Commit graph

482 commits

Author SHA1 Message Date
Vault Automation
d9853a8f33
actions: explicitly set permissions on callable workflows
actions: explicitly set permissions on callable workflows

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-23 18:19:23 -06:00
Vault Automation
00281521f0
actions: pin actions to the latest versions
* actions: pin to latest actions

- actions/checkout@9c091bb21b => v7.0.0
  Adds a guardrail to prevent accidentally checking out fork pull
  request code in privileged GitHub Actions contexts
  (pull_request_target and PR-triggered workflow_run), with an
  explicit opt-in escape hatch for advanced workflows.

- pnpm/action-setup@0ebf47130e => v6.0.9
  Update pnpm to v11.7.0

- Add .github/actions/build-ui to ui changed files group

- Add .github/actions/build-ui to ui/frontend CODEOWNERS

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-23 10:21:26 -06:00
Vault Automation
4caa48d453
[VAULT-46052] ci: add weekend schedule for IAM resource cleanup
Add separate Saturday morning sweeps (3 AM & 5 AM ET) for IAM resources
that lack age metadata or tag support. Conditionally exclude `IAMUserPolicy`,
`IAMRolePolicy`, and policy attachments from weekday sweeps to prevent
interference with active CI runs.

Additional changes:
- Add explicit `America/New_York` timezone to workflow schedules
- Update nightly tests to run at 9 AM ET (was 1 PM UTC)
- Grant `iam:TagInstanceProfile` permission to CI service user to tag instance
  profiles to build date based nuke filters.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-19 17:58:00 -04:00
Vault Automation
c60337075e
Add IBM Instana observability integration alongside DataDog (#15179) (#15488)
* Create instana-test.yml

* Update instana-test.yml

* test if authorization passes

* updated to test-hcp

* Update instana-test.yml

* Added Instana to ci for logging

* update github ci to use instana

* changes

* Update test-go.yml

* Update instana.go

* Update helper/testhelpers/observability/instana.go

---------

Co-authored-by: Jaired Jawed <jaired.jawed@hashicorp.com>
Co-authored-by: Jaired Jawed <jairedjawed@Jaireds-Work-MacBook-Pro.local>
Co-authored-by: Jaired Jawed <jairedjawed@Mac-144.lan>
Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
2026-06-19 16:28:07 +00:00
Ryan Cragun
d2acb60ef9
action: pass compute-build to the scenario workflow (#15574)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2026-06-16 13:54:59 -06:00
Ryan Cragun
515ad91e2c
actions: increase runner sizes for build and test jobs (#15552)
Since moving to the standard runner labels we've seen a significant
decrease in job wait time but the smaller runners that we can get for
various jobs are too unreliable and we're seeing many disconnects.

Instead, increase the baseline runner size for build and test
workflows to large. This will likely require waiting longer but that
is almost certainly better than a runner disconnect and retry.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2026-06-16 13:54:59 -06:00
Vault Automation
38d4ecddb3
ci: use a large runner when cleaning up
* Use a large runner. When we get small ones the runner can get OOMed.
* Don't run the action in the context of the container so we can use
  the runner's Node 24 to assume the role before executing the quota
  check.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-15 14:16:36 +00:00
Vault Automation
74940f107c
actions: update pins to latest versions
- actions/add-to-project@5afcf98fcd => v2.0.0
  - Dependency bumps
  - Node 24 updates
- actions/cache@27d5ce7f10 => v5.0.5
  - ts-http-runtime update
- actions/checkout@df4cb1c069 => v6.0.3
  - Fixes for sha256 repositories
- actions/setup-go@4a3601121d => v6.4.0
  - Dependency bumps
  - Support custom distributions
- actions/setup-node@48b55a011b => v6.4.0
  - Dependency bumps
- actions/upload-artifact@043fb46d1a => v7.0.1
  - ts-http-runtime update
- aws-actions/configure-aws-credentials@e7f100cf4c => v6.2.0
  - Various bug fixes and improvements
- browser-actions/setup-chrome@2e1d749697 => v2.1.2
  - Drop 32 bit support
- docker/build-push-action@f9f3042f7e => v7.2.0
  - Dependency bumps
- docker/setup-buildx-action@d7f5e7f509 => v4.1.0
  - Dependency bumps
- hashicorp/actions-generate-metadata@a43468dfb1 # v1.1.4
  - Node 24 updates
- hashicorp/actions-set-product-version@d9be602dfa => v2.0.2
  - Node 24 updates
- hashicorp/action-setup-enos@3817610f3f => v1.53
  - Dependency bumps
  - New enos release
- hashicorp/setup-terraform@dfe3c3f878 => v4.0.1
  - Node 24 updates
- hashicorp/vault-action@892a26828f => v4.0.0
  - Node 24 updates
- hashicorp-forge/actions-pao-tool/*@0409050df899ec0612745ca17e47c0fba18b7c10 => v1.1.0
  - Node 24 updates
- peter-evans/create-pull-request@5f6978faf0 => v8.1.1
  - Dependency bumps
- pnpm/action-setup@0e279bb959 => v6.0.8
  - Added support for pnpm 11 and various fixes around its support
- slackapi/slack-github-action@45a88b9581 => v3.0.3
  - Bug fixes
  - Improved telemetry
- sqlc-dev/setup-sqlc@bac53b7fb2 => v5.0.0
  - Dependency bumps
- test-summary/action@37b508cfee => v2.6
  - Fixing tags

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-12 20:20:36 -04:00
Vault Automation
94947e4267
Complete vault_verify_replication migration to blackbox tests (#15301) (#15348)
* Complete vault_verify_replication migration to blackbox tests

Migrate all remaining enos scenarios to use vault_run_blackbox_test:
- enos-scenario-proxy.hcl
- enos-scenario-seal-ha.hcl
- enos-scenario-upgrade.hcl
- enos-scenario-agent.hcl
- enos-scenario-autopilot.hcl

Remove vault_verify_replication module from enos-modules.hcl

All scenarios now use the blackbox test framework for replication verification.

* Update setup-enos action to v1.53

Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
2026-06-11 16:55:55 +00:00
Vault Automation
741e8d64e7
VAULT-44371: adding before and after steps for enos AWS resources (#15183) (#15322)
* VAULT-44371: adding before and after steps for enos AWS resources

* debugging lint error

* debugging lint error

* addressing comments

* testing pipeline

* testing pipeline

Co-authored-by: Tin Vo <tintvo08@gmail.com>
2026-06-09 10:55:57 -07:00
Vault Automation
7808c301e2
feat(enos): migrate vault_verify_replication to blackbox tests (#14963) (#15112)
* feat(enos): migrate vault_verify_replication to blackbox tests

Convert vault_verify_replication from bash scripts to blackbox SDK tests.

Changes:
- Created vault/external_tests/blackbox/verify/replication_test.go with TestReplicationAvailability
- Updated enos-scenario-smoke.hcl to use vault_run_blackbox_test module
- Removed enos/modules/vault_verify_replication module and bash script

The new test verifies:
- CE: replication mode is 'disabled'
- ENT: DR and performance replication are available

Fixes: Converts bash-based verification to Go-based blackbox tests for better maintainability

* Add detailed error messages to replication test for debugging

* Add debug logging to replication test

* Exclude TestReplicationAvailability from race detection

The TestReplicationAvailability test requires a live Vault instance with
VAULT_ADDR and VAULT_TOKEN environment variables set. This test is not
compatible with race detection runs in CI which don't have these
prerequisites configured.

Add //go:build !race tag to exclude this test from race detection runs.

* Revert "Exclude TestReplicationAvailability from race detection"

This reverts commit 5afc7c1bf243e7e833864288cdd5bd16c9ed3018.

* Fix replication test to read from root namespace

The test was failing because it tried to read sys/replication/status
from within the test's isolated namespace. Replication status is only
available at the root namespace level.

Changes:
- Use WithRootNamespace() to read replication status from root
- Add proper error handling for the namespace operation
- Add api import for WithRootNamespace return type

* Add testonly build tag and update CI workflow pattern for verify tests

* Add missing ip_version parameter to vault_run_blackbox_test calls

Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
2026-06-05 17:31:03 +00:00
Vault Automation
da9b387579
use ubuntu-22.04 everywhere to access more hot runner pools
* use ubuntu-22.04 everywhere to access more hot runner pools

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-05-28 10:26:55 -06:00
Vault Automation
3b246d7a71
Backport actions: expressions in composite action defaults don't work 🫢 into ce/main
* actions: expressions in composite action defaults don't work 🫢 (#15023)

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-05-28 08:53:36 -07:00
Vault Automation
6f292e3dac
go: remove SKIP_SETCAP env vars and add IPC_LOCK when using vault containers
* go: remove SKIP_SETCAP env vars and add IPC_LOCK when using vault containers

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-05-21 09:37:08 -06:00
Ryan Cragun
705b2ff0b0
actions: fix runs-on quotes (#14881)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2026-05-19 16:50:01 +00:00
Vault Automation
7b474da570
[VAULT-44431] enos: merge changes for enterprise zap scenario into ce/main
Backport community files that changed as part of the enterprise only zap scenarios. This mostly includes fixes to scenario execution, retries, and blackbox SDK tests that were broken.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-05-18 10:07:46 -06:00
Vault Automation
4b7e638b98
ci: gracefully handle failure summary aggregation issues
I've only seen a single instance where this can fail but even if it does
it should not prevent merges in an otherwise successful run.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-05-06 20:12:34 +00:00
Vault Automation
a6c45509b9
actions: use standard runner labels for all workflows (#14476) (#14522)
Use standard runner labels for all workflows. This will allow us to pull
from the hot pools for most jobs and on-demand when more are needed.
This does eliminate our cost optimization but latest on-demand runners
have taken so long to provision as to be unbearable.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-05-06 10:53:49 -07:00
Vault Automation
daeade6ba1
Backport Add transit test using managed keys into ce/main (#14534)
Also includes https://github.com/hashicorp/vault-enterprise/pull/14540
2026-05-06 12:05:40 -04:00
Vault Automation
06b3374bd5
VAULT-43442: Adding Enos SDK AWS test to add/delete Vault AWS Roles (#14248) (#14358)
* updating matrix workflow format for easier visualization

* adding test to create and delete Vault AWS Roles

* refactoring functions

* testing pipeline

* testing pipeline

* testing pipeline

* testing pipeline

* finishing up role deletion test

* finishing up role deletion test

Co-authored-by: Tin Vo <tintvo08@gmail.com>
2026-04-28 13:46:11 -07:00
Vault Automation
522be03417
(enos) Make Blackbox SDK Test Output Visible in GitHub Actions (#14026) (#14113)
Co-authored-by: brewgator <lt.carbonell@hashicorp.com>
2026-04-20 20:31:49 +00:00
Vault Automation
67a4593a4b
ci: use os=ubuntu label for linux/amd64 on-demand runners
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-04-08 23:42:58 +00:00
Vault Automation
cae8a2c58f
Backport ci: add more backup self-hosted runner types into ce/main
* ci: add more backup self-hosted runner types (#13763)

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-04-08 15:04:16 -07:00
Vault Automation
13c7838ab3
Backport [VAULT-42245] Add IBM license update to enos upgrade scenario into ce/main (#13165)
* [VAULT-42245] Add IBM license update to enos upgrade scenario (#12661)

* initial changes

* more changes

* test

* test changes

* Fix test

* try ignoring customer id

* clean up

* more clean up

* lint

* PR comments

* make edition a variable

* lint

* PR comments

* add default for customer id

* fix script and lint

* specify license file

* Apply suggestion from @ryancragun

Co-authored-by: Ryan Cragun <me@ryan.ec>

* always configure ibm license

* Update enos/modules/verify_log_secrets/main.tf

Co-authored-by: Ryan Cragun <me@ryan.ec>

* lint

---------

Co-authored-by: Ryan Cragun <me@ryan.ec>

* lint

---------

Co-authored-by: Jenny Deng <jenny.deng@hashicorp.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-03-25 12:04:01 -07:00
Vault Automation
a3bc0a3078
(enos): Add LDAP secrets engine blackbox tests to Plugin Scenario (#13072) (#13293)
* Add LDAP secrets engine blackbox tests

* Format

* format

* cleanup environment

* Install ldap-utils in CI for LDAP domain provisioning

* wrap in eventually

* debugging

* fix ip issues

Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2026-03-23 14:22:46 +00:00
Vault Automation
f666016862
actions: update actions to the latest versions (#13056) (#13143)
- actions/cache => v5.0.4
  Dep updates

- actions/download-artifact => v8.0.1
  Support for CJK characters

- dorny/paths-filter => v4.0.1
  Node 24, support for merge queues

- hashicorp/action-setup-enos => v1.52
  Security release for downstream vuln

- pnpm/action-setup => v5.0.0
  Node 24, support for native caching

- slackapi/slack-github-action => v3.0.1
  Node 24, lots of internal dep updates, ability to run Slack commands

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-03-19 15:51:50 +00:00
Vault Automation
1a57de40bd
Backport Fill out Secret Engine Tests into ce/main (#12927)
* no-op commit

* Fill out Secret Engine Tests (#12287)

* reorg some tests

* split tests out

* fix test

* test cleanup

* make ldap work

* formatting

* whitespace

* Make KMIP work

* Activate smoke_sdk scenarios

* Add gotestsum

* tryagain

* fix go path install

* add debugging

* more debug

* shrug emoji

* Remove debug and increase timeout

* syntax

* help with polling

* disable stepdown test for now

* Update vault/external_tests/blackbox/secrets_ldap_test.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update sdk/helper/testcluster/blackbox/session_raft.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update enos/modules/verify_secrets_engines/modules/create/auth.tf

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update enos/modules/vault_run_blackbox_test/scripts/run-test.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update enos/modules/vault_run_blackbox_test/main.tf

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* arm fix

* gotestsum

* timing

* try this

* try this

* handle when these already exist

* ---

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Cant run smoke_sdk in ce (#12931)

---------

Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-12 12:00:59 -04:00
Vault Automation
383e2267ed
Fix GitHub Actions expression evaluation error in build workflow (#12884) (#12901)
* Fix GitHub Actions expression evaluation error in build workflow

- Add hcp-setup job with explicit step-by-step parameter validation
- Replace problematic inline expressions with debuggable logic steps
- Use proper fallback values (0 instead of '') for number type inputs
- Resolve 'Unexpected value' error on scheduled runs
- Maintain existing workflow logic and conditional behavior
- Add clear logging for troubleshooting parameter resolution

* Fix type conversion for pull-request number in build workflow

- Use fromJSON() to convert string output to number type
- Resolves type mismatch error in reusable workflow input

Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2026-03-10 21:04:36 +00:00
Vault Automation
48925d76fb
Fix conditional to use new tool (#12836) (#12866)
* Fix conditional to use new tool

* use event name instead

Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2026-03-10 12:04:06 -06:00
Vault Automation
aa10cc0e4a
cloud: automatically trigger custom image test when changing the hcp testing toolchain (#12654) (#12664)
* actions: pull in gotestsum when executing the cloud scenario
* cloud: add 'hcp' changed-file group and trigger cloud scenario when the files change
* slightly simplify expression

---------

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-03-09 16:46:35 -06:00
Vault Automation
ab5b314c95
actions: pin actions to the latest versions (#12772) (#12793)
- docker/setup-buildx-action v3.12.0 => v4.0.0
  Node 24 upgrade, switch to ESM, some deprecated inputs have been
  removed.
- docker/build-push-action v6.19.2 => v7.0.0
  Node 24 upgrade, switch to ESM, some deprecated envs have been
  removed.
- actions/setup-node v6.2.0 => v6.3.0
  Bug fixes, internal dep updates, support for parsing `devEngines`.
- action-setup-enos v1.50 => v1.51
  Use enos 0.0.36

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-03-09 12:36:53 -06:00
Vault Automation
a2978a63f2
Fix HCP workflow expression evaluation and add test option (#12759) (#12833)
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2026-03-09 15:49:32 +00:00
Vault Automation
617b5e8571
Fix nightly hcp build error (#12731) (#12732)
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2026-03-05 19:13:05 -05:00
Vault Automation
ba786ab759
Add schedule to hcp runs (#12636) (#12655)
* Add schedule to hcp runs

* formatting

Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2026-03-03 00:20:36 +00:00
Vault Automation
3d420fec98
actions: bump actions to latest version (#12630)
Bump our action version pins to the latest versions.

- actions/checkout v6.0.1 => v6.0.2
  Tag handling improvements

- actions/download-artifact v7.0.0 => v8.0.0
  Supports automatic detection of unzipping based on Content-Type
  Enforces digest checking
  Uses ES modules

- actions/setup-go v6.2.0 => v6.3.0
  Uses go.mod for default module caching (which we don't use)
  Fixes to download URL

- actions/upload-artifact v6.0.0 => v7.0.0
  Supports disabling automatic archiving
  Uses ES modules

- aws-actions/configure-aws-credentials v5.1.1 => v6.0.0
  Uses Node 24

- browser-actions/setup-chrome v2.1.0 => v2.1.1
  Bug fix for Node runtime version

- docker/build-push-action v6.18.0 => v6.19.2
  Internal dep updates and auth support for different Github servers.

- hashicorp/setup-terraform v3.1.2 => v4.0.0
  Uses Node 24

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-03-02 17:48:49 -05:00
Vault Automation
a3859d67e3
Backport rework UI CI workflow to partition JS tests into ce/main (#12515)
* rework UI CI workflow to partition JS tests (#11967)

* add setup-pnpm action

* remove reading vault keys from vault server output

* update ci workflow to build app and go binary first, then run tests in partitions

* fix errant tests

* address PR feedback

* Apply suggestions from code review

Co-authored-by: Ryan Cragun <me@ryan.ec>

* more feedback changes

* restore test-helper.js

* restore auth test helpers

* check in ui/tests/helpers/vault-keys.js

* use v7 of download-artifact action

* make test-ui reusable workflow

* add status job

---------

Co-authored-by: Ryan Cragun <me@ryan.ec>

* update new UI tests to run CE tests on the CE branch (#12537)

---------

Co-authored-by: Matthew Irish <39469+meirish@users.noreply.github.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-02-27 12:19:47 -06:00
Vault Automation
f3695579ac
IBM license and config reloads (#12058) (#12251)
* adding ibm tests for ent files

* adding debug commands

* adding code changes

* adding reload tests

* remove settings.json

* remove ryboe q

* changing isHashicorpLicense to isIBMLicense and moving DiagnoseCheckLicenseGeneration to core_util_common.go

* fix test

* reverting non-license related tests

* reverting non-license related tests

* removing hashicorp license test

* modify reload server_ent_test.go

* change ibm-license paths

* adding census reload server test

* moving LicensingEntitlementSelectionConfig to core_util_common.go

* add EntReloadLicenseAndConfig to stubs

* fix operator diagnose bug

* move bug fix into ce and ent files

* add more ibm test cases

* Update command/command_testonly/server_testonly_ent_test.go

* address comments

* make fmt

---------

Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
Co-authored-by: Jenny Deng <jenny.deng@hashicorp.com>
2026-02-06 15:19:44 -08:00
Vault Automation
bb106f1bef
Add blackbox testing SDK (#11210) (#12245)
* rough draft

* add some stuff for dynamic secrets

* add some more helpers and sample tests

* new helpers, new tests, refactoring

* Add Basic Smoke SDK Scenario (#11678)

* Add simple test for stepdown election

* Add a smoke_sdk scenario

* add script to run tests locally

* fix up a few things

* VAULT-39746 - Add Tests to Smoke SDK and Cloud Scenarios (#11795)

* Add some go verification steps in enos sdk test run script

* formatting

* Add a smoke_sdk scenario userpass secret engine create test (#11808)

* Add a smoke_sdk scenario userpass secret engine create test

* Add the some additional tests

* Add Smoke tests to Cloud Scenario (#11876)

* Add a smoke_sdk scenario userpass secret engine create test

* Add the some additional tests

* Add smoke testing to cloud

* Add test results to output and test filtering

* comment

* fix test

* fix the smoke scenario

* Address some various feedback

* missed cleanup

* remove node count dependency in the tests

* Fix test perms

* Adjust the testing and clean them up a bit

* formatting

* fmt

* fmt2

* more fmt

* formatting

* tryagain

* remove the docker/hcp divide

* use the SHA as ID

* adjust perms

* Add transit test

* skip blackbox testing in test-go

* copywrite

* Apply suggestion from @brewgator

* Add godoc

* grep cleanup

---------

Co-authored-by: Josh Black <raskchanky@gmail.com>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2026-02-06 21:36:29 +00:00
Vault Automation
b3f173756d
actions: pin to latest actions (#12144) (#12146)
Update to the latest actions. The primary motivation here is to get the
latest action-setup-enos.

  - actions/cache => v5.0.3: security patches
  - actions/checkout => v6.0.2: small fixes to git user-agent and tag
    fetching
  - hashicorp/action-setup-enos => v1.50: security patches

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-02-03 22:39:49 +00:00
Vault Automation
c2034cb08a
actions: pin to latest actions (#12060) (#12069)
- actions/checkout -> v6.0.2: some minor changes around setting the
  ACTIONS_ORCHESTRATION_ID and some fixes to `fetch-tags`.
- actions/setup-python -> v6.2.0: Node 24 compat

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-01-29 10:07:15 -08:00
Vault Automation
3a108ea88e
Backport [VAULT-41857] pipeline(find-artifact): add support for finding artifacts from branches into ce/main (#11971)
* [VAULT-41857] pipeline(find-artifact): add support for finding artifacts from branches (#11799)

Add support for finding matching workflow artifacts from branches rather than PRs. This allows us to trigger custom HCP image builds from a branch rather than a PR. It also enables us to build and test the HCP image on a scheduled nightly cadence, which we've also enabled.

As part of these changes I also added support for specifying which environment you want to test and threaded it through the cloud scenario now that there are multiple variants. We also make the testing workflow workflow_dispatch-able so that we can trigger HVD testing for any custom image in any environment without building a new image.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-01-26 22:27:10 +00:00
Vault Automation
aa1349f5a5
actions(runners): add backup self-hosted runner types (#11884) (#11937)
* actions(runners): add backup self-hosted runner types

We've previously added backup runner types for various self-hosted
runners but were not exhaustive. This change adds at least one backup
instance type to each specified on-demand runner type.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-01-23 21:12:52 +00:00
Vault Automation
e745f92bc5
actions: pin to latest actions (#11818) (#11909)
- actions/cache -> v5.0.2: A bugfix around not retrying cache entries on
  429s.
- actions/setup-go -> v6.2.0: NodeJS bump and internal actions/cache
  bump. We don't use the caching in setup-go so this ought to have no
  impact for us.
- actions/setup-node -> v6.2.0: internal bump of actions/cache.
- pnpm/action-setup -> v4.2.0: Adds support for .npmrc file.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-01-22 20:38:08 +00:00
Vault Automation
964ab5a9b4
Backport VAULT-41683: fix false positive failure notification into ce/main (#11621)
Sometimes our CI slack message outputs the wrong information, most
notably the data race failure when only UI tests run but the UI tests
fail. In an effort to fix this false positive I noticed that there are
several error cases we didn't consider when creating the notification.
Now we only report which failures were detected in the message.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-01-12 22:09:44 +00:00
Vault Automation
d0e7118fd1
Remove chrome pin CI (#11670) (#11680)
* remove chrome pin

* restart ci test run

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
2026-01-09 12:43:29 -08:00
Vault Automation
12e793039a
[UI] - migrate to pnpm for JS package management (#11651) (#11661)
* move from yarn to pnpm for package management

* remove lodash.template patch override

* remove .yarn folder

* update GHA to use pnpm

* add @babel/plugin-proposal-decorators

* remove .yarnrc.yml

* add lock file to copywrite ignore

* add @codemirror/view as a dep for its types

* use more strict setting about peerDeps

* address some peerDep issues with ember-power-select and ember-basic-dropdown

* enable TS compilation for the kubernetes engine

* enable TS compilation in kv engine

* ignore workspace file

* use new headless mode in CI

* update enos CI scenarios

* add qs and express resolutions

* run 'pnpm up glob' and 'pnpm up js-yaml' to upgrade those packages

* run 'pnpm up preact' because posthog-js had a vulnerable install. see https://github.com/advisories/GHSA-36hm-qxxp-pg3

* add work around for browser timeout errors in test

* update other references of yarn to pnpm

Co-authored-by: Matthew Irish <39469+meirish@users.noreply.github.com>
2026-01-09 11:45:14 -06:00
Vault Automation
354216300a
Remove esoteric builds (#11528) (#11559)
* Remove esoteric builds

Builds we want gone:
- NetBSD (386/amd64/arm)
- OpenBSD (386/amd64/arm)
- Solaris
- FreeBSD (arm)
- Linux (arm)

* trying to make the linter happy

Co-authored-by: Josh Black <raskchanky@gmail.com>
2025-12-29 22:38:56 +00:00
Vault Automation
e7965c8bdf
[VAULT-41294] docker: build OCI container images (#11545) (#11549)
This change does a few things that might not be obvious:

- We stop requesting the previous runner image. This will result in us
  using Docker 29 instead of 28. With this comes changes in our
  container build system, most notably that container images are now
  exported as OCI images. Every container runtime that we support also
  supports OCI images so this ought to have no meaningful impact to
  downstream users. One noticeable change is that the image layers are
  now compressed so the final image size on disk will be considerably
  smaller than before.

- Upgrade `hashicorp/action-setup-enos` to the latest version. This is not
  strictly required for this change but as we just released a new version of
  the CLI it makes sense to update it here. We should also note that recently
  we released a new version of `terraform-provider-enos` which contains
  necessary for this change as our docker and kind resources needed to be
  updated to handle OCI and Docker exported images. Previously they relied on
  files that existed only in Docker images.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2025-12-29 10:58:02 -08:00
Vault Automation
7b470708ac
[VAULT-41521] enos(ec2_infor): update scenario base images (#11508) (#11533)
Update the base images for all scenarios:

- RHEL: upgrade base image for 10 to 10.1
- RHEL: upgrade base image for 9 to 9.7
- SLES: upgrade base image for 15 to 15.7
- SLES: add SLES 16.0 to the matrix
- OpenSUSE: remove OpenSUSE Leap from the matrix

I ended up removing OpenSUSE because the images that we were on were rarely updated and that resulted in very slow scenarios because of package upgrades. Also, despite the latest release being in October I didn't find any public cloud images produced for the new version of Leap. We can consider adding it back later but I'm comfortable just leaving SLES 15 and 16 in there for that test coverage.

I also ended up fixing a bug in our integration host setup where we'd provision three nodes instead of one. That ought to result in many fewer instance provisions per scenario. I also had to make a few small tweaks in how we detected whether or not SELinux is enabled, as the prior implementation did not work for SLES 16.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2025-12-22 14:17:51 -07:00
Vault Automation
59b23f628f
use 'stable' instead of .go-version for the security scanner (#11374) (#11463)
* use 'stable' instead of .go-version for the security scanner

if we don't do this, the security scanner might not run because it's
using a different version of Go than what we have on whatever release
branch this is running on.

* update branches the scanner runs on

Co-authored-by: Josh Black <raskchanky@gmail.com>
2025-12-19 15:45:41 -08:00