From b4f25533379a0b2c00626c70b53cd6c1b3abedaa Mon Sep 17 00:00:00 2001 
From: Noach Magedman Date: Wed, 29 Nov 2023 10:55:44 +0200 Subject: [PATCH] PATCH: GitHubCI Configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Tailor the GitHubCI workflow to match our needs. Tweak some jobs: - checks (linter and type-checking) - Advisory only! Don't block the build/test/deploy process just because the linter is OCD on code layout. They can even run in parallel to the build. - build - Always run Reset Meteor task. Not sure though what difference it makes. - test-* - Disabled most of them, since they assume usage of Docker images. - Advisory only! Don't block the deploy for them. We can even deploy (copy to S3) while the tests are still running. - Strangely, they test on 4.4 and 6.0, but not 5.0 (which we run). I was going to change it to 5.0, but decided to minimize my changes, especially since I don't know what side-effects changing it might have. - deploy - Always run, not just releases and the `develop` branch - Save a `-latest` build, in addition to the versionized one - Skip the code signing/registration steps - Upload to *our* S3 bucket, not upstream’s - This is the bulk of the edits! ~~Delete~~ Disable jobs we aren't interested in: - build-prod - Q: How is this different from `build`? A: 1. This waits for tests-done. `build` does not. 2. `build` has `coverage:true`, although that only kicks in for PRs. Nonetheless, I changed build.coverage to false. 
- build-gh-docker-coverage - build-gh-docker - test-api - test-ui - test-api-ee - build-docker-preview - docker-image-publish - services-docker-image-publish - notify-services - trigger-dependent-workflows Delete the other workflow files: - We don't need them - Keep only ci.yml and its extracted ci-*.yml files --- .github/workflows/ci-code-check.yml | 1 + .github/workflows/ci-test-e2e.yml | 1 + .github/workflows/ci-test-unit.yml | 1 + .github/workflows/ci.yml | 41 +++++++------- .github/workflows/codeql-analysis.yml | 51 ------------------ .github/workflows/new-release.yml | 53 ------------------- .github/workflows/pr-title-checker.yml | 17 ------ .github/workflows/publish-release.yml | 42 --------------- .github/workflows/stale.yml | 20 ------- .../vulnerabilities-jira-integration.yml | 22 -------- 10 files changed, 25 insertions(+), 224 deletions(-) delete mode 100644 .github/workflows/codeql-analysis.yml delete mode 100644 .github/workflows/new-release.yml delete mode 100644 .github/workflows/pr-title-checker.yml delete mode 100644 .github/workflows/publish-release.yml delete mode 100644 .github/workflows/stale.yml delete mode 100644 .github/workflows/vulnerabilities-jira-integration.yml diff --git a/.github/workflows/ci-code-check.yml b/.github/workflows/ci-code-check.yml index 75deb399d2f2..f7bb3881b319 100644 --- a/.github/workflows/ci-code-check.yml +++ b/.github/workflows/ci-code-check.yml @@ -12,6 +12,7 @@ env: jobs: code-check: + continue-on-error: true runs-on: ubuntu-20.04 name: ${{ matrix.check == 'ts' && 'TypeScript' || 'Code Lint' }} diff --git a/.github/workflows/ci-test-e2e.yml b/.github/workflows/ci-test-e2e.yml index e70d4c80217e..7999991dcdeb 100644 --- a/.github/workflows/ci-test-e2e.yml +++ b/.github/workflows/ci-test-e2e.yml @@ -68,6 +68,7 @@ env: jobs: test: + continue-on-error: true runs-on: ubuntu-20.04 env: RC_DOCKERFILE: ${{ matrix.mongodb-version == '6.0' && inputs.rc-dockerfile-alpine || inputs.rc-dockerfile }} 
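Review bot: `continue-on-error: true` on the `code-check` job has no comment explaining it, and the same bare line is added to the `test` jobs in ci-test-e2e.yml and ci-test-unit.yml. Set at job level, it stops a failing lint, type-check or test job from failing the workflow run, so a regression is visible only to someone who opens the individual job. I would put a comment above each, e.g. `# Advisory only: a failure here must not block build/deploy; check the job result manually`. If the results are meant to be read, surface them somewhere visible, such as a job summary. All three job bodies continue outside their hunks.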
diff --git a/.github/workflows/ci-test-unit.yml b/.github/workflows/ci-test-unit.yml index 066cc2e3773e..dcb05489a57e 100644 --- a/.github/workflows/ci-test-unit.yml +++ b/.github/workflows/ci-test-unit.yml @@ -16,6 +16,7 @@ env: jobs: test: + continue-on-error: true runs-on: ubuntu-20.04 name: Unit Tests diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dc38dcd7fe65..7b30cbba3cb2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,7 +7,7 @@ on: branches: '**' push: branches: - - develop + - '**' concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} @@ -143,12 +143,12 @@ jobs: - uses: ./.github/actions/meteor-build with: node-version: ${{ needs.release-versions.outputs.node-version }} - coverage: true + coverage: false build-prod: + if: false name: πŸ“¦ Meteor Build - official needs: [tests-done, release-versions, packages-build] - if: (github.event_name == 'release' || github.ref == 'refs/heads/develop') runs-on: ubuntu-20.04 steps: @@ -170,6 +170,7 @@ jobs: coverage: false build-gh-docker-coverage: + if: false name: 🚒 Build Docker Images for Testing needs: [build, release-versions] runs-on: ubuntu-20.04 @@ -199,6 +200,7 @@ jobs: platform: ${{ matrix.platform }} build-gh-docker: + if: false name: 🚒 Build Docker Images for Production needs: [build-prod, release-versions] runs-on: ubuntu-20.04 @@ -253,6 +255,7 @@ jobs: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} test-api: + if: false name: πŸ”¨ Test API (CE) needs: [checks, build-gh-docker-coverage, release-versions] @@ -272,6 +275,7 @@ jobs: CR_PAT: ${{ secrets.CR_PAT }} test-ui: + if: false name: πŸ”¨ Test UI (CE) needs: [checks, build-gh-docker-coverage, release-versions] @@ -298,6 +302,7 @@ jobs: REPORTER_ROCKETCHAT_URL: ${{ secrets.REPORTER_ROCKETCHAT_URL }} test-api-ee: + if: false name: πŸ”¨ Test API (EE) needs: [checks, build-gh-docker-coverage, release-versions] 
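Review bot: Widening `push.branches` to `'**'` in the `on:` hunk of ci.yml leaves the concurrency group in the context line below it unsuited to push runs. `github.head_ref` is empty on a push event, so the group falls back to `github.run_id` and every push gets a group of its own. Two pushes in quick succession therefore run the whole pipeline in parallel, and with the `deploy` guard removed later in this file both reach the S3 upload. Consider `group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}` so runs for one branch share a group; whether older runs are then cancelled depends on `cancel-in-progress`, which is outside the hunk. A pull-request branch in the same repository will also start both a `push` and a `pull_request` run per commit.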
@@ -320,6 +325,7 @@ jobs: CR_PAT: ${{ secrets.CR_PAT }} test-ui-ee: + if: false name: πŸ”¨ Test UI (EE) needs: [checks, build-gh-docker-coverage, release-versions] @@ -358,10 +364,9 @@ jobs: echo finished deploy: - name: πŸš€ Publish build assets + name: πŸš€ Copy to S3 # The actual deployment to our servers is done via Jenkins runs-on: ubuntu-20.04 - if: github.event_name == 'release' || github.ref == 'refs/heads/develop' - needs: [build-gh-docker, release-versions] + needs: [build, release-versions] steps: - uses: Bhacaz/checkout-files@v2 @@ -377,10 +382,9 @@ jobs: - name: Publish assets env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: 'us-east-1' - GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USER_GITHUB_ROCKETCHAT_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_USER_GITHUB_ROCKETCHAT_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: us-west-2 run: | REPO_VERSION=$(node -p "require('./package.json').version") 
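Review bot: The `deploy` job loses its `if:` with nothing in its place, so it now runs on every event this workflow handles, including `pull_request`. Its `needs:` is reduced to `build` and `release-versions`, so it waits for neither `checks` nor any test job. The AWS write credentials in the following hunk are therefore exposed to runs for unreviewed branches, and an artifact can be uploaded regardless of test results. If per-branch uploads are intended, a narrower guard such as `if: github.event_name == 'push'` keeps pull-request runs away from the credentials. A comment on `needs:` saying that tests are deliberately not awaited would make the choice explicit; the job's remaining steps are outside the hunk.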
@@ -394,26 +398,22 @@ jobs: ROCKET_DEPLOY_DIR="/tmp/deploy" FILENAME="$ROCKET_DEPLOY_DIR/rocket.chat-$ARTIFACT_NAME.tgz"; + FILENAME_LATEST="$ROCKET_DEPLOY_DIR/rocket.chat-latest.tgz"; - aws s3 cp s3://rocketchat/sign.key.gpg .github/sign.key.gpg mkdir -p $ROCKET_DEPLOY_DIR - cp .github/sign.key.gpg /tmp - gpg --yes --batch --passphrase=$GPG_PASSWORD /tmp/sign.key.gpg - gpg --allow-secret-key-import --import /tmp/sign.key - rm /tmp/sign.key ln -s /tmp/build/Rocket.Chat.tar.gz "$FILENAME" - gpg --armor --detach-sign "$FILENAME" + ln -s /tmp/build/Rocket.Chat.tar.gz "$FILENAME_LATEST" - aws s3 cp $ROCKET_DEPLOY_DIR/ s3://download.rocket.chat/build/ --recursive + aws s3 cp $ROCKET_DEPLOY_DIR/ s3://seekingalpha-rocketchat-builds/ --recursive build-docker-preview: + if: false name: 🚒 Build Docker Image (preview) runs-on: ubuntu-20.04 needs: [build, checks, release-versions] - if: github.event_name == 'release' || github.ref == 'refs/heads/develop' steps: - uses: actions/checkout@v4 @@ -440,6 +440,7 @@ jobs: password: ${{ secrets.CR_PAT }} docker-image-publish: + if: false name: πŸš€ Publish Docker Image (main) runs-on: ubuntu-20.04 needs: [deploy, build-docker-preview, release-versions] @@ -551,6 +552,7 @@ jobs: echo "::endgroup::" services-docker-image-publish: + if: false name: πŸš€ Publish Docker Image (services) runs-on: ubuntu-20.04 needs: [deploy, release-versions] @@ -640,6 +642,7 @@ jobs: echo "::endgroup::" notify-services: + if: false name: πŸš€ Notify external services runs-on: ubuntu-20.04 needs: @@ -700,8 +703,8 @@ jobs: -d '{"tag":"'$GIT_TAG'"}' trigger-dependent-workflows: + if: false runs-on: ubuntu-latest - if: github.event_name == 'release' needs: - services-docker-image-publish - docker-image-publish diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index 483b404a6dc8..000000000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null 
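Review bot: `rocket.chat-latest.tgz` is written on every run, so with the all-branches trigger the object a downstream job (presumably Jenkins) picks up as "latest" is whatever branch was pushed last. With the GPG detached signature removed, nothing published next to the archive lets the consumer check what it downloaded. Restricting the alias to the main branch would help, e.g. `if [ "$GITHUB_REF" = "refs/heads/develop" ]; then ln -s /tmp/build/Rocket.Chat.tar.gz "$FILENAME_LATEST"; fi`; the branch name is taken from the removed guard and may differ in this fork. Uploading a `sha256sum` digest beside each archive would restore a basic consistency check, though it does not protect against anyone who can write to the bucket. `$ROCKET_DEPLOY_DIR` is also unquoted in the `mkdir` and `aws s3 cp` lines, which is harmless for the fixed `/tmp/deploy` value but inconsistent with `"$FILENAME"`.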
@@ -1,51 +0,0 @@ -name: 'Code scanning - action' - -on: - push: - pull_request: - schedule: - - cron: '0 13 * * *' - -jobs: - CodeQL-Build: - # CodeQL runs on ubuntu-latest and windows-latest - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - # We must fetch at least the immediate parents so that if this is - # a pull request then we can checkout the head. - fetch-depth: 2 - - # If this run was triggered by a pull request event, then checkout - # the head of the pull request instead of the merge commit. - - run: git checkout HEAD^2 - if: ${{ github.event_name == 'pull_request' }} - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - # Override language selection by uncommenting this and choosing your languages - with: - languages: javascript - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹ️ Command-line programs to run using the OS shell. - # πŸ“š https://git.io/JvXDl - - # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/new-release.yml b/.github/workflows/new-release.yml deleted file mode 100644 index f10578d5879f..000000000000 --- a/.github/workflows/new-release.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -name: Start new release - -on: - workflow_dispatch: - inputs: - name: - type: choice - description: Release type - default: next - required: true - options: - - next - - patch - - cut - base-ref: - description: Base version - default: develop - required: false - -env: - HUSKY: 0 - -jobs: - new-release: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - with: - ref: ${{ github.event.inputs.base-ref }} - fetch-depth: 0 - token: ${{ secrets.CI_PAT }} - - - name: Setup NodeJS - uses: ./.github/actions/setup-node - with: - node-version: 14.21.3 - cache-modules: true - install: true - - - uses: dtinth/setup-github-actions-caching-for-turbo@v1 - - - name: Build packages - run: yarn build - - - name: 'Start release: ${{ github.event.inputs.name }}' - uses: ./packages/release-action - with: - action: ${{ github.event.inputs.name }} - base-ref: ${{ github.event.inputs.base-ref }} - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - GITHUB_TOKEN: ${{ secrets.CI_PAT }} diff --git a/.github/workflows/pr-title-checker.yml b/.github/workflows/pr-title-checker.yml deleted file mode 100644 index 356ac10c9759..000000000000 --- a/.github/workflows/pr-title-checker.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: 'PR Title Checker' -on: - pull_request_target: - types: - - opened - - edited - - synchronize - - labeled - - unlabeled - -jobs: - check: - runs-on: ubuntu-latest - steps: - - uses: thehanimo/pr-title-checker@v1.3.7 - with: - GITHUB_TOKEN: ${{ secrets.RC_TITLE_CHECKER }} diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml deleted file mode 100644 index e133a3153722..000000000000 --- a/.github/workflows/publish-release.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -name: Publish Final Release - -on: - push: - branches: - - master - -concurrency: ${{ github.workflow }}-${{ github.ref }} - -env: - HUSKY: 0 - -jobs: - release: - name: Release - runs-on: ubuntu-latest - steps: - - name: Checkout Repo - uses: actions/checkout@v4 - with: - fetch-depth: 0 - token: ${{ secrets.CI_PAT }} - - - name: Setup NodeJS - uses: ./.github/actions/setup-node - with: - node-version: 14.21.3 - cache-modules: true - install: true - - - uses: dtinth/setup-github-actions-caching-for-turbo@v1 - - - name: Build packages - run: yarn build - - - name: Publish final release - uses: ./packages/release-action - with: - action: publish-final - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - GITHUB_TOKEN: ${{ secrets.CI_PAT }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml deleted file mode 100644 index b074212964eb..000000000000 --- a/.github/workflows/stale.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: Close inactive issues -on: - schedule: - - cron: "0 */6 * * *" - -jobs: - close-issues: - runs-on: ubuntu-latest - permissions: - issues: write - steps: - - uses: actions/stale@v5 - with: - days-before-issue-stale: 10 - days-before-issue-close: 4 - any-of-labels: 'stat: need more info,stat: waiting response' - stale-issue-label: "stat: no response" - stale-issue-message: "This issue has been marked as stale because there has been no further activity in the last 10 days. If the issue remains stale for the next 4 days (a total of 14 days with no activity), then it will be assumed that the question has been resolved and the issue will be automatically closed." - close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale." - repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/vulnerabilities-jira-integration.yml b/.github/workflows/vulnerabilities-jira-integration.yml deleted file mode 100644 index 2daeb533937d..000000000000 
--- a/.github/workflows/vulnerabilities-jira-integration.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: Github vulnerabilities and jira board integration - -on: - schedule: - - cron: '0 1 * * *' - -jobs: - IntegrateSecurityVulnerabilities: - runs-on: ubuntu-latest - steps: - - name: "Github vulnerabilities and jira board integration" - uses: RocketChat/github-vulnerabilities-jira-integration@v0.3 - env: - JIRA_URL: https://rocketchat.atlassian.net/ - JIRA_TOKEN: ${{ secrets.JIRA_TOKEN }} - GITHUB_TOKEN: ${{ secrets._GITHUB_TOKEN }} - JIRA_EMAIL: security-team-accounts@rocket.chat - JIRA_PROJECT_ID: GJIT - UID_CUSTOMFIELD_ID: customfield_10059 - JIRA_COMPLETE_PHASE_ID: 31 - JIRA_START_PHASE_ID: 11 -