soil/github-actions.sh

OILS / soil / github-actions.sh View on Github | oilshell.org

139 lines, 69 significant

1	#!/usr/bin/env bash
2	#
3	# Usage:
4	# soil/github-actions.sh <function name>
5
6	set -o nounset
7	set -o pipefail
8	set -o errexit
9
10	keygen() {
11	# rsa_github_actions is private, and sent to Github to log into the server
12	# rsa_github_actions.pub is public, and put in authorized_keys on the server
13	ssh-keygen -t rsa -b 4096 -C "oilshell github-actions" -f rsa_github_actions
14	}
15
16	#
17	# Run remotely
18	#
19
20	publish-html-assuming-ssh-key() {
21	local job_name=$1
22	local update_status_api=${2:-}
23
24	if true; then
25	# https://docs.github.com/en/actions/reference/environment-variables
26
27	# Recommended by the docs
28	export JOB_URL="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
29
30	soil/web-worker.sh deploy-job-results 'github-' $GITHUB_RUN_NUMBER $job_name \
31	JOB_URL \
32	GITHUB_WORKFLOW \
33	GITHUB_RUN_ID \
34	GITHUB_RUN_NUMBER \
35	GITHUB_JOB \
36	GITHUB_ACTION \
37	GITHUB_REF \
38	GITHUB_PR_NUMBER \
39	GITHUB_PR_HEAD_REF \
40	GITHUB_PR_HEAD_SHA
41	else
42	soil/web-worker.sh deploy-test-wwz # dummy data that doesn't depend on the build
43	fi
44
45	# Calls rewrite-jobs-index and cleanup-jobs-index
46	time soil/web-worker.sh remote-event-job-done 'github-' $GITHUB_RUN_NUMBER
47
48	if test -n "$update_status_api"; then
49	soil/web-worker.sh scp-status-api "$GITHUB_RUN_ID" "$job_name"
50	soil/web-worker.sh remote-cleanup-status-api
51	fi
52	}
53
54	# Notes on Github secrets:
55
56	# - "Secrets are environment variables that are encrypted. Anyone with
57	# collaborator access to this repository can use these secrets for Actions."
58	#
59	# - "Secrets are not passed to workflows that are triggered by a pull request from a fork"
60	#
61	# TODO: We're not following the principle of least privilege! Really we should
62	# have an "append-only" capability? So then pull requests from untrusted forks
63	# can trigger builds?
64	#
65	# Instead of SSH, we should use curl to POST a .zip file to PHP script on
66	# travis-ci.oilshell.org?
67
68	load-secret-key() {
69	local privkey=/tmp/rsa_github_actions
70
71	if test -n "${OILS_GITHUB_KEY:-}"; then
72	echo "$OILS_GITHUB_KEY" > $privkey
73	else
74	echo '$OILS_GITHUB_KEY not set'
75	exit 1
76	fi
77
78	chmod 600 $privkey
79	eval "$(ssh-agent -s)"
80	ssh-add $privkey
81	}
82
83
84	# Overwrites the function in soil/travis.sh
85	publish-html() {
86	### Publish job HTML, and optionally status-api
87
88	load-secret-key
89
90	set -x
91	# $1 can be the job name
92	publish-html-assuming-ssh-key "$@"
93	}
94
95	publish-cpp-tarball() {
96	load-secret-key
97
98	soil/web-worker.sh publish-cpp-tarball github-
99	}
100
101	# Don't need this because Github Actions has it pre-installed.
102	install-podman() {
103	sudo apt-get install -y podman
104	podman --version
105	}
106
107	run-job() {
108	### Called by YAML config
109
110	# Unlike sourcehut, Github Actions runs one job per machine. So we fix the
111	# mount permissions and run the job in one step.
112
113	local job_name=$1
114	local docker=${2:-docker}
115
116	# I think it starts in the repo
117	# cd $REPO_ROOT
118
119	soil/host-shim.sh mount-perms $REPO_ROOT
120	echo
121	echo
122
123	soil/host-shim.sh run-job-uke $docker $REPO_ROOT $job_name
124	}
125
126	publish-and-exit() {
127	### Called by YAML config
128	local job_name=$1
129	# second param is passed to publish-html
130
131	# Unlike sourcehut, Github Actions runs one job per machine. So we publish
132	# HTML and exit in one step.
133
134	publish-html "$@"
135
136	soil/host-shim.sh did-all-succeed $job_name
137	}
138
139	"$@"