diff --git a/.github/actions/go-cache/action.sh b/.github/actions/go-cache/action.sh
new file mode 100755
index 000000000..9aca212aa
--- /dev/null
+++ b/.github/actions/go-cache/action.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+#
+# This script sets up cigocacher, but should never fail the build if unsuccessful.
+# It expects to run on a GitHub-hosted runner, and connects to cigocached over a
+# private Azure network that is configured at the runner group level in GitHub.
+#
+# Usage: ./action.sh
+# Inputs:
+# URL: The cigocached server URL.
+# Outputs:
+# success: Whether cigocacher was set up successfully.
+
+set -euo pipefail
+
+if [ -z "${GITHUB_ACTIONS:-}" ]; then
+ echo "This script is intended to run within GitHub Actions"
+ exit 1
+fi
+
+if [ -z "$URL" ]; then
+ echo "No cigocached URL is set, skipping cigocacher setup"
+ exit 0
+fi
+
+JWT="$(curl -sSL -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=gocached" | jq -r .value)"
+# cigocached serves a TLS cert with an FQDN, but DNS is based on VM name.
+HOST_AND_PORT="${URL#http*://}"
+FIRST_LABEL="${HOST_AND_PORT/.*/}"
+BODY="$(jq -n --arg jwt "$JWT" '{"jwt": $jwt}')"
+CIGOCACHER_TOKEN="$(curl -sSL --connect-to "$HOST_AND_PORT:$FIRST_LABEL:" -H "Content-Type: application/json" "$URL/auth/exchange-token" -d "$BODY" | jq -r .access_token)"
+if [ -z "$CIGOCACHER_TOKEN" ]; then
+ echo "Failed token exchange with cigocached, skipping cigocacher setup"
+ exit 0
+fi
+
+# Wait until we successfully auth before building cigocacher to ensure we know
+# it's worth building.
+# TODO(tomhjp): bake cigocacher into runner image and use it for auth.
+echo "Fetched cigocacher token successfully"
+echo "::add-mask::${CIGOCACHER_TOKEN}"
+./tool/go build -o /tmp/cigocacher ./cmd/cigocacher
+echo "GOCACHEPROG=/tmp/cigocacher --cigocached-url $URL --token ${CIGOCACHER_TOKEN}" >> "$GITHUB_ENV"
+echo "success=true" >> "$GITHUB_OUTPUT"
\ No newline at end of file
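Review bot: The empty-string check on `CIGOCACHER_TOKEN` does not catch a failed exchange, because `jq -r .access_token` prints the literal `null` when the response lacks that field; the script would then register `null` with `::add-mask::` and export a `GOCACHEPROG` carrying a bogus token. Use `jq -r '.access_token // empty'` (and likewise `.value // empty` for `JWT`), and add `-f` to both `curl` calls so HTTP error bodies are not parsed as a successful response. Separately, under `set -euo pipefail` a failing `curl | jq` pipeline or an unset `ACTIONS_ID_TOKEN_REQUEST_TOKEN` (presumably the case when the job lacks `id-token: write`) aborts the script with a non-zero status, which contradicts the header's promise never to fail the build; reference it as `${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}` and append `|| true` inside the two command substitutions. Since the OIDC JWT is posted to `$URL`, it is also worth skipping setup when the URL does not start with `https://`.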
diff --git a/.github/actions/go-cache/action.yml b/.github/actions/go-cache/action.yml index f423896a1..69bc22d90 100644 --- a/.github/actions/go-cache/action.yml +++ b/.github/actions/go-cache/action.yml @@ -12,21 +12,15 @@ inputs: outputs: success: description: Whether cigocacher was set up successfully - value: ${{ steps.setup-env.outputs.success }} + value: ${{ steps.setup.outputs.success }} runs: using: composite steps: - - name: Setup env - id: setup-env + - name: Setup cigocacher + id: setup shell: bash + env: + URL: ${{ inputs.cigocached-url }} working-directory: ${{ inputs.checkout-path }} - run: | - ./tool/go build -o /tmp/cigocacher ./cmd/cigocacher - CIGOCACHER_TOKEN="$(/tmp/cigocacher --cigocached-url ${{ inputs.cigocached-url }} --auth)" - if [ -n "$CIGOCACHER_TOKEN" ]; then - echo "Fetched cigocacher token successfully" - echo "::add-mask::${CIGOCACHER_TOKEN}" - echo "GOCACHEPROG=/tmp/cigocacher --cigocached-url ${{ inputs.cigocached-url }} --token ${CIGOCACHER_TOKEN}" >> "$GITHUB_ENV" - echo "success=true" >> "$GITHUB_OUTPUT" - fi \ No newline at end of file + run: ${{ github.action_path }}/action.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 402c628e4..24b7a0112 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -77,7 +77,7 @@ jobs: enableCrossOsArchive: true race-root-integration: - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: gomod-cache strategy: fail-fast: false # don't abort the entire matrix if one element fails @@ -129,7 +129,7 @@ jobs: buildflags: "-race" shard: '3/3' - goarch: "386" # thanks yaml - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: gomod-cache steps: - name: checkout @@ -302,7 +302,7 @@ jobs: privileged: needs: gomod-cache - runs-on: gocached-test + runs-on: ci-linux-github-1 container: image: golang:latest options: --privileged 
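Review bot: In action.yml the new `run:` line still splices an expression into the shell text unquoted, so an action path containing spaces or shell metacharacters would be word-split or interpreted; this is the same interpolation pattern the hunk removes for `inputs.cigocached-url` by moving it into `env:`. Prefer the environment variable GitHub sets for composite actions, quoted for the shell: `run: '"$GITHUB_ACTION_PATH/action.sh"'`. A short comment above the `env:` block, e.g. `# Passed via env, not expression interpolation, so the URL is never parsed as shell.`, would keep the reason visible to later editors.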
@@ -390,7 +390,7 @@ jobs: - goos: openbsd goarch: amd64 - runs-on: gocached-test + runs-on: ci-linux-github-1 steps: - name: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -448,7 +448,7 @@ jobs: ios: # similar to cross above, but iOS can't build most of the repo. So, just # make it build a few smoke packages. - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: gomod-cache steps: - name: checkout @@ -493,7 +493,7 @@ jobs: - goos: illumos goarch: amd64 - runs-on: gocached-test + runs-on: ci-linux-github-1 steps: - name: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -546,7 +546,7 @@ jobs: # similar to cross above, but android fails to build a few pieces of the # repo. We should fix those pieces, they're small, but as a stepping stone, # only test the subset of android that our past smoke test checked. - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: gomod-cache steps: - name: checkout @@ -577,7 +577,7 @@ jobs: GOARCH: arm64 wasm: # builds tsconnect, which is the only wasm build we support - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: gomod-cache steps: - name: checkout @@ -633,7 +633,7 @@ jobs: find $(go env GOCACHE) -type f -mmin +90 -delete tailscale_go: # Subset of tests that depend on our custom Go toolchain. - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: gomod-cache steps: - name: checkout @@ -668,7 +668,7 @@ jobs: # explicit 'if' condition, because the default condition for steps is # 'success()', meaning "only run this if no previous steps failed". if: github.event_name == 'pull_request' - runs-on: gocached-test + runs-on: ci-linux-github-1 steps: - name: build fuzzers id: build @@ -724,7 +724,7 @@ jobs: path: ${{ env.artifacts_path }}/out/artifacts depaware: - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: gomod-cache steps: - name: checkout 
@@ -750,7 +750,7 @@ jobs: run: make depaware go_generate: - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: gomod-cache steps: - name: checkout @@ -780,7 +780,7 @@ jobs: git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1) go_mod_tidy: - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: gomod-cache steps: - name: checkout @@ -808,7 +808,7 @@ jobs: git diff --name-only --exit-code || (echo "Please run 'make tidy'"; exit 1) licenses: - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: gomod-cache steps: - name: checkout @@ -834,7 +834,7 @@ jobs: ./tool/go test -v -run=TestLicenseHeaders staticcheck: - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: gomod-cache name: staticcheck (${{ matrix.name }}) strategy: @@ -914,7 +914,7 @@ jobs: - go_mod_tidy - licenses - staticcheck - runs-on: gocached-test + runs-on: ci-linux-github-1 steps: - name: notify # Only notify slack for merged commits, not PR failures. @@ -943,7 +943,7 @@ jobs: merge_blocker: if: always() - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: - android - test @@ -971,7 +971,7 @@ jobs: # tests anywhere, really, but a flaky test here prevents merging.) check_mergeability_strict: if: always() - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: - android - cross @@ -992,7 +992,7 @@ jobs: check_mergeability: if: always() - runs-on: gocached-test + runs-on: ci-linux-github-1 needs: - check_mergeability_strict - test