
#!/usr/bin/env bash
#
# Github Actions entry points for the soil CI.
#
# Usage:
#   soil/github-actions.sh <function name> [args...]
#
# Every function in this file is invoked by name through the "$@" dispatch at
# the bottom.

# Fail fast: unset variables, failing pipeline stages and non-zero exit
# statuses all abort the script.
set -euo pipefail

#######################################
# Generate the RSA keypair that Github Actions uses to log into the web server.
#
# Outputs (in the current directory):
#   rsa_github_actions     - private half; sent to Github so the workflow can
#                            log into the server (presumably as the
#                            OILS_GITHUB_KEY secret read by load-secret-key)
#   rsa_github_actions.pub - public half; goes into authorized_keys on the server
#######################################
keygen() {
  local key_file='rsa_github_actions'
  ssh-keygen -t rsa -b 4096 -C "oilshell github-actions" -f "$key_file"
}

#
# Run remotely
#

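#######################################
# Deploy one job's HTML results to the web server, then optionally publish the
# status API for this run.  Assumes an ssh-agent already holds the deploy key
# (see load-secret-key).
#
# Arguments:
#   $1 - job name
#   $2 - optional; when non-empty, also scp the status API and clean it up
# Globals:
#   Reads the GITHUB_* variables that Github Actions sets; exports JOB_URL.
# Returns:
#   the status of the last web-worker.sh step; under errexit any failing step
#   aborts the script
#######################################
publish-html-assuming-ssh-key() {
  local job_name=$1
  local update_status_api=${2:-}

  # Developer toggle: change 'true' to 'false' to push dummy data that doesn't
  # depend on the build, e.g. when debugging the deploy path itself.
  if true; then
    # https://docs.github.com/en/actions/reference/environment-variables

    # Recommended by the docs
    export JOB_URL="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"

    # The trailing arguments are variable NAMES, not values; presumably
    # web-worker.sh looks them up itself.  The run number and job name are
    # quoted so an unexpected space or glob character can't split them.
    soil/web-worker.sh deploy-job-results 'github-' "$GITHUB_RUN_NUMBER" "$job_name" \
      JOB_URL \
      GITHUB_WORKFLOW \
      GITHUB_RUN_ID \
      GITHUB_RUN_NUMBER \
      GITHUB_JOB \
      GITHUB_ACTION \
      GITHUB_REF \
      GITHUB_PR_NUMBER \
      GITHUB_PR_HEAD_REF \
      GITHUB_PR_HEAD_SHA
  else
    soil/web-worker.sh deploy-test-wwz  # dummy data that doesn't depend on the build
  fi

  # Calls rewrite-jobs-index and cleanup-jobs-index
  time soil/web-worker.sh remote-event-job-done 'github-' "$GITHUB_RUN_NUMBER"

  if [[ -n "$update_status_api" ]]; then
    soil/web-worker.sh scp-status-api "$GITHUB_RUN_ID" "$job_name"
    soil/web-worker.sh remote-cleanup-status-api
  fi
}
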
# Notes on Github secrets:

# - "Secrets are environment variables that are encrypted. Anyone with
#   collaborator access to this repository can use these secrets for Actions."
#
# - "Secrets are not passed to workflows that are triggered by a pull request from a fork"
#
# TODO: We're not following the principle of least privilege!  Really we should
# have an "append-only" capability, so that pull requests from untrusted forks
# could trigger builds?
#
# Instead of SSH, we could use curl to POST a .zip file to a PHP script on
# travis-ci.oilshell.org?

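#######################################
# Write the deploy key held in the OILS_GITHUB_KEY secret to disk and load it
# into a fresh ssh-agent, so later ssh/scp steps in this job can log into the
# server.
#
# Globals:
#   OILS_GITHUB_KEY (read) - the private key, provided as a Github secret
#                            (presumably the private half produced by keygen)
#   SSH_AUTH_SOCK, SSH_AGENT_PID (written) - set by eval'ing 'ssh-agent -s'
# Outputs:
#   error message on stderr when the secret is missing
# Returns:
#   exits 1 if OILS_GITHUB_KEY is unset or empty; otherwise the status of
#   ssh-add
#######################################
load-secret-key() {
  local privkey=/tmp/rsa_github_actions

  if [[ -z "${OILS_GITHUB_KEY:-}" ]]; then
    echo '$OILS_GITHUB_KEY not set' >&2
    exit 1
  fi

  # Remove anything stale at the fixed path (a leftover file or a symlink)
  # and create the new file with mode 0600 from the start.  Writing first and
  # chmod'ing afterwards would leave a window where the key is readable by any
  # other user of /tmp.  printf is used so the key text is never parsed as an
  # echo option.
  # TODO(review): a mktemp -d directory would avoid the predictable name
  # entirely; kept as-is in case the path is referenced elsewhere.
  rm -f -- "$privkey"
  (
    umask 077
    printf '%s\n' "$OILS_GITHUB_KEY" > "$privkey"
  )
  chmod 600 "$privkey"

  # 'ssh-agent -s' prints shell assignments for SSH_AUTH_SOCK and
  # SSH_AGENT_PID; eval them so the agent is visible to every later ssh call
  # in this process.  Nothing in this file stops the agent afterwards.
  eval "$(ssh-agent -s)"
  ssh-add "$privkey"
}
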
#######################################
# Publish the job's HTML and, optionally, the status API.
# Overrides the function of the same name in soil/travis.sh.
#
# Arguments:
#   $@ - forwarded to publish-html-assuming-ssh-key ($1 is the job name, an
#        optional $2 enables the status-api update)
#######################################
publish-html() {
  ### Publish job HTML, and optionally status-api

  load-secret-key

  # Tracing starts only after load-secret-key, which keeps the key material
  # out of the xtrace output.
  set -o xtrace
  publish-html-assuming-ssh-key "$@"
}

#######################################
# Upload this job's C++ tarball via soil/web-worker.sh, after loading the
# deploy key into an ssh-agent.
#######################################
publish-cpp-tarball() {
  local prefix='github-'

  load-secret-key
  soil/web-worker.sh publish-cpp-tarball "$prefix"
}

# Not needed on Github Actions, where podman is already installed.
install-podman() {
  ### Install podman with apt and print the installed version
  sudo apt-get install -y podman
  podman --version
}

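#######################################
# Run one CI job inside a container.  Called by the YAML config.
#
# Unlike sourcehut, Github Actions runs one job per machine, so fixing the
# mount permissions and running the job happen in a single step here.
#
# Arguments:
#   $1 - job name
#   $2 - container runtime to use (default: docker)
# Globals:
#   REPO_ROOT (read) - checkout directory handed to soil/host-shim.sh
#######################################
run-job() {
  local job_name=$1
  local docker=${2:-docker}

  # Fail with a clear message instead of nounset's generic one.
  : "${REPO_ROOT:?REPO_ROOT must be set}"

  # The runner appears to start in the repo already, so no cd is done here.
  # cd "$REPO_ROOT"

  soil/host-shim.sh mount-perms "$REPO_ROOT"
  echo
  echo

  soil/host-shim.sh run-job-uke "$docker" "$REPO_ROOT" "$job_name"
}
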
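#######################################
# Publish the job's HTML and then exit with the job's overall result.
# Called by the YAML config.
#
# Unlike sourcehut, Github Actions runs one job per machine, so publishing the
# HTML and exiting happen in a single step here.
#
# Arguments:
#   $1 - job name
#   $2 - optional; forwarded to publish-html (enables the status-api update)
#######################################
publish-and-exit() {
  local job_name=$1

  publish-html "$@"

  # Last command, so its status becomes the script's; under errexit a
  # non-zero result ends the script here.
  soil/host-shim.sh did-all-succeed "$job_name"
}
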
# Dispatch: run the function named by the first argument with the remaining
# arguments, e.g. 'soil/github-actions.sh run-job <job name>'.  With no
# arguments this expands to nothing and the script exits 0.
"$@"