upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-02-03 20:40:45 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
vault/.github/workflows/ci.yml
Vault Automation 12e793039a
[UI] - migrate to pnpm for JS package management (#11651) (#11661) 
* move from yarn to pnpm for package management

* remove lodash.template patch override

* remove .yarn folder

* update GHA to use pnpm

* add @babel/plugin-proposal-decorators

* remove .yarnrc.yml

* add lock file to copywrite ignore

* add @codemirror/view as a dep for its types

* use more strict setting about peerDeps

* address some peerDep issues with ember-power-select and ember-basic-dropdown

* enable TS compilation for the kubernetes engine

* enable TS compilation in kv engine

* ignore workspace file

* use new headless mode in CI

* update enos CI scenarios

* add qs and express resolutions

* run 'pnpm up glob' and 'pnpm up js-yaml' to upgrade those packages

* run 'pnpm up preact' because posthog-js had a vulnerable install. see https://github.com/advisories/GHSA-36hm-qxxp-pg3

* add work around for browser timeout errors in test

* update other references of yarn to pnpm

Co-authored-by: Matthew Irish <39469+meirish@users.noreply.github.com>
2026-01-09 11:45:14 -06:00

529 lines
24 KiB
YAML
Raw Blame History

name: CI
on:
pull_request:
# The default types for pull_request are [opened, synchronize, reopened]. This is insufficient
# for our needs, since we're skipping stuff on PRs in draft mode.By adding the ready_for_review
# type, when a draft pr is marked ready, we run everything, including the stuff we'd have
# skipped up until now.
types:
- opened
- synchronize
- reopened
- ready_for_review
push:
branches:
- main
- release/**
- ce/**
workflow_dispatch:
concurrency:
group: ${{ github.head_ref || github.run_id }}-ci
cancel-in-progress: true
jobs:
setup:
runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
permissions: write-all # vault-auth
outputs:
changed-files: ${{ steps.changed-files.outputs.changed-files }}
checkout-ref: ${{ steps.checkout.outputs.ref }}
compute-small: ${{ steps.metadata.outputs.compute-small }}
compute-test-go: ${{ steps.metadata.outputs.compute-test-go }}
compute-test-ui: ${{ steps.metadata.outputs.compute-test-ui }}
go-tags: ${{ steps.metadata.outputs.go-tags }}
is-draft: ${{ steps.metadata.outputs.is-draft }}
is-ent-branch: ${{ steps.metadata.outputs.is-ent-branch }}
is-ent-repo: ${{ steps.metadata.outputs.is-ent-repo }}
is-fork: ${{ steps.metadata.outputs.is-fork }}
labels: ${{ steps.metadata.outputs.labels }}
workflow-trigger: ${{ steps.metadata.outputs.workflow-trigger }}
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
# Make sure we check out correct ref based on PR labels and such
- uses: ./.github/actions/checkout
id: checkout
- uses: ./.github/actions/metadata
id: metadata
# Get the elevated github token
- if: steps.metadata.outputs.is-ent-repo == 'true'
id: vault-auth
name: Vault Authenticate
run: vault-auth
- if: steps.metadata.outputs.is-ent-repo == 'true'
id: vault-secrets
name: Fetch Vault Secrets
uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/${{ github.repository }}/github-token token | ELEVATED_GITHUB_TOKEN;
# Determine the changed files
- uses: ./.github/actions/changed-files
id: changed-files
with:
github-token: ${{ steps.metadata.outputs.is-ent-repo != 'true' && secrets.ELEVATED_GITHUB_TOKEN || steps.vault-secrets.outputs.ELEVATED_GITHUB_TOKEN }}
- name: Ensure Go modules are cached
uses: ./.github/actions/set-up-go
with:
github-token: ${{ steps.metadata.outputs.is-ent-repo != 'true' && secrets.ELEVATED_GITHUB_TOKEN || steps.vault-secrets.outputs.ELEVATED_GITHUB_TOKEN }}
no-restore: true # don't download them on a cache hit
# Make sure all required vault tools are cached at this point. We don't want all of the Go
# tests and build jobs to build the tools and race to upload them to the cache.
- uses: ./.github/actions/install-tools
name: Ensure Vault tools are cached
with:
# Don't download them on a cache hit during setup, just make sure they're cached before
# subsequent workflows are run.
no-restore: true
test-autopilot-upgrade:
name: Run Autopilot upgrade tool
# Run the Autopilot upgrade tests if:
# - The Autopilot code has changed.
# - We're in the context of the vault enterprise repository and enterprise branch.
# - The workflow was triggered by a push to main or a PR targeting main.
#
# The reason for the main branch restriction, is that the logic for automatically determining the source versions
# to test depends on the .release/versions.hcl file, which might not be up-to-date nor exist outside of main.
# If you'd like to run the autopilot tests for a specific git checkout or set of source versions,
# you can manually trigger the workflow, see the .github/workflows/run-apupgrade-tests-ent.yml file in the ENT repo.
if: |
contains(fromJSON(needs.setup.outputs.changed-files).groups, 'autopilot') &&
needs.setup.outputs.is-ent-branch == 'true' &&
(github.base_ref == 'main' || github.ref == 'refs/heads/main')
needs: setup
permissions:
id-token: write
contents: read
runs-on: ${{ fromJSON(needs.setup.outputs.compute-small) }}
steps:
- name: Check out the .release/versions.hcl file from Vault Enterprise repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
ref: ${{ needs.setup.outputs.checkout-ref }}
sparse-checkout: |
.release/versions.hcl
.github
- name: Get Vault versions to test
id: get-versions
env:
GH_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
run: |
# Change to the Vault Enterprise repository directory or exit if it fails
cd "${GITHUB_WORKSPACE}" || exit 1
# Extract active major versions from the versions.hcl file, which is used for managing active release branches
active_major_versions=$(grep -Eo 'version\s+"[0-9]+\.[0-9]+\.x"' .release/versions.hcl | sed -E 's/version\s+"([0-9]+\.[0-9]+)\.x"/\1/')
active_major_versions=$(sort <<< "${active_major_versions}")
# List releases from the GitHub repository, process them with sed, and sort them in reverse order
releases=$(gh -R hashicorp/vault-enterprise release list --exclude-drafts --exclude-pre-releases --json=name --jq '.[].name' | \
sed -E 's/^v([0-9]+\.[0-9]+\.[0-9]+(\-rc[0-9]+)?)\+ent$/\1/' | \
sort -r)
# Initialize a variable to collect matched versions
matched_versions=""
# Read each version from the active major versions and match it against the newest release available
while IFS= read -r version; do
match=$(grep -m 1 "^${version}" <<< "${releases}" || true)
if [ -n "${match}" ]; then
if [ -n "${matched_versions}" ]; then
matched_versions+=","
fi
# Append the matched version to the variable, adding the +ent suffix, which is used for Vault Enterprise releases
matched_versions+="${match}+ent"
fi
done <<< "${active_major_versions}"
# Export the matched versions as a comma-separated string to an environment variable
echo "VAULT_SOURCE_VERSIONS=${matched_versions}" >> "${GITHUB_ENV}"
- name: Run Autopilot upgrade tests
uses: ./.github/actions/run-apupgrade-tests
env:
GOPATH: /home/runner/go
GOPRIVATE: github.com/hashicorp/*
with:
checkout-ref: ${{ needs.setup.outputs.checkout-ref }}
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
source-versions: ${{ env.VAULT_SOURCE_VERSIONS }}
test-go:
# Run Go tests if the vault app changed
if: |
contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app') ||
contains(fromJSON(needs.setup.outputs.changed-files).groups, 'gotoolchain') ||
contains(fromJSON(needs.setup.outputs.changed-files).groups, 'pipeline')
name: Run Go tests
needs: setup
uses: ./.github/workflows/test-go.yml
with:
# The regular Go tests use an extra runner to execute the binary-dependent tests. We isolate
# them there so that the other tests aren't slowed down waiting for a binary build.
binary-tests: true
checkout-ref: ${{ needs.setup.outputs.checkout-ref }}
go-arch: amd64
go-tags: '${{ needs.setup.outputs.go-tags }},deadlock'
name: standard
runs-on: ${{ needs.setup.outputs.compute-test-go }}
runs-on-small: ${{ needs.setup.outputs.compute-small }}
test-timing-cache-key: go-test-timing-standard-${{ needs.setup.outputs.is-ent-branch && 'ent' || 'ce' }}
total-runners: 16
secrets: inherit
test-go-testonly:
# Run Go tests tagged with "testonly" if the vault app changed
if: |
contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app') ||
contains(fromJSON(needs.setup.outputs.changed-files).groups, 'gotoolchain')
name: Run Go tests tagged with testonly
needs: setup
uses: ./.github/workflows/test-go.yml
with:
checkout-ref: ${{ needs.setup.outputs.checkout-ref }}
go-arch: amd64
go-tags: '${{ needs.setup.outputs.go-tags }},deadlock,testonly'
name: testonly
runs-on: ${{ needs.setup.outputs.compute-test-go }}
runs-on-small: ${{ needs.setup.outputs.compute-small }}
testonly: true
test-timing-cache-restore: false
test-timing-cache-save: false
total-runners: 2 # test runners cannot be less than 2
secrets: inherit
test-go-race:
# Run Go test with the data race detector enabled if the vault app changed and we're out of
# drafts mode.
if: |
needs.setup.outputs.is-draft == 'false' &&
(
contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app') ||
contains(fromJSON(needs.setup.outputs.changed-files).groups, 'gotoolchain')
)
name: Run Go tests with data race detection
needs: setup
uses: ./.github/workflows/test-go.yml
with:
checkout-ref: ${{ needs.setup.outputs.checkout-ref }}
env-vars: |
{
"VAULT_CI_GO_TEST_RACE": 1
}
extra-flags: '-race'
name: race
go-arch: amd64
go-tags: ${{ needs.setup.outputs.go-tags }}
runs-on: ${{ needs.setup.outputs.compute-test-go }}
runs-on-small: ${{ needs.setup.outputs.compute-small }}
test-timing-cache-key: go-test-timing-race-${{ needs.setup.outputs.is-ent-branch && 'ent' || 'ce' }}
total-runners: 16
secrets: inherit
test-go-fips:
name: Run Go tests with FIPS configuration
# Run the Go tests with fips if the vault app changed, we're in the context vault enterprise
# and our trigger is a merge to main or releases/* or if the 'fips' label is present on a PR.
if: |
contains(fromJSON(needs.setup.outputs.changed-files).groups, 'app') &&
needs.setup.outputs.is-ent-branch == 'true' &&
(
needs.setup.outputs.workflow-trigger == 'push' || contains(needs.setup.outputs.labels, 'fips')
)
needs: setup
uses: ./.github/workflows/test-go.yml
with:
checkout-ref: ${{ needs.setup.outputs.checkout-ref }}
env-vars: |
{
"GOEXPERIMENT": "boringcrypto"
}
name: fips
go-arch: amd64
go-tags: '${{ needs.setup.outputs.go-tags }},deadlock,cgo,fips,fips_140_3'
runs-on: ${{ needs.setup.outputs.compute-test-go }}
runs-on-small: ${{ needs.setup.outputs.compute-small }}
test-timing-cache-key: go-test-timing-fips
total-runners: 16
secrets: inherit
test-ui:
name: Test UI
# Run the UI tests if our UI has changed, or a 'ui' label is present, or our workflow trigger
# was triggered by a merge to main or releases/*.
if: |
contains(fromJSON(needs.setup.outputs.changed-files).groups, 'ui') ||
needs.setup.outputs.workflow-trigger == 'push' ||
contains(needs.setup.outputs.labels, 'ui')
needs: setup
permissions:
id-token: write
contents: read
runs-on: ${{ fromJSON(needs.setup.outputs.compute-test-ui) }}
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
name: status
with:
ref: ${{ needs.setup.outputs.checkout-ref }}
- uses: ./.github/actions/set-up-go
with:
github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
- name: Install PNPM
uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
with:
run_install: false
package_json_file: './ui/package.json'
# Setup node.js with caching using the pnpm-lock.yaml file
- uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version-file: './ui/package.json'
cache: pnpm
cache-dependency-path: ui/pnpm-lock.yaml
- uses: browser-actions/setup-chrome@b94431e051d1c52dcbe9a7092a4f10f827795416 # v2.1.0
with:
# Temporarily pin our Chrome version while we sort out a broken test on latest
chrome-version: 1314712
- name: ui-dependencies
working-directory: ./ui
run: |
pnpm i
npm rebuild node-sass
- if: needs.setup.outputs.is-ent-repo != 'true'
name: Rebuild font cache on Github hosted runner
# Fix `Fontconfig error: No writable cache directories` error on Github hosted runners
# This seems to have been introduced with this runner image: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240818.1
# Hopefully this will resolve itself at some point with a newer image and we can remove it
run: fc-cache -f -v
- if: needs.setup.outputs.is-ent-repo == 'true'
id: vault-auth
name: Authenticate to Vault
run: vault-auth
- if: needs.setup.outputs.is-ent-repo == 'true'
id: secrets
name: Fetch secrets
uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/hashicorp/vault-enterprise/github-token username-and-token | PRIVATE_REPO_GITHUB_TOKEN;
kv/data/github/hashicorp/vault-enterprise/license license_1 | VAULT_LICENSE;
kv/data/github/${{ github.repository }}/datadog-ci DATADOG_API_KEY;
- if: needs.setup.outputs.is-ent-repo == 'true'
name: Set up Git
run: git config --global url."https://${{ steps.secrets.outputs.PRIVATE_REPO_GITHUB_TOKEN }}@github.com".insteadOf https://github.com
- uses: ./.github/actions/install-tools
- name: build-go-dev
run: |
rm -rf ./pkg
mkdir ./pkg
make prep dev
- name: test-ui
env:
VAULT_LICENSE: ${{ steps.secrets.outputs.VAULT_LICENSE }}
run: |
export PATH="${PWD}/bin:${PATH}"
# Run Ember tests
cd ui
mkdir -p test-results/qunit
pnpm ${{ needs.setup.outputs.is-ent-branch == 'true' && 'test' || 'test:oss' }}
- if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: test-results-ui
path: ui/test-results
- name: Prepare datadog-ci
if: (github.repository == 'hashicorp/vault' || github.repository == 'hashicorp/vault-enterprise') && (success() || failure())
continue-on-error: true
run: |
if type datadog-ci > /dev/null 2>&1; then
exit 0
fi
# Curl does not always exit 1 if things go wrong. To determine if this is successful
# we'll silence all non-error output and check the results to determine success.
if ! out="$(curl -sSL --fail https://github.com/DataDog/datadog-ci/releases/latest/download/datadog-ci_linux-x64 --output /usr/local/bin/datadog-ci 2>&1)"; then
printf "failed to download datadog-ci: %s" "$out"
fi
if [[ -n "$out" ]]; then
printf "failed to download datadog-ci: %s" "$out"
fi
chmod +x /usr/local/bin/datadog-ci
- name: Upload test results to DataDog
if: success() || failure()
continue-on-error: true
env:
DD_ENV: ci
run: |
if [[ ${{ github.repository }} == 'hashicorp/vault' ]]; then
export DATADOG_API_KEY=${{ secrets.DATADOG_API_KEY }}
fi
datadog-ci junit upload --service "$GITHUB_REPOSITORY" 'ui/test-results/qunit/results.xml'
- if: always()
uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2.4
with:
paths: "ui/test-results/qunit/results.xml"
show: "fail"
tests-completed:
needs:
- setup
- test-autopilot-upgrade
- test-go
- test-go-testonly
- test-go-race
- test-go-fips
- test-ui
if: always()
runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
permissions: write-all # Ensure we have id-token:write access for vault-auth.
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
# Determine the overall status of our required test jobs.
- name: Determine status
id: status
run: |
# Determine the overall status of the job. We allow fips and race tests to fail so we
# don't consider their result here.
#
# Encode the needs context into JSON, filter out unrequired workflows, shape the result
# into a more useful schema. Determine the overall status by comparing the total number of
# successful results with the number of required jobs.
if results=$(jq -rec 'del(.["test-go-fips"], .["test-go-race"]) as $required
| $required | keys as $jobs
| reduce $jobs[] as $job ([]; . + [{job: $job}+$required[$job]])' <<< '${{ toJSON(needs) }}'
); then
# Determine if all of our required jobs have succeeded.
if jq -rec 'length as $expected
| [.[] | select((.result == "success") or (.result == "skipped"))] | length as $got
| $expected == $got' <<< "$results"; then
msg="All required test jobs succeeded!"
result="success"
else
msg="One or more required test jobs failed!"
result="failed"
fi
else
msg="Failed to decode and filter test results"
result="failed"
results="''"
fi
{
echo "msg=${msg}"
echo "result=${result}"
echo "results<<EOFRESULTS"$'\n'"${results}"$'\n'EOFRESULTS
} | tee -a "$GITHUB_OUTPUT"
- if: needs.setup.outputs.is-ent-repo == 'true'
id: vault-auth
name: Vault Authenticate
run: vault-auth
- if: needs.setup.outputs.is-ent-repo == 'true'
id: secrets
name: Fetch Vault Secrets
uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
with:
url: ${{ steps.vault-auth.outputs.addr }}
caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
token: ${{ steps.vault-auth.outputs.token }}
secrets: |
kv/data/github/${{ github.repository }}/slack feed-vault-ci-official-webhook-url | slackbot-webhook-url;
- id: slackbot-webhook-url
run:
echo "slackbot-webhook-url=${{ needs.setup.outputs.is-ent-repo != 'true' && secrets.FEED_VAULT_CI_OFFICIAL_WEBHOOK_URL || steps.secrets.outputs.slackbot-webhook-url }}" >> "$GITHUB_OUTPUT"
- if: |
always() &&
needs.setup.outputs.workflow-trigger == 'push' &&
(
needs.test-go.result == 'failure' ||
needs.test-go-race.result == 'failure' ||
needs.test-go-race.outputs.data-race-result == 'failure' ||
needs.test-go-testonly.result == 'failure' ||
needs.test-ui.result == 'failure'
)
name: Notify build failures in Slack
uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
with:
errors: true # exit with an error if the payload is invalid
retries: rapid # retry if we're being rated limited
webhook: ${{ steps.slackbot-webhook-url.outputs.slackbot-webhook-url }}
webhook-type: incoming-webhook
payload: |
text: ${{ needs.setup.outputs.is-ent-branch == 'true' && 'vault-enterprise' || 'vault' }} test failures on ${{ github.ref_name }}
blocks:
- type: header
text:
type: plain_text
text: ':flashing-light: ${{ needs.setup.outputs.is-ent-branch == 'true' && 'vault-enterprise' || 'vault' }} test failures on ${{ github.ref_name }} :flashing-light:'
emoji: true
- type: divider
- type: section
text:
type: mrkdwn
text: |
${{ needs.test-go.result != 'failure' && ':white_check_mark:' || ':x:' }} Go tests
${{ needs.test-go-race.result != 'failure' && ':white_check_mark:' || ':x:' }} Go race tests
${{ needs.test-go-race.outputs.data-race-result != 'success' && ':x: Data race detected' || ':white_check_mark: No race detected' }}
${{ needs.test-go-testonly.result != 'failure' && ':white_check_mark:' || ':x:' }} Go testonly tests
${{ needs.test-ui.result != 'failure' && ':white_check_mark:' || ':x:' }} UI tests
accessory:
type: button
text:
type: plain_text
text: View Failing Workflow
emoji: true
url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
# Only create the PR summary if it's a pull request and it is not a fork as we need access
# to secrets.
- if: ${{ needs.setup.outputs.is-fork == 'false' }}
name: Download failure summaries
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
pattern: failure-summary-*.md
path: failure-summaries
merge-multiple: true
- if: ${{ needs.setup.outputs.is-fork == 'false' }}
id: prepare-failure-summary
name: Prepare failure summary
run: |
# Sort all of the summary table rows and push them to a temp file.
temp_file_name=temp-$(date +%s)
cat failure-summaries/*.md | sort >> "$temp_file_name"
# If there are test failures, present them in a format of a GitHub Markdown table.
if [ -s "$temp_file_name" ]; then
# Here we create the headings for the summary table
{
echo "| Test Type | Package | Test | Elapsed | Runner Index | Logs |"
echo "| --------- | ------- | ---- | ------- | ------------ | ---- |"
cat "$temp_file_name"
} >> "$GITHUB_STEP_SUMMARY"
else
if [ "${{ steps.status.outputs.result }}" == 'success' ]; then
echo "### All required Go tests passed! :white_check_mark:" >> "$GITHUB_STEP_SUMMARY"
fi
fi
{
echo 'table-test-results<<EOFTABLE'
cat "$temp_file_name"
echo EOFTABLE
} | tee -a "$GITHUB_OUTPUT"
- name: Create comment
if: github.head_ref != '' && needs.setup.outputs.is-fork == 'false'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
RUN_ID: ${{ github.run_id }}
REPO: ${{ github.event.repository.name }}
RESULT: ${{ steps.status.outputs.result }}
TABLE_DATA: ${{ steps.prepare-failure-summary.outputs.table-test-results }}
run: ./.github/scripts/report-ci-status.sh
- if: always() && steps.status.outputs.result != 'success'
name: Check for failed status
run: |
echo "${{ steps.status.outputs.msg }}: ${{ steps.status.outputs.results }}"
exit 1
Reference in a new issue View git blame Copy permalink