2022-11-11 15:14:43 -05:00
|
|
|
#!/usr/bin/env bash
|
2023-03-15 12:00:52 -04:00
|
|
|
# Copyright (c) HashiCorp, Inc.
|
2023-08-10 21:14:03 -04:00
|
|
|
# SPDX-License-Identifier: BUSL-1.1
|
2023-03-15 12:00:52 -04:00
|
|
|
|
2022-11-11 15:14:43 -05:00
|
|
|
|
2022-12-12 15:46:04 -05:00
|
|
|
# The ci-helper is used to determine build metadata, build Vault binaries,
|
|
|
|
|
# package those binaries into artifacts, and execute tests with those artifacts.
|
2022-11-11 15:14:43 -05:00
|
|
|
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
|
|
|
|
|
# We don't want to get stuck in some kind of interactive pager
|
|
|
|
|
export GIT_PAGER=cat
|
|
|
|
|
|
|
|
|
|
# Get the build date from the latest commit since it can be used across all
|
|
|
|
|
# builds
|
|
|
|
|
function build_date() {
|
|
|
|
|
# It's tricky to do an RFC3339 format in a cross platform way, so we hardcode UTC
|
|
|
|
|
: "${DATE_FORMAT:="%Y-%m-%dT%H:%M:%SZ"}"
|
|
|
|
|
git show --no-show-signature -s --format=%cd --date=format:"$DATE_FORMAT" HEAD
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Get the revision, which is the latest commit SHA
|
|
|
|
|
function build_revision() {
|
|
|
|
|
git rev-parse HEAD
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Determine our repository by looking at our origin URL
|
|
|
|
|
function repo() {
|
|
|
|
|
basename -s .git "$(git config --get remote.origin.url)"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Determine the artifact basename based on metadata
|
|
|
|
|
function artifact_basename() {
|
|
|
|
|
: "${PKG_NAME:="vault"}"
|
|
|
|
|
: "${GOOS:=$(go env GOOS)}"
|
|
|
|
|
: "${GOARCH:=$(go env GOARCH)}"
|
[QT-637] Streamline our build pipeline (#24892)
Context
-------
Building and testing Vault artifacts on pull requests and merges is
responsible for about 1/3rd of our overall spend on Vault CI. Of the
artifacts that we ship as part of a release, we do Enos testing scenarios
on the `linux/amd64` and `linux/arm64` binaries and their derivative
artifacts. The extended build artifacts for non-Linux platforms or less
common machine architectures are not tested at this time. They are built,
notarized, and signed as part of every pull request update and merge. As
we don't actually test these artifacts, the only gain we get from this
rather expensive behavior is that we wont merge a change that would prevent
Vault from building on one of the extended targets. Extended platform or
architecture changes are quite rare, so performing this work as frequently
as we do is costly in both monetary and developer time for little relative
safety benefit.
Goals
-----
Rethink and implement how and when we build binaries and artifacts of Vault
so that we can spend less money on repetitive work and while also reducing
the time it takes for the build and test pipelines to complete.
Solution
--------
Instead of building all release artifacts on every push, we'll opt to build
only our testable (core) artifacts. With this change we are introducing a
bit of risk. We could merge a change that breaks an extended platform and
only find out after the fact when we trigger a complete build for a release.
We'll hedge against that risk by building all of the release targets on a
scheduled cadence to ensure that they are still buildable.
We'll make building all of the targets optional on any pull request by
use of a `build/all` label on the pull request.
Further considerations
----------------------
* We want to reduce the total number of workflows and runners for all of our
pipelines if possible. As each workflow runner has infrastructure cost and
runner time penalties, using a single runner over many is often preferred.
* Many of our jobs runners have been optimized for cost and performance. We
should simplify the choices of which runners to use.
* CRT requires us to use the same build workflow in both CE and Ent.
Historically that meant that modifying `build.yml` in CE would result in a
merge conflict with `build.yml` in Ent, and break our merge workflows.
* Workflow flow control in both `build.yml` and `ci.yml` can be quite
complicated, as each needs to maintain compatibility whether executed as CE
or Ent, and when triggered with various Github events like pull_request,
push, and workflow_call, each with their own requirements.
* Many jobs utilize similar patterns of flow control and metadata but are not
reusable.
* Workflow call depth has a maximum of four, so we need to be quite
considerate when calling other workflows.
* Called workflows can only have 10 inputs.
Implementation
--------------
* Refactor the `build.yml` workflow to be agnostic to whether or not it is
executing in CE or Ent. That makes future updates to the build much easier
as we won't have to worry about merge conflicts when the change is merged
downstream.
* Extract common steps in workflows into composite actions that we can reuse.
* Fix bugs where some but not all workflows would use different Git
references when building and testing a pull request.
* We rewrite the application, docs, and UI change helpers as a composite
action. This allows us to re-use this logic to make consistent behavior
choices across build and CI.
* We combine several `build.yml` and `ci.yml` jobs into our final job.
This reduces the number of workflows required for the same behavior while
saving time overall.
* Update most of our action pins.
Results
-------
| Metric | Before | After | Diff |
|-------------------|----------|---------|-------|
| Duration: | ~14-18m | ~15-18m | ~ = |
| Workflows: | 43 | 18 | - 58% |
| Billable time: | ~1h15m | 16m | - 79% |
| Saved artifacts: | 34 | 12 | - 65% |
Infra costs should map closely to billable time.
Network I/O costs should map closely to the workflow count.
Storage costs should map directly with saved artifacts.
We could probably get parity with duration by getting more clever with
our UBI container build, as that's where we're seeing the increase. I'm
not yet concerned as it takes roughly the same time for this job to
complete as it did before.
While the CI workflow was not the focus on the PR, some shared
refactoring does show some marginal improvements there.
| Metric | Before | After | Diff |
|-------------------|----------|----------|--------|
| Duration: | ~24m | ~12.75m | - 15% |
| Workflows: | 55 | 47 | - 8% |
| Billable time: | ~4h20m | ~3h36m | - 7% |
Further focus on streamlining the CI workflows would likely result in a
few more marginal improvements, but nothing on the order like we've seen
with the build workflow.
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-02-06 16:11:33 -05:00
|
|
|
: "${VERSION_METADATA:="ce"}"
|
2022-11-11 15:14:43 -05:00
|
|
|
|
2023-09-06 12:08:48 -04:00
|
|
|
: "${VERSION:=""}"
|
|
|
|
|
if [ -z "$VERSION" ]; then
|
|
|
|
|
echo "You must specify the VERSION variable for this command" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
[QT-637] Streamline our build pipeline (#24892)
Context
-------
Building and testing Vault artifacts on pull requests and merges is
responsible for about 1/3rd of our overall spend on Vault CI. Of the
artifacts that we ship as part of a release, we do Enos testing scenarios
on the `linux/amd64` and `linux/arm64` binaries and their derivative
artifacts. The extended build artifacts for non-Linux platforms or less
common machine architectures are not tested at this time. They are built,
notarized, and signed as part of every pull request update and merge. As
we don't actually test these artifacts, the only gain we get from this
rather expensive behavior is that we wont merge a change that would prevent
Vault from building on one of the extended targets. Extended platform or
architecture changes are quite rare, so performing this work as frequently
as we do is costly in both monetary and developer time for little relative
safety benefit.
Goals
-----
Rethink and implement how and when we build binaries and artifacts of Vault
so that we can spend less money on repetitive work and while also reducing
the time it takes for the build and test pipelines to complete.
Solution
--------
Instead of building all release artifacts on every push, we'll opt to build
only our testable (core) artifacts. With this change we are introducing a
bit of risk. We could merge a change that breaks an extended platform and
only find out after the fact when we trigger a complete build for a release.
We'll hedge against that risk by building all of the release targets on a
scheduled cadence to ensure that they are still buildable.
We'll make building all of the targets optional on any pull request by
use of a `build/all` label on the pull request.
Further considerations
----------------------
* We want to reduce the total number of workflows and runners for all of our
pipelines if possible. As each workflow runner has infrastructure cost and
runner time penalties, using a single runner over many is often preferred.
* Many of our jobs runners have been optimized for cost and performance. We
should simplify the choices of which runners to use.
* CRT requires us to use the same build workflow in both CE and Ent.
Historically that meant that modifying `build.yml` in CE would result in a
merge conflict with `build.yml` in Ent, and break our merge workflows.
* Workflow flow control in both `build.yml` and `ci.yml` can be quite
complicated, as each needs to maintain compatibility whether executed as CE
or Ent, and when triggered with various Github events like pull_request,
push, and workflow_call, each with their own requirements.
* Many jobs utilize similar patterns of flow control and metadata but are not
reusable.
* Workflow call depth has a maximum of four, so we need to be quite
considerate when calling other workflows.
* Called workflows can only have 10 inputs.
Implementation
--------------
* Refactor the `build.yml` workflow to be agnostic to whether or not it is
executing in CE or Ent. That makes future updates to the build much easier
as we won't have to worry about merge conflicts when the change is merged
downstream.
* Extract common steps in workflows into composite actions that we can reuse.
* Fix bugs where some but not all workflows would use different Git
references when building and testing a pull request.
* We rewrite the application, docs, and UI change helpers as a composite
action. This allows us to re-use this logic to make consistent behavior
choices across build and CI.
* We combine several `build.yml` and `ci.yml` jobs into our final job.
This reduces the number of workflows required for the same behavior while
saving time overall.
* Update most of our action pins.
Results
-------
| Metric | Before | After | Diff |
|-------------------|----------|---------|-------|
| Duration: | ~14-18m | ~15-18m | ~ = |
| Workflows: | 43 | 18 | - 58% |
| Billable time: | ~1h15m | 16m | - 79% |
| Saved artifacts: | 34 | 12 | - 65% |
Infra costs should map closely to billable time.
Network I/O costs should map closely to the workflow count.
Storage costs should map directly with saved artifacts.
We could probably get parity with duration by getting more clever with
our UBI container build, as that's where we're seeing the increase. I'm
not yet concerned as it takes roughly the same time for this job to
complete as it did before.
While the CI workflow was not the focus on the PR, some shared
refactoring does show some marginal improvements there.
| Metric | Before | After | Diff |
|-------------------|----------|----------|--------|
| Duration: | ~24m | ~12.75m | - 15% |
| Workflows: | 55 | 47 | - 8% |
| Billable time: | ~4h20m | ~3h36m | - 7% |
Further focus on streamlining the CI workflows would likely result in a
few more marginal improvements, but nothing on the order like we've seen
with the build workflow.
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-02-06 16:11:33 -05:00
|
|
|
local version
|
|
|
|
|
version="$VERSION"
|
|
|
|
|
if [ "$VERSION_METADATA" != "ce" ]; then
|
|
|
|
|
version="${VERSION}+${VERSION_METADATA}"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "${PKG_NAME}_${version}_${GOOS}_${GOARCH}"
|
2023-09-06 12:08:48 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Bundle the dist directory into a zip
|
|
|
|
|
function bundle() {
|
|
|
|
|
: "${BUNDLE_PATH:=$(repo_root)/vault.zip}"
|
[QT-637] Streamline our build pipeline (#24892)
Context
-------
Building and testing Vault artifacts on pull requests and merges is
responsible for about 1/3rd of our overall spend on Vault CI. Of the
artifacts that we ship as part of a release, we do Enos testing scenarios
on the `linux/amd64` and `linux/arm64` binaries and their derivative
artifacts. The extended build artifacts for non-Linux platforms or less
common machine architectures are not tested at this time. They are built,
notarized, and signed as part of every pull request update and merge. As
we don't actually test these artifacts, the only gain we get from this
rather expensive behavior is that we wont merge a change that would prevent
Vault from building on one of the extended targets. Extended platform or
architecture changes are quite rare, so performing this work as frequently
as we do is costly in both monetary and developer time for little relative
safety benefit.
Goals
-----
Rethink and implement how and when we build binaries and artifacts of Vault
so that we can spend less money on repetitive work and while also reducing
the time it takes for the build and test pipelines to complete.
Solution
--------
Instead of building all release artifacts on every push, we'll opt to build
only our testable (core) artifacts. With this change we are introducing a
bit of risk. We could merge a change that breaks an extended platform and
only find out after the fact when we trigger a complete build for a release.
We'll hedge against that risk by building all of the release targets on a
scheduled cadence to ensure that they are still buildable.
We'll make building all of the targets optional on any pull request by
use of a `build/all` label on the pull request.
Further considerations
----------------------
* We want to reduce the total number of workflows and runners for all of our
pipelines if possible. As each workflow runner has infrastructure cost and
runner time penalties, using a single runner over many is often preferred.
* Many of our jobs runners have been optimized for cost and performance. We
should simplify the choices of which runners to use.
* CRT requires us to use the same build workflow in both CE and Ent.
Historically that meant that modifying `build.yml` in CE would result in a
merge conflict with `build.yml` in Ent, and break our merge workflows.
* Workflow flow control in both `build.yml` and `ci.yml` can be quite
complicated, as each needs to maintain compatibility whether executed as CE
or Ent, and when triggered with various Github events like pull_request,
push, and workflow_call, each with their own requirements.
* Many jobs utilize similar patterns of flow control and metadata but are not
reusable.
* Workflow call depth has a maximum of four, so we need to be quite
considerate when calling other workflows.
* Called workflows can only have 10 inputs.
Implementation
--------------
* Refactor the `build.yml` workflow to be agnostic to whether or not it is
executing in CE or Ent. That makes future updates to the build much easier
as we won't have to worry about merge conflicts when the change is merged
downstream.
* Extract common steps in workflows into composite actions that we can reuse.
* Fix bugs where some but not all workflows would use different Git
references when building and testing a pull request.
* We rewrite the application, docs, and UI change helpers as a composite
action. This allows us to re-use this logic to make consistent behavior
choices across build and CI.
* We combine several `build.yml` and `ci.yml` jobs into our final job.
This reduces the number of workflows required for the same behavior while
saving time overall.
* Update most of our action pins.
Results
-------
| Metric | Before | After | Diff |
|-------------------|----------|---------|-------|
| Duration: | ~14-18m | ~15-18m | ~ = |
| Workflows: | 43 | 18 | - 58% |
| Billable time: | ~1h15m | 16m | - 79% |
| Saved artifacts: | 34 | 12 | - 65% |
Infra costs should map closely to billable time.
Network I/O costs should map closely to the workflow count.
Storage costs should map directly with saved artifacts.
We could probably get parity with duration by getting more clever with
our UBI container build, as that's where we're seeing the increase. I'm
not yet concerned as it takes roughly the same time for this job to
complete as it did before.
While the CI workflow was not the focus on the PR, some shared
refactoring does show some marginal improvements there.
| Metric | Before | After | Diff |
|-------------------|----------|----------|--------|
| Duration: | ~24m | ~12.75m | - 15% |
| Workflows: | 55 | 47 | - 8% |
| Billable time: | ~4h20m | ~3h36m | - 7% |
Further focus on streamlining the CI workflows would likely result in a
few more marginal improvements, but nothing on the order like we've seen
with the build workflow.
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-02-06 16:11:33 -05:00
|
|
|
echo "--> Bundling dist/* to $BUNDLE_PATH..."
|
2023-09-06 12:08:48 -04:00
|
|
|
zip -r -j "$BUNDLE_PATH" dist/
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Determine the root directory of the repository
|
|
|
|
|
function repo_root() {
|
|
|
|
|
git rev-parse --show-toplevel
|
2022-11-11 15:14:43 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Build the UI
|
|
|
|
|
function build_ui() {
|
|
|
|
|
local repo_root
|
|
|
|
|
repo_root=$(repo_root)
|
|
|
|
|
|
|
|
|
|
pushd "$repo_root"
|
|
|
|
|
mkdir -p http/web_ui
|
|
|
|
|
popd
|
|
|
|
|
pushd "$repo_root/ui"
|
2023-05-02 21:36:15 -04:00
|
|
|
yarn install
|
2022-11-11 15:14:43 -05:00
|
|
|
npm rebuild node-sass
|
2023-05-02 21:36:15 -04:00
|
|
|
yarn run build
|
2022-11-11 15:14:43 -05:00
|
|
|
popd
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Build Vault
|
|
|
|
|
function build() {
|
|
|
|
|
local revision
|
|
|
|
|
local build_date
|
|
|
|
|
local ldflags
|
|
|
|
|
local msg
|
|
|
|
|
|
|
|
|
|
# Get or set our basic build metadata
|
|
|
|
|
revision=$(build_revision)
|
2023-09-06 12:08:48 -04:00
|
|
|
build_date=$(build_date) #
|
|
|
|
|
: "${BIN_PATH:="dist/"}" #if not run by actions-go-build (enos local) then set this explicitly
|
2022-11-11 15:14:43 -05:00
|
|
|
: "${GO_TAGS:=""}"
|
2023-05-04 16:23:06 -04:00
|
|
|
: "${REMOVE_SYMBOLS:=""}"
|
2022-11-11 15:14:43 -05:00
|
|
|
|
2023-09-08 14:46:32 -04:00
|
|
|
(unset GOOS; unset GOARCH; go generate ./...)
|
2023-07-06 12:35:06 -04:00
|
|
|
|
2022-11-11 15:14:43 -05:00
|
|
|
# Build our ldflags
|
[QT-637] Streamline our build pipeline (#24892)
Context
-------
Building and testing Vault artifacts on pull requests and merges is
responsible for about 1/3rd of our overall spend on Vault CI. Of the
artifacts that we ship as part of a release, we do Enos testing scenarios
on the `linux/amd64` and `linux/arm64` binaries and their derivative
artifacts. The extended build artifacts for non-Linux platforms or less
common machine architectures are not tested at this time. They are built,
notarized, and signed as part of every pull request update and merge. As
we don't actually test these artifacts, the only gain we get from this
rather expensive behavior is that we wont merge a change that would prevent
Vault from building on one of the extended targets. Extended platform or
architecture changes are quite rare, so performing this work as frequently
as we do is costly in both monetary and developer time for little relative
safety benefit.
Goals
-----
Rethink and implement how and when we build binaries and artifacts of Vault
so that we can spend less money on repetitive work and while also reducing
the time it takes for the build and test pipelines to complete.
Solution
--------
Instead of building all release artifacts on every push, we'll opt to build
only our testable (core) artifacts. With this change we are introducing a
bit of risk. We could merge a change that breaks an extended platform and
only find out after the fact when we trigger a complete build for a release.
We'll hedge against that risk by building all of the release targets on a
scheduled cadence to ensure that they are still buildable.
We'll make building all of the targets optional on any pull request by
use of a `build/all` label on the pull request.
Further considerations
----------------------
* We want to reduce the total number of workflows and runners for all of our
pipelines if possible. As each workflow runner has infrastructure cost and
runner time penalties, using a single runner over many is often preferred.
* Many of our jobs runners have been optimized for cost and performance. We
should simplify the choices of which runners to use.
* CRT requires us to use the same build workflow in both CE and Ent.
Historically that meant that modifying `build.yml` in CE would result in a
merge conflict with `build.yml` in Ent, and break our merge workflows.
* Workflow flow control in both `build.yml` and `ci.yml` can be quite
complicated, as each needs to maintain compatibility whether executed as CE
or Ent, and when triggered with various Github events like pull_request,
push, and workflow_call, each with their own requirements.
* Many jobs utilize similar patterns of flow control and metadata but are not
reusable.
* Workflow call depth has a maximum of four, so we need to be quite
considerate when calling other workflows.
* Called workflows can only have 10 inputs.
Implementation
--------------
* Refactor the `build.yml` workflow to be agnostic to whether or not it is
executing in CE or Ent. That makes future updates to the build much easier
as we won't have to worry about merge conflicts when the change is merged
downstream.
* Extract common steps in workflows into composite actions that we can reuse.
* Fix bugs where some but not all workflows would use different Git
references when building and testing a pull request.
* We rewrite the application, docs, and UI change helpers as a composite
action. This allows us to re-use this logic to make consistent behavior
choices across build and CI.
* We combine several `build.yml` and `ci.yml` jobs into our final job.
This reduces the number of workflows required for the same behavior while
saving time overall.
* Update most of our action pins.
Results
-------
| Metric | Before | After | Diff |
|-------------------|----------|---------|-------|
| Duration: | ~14-18m | ~15-18m | ~ = |
| Workflows: | 43 | 18 | - 58% |
| Billable time: | ~1h15m | 16m | - 79% |
| Saved artifacts: | 34 | 12 | - 65% |
Infra costs should map closely to billable time.
Network I/O costs should map closely to the workflow count.
Storage costs should map directly with saved artifacts.
We could probably get parity with duration by getting more clever with
our UBI container build, as that's where we're seeing the increase. I'm
not yet concerned as it takes roughly the same time for this job to
complete as it did before.
While the CI workflow was not the focus on the PR, some shared
refactoring does show some marginal improvements there.
| Metric | Before | After | Diff |
|-------------------|----------|----------|--------|
| Duration: | ~24m | ~12.75m | - 15% |
| Workflows: | 55 | 47 | - 8% |
| Billable time: | ~4h20m | ~3h36m | - 7% |
Further focus on streamlining the CI workflows would likely result in a
few more marginal improvements, but nothing on the order like we've seen
with the build workflow.
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-02-06 16:11:33 -05:00
|
|
|
msg="--> Building Vault revision $revision, built $build_date..."
|
2022-11-11 15:14:43 -05:00
|
|
|
|
2023-04-21 13:15:56 -04:00
|
|
|
# Keep the symbol and dwarf information by default
|
2023-05-04 16:23:06 -04:00
|
|
|
if [ -n "$REMOVE_SYMBOLS" ]; then
|
2023-04-21 13:15:56 -04:00
|
|
|
ldflags="-s -w "
|
2022-11-11 15:14:43 -05:00
|
|
|
else
|
2023-05-04 16:23:06 -04:00
|
|
|
ldflags=""
|
2022-11-11 15:14:43 -05:00
|
|
|
fi
|
|
|
|
|
|
2023-09-06 12:08:48 -04:00
|
|
|
ldflags="${ldflags} -X github.com/hashicorp/vault/version.GitCommit=$revision -X github.com/hashicorp/vault/version.BuildDate=$build_date"
|
2022-11-11 15:14:43 -05:00
|
|
|
|
2023-09-06 12:08:48 -04:00
|
|
|
if [[ ${VERSION_METADATA+x} ]]; then
|
|
|
|
|
msg="${msg}, metadata ${VERSION_METADATA}"
|
|
|
|
|
ldflags="${ldflags} -X github.com/hashicorp/vault/version.VersionMetadata=$VERSION_METADATA"
|
2022-11-11 15:14:43 -05:00
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Build vault
|
|
|
|
|
echo "$msg"
|
|
|
|
|
pushd "$(repo_root)"
|
|
|
|
|
mkdir -p dist
|
|
|
|
|
mkdir -p out
|
|
|
|
|
set -x
|
[QT-637] Streamline our build pipeline (#24892)
Context
-------
Building and testing Vault artifacts on pull requests and merges is
responsible for about 1/3rd of our overall spend on Vault CI. Of the
artifacts that we ship as part of a release, we do Enos testing scenarios
on the `linux/amd64` and `linux/arm64` binaries and their derivative
artifacts. The extended build artifacts for non-Linux platforms or less
common machine architectures are not tested at this time. They are built,
notarized, and signed as part of every pull request update and merge. As
we don't actually test these artifacts, the only gain we get from this
rather expensive behavior is that we wont merge a change that would prevent
Vault from building on one of the extended targets. Extended platform or
architecture changes are quite rare, so performing this work as frequently
as we do is costly in both monetary and developer time for little relative
safety benefit.
Goals
-----
Rethink and implement how and when we build binaries and artifacts of Vault
so that we can spend less money on repetitive work and while also reducing
the time it takes for the build and test pipelines to complete.
Solution
--------
Instead of building all release artifacts on every push, we'll opt to build
only our testable (core) artifacts. With this change we are introducing a
bit of risk. We could merge a change that breaks an extended platform and
only find out after the fact when we trigger a complete build for a release.
We'll hedge against that risk by building all of the release targets on a
scheduled cadence to ensure that they are still buildable.
We'll make building all of the targets optional on any pull request by
use of a `build/all` label on the pull request.
Further considerations
----------------------
* We want to reduce the total number of workflows and runners for all of our
pipelines if possible. As each workflow runner has infrastructure cost and
runner time penalties, using a single runner over many is often preferred.
* Many of our jobs runners have been optimized for cost and performance. We
should simplify the choices of which runners to use.
* CRT requires us to use the same build workflow in both CE and Ent.
Historically that meant that modifying `build.yml` in CE would result in a
merge conflict with `build.yml` in Ent, and break our merge workflows.
* Workflow flow control in both `build.yml` and `ci.yml` can be quite
complicated, as each needs to maintain compatibility whether executed as CE
or Ent, and when triggered with various Github events like pull_request,
push, and workflow_call, each with their own requirements.
* Many jobs utilize similar patterns of flow control and metadata but are not
reusable.
* Workflow call depth has a maximum of four, so we need to be quite
considerate when calling other workflows.
* Called workflows can only have 10 inputs.
Implementation
--------------
* Refactor the `build.yml` workflow to be agnostic to whether or not it is
executing in CE or Ent. That makes future updates to the build much easier
as we won't have to worry about merge conflicts when the change is merged
downstream.
* Extract common steps in workflows into composite actions that we can reuse.
* Fix bugs where some but not all workflows would use different Git
references when building and testing a pull request.
* We rewrite the application, docs, and UI change helpers as a composite
action. This allows us to re-use this logic to make consistent behavior
choices across build and CI.
* We combine several `build.yml` and `ci.yml` jobs into our final job.
This reduces the number of workflows required for the same behavior while
saving time overall.
* Update most of our action pins.
Results
-------
| Metric | Before | After | Diff |
|-------------------|----------|---------|-------|
| Duration: | ~14-18m | ~15-18m | ~ = |
| Workflows: | 43 | 18 | - 58% |
| Billable time: | ~1h15m | 16m | - 79% |
| Saved artifacts: | 34 | 12 | - 65% |
Infra costs should map closely to billable time.
Network I/O costs should map closely to the workflow count.
Storage costs should map directly with saved artifacts.
We could probably get parity with duration by getting more clever with
our UBI container build, as that's where we're seeing the increase. I'm
not yet concerned as it takes roughly the same time for this job to
complete as it did before.
While the CI workflow was not the focus on the PR, some shared
refactoring does show some marginal improvements there.
| Metric | Before | After | Diff |
|-------------------|----------|----------|--------|
| Duration: | ~24m | ~12.75m | - 15% |
| Workflows: | 55 | 47 | - 8% |
| Billable time: | ~4h20m | ~3h36m | - 7% |
Further focus on streamlining the CI workflows would likely result in a
few more marginal improvements, but nothing on the order like we've seen
with the build workflow.
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-02-06 16:11:33 -05:00
|
|
|
go env
|
2022-11-11 15:14:43 -05:00
|
|
|
go build -v -tags "$GO_TAGS" -ldflags "$ldflags" -o dist/
|
|
|
|
|
set +x
|
|
|
|
|
popd
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-17 11:18:38 -04:00
|
|
|
# ENT: Prepare legal requirements for packaging
|
|
|
|
|
function prepare_ent_legal() {
|
2022-11-11 15:14:43 -05:00
|
|
|
: "${PKG_NAME:="vault"}"
|
|
|
|
|
|
|
|
|
|
pushd "$(repo_root)"
|
|
|
|
|
mkdir -p dist
|
|
|
|
|
curl -o dist/EULA.txt https://eula.hashicorp.com/EULA.txt
|
|
|
|
|
curl -o dist/TermsOfEvaluation.txt https://eula.hashicorp.com/TermsOfEvaluation.txt
|
|
|
|
|
mkdir -p ".release/linux/package/usr/share/doc/$PKG_NAME"
|
|
|
|
|
cp dist/EULA.txt ".release/linux/package/usr/share/doc/$PKG_NAME/EULA.txt"
|
|
|
|
|
cp dist/TermsOfEvaluation.txt ".release/linux/package/usr/share/doc/$PKG_NAME/TermsOfEvaluation.txt"
|
|
|
|
|
popd
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-17 11:18:38 -04:00
|
|
|
# CE: Prepare legal requirements for packaging
|
|
|
|
|
function prepare_ce_legal() {
|
|
|
|
|
: "${PKG_NAME:="vault"}"
|
|
|
|
|
|
|
|
|
|
pushd "$(repo_root)"
|
|
|
|
|
|
|
|
|
|
mkdir -p dist
|
|
|
|
|
cp LICENSE dist/LICENSE.txt
|
|
|
|
|
|
|
|
|
|
mkdir -p ".release/linux/package/usr/share/doc/$PKG_NAME"
|
|
|
|
|
cp LICENSE ".release/linux/package/usr/share/doc/$PKG_NAME/LICENSE.txt"
|
|
|
|
|
|
|
|
|
|
popd
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-08 14:46:32 -04:00
|
|
|
# Package version converts a vault version string into a compatible representation for system
|
|
|
|
|
# packages.
|
|
|
|
|
function version_package() {
|
|
|
|
|
awk '{ gsub("-","~",$1); print $1 }' <<< "$VAULT_VERSION"
|
2022-12-12 15:46:04 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Run the CI Helper
|
2022-11-11 15:14:43 -05:00
|
|
|
function main() {
|
|
|
|
|
case $1 in
|
|
|
|
|
artifact-basename)
|
|
|
|
|
artifact_basename
|
|
|
|
|
;;
|
|
|
|
|
build)
|
|
|
|
|
build
|
|
|
|
|
;;
|
|
|
|
|
build-ui)
|
|
|
|
|
build_ui
|
|
|
|
|
;;
|
|
|
|
|
bundle)
|
|
|
|
|
bundle
|
|
|
|
|
;;
|
|
|
|
|
date)
|
|
|
|
|
build_date
|
|
|
|
|
;;
|
2024-05-17 11:18:38 -04:00
|
|
|
prepare-ent-legal)
|
|
|
|
|
prepare_ent_legal
|
|
|
|
|
;;
|
|
|
|
|
prepare-ce-legal)
|
|
|
|
|
prepare_ce_legal
|
2022-11-11 15:14:43 -05:00
|
|
|
;;
|
|
|
|
|
revision)
|
|
|
|
|
build_revision
|
|
|
|
|
;;
|
2022-12-12 15:46:04 -05:00
|
|
|
version-package)
|
|
|
|
|
version_package
|
|
|
|
|
;;
|
2022-11-11 15:14:43 -05:00
|
|
|
*)
|
|
|
|
|
echo "unknown sub-command" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
main "$@"
|
