tests/e2e: Migrate e2e test for s390x to GHA #295
Conversation
BbolroC
force-pushed
the
migrate-to-gha-s390x
branch
from
696f3cb
to
ed0fe0b
Compare
|
Hey @BbolroC, looks good to me. |
Hi, thank you for your comment. I'd like to add more information to further clarify the conflict I previously explained: Let's say we would like to incorporate 2 different architectures by using 2 runners named name: Example Workflow
jobs:
job1:
matrix:
os: [x86_64, s390x]
runs-on: {{ matrix.os }}
steps:
- name: Pre Step
run: echo "Running Pre Step"
if: {{ matrix.os == 's390x' }}
- name: Main Step
run: echo "Running Main Step"
- name: Post Step
if: {{ matrix.os == 's390x' }}
run: echo "Running Post Step"Thinking that the {pre,post} steps are only required for Upon further consideration, a potential resolution could involve passing a matrix element as an environment variable into a step, like: - name: Post Step
if: always()
run: echo "Dealing with a step selectively based on an environment variable `OS`"
env:
OS: {{ matrix.os }}I can confidently state that the introduction of the {pre,post} actions wouldn't pose any issues for incorporating workflows across multiple architectures. Thanks. |
.github/workflows/ci-s390x.yaml
Outdated
| steps: | ||
| - name: Adjust a permission for repo | ||
| run: | | ||
| sudo chown -R $USER:$USER $GITHUB_WORKSPACE |
There was a problem hiding this comment.
hi @BbolroC should this chown call be part of the pre-action too?
There was a problem hiding this comment.
Yeah, you are totally right. Thanks for pointing it out. I will update the PR.
FYI: this optimisation will also apply to kata GHA (kata-containers/kata-containers#8649) soon. 😉
Indeed it is a possible solution. You can use an environment variable as shown above and/or you can check the existence of a post-step script: - name: Take a post-action
if: always()
run: |
if [ -f "${HOME}/script/post_action.sh" ];then
${HOME}/script/post_action.sh cc-operator-pr
fiLikewise the pre-step. Another solution would be to decouple the post-step from this workflow. If you use the https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run event than you can get a 2nd workflow ran afterwards which could run the post-step actions. However I think this solution kind of overkill.
|
|
@ryansavino could you also jump in this discussion? Essentially @BbolroC, @portersrc and I have figured out ways to have a multi-arch and non-TEE/TEE integrated workflow for running the e2e tests. I do believe that for SEV/SNP you will need to have pre/post actions as well. |
BbolroC
force-pushed
the
migrate-to-gha-s390x
branch
from
ed0fe0b
to
25fe509
Compare
BbolroC
changed the title
|
As discussed above, the workflows introduced in this PR are incorporated into the existing x86_64 workflow The whole workflow looks like https://github.com/BbolroC/cc-operator/actions/runs/7492328011/job/20395717523. @wainersm @stevenhorsman @fidencio please take a look at this and give me a feedback. Thanks! |
BbolroC
force-pushed
the
migrate-to-gha-s390x
branch
from
25fe509
to
70c8cd1
Compare
| ./run-local.sh -r "${{ matrix.runtimeclass }}" -u | ||
| args="-u" | ||
| if [ $RUNNING_INSTANCE = "s390x" ]; then | ||
| args="" |
There was a problem hiding this comment.
@BbolroC so s390x is not going to run the undo (-u) operations from the e2e framework. Will it be done (undo) by the post-action then?
There was a problem hiding this comment.
Yes, it was concluded that the option -u is not suitable for a self-hosted runner context. The functionality of the option is delegated to the {pre,post}-action.
|
|
||
| jobs: | ||
| e2e-on-push: | ||
| if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }} |
There was a problem hiding this comment.
Very nice that you are protecting the pipeline with labels. We even talked today on #confidentia-containers-ci about securing our pipelines and this is one measurement.
| @@ -0,0 +1,17 @@ | |||
| name: ccruntime e2e test on-push | |||
| on: | |||
| pull_request_target: | |||
There was a problem hiding this comment.
Changing from pull_request to pull_request_target will change the behavior of actions/checkout@v4, i.e., it will check out the pull request tree which is not rebased with main. We will need to rebase the check'ed code ourselves to emulate the same behavior of pull_request. This is a well-known problem, we can fix it as kata CI and in a follow up PR if you prefer.
There was a problem hiding this comment.
Yeah, then I will borrow the script and place it in this PR rather than instituting it in the next PR.
| @@ -0,0 +1,17 @@ | |||
| name: ccruntime e2e test on-push | |||
There was a problem hiding this comment.
Nit: not use on-push on the workflow name, file and jobs as this workflow is triggered on pull request.
There was a problem hiding this comment.
Yes, I will rename ones relevant to this comment. Thanks for the comment.
BbolroC
force-pushed
the
migrate-to-gha-s390x
branch
3 times, most recently
from
27a0adf
to
71b3f69
Compare
BbolroC
force-pushed
the
migrate-to-gha-s390x
branch
4 times, most recently
from
8436322
to
4b8f594
Compare
This PR is to migrate the following e2e tests for s390x to GHA: - confidential-containers-operator-main-ubuntu-20.04-s390x-containerd_kata-qemu-baseline - confidential-containers-operator-main-ubuntu-20.04-s390x-containerd_kata-qemu-PR - confidential-containers-operator-main-ubuntu-20.04-s390x-SE-daily They are incorporated into the existing x86_64 test workflow `ccruntime_e2e.yaml`. The workflows incorparated are triggered not only by PR, but also nightly at 2:00 UTC. Fixes: confidential-containers#294 Signed-off-by: Hyounggyu Choi <[email protected]>
BbolroC
force-pushed
the
migrate-to-gha-s390x
branch
from
4b8f594
to
e1d7fe2
Compare
| # Recover from any previous rebase left halfway | ||
| git rebase --abort 2> /dev/null || true | ||
| if ! git rebase origin/${TARGET_BRANCH}; then | ||
| >&2 echo "Rebase failed, exiting" |
There was a problem hiding this comment.
Hey Choi, in the kata-containers version there was a different path for self-hosted runner than deleted the workspace directory to avoid merge conflicts impacting runs IIRC - is that needed here too?
There was a problem hiding this comment.
I intentionally removed those lines here, wanting to see if that is also the case for this repo. Even if that is the case again, that could be handled by {pre,post}-action, I guess.
There was a problem hiding this comment.
Great, thanks for the explanation!
|
Now, we are facing the |
Just to confirm, this is just a one off where we need to remove them as required and then after this merge we've have new jobs to make required that superceded them? |
Yes, I think so, unfortunately. If we don't like this approach, let's stop proceeding things and start re-discussing what could be a better way to trigger the tests on the expected github events for a PR in a protective (resource) way. |
I think that makes sense to take the hit now, especially given we are far away from releases. @wainersm are you happy with this? |
There was a problem hiding this comment.
Thanks for the changes, what is the problem with the required tests? I remember the discussion but still new to this repo. In different repos when GH CI did not scale we simply tested the PR locally and pushed things via cmdline (where the required conditions are not checked). Worst case we can always revert if the GH runners find the main version broken.
Yes @stevenhorsman , I'm happy with that. @BbolroC I added an entry on the agenda of our meeting today to discuss the methods we have used to protect the self-hosted runners. |
Hi @ldoktor , let me see if I can explain accurately... This PR change the current jobs so that they are triggered on a different event ( |
This is to fix 2 issues identified during the follow-up test for confidential-containers#295. - git-helper.sh misses an execution permission - actions/checkout@v4 does not fetch the code from the git ref This commit is to fix these issues. Signed-off-by: Hyounggyu Choi <[email protected]>
This PR is to migrate the AMD SEV and SNP e2e tests from Jenkins to GHA. Builds on top of PR confidential-containers#295 Signed-off-by: Adithya Krishnan Kannan<[email protected]>
This PR is to migrate the AMD SEV and SNP e2e tests from Jenkins to GHA. Builds on top of PR confidential-containers#295 Signed-off-by: Adithya Krishnan Kannan<[email protected]>
This PR is to migrate the AMD SEV and SNP e2e tests from Jenkins to GHA. Builds on top of PR confidential-containers#295 Signed-off-by: Adithya Krishnan Kannan <[email protected]>
This PR is to migrate the AMD SEV and SNP e2e tests from Jenkins to GHA. Builds on top of PR confidential-containers#295 Signed-off-by: Adithya Krishnan Kannan <[email protected]>
This PR is to migrate the AMD SEV and SNP e2e tests from Jenkins to GHA. Includes some fixes suggested by ldoktor and fitzthum. Builds on top of PR confidential-containers#295 Signed-off-by: Adithya Krishnan Kannan <[email protected]>
This PR is to migrate the following e2e tests for s390x in Jenkins to GHA:
It will be staying in a
work-in-progressstate and the workflow structure will be changed based on that ofx86_64. (i.e. a decision could be made when #260 is finalised.)The workflow itself has been tested several times
The rationale for the
{pre,post}action in the workflow is as follows:Of course, an introduction of the actions makes it hard to incorporate workflows for different architectures into one via
matrixbecauseif:for the selective run for an architecture (e.g.if: ${{ matrix.arch == 's390x' }}) conflicts withif: always()which is used for the post action. I look forward to any feedback for those two actions.There are 2 things which must be prepared before the merge:
REGISTRY_CREDENTIAL_ENCODED.Thanks.
Fixes: #294
Signed-off-by: Hyounggyu Choi [email protected]