1 | #!/usr/bin/env bash
|
2 | #
|
3 | # Usage:
|
4 | # soil/github-actions.sh <function name>
|
5 |
|
6 | set -o nounset
|
7 | set -o pipefail
|
8 | set -o errexit
|
9 |
|
10 | keygen() {
|
11 | # rsa_github_actions is private, and sent to Github to log into the server
|
12 | # rsa_github_actions.pub is public, and put in authorized_keys on the server
|
13 | ssh-keygen -t rsa -b 4096 -C "oilshell github-actions" -f rsa_github_actions
|
14 | }
|
15 |
|
16 | #
|
17 | # Run remotely
|
18 | #
|
19 |
|
20 | publish-html-assuming-ssh-key() {
|
21 | local job_name=$1
|
22 | local update_status_api=${2:-}
|
23 |
|
24 | if true; then
|
25 | # https://docs.github.com/en/actions/reference/environment-variables
|
26 |
|
27 | # Recommended by the docs
|
28 | export JOB_URL="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
|
29 |
|
30 | soil/web-worker.sh deploy-job-results 'github-' $GITHUB_RUN_NUMBER $job_name \
|
31 | JOB_URL \
|
32 | GITHUB_WORKFLOW \
|
33 | GITHUB_RUN_ID \
|
34 | GITHUB_RUN_NUMBER \
|
35 | GITHUB_JOB \
|
36 | GITHUB_ACTION \
|
37 | GITHUB_REF \
|
38 | GITHUB_PR_NUMBER \
|
39 | GITHUB_PR_HEAD_REF \
|
40 | GITHUB_PR_HEAD_SHA
|
41 | else
|
42 | soil/web-worker.sh deploy-test-wwz # dummy data that doesn't depend on the build
|
43 | fi
|
44 |
|
45 | # Calls rewrite-jobs-index and cleanup-jobs-index
|
46 | time soil/web-worker.sh remote-event-job-done 'github-' $GITHUB_RUN_NUMBER
|
47 |
|
48 | if test -n "$update_status_api"; then
|
49 | soil/web-worker.sh scp-status-api "$GITHUB_RUN_ID" "$job_name"
|
50 | soil/web-worker.sh remote-cleanup-status-api
|
51 | fi
|
52 | }
|
53 |
|
54 | # Notes on Github secrets:
|
55 |
|
56 | # - "Secrets are environment variables that are encrypted. Anyone with
|
57 | # collaborator access to this repository can use these secrets for Actions."
|
58 | #
|
59 | # - "Secrets are not passed to workflows that are triggered by a pull request from a fork"
|
60 | #
|
61 | # TODO: We're not following the principle of least privilege! Really we should
|
62 | # have an "append-only" capability? So then pull requests from untrusted forks
|
63 | # can trigger builds?
|
64 | #
|
65 | # Instead of SSH, we should use curl to POST a .zip file to PHP script on
|
66 | # travis-ci.oilshell.org?
|
67 |
|
68 | load-secret-key() {
|
69 | local privkey=/tmp/rsa_github_actions
|
70 |
|
71 | if test -n "${TOIL_KEY:-}"; then
|
72 | echo "$TOIL_KEY" > $privkey
|
73 | else
|
74 | echo '$TOIL_KEY not set'
|
75 | exit 1
|
76 | fi
|
77 |
|
78 | chmod 600 $privkey
|
79 | eval "$(ssh-agent -s)"
|
80 | ssh-add $privkey
|
81 | }
|
82 |
|
83 |
|
84 | # Overwrites the function in soil/travis.sh
|
85 | publish-html() {
|
86 | ### Publish job HTML, and optionally status-api
|
87 |
|
88 | load-secret-key
|
89 |
|
90 | set -x
|
91 | # $1 can be the job name
|
92 | publish-html-assuming-ssh-key "$@"
|
93 | }
|
94 |
|
95 | publish-cpp-tarball() {
|
96 | load-secret-key
|
97 |
|
98 | soil/web-worker.sh publish-cpp-tarball github-
|
99 | }
|
100 |
|
101 | # Don't need this because Github Actions has it pre-installed.
|
102 | install-podman() {
|
103 | sudo apt-get install -y podman
|
104 | podman --version
|
105 | }
|
106 |
|
107 | run-job() {
|
108 | ### Called by YAML config
|
109 |
|
110 | # Unlike sourcehut, Github Actions runs one job per machine. So we fix the
|
111 | # mount permissions and run the job in one step.
|
112 |
|
113 | local job_name=$1
|
114 | local docker=${2:-docker}
|
115 |
|
116 | # I think it starts in the repo
|
117 | # cd $REPO_ROOT
|
118 |
|
119 | soil/host-shim.sh mount-perms $REPO_ROOT
|
120 | echo
|
121 | echo
|
122 |
|
123 | soil/host-shim.sh run-job-uke $docker $REPO_ROOT $job_name
|
124 | }
|
125 |
|
126 | publish-and-exit() {
|
127 | ### Called by YAML config
|
128 | local job_name=$1
|
129 | # second param is passed to publish-html
|
130 |
|
131 | # Unlike sourcehut, Github Actions runs one job per machine. So we publish
|
132 | # HTML and exit in one step.
|
133 |
|
134 | publish-html "$@"
|
135 |
|
136 | soil/host-shim.sh did-all-succeed $job_name
|
137 | }
|
138 |
|
139 | "$@"
|