./.github/actions/install-podman-4
-        if: matrix.docker == 'podman'
       - name: Separate git work tree with just the files needed for build
         run: git worktree add --no-checkout ../minimize-for-build
       - name: Populate with the Dockerfile
         run: cd ../minimize-for-build && git checkout HEAD Dockerfile.${{ matrix.os }}
       - name: Populate with files referenced from the Dockerfile
         run: cd ../minimize-for-build && awk '/^(ADD|COPY)/ { for (i = 2; i < NF; i++) print $i }' Dockerfile.${{ matrix.os }} | while read f ; do git checkout HEAD $f ; done
-      - name: For RHEL builds, use entitlements
-        if: ${{ startsWith(matrix.os, 'rhel-') }}
-        uses: ./.github/actions/podman-entitlement
-        with:
-          org: ${{ secrets.REDHAT_ORG }}
-          activationkey: ${{ secrets.REDHAT_ACTIVATIONKEY }}
       - name: Ensure docker images sees the named parent image
         run: awk '$1 == "FROM" { print $2 ; exit }' ../minimize-for-build/Dockerfile.${{ matrix.os }} | xargs ${{ matrix.docker }} pull
       - name: Build image
@@ -73,12 +59,6 @@ jobs:
         run: mkdir freeipa-server-${{ matrix.os }}
       - name: Save image
         run: ${{ matrix.docker }} save localhost/freeipa-server:${{ matrix.os }} | gzip > freeipa-server-${{ matrix.os }}/freeipa-server-${{ matrix.os }}.tar.gz
-      - name: For RHEL builds, encrypt the artifacts
-        uses: ./.github/actions/encrypt-file
-        if: ${{ startsWith(matrix.os, 'rhel-') }}
-        with:
-          file: freeipa-server-${{ matrix.os }}/freeipa-server-${{ matrix.os }}.tar.gz
-          secret: ${{ secrets.UPLOAD_SECRET }}
       - uses: actions/upload-artifact@v4
         with:
           name: freeipa-server-${{ matrix.os }}
@@ -106,20 +86,14 @@ jobs:
           - os: centos-9-stream
             readonly: --read-only
             ca: --external-ca
-        os: [ fedora-39, rhel-9, rhel-8, almalinux-9 ]
+        os: [ fedora-39, almalinux-9, rocky-8 ]
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/docker-cgroups-ubuntu-22
       - uses: actions/download-artifact@v4
         with:
           name: freeipa-server-${{ matrix.os }}
-      - name: Decrypt artifacts that were encrypted after build
-        uses: ./.github/actions/decrypt-file
-        if: ${{ startsWith(matrix.os, 'rhel-') }}
-        with:
-          file: freeipa-server-${{ matrix.os }}.tar.gz
-          secret: ${{ secrets.UPLOAD_SECRET }}
       - name: Load image
         run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
       - name: Run master and replica
@@ -135,7 +109,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ fedora-rawhide, fedora-40, rocky-9, almalinux-9 ]
+        os: [ fedora-rawhide, fedora-40, rocky-9, almalinux-8 ]
         readonly: [ --read-only ]
     timeout-minutes: 30
     steps:
@@ -145,12 +119,6 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
           name: freeipa-server-${{ matrix.os }}
-      - name: Decrypt artifacts that were encrypted after build
-        uses: ./.github/actions/decrypt-file
-        if: ${{ startsWith(matrix.os, 'rhel-') }}
-        with:
-          file: freeipa-server-${{ matrix.os }}.tar.gz
-          secret: ${{ secrets.UPLOAD_SECRET }}
       - name: Load image
         run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
       - name: Run master and replica
@@ -178,12 +146,6 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
           name: freeipa-server-${{ matrix.os }}
-      - name: Decrypt artifacts that were encrypted after build
-        uses: ./.github/actions/decrypt-file
-        if: ${{ startsWith(matrix.os, 'rhel-') }}
-        with:
-          file: freeipa-server-${{ matrix.os }}.tar.gz
-          secret: ${{ secrets.UPLOAD_SECRET }}
       - name: Load image
         run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
       - name: Disable fs.protected_regular
@@ -211,12 +173,6 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
           name: freeipa-server-${{ matrix.os }}
-      - name: Decrypt artifacts that were encrypted after build
-        uses: ./.github/actions/decrypt-file
-        if: ${{ startsWith(matrix.os, 'rhel-') }}
-        with:
-          file: freeipa-server-${{ matrix.os }}.tar.gz
-          secret: ${{ secrets.UPLOAD_SECRET }}
       - name: Load image
         run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | sudo podman load
       - name: Run master and replica
@@ -232,7 +188,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ fedora-40, rhel-9, rhel-8, centos-9-stream, rocky-9, rocky-8, almalinux-8 ]
+        os: [ fedora-40, centos-9-stream, rocky-9, almalinux-8 ]
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@v4
@@ -241,12 +197,6 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
           name: freeipa-server-${{ matrix.os }}
-      - name: Decrypt artifacts that were encrypted after build
-        uses: ./.github/actions/decrypt-file
-        if: ${{ startsWith(matrix.os, 'rhel-') }}
-        with:
-          file: freeipa-server-${{ matrix.os }}.tar.gz
-          secret: ${{ secrets.UPLOAD_SECRET }}
       - name: Load image
         run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | podman load
       - name: Run master
@@ -269,8 +219,6 @@ jobs:
             data-from: fedora-39
           - os: fedora-40
             data-from: fedora-38
-          - os: rhel-8
-            data-from: centos-8
           - os: rocky-8
             data-from: centos-8
           - os: almalinux-8
@@ -282,12 +230,6 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
           name: freeipa-server-${{ matrix.os }}
-      - name: Decrypt artifacts that were encrypted after build
-        uses: ./.github/actions/decrypt-file
-        if: ${{ startsWith(matrix.os, 'rhel-') }}
-        with:
-          file: freeipa-server-${{ matrix.os }}.tar.gz
-          secret: ${{ secrets.UPLOAD_SECRET }}
       - name: Load image
         run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
       - name: Populate volume with data
@@ -313,12 +255,6 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
           name: freeipa-server-${{ matrix.os }}
-      - name: Decrypt artifacts that were encrypted after build
-        uses: ./.github/actions/decrypt-file
-        if: ${{ startsWith(matrix.os, 'rhel-') }}
-        with:
-          file: freeipa-server-${{ matrix.os }}.tar.gz
-          secret: ${{ secrets.UPLOAD_SECRET }}
       - name: Load image
         run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | podman load
       - name: Populate volume with data
@@ -344,12 +280,6 @@ jobs:
       - uses: actions/download-artifact@v4
         with:
           name: freeipa-server-${{ matrix.os }}
-      - name: Decrypt artifacts that were encrypted after build
-        uses: ./.github/actions/decrypt-file
-        if: ${{ startsWith(matrix.os, 'rhel-') }}
-        with:
-          file: freeipa-server-${{ matrix.os }}.tar.gz
-          secret: ${{ secrets.UPLOAD_SECRET }}
       - name: Load image
         run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
       - name: Populate volume with data
@@ -364,20 +294,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ fedora-rawhide, fedora-40, rhel-9, rhel-8, centos-9-stream ]
+        os: [ fedora-rawhide, fedora-40, rocky-9, almalinux-8, centos-9-stream ]
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/docker-cgroups-ubuntu-22
       - uses: actions/download-artifact@v4
         with:
           name: freeipa-server-${{ matrix.os }}
-      - name: Decrypt artifacts that were encrypted after build
-        uses: ./.github/actions/decrypt-file
-        if: ${{ startsWith(matrix.os, 'rhel-') }}
-        with:
-          file: freeipa-server-${{ matrix.os }}.tar.gz
-          secret: ${{ secrets.UPLOAD_SECRET }}
       - name: Download latest cri-dockerd
         run: curl -s ${{ github.api_url }}/repos/Mirantis/cri-dockerd/releases/latest | jq -r '.assets[].browser_download_url' | grep jammy_amd64.deb | tee /dev/stderr | xargs curl -LO
       - name: Install cri-dockerd
@@ -435,3 +359,41 @@ jobs:
           ${{ secrets.REGISTRY_TARGET_LIST }}
           EOF
 
+  test-subscription:
+    # Workaround https://github.com/actions/runner/issues/1138
+    name: Prerequisite for RHEL builds
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
+    outputs:
+      has_rhel_subscriptions: ${{ steps.check.outputs.has_rhel_subscriptions }}
+    steps:
+      - id: check
+        run: |
+          if [ -n "${{ secrets.REDHAT_ORG }}" -a -n "${{ secrets.REDHAT_ACTIVATIONKEY }}" ] ; then
+            echo "has_rhel_subscriptions=1" >> $GITHUB_OUTPUT
+          fi
+
+  build-test-rhel-podman:
+    name: Build and test RHEL image
+    runs-on: ubuntu-22.04
+    needs: [ test-subscription ]
+    if: needs.test-subscription.outputs.has_rhel_subscriptions == 1
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ rhel-9, rhel-8 ]
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install podman 4.*
+        uses: ./.github/actions/install-podman-4
+      - name: For RHEL builds, use entitlements
+        uses: ./.github/actions/podman-entitlement
+        with:
+          org: ${{ secrets.REDHAT_ORG }}
+          activationkey: ${{ secrets.REDHAT_ACTIVATIONKEY }}
+      - name: Build image
+        run: podman build -t localhost/freeipa-server:${{ matrix.os }} -f Dockerfile.${{ matrix.os }} .
+      - name: Run master
+        run: docker=podman tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} && podman pod ls -q | xargs podman pod rm -f
+
diff --git a/.github/workflows/run-partial-tests.yaml b/.github/workflows/run-partial-tests.yaml
@@ -29,13 +29,16 @@ jobs:
     steps:
       - id: default-matrix
         run: |
-          echo "matrix={'os': [ 'fedora-rawhide', 'fedora-40', 'fedora-39', 'centos-9-stream', 'rocky-9', 'rocky-8', 'almalinux-9', 'almalinux-8' ], \
-          'docker': [ 'docker', 'podman' ], \
-          'include': [ \
-            { 'os': 'rhel-9', 'docker': 'podman' }, \
-            { 'os': 'rhel-8', 'docker': 'podman' } \
-          ] \
-          }" | tee -a $GITHUB_OUTPUT
+          (
+          echo -n "matrix={'os': [ 'fedora-rawhide', 'fedora-40', 'fedora-39', 'centos-9-stream', 'rocky-9', 'rocky-8', 'almalinux-9', 'almalinux-8' ], \
+          'docker': [ 'docker', 'podman' ] "
+          if [ -n "${{ secrets.REDHAT_ORG }}" -a -n "${{ secrets.REDHAT_ACTIVATIONKEY }}" ] ; then
+            echo -n ", 'include': [ \
+              { 'os': 'rhel-9', 'docker': 'podman' }, \
+              { 'os': 'rhel-8', 'docker': 'podman' } \
+              ]"
+          fi
+          echo "}" ) | tee -a $GITHUB_OUTPUT
         if: github.event_name != 'workflow_dispatch' || inputs.full
       - id: dispatch-matrix
         run: |