diff --git a/.github/actions/decrypt-file/action.yml b/.github/actions/decrypt-file/action.yml
deleted file mode 100644
index 8bdeaf87..00000000
--- a/.github/actions/decrypt-file/action.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: 'Decrypt file using a secret (reverse of encrypt-file)'
-inputs:
- file:
- description: 'The file to decrypt'
- required: true
- secret:
- description: 'The secret that was used to encrypt'
- required: true
-runs:
- using: 'composite'
- steps:
- - run: echo "${{ inputs.secret }}" | openssl enc -d -pass stdin -aes-256-cbc -pbkdf2 -in "${{ inputs.file }}" -out "${{ inputs.file }}.dec.${{ github.run_id }}"
- shell: bash
- - run: rm -f "${{ inputs.file }}"
- shell: bash
- - run: mv -f "${{ inputs.file }}.dec.${{ github.run_id }}" "${{ inputs.file }}"
- shell: bash
diff --git a/.github/actions/encrypt-file/action.yml b/.github/actions/encrypt-file/action.yml
deleted file mode 100644
index b7232dd4..00000000
--- a/.github/actions/encrypt-file/action.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: 'Encrypt file with a secret'
-inputs:
- file:
- description: 'The file to encrypt'
- required: true
- secret:
- description: 'The secret to be used to encrypt'
- required: true
-runs:
- using: 'composite'
- steps:
- - run: echo "${{ inputs.secret }}" | openssl enc -pass stdin -aes-256-cbc -pbkdf2 -in "${{ inputs.file }}" -out "${{ inputs.file }}.enc.${{ github.run_id }}"
- shell: bash
- - run: rm -f "${{ inputs.file }}"
- shell: bash
- - run: mv -f "${{ inputs.file }}.enc.${{ github.run_id }}" "${{ inputs.file }}"
- shell: bash
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index d794780d..98b2fcd5 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -16,29 +16,15 @@ jobs:
 matrix:
 os: [ fedora-rawhide, fedora-40, fedora-39, centos-9-stream, rocky-9, rocky-8, almalinux-9, almalinux-8 ]
 docker: [ docker ]
- include:
- - os: rhel-9
- docker: podman
- - os: rhel-8
- docker: podman
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@v4
- - name: Install podman 4.*
- uses: ./.github/actions/install-podman-4
- if: matrix.docker == 'podman'
 - name: Separate git work tree with just the files needed for build
 run: git worktree add --no-checkout ../minimize-for-build
 - name: Populate with the Dockerfile
 run: cd ../minimize-for-build && git checkout HEAD Dockerfile.${{ matrix.os }}
 - name: Populate with files referenced from the Dockerfile
 run: cd ../minimize-for-build && awk '/^(ADD|COPY)/ { for (i = 2; i < NF; i++) print $i }' Dockerfile.${{ matrix.os }} | while read f ; do git checkout HEAD $f ; done
- - name: For RHEL builds, use entitlements
- if: ${{ startsWith(matrix.os, 'rhel-') }}
- uses: ./.github/actions/podman-entitlement
- with:
- org: ${{ secrets.REDHAT_ORG }}
- activationkey: ${{ secrets.REDHAT_ACTIVATIONKEY }}
 - name: Ensure docker images sees the named parent image
 run: awk '$1 == "FROM" { print $2 ; exit }' ../minimize-for-build/Dockerfile.${{ matrix.os }} | xargs ${{ matrix.docker }} pull
 - name: Build image
@@ -73,12 +59,6 @@ jobs:
 run: mkdir freeipa-server-${{ matrix.os }}
 - name: Save image
 run: ${{ matrix.docker }} save localhost/freeipa-server:${{ matrix.os }} | gzip > freeipa-server-${{ matrix.os }}/freeipa-server-${{ matrix.os }}.tar.gz
- - name: For RHEL builds, encrypt the artifacts
- uses: ./.github/actions/encrypt-file
- if: ${{ startsWith(matrix.os, 'rhel-') }}
- with:
- file: freeipa-server-${{ matrix.os }}/freeipa-server-${{ matrix.os }}.tar.gz
- secret: ${{ secrets.UPLOAD_SECRET }}
 - uses: actions/upload-artifact@v4
 with:
 name: freeipa-server-${{ matrix.os }}
@@ -106,7 +86,7 @@ jobs:
 - os: centos-9-stream
 readonly: --read-only
 ca: --external-ca
- os: [ fedora-39, rhel-9, rhel-8, almalinux-9 ]
+ os: [ fedora-39, almalinux-9, rocky-8 ]
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@v4
@@ -114,12 +94,6 @@ jobs:
 - uses: actions/download-artifact@v4
 with:
 name: freeipa-server-${{ matrix.os }}
- - name: Decrypt artifacts that were encrypted after build
- uses: ./.github/actions/decrypt-file
- if: ${{ startsWith(matrix.os, 'rhel-') }}
- with:
- file: freeipa-server-${{ matrix.os }}.tar.gz
- secret: ${{ secrets.UPLOAD_SECRET }}
 - name: Load image
 run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
 - name: Run master and replica
@@ -135,7 +109,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- os: [ fedora-rawhide, fedora-40, rocky-9, almalinux-9 ]
+ os: [ fedora-rawhide, fedora-40, rocky-9, almalinux-8 ]
 readonly: [ --read-only ]
 timeout-minutes: 30
 steps:
@@ -145,12 +119,6 @@ jobs:
 - uses: actions/download-artifact@v4
 with:
 name: freeipa-server-${{ matrix.os }}
- - name: Decrypt artifacts that were encrypted after build
- uses: ./.github/actions/decrypt-file
- if: ${{ startsWith(matrix.os, 'rhel-') }}
- with:
- file: freeipa-server-${{ matrix.os }}.tar.gz
- secret: ${{ secrets.UPLOAD_SECRET }}
 - name: Load image
 run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
 - name: Run master and replica
@@ -178,12 +146,6 @@ jobs:
 - uses: actions/download-artifact@v4
 with:
 name: freeipa-server-${{ matrix.os }}
- - name: Decrypt artifacts that were encrypted after build
- uses: ./.github/actions/decrypt-file
- if: ${{ startsWith(matrix.os, 'rhel-') }}
- with:
- file: freeipa-server-${{ matrix.os }}.tar.gz
- secret: ${{ secrets.UPLOAD_SECRET }}
 - name: Load image
 run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
 - name: Disable fs.protected_regular
@@ -211,12 +173,6 @@ jobs:
 - uses: actions/download-artifact@v4
 with:
 name: freeipa-server-${{ matrix.os }}
- - name: Decrypt artifacts that were encrypted after build
- uses: ./.github/actions/decrypt-file
- if: ${{ startsWith(matrix.os, 'rhel-') }}
- with:
- file: freeipa-server-${{ matrix.os }}.tar.gz
- secret: ${{ secrets.UPLOAD_SECRET }}
 - name: Load image
 run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | sudo podman load
 - name: Run master and replica
@@ -232,7 +188,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- os: [ fedora-40, rhel-9, rhel-8, centos-9-stream, rocky-9, rocky-8, almalinux-8 ]
+ os: [ fedora-40, centos-9-stream, rocky-9, almalinux-8 ]
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@v4
@@ -241,12 +197,6 @@ jobs:
 - uses: actions/download-artifact@v4
 with:
 name: freeipa-server-${{ matrix.os }}
- - name: Decrypt artifacts that were encrypted after build
- uses: ./.github/actions/decrypt-file
- if: ${{ startsWith(matrix.os, 'rhel-') }}
- with:
- file: freeipa-server-${{ matrix.os }}.tar.gz
- secret: ${{ secrets.UPLOAD_SECRET }}
 - name: Load image
 run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | podman load
 - name: Run master
@@ -269,8 +219,6 @@ jobs:
 data-from: fedora-39
 - os: fedora-40
 data-from: fedora-38
- - os: rhel-8
- data-from: centos-8
 - os: rocky-8
 data-from: centos-8
 - os: almalinux-8
@@ -282,12 +230,6 @@ jobs:
 - uses: actions/download-artifact@v4
 with:
 name: freeipa-server-${{ matrix.os }}
- - name: Decrypt artifacts that were encrypted after build
- uses: ./.github/actions/decrypt-file
- if: ${{ startsWith(matrix.os, 'rhel-') }}
- with:
- file: freeipa-server-${{ matrix.os }}.tar.gz
- secret: ${{ secrets.UPLOAD_SECRET }}
 - name: Load image
 run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
 - name: Populate volume with data
@@ -313,12 +255,6 @@ jobs:
 - uses: actions/download-artifact@v4
 with:
 name: freeipa-server-${{ matrix.os }}
- - name: Decrypt artifacts that were encrypted after build
- uses: ./.github/actions/decrypt-file
- if: ${{ startsWith(matrix.os, 'rhel-') }}
- with:
- file: freeipa-server-${{ matrix.os }}.tar.gz
- secret: ${{ secrets.UPLOAD_SECRET }}
 - name: Load image
 run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | podman load
 - name: Populate volume with data
@@ -344,12 +280,6 @@ jobs:
 - uses: actions/download-artifact@v4
 with:
 name: freeipa-server-${{ matrix.os }}
- - name: Decrypt artifacts that were encrypted after build
- uses: ./.github/actions/decrypt-file
- if: ${{ startsWith(matrix.os, 'rhel-') }}
- with:
- file: freeipa-server-${{ matrix.os }}.tar.gz
- secret: ${{ secrets.UPLOAD_SECRET }}
 - name: Load image
 run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
 - name: Populate volume with data
@@ -364,7 +294,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- os: [ fedora-rawhide, fedora-40, rhel-9, rhel-8, centos-9-stream ]
+ os: [ fedora-rawhide, fedora-40, rocky-9, almalinux-8, centos-9-stream ]
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@v4
@@ -372,12 +302,6 @@ jobs:
 - uses: actions/download-artifact@v4
 with:
 name: freeipa-server-${{ matrix.os }}
- - name: Decrypt artifacts that were encrypted after build
- uses: ./.github/actions/decrypt-file
- if: ${{ startsWith(matrix.os, 'rhel-') }}
- with:
- file: freeipa-server-${{ matrix.os }}.tar.gz
- secret: ${{ secrets.UPLOAD_SECRET }}
 - name: Download latest cri-dockerd
 run: curl -s ${{ github.api_url }}/repos/Mirantis/cri-dockerd/releases/latest | jq -r '.assets[].browser_download_url' | grep jammy_amd64.deb | tee /dev/stderr | xargs curl -LO
 - name: Install cri-dockerd
@@ -435,3 +359,41 @@ jobs:
 ${{ secrets.REGISTRY_TARGET_LIST }}
 EOF
+ test-subscription:
+ # Workaround https://github.com/actions/runner/issues/1138
+ name: Prerequisite for RHEL builds
+ runs-on: ubuntu-latest
+ timeout-minutes: 1
+ outputs:
+ has_rhel_subscriptions: ${{ steps.check.outputs.has_rhel_subscriptions }}
+ steps:
+ - id: check
+ run: |
+ if [ -n "${{ secrets.REDHAT_ORG }}" -a -n "${{ secrets.REDHAT_ACTIVATIONKEY }}" ] ; then
+ echo "has_rhel_subscriptions=1" >> $GITHUB_OUTPUT
+ fi
+ build-test-rhel-podman:
+ name: Build and test RHEL image
+ runs-on: ubuntu-22.04
+ needs: [ test-subscription ]
+ if: needs.test-subscription.outputs.has_rhel_subscriptions == 1
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ rhel-9, rhel-8 ]
+ timeout-minutes: 20
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install podman 4.*
+ uses: ./.github/actions/install-podman-4
+ - name: For RHEL builds, use entitlements
+ uses: ./.github/actions/podman-entitlement
+ with:
+ org: ${{ secrets.REDHAT_ORG }}
+ activationkey: ${{ secrets.REDHAT_ACTIVATIONKEY }}
+ - name: Build image
+ run: podman build -t localhost/freeipa-server:${{ matrix.os }} -f Dockerfile.${{ matrix.os }} .
+ - name: Run master
+ run: docker=podman tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} && podman pod ls -q | xargs podman pod rm -f
+
diff --git a/.github/workflows/run-partial-tests.yaml b/.github/workflows/run-partial-tests.yaml
index 50e46b12..b8689d30 100644
--- a/.github/workflows/run-partial-tests.yaml
+++ b/.github/workflows/run-partial-tests.yaml
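Review bot: The `check` step of the new `test-subscription` job splices `${{ secrets.REDHAT_ORG }}` and `${{ secrets.REDHAT_ACTIVATIONKEY }}` straight into the `run:` script text, so a value containing a double quote, `$(` or a backtick alters the shell command instead of being compared, and the raw values become part of the generated script rather than staying in the environment; exposing them via `env:` and testing `"$REDHAT_ORG"` / `"$REDHAT_ACTIVATIONKEY"` avoids both, and two `[ -n … ]` tests joined with `&&` replace the obsolescent `-a` operator. The `>> $GITHUB_OUTPUT` redirect should quote the variable as well. The same inline-secret test is written a second time in the `default-matrix` step of the run-partial-tests.yaml hunk (`@@ -29,13 +29,16 @@`) and should get the identical treatment. In `build-test-rhel-podman`, the final step is named `Run master` but runs `tests/run-master-and-replica.sh`; naming it `Run master and replica`, as the sibling jobs do, keeps the job log honest.
```yaml
      - id: check
        # Keep the secret values out of the script text; the shell reads them
        # from the environment and they never become part of the command line.
        env:
          REDHAT_ORG: ${{ secrets.REDHAT_ORG }}
          REDHAT_ACTIVATIONKEY: ${{ secrets.REDHAT_ACTIVATIONKEY }}
        run: |
          if [ -n "$REDHAT_ORG" ] && [ -n "$REDHAT_ACTIVATIONKEY" ] ; then
            echo "has_rhel_subscriptions=1" >> "$GITHUB_OUTPUT"
          fi
  # … unchanged: rest of test-subscription and the build-test-rhel-podman job …
```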
@@ -29,13 +29,16 @@ jobs:
 steps:
 - id: default-matrix
 run: |
- echo "matrix={'os': [ 'fedora-rawhide', 'fedora-40', 'fedora-39', 'centos-9-stream', 'rocky-9', 'rocky-8', 'almalinux-9', 'almalinux-8' ], \
- 'docker': [ 'docker', 'podman' ], \
- 'include': [ \
- { 'os': 'rhel-9', 'docker': 'podman' }, \
- { 'os': 'rhel-8', 'docker': 'podman' } \
- ] \
- }" | tee -a $GITHUB_OUTPUT
+ (
+ echo -n "matrix={'os': [ 'fedora-rawhide', 'fedora-40', 'fedora-39', 'centos-9-stream', 'rocky-9', 'rocky-8', 'almalinux-9', 'almalinux-8' ], \
+ 'docker': [ 'docker', 'podman' ] "
+ if [ -n "${{ secrets.REDHAT_ORG }}" -a -n "${{ secrets.REDHAT_ACTIVATIONKEY }}" ] ; then
+ echo -n ", 'include': [ \
+ { 'os': 'rhel-9', 'docker': 'podman' }, \
+ { 'os': 'rhel-8', 'docker': 'podman' } \
+ ]"
+ fi
+ echo "}" ) | tee -a $GITHUB_OUTPUT
 if: github.event_name != 'workflow_dispatch' || inputs.full
 - id: dispatch-matrix
 run: |
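Review bot: The subscription-presence test added to `default-matrix` is a hand-written second copy of the one in build-test.yaml's `test-subscription` job, so the two workflows can now drift on which secrets count as "RHEL available"; if the two must stay separate, at least give this step the same `env:` mapping (`REDHAT_ORG: ${{ secrets.REDHAT_ORG }}`, `REDHAT_ACTIVATIONKEY: ${{ secrets.REDHAT_ACTIVATIONKEY }}`) and test `"$REDHAT_ORG"` / `"$REDHAT_ACTIVATIONKEY"` so both checks read identically. A one-line comment above the `if`, such as `# RHEL entries are only offered when the entitlement secrets are set (not on forks)`, would also explain to the next reader why the matrix is assembled in pieces rather than emitted as one string.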