Enterprise-CMCS · ben-harvey · Sep 27, 2022 · Sep 22, 2022 · Sep 26, 2022 · Sep 26, 2022
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -1,97 +1,134 @@
-name: docker-build
+name: Build and push
 
-on: [push]
+on: push
 
 jobs:
-  build:
+  set-runner-uuid:
+    name: Set runner UUID
     runs-on: ubuntu-latest
-    env:
-      DO_DEPLOY: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+    outputs:
+      runner-uuid: ${{ steps.set-uuid.outputs.runner-uuid }}
     steps:
-      - uses: actions/checkout@v3
-      - uses: engineerd/[email protected]
-        with:
-          version: "v0.11.1"
-      - name: Create env var for docker tag
-        run: echo "TAG=$(date +%s)" >> "$GITHUB_ENV"
-      - name: Create env var for git sha tag
-        run: echo "HASH=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV"
-      - name: Create env var for ECR repo
-        run:  echo "ECR_REPOSITORY=github-actions-runner" >> "$GITHUB_ENV"
-      - name: Configure AWS Credentials
+      - name: Set UUID for the runner
+        id: set-uuid
+        run: echo "::set-output name=runner-uuid::$(uuidgen)"
+
+  build-and-run:
+    name: Build, test, and run the runner image
+    runs-on: ubuntu-latest
+    needs: set-runner-uuid
+    outputs:
+      sha-tag: ${{ steps.set-sha-tag.outputs.sha-tag }}
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@v3
+
+      - name: Configure AWS credentials
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: "us-east-1"
         uses: aws-actions/configure-aws-credentials@v1
-      - name: Login to Amazon ECR
+
+      - name: Log in to ECR
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v1
-      - name: Build the Docker image
-        env:
-          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-        run: docker build . --file Dockerfile --tag $ECR_REGISTRY/$ECR_REPOSITORY:${TAG} --tag $ECR_REGISTRY/$ECR_REPOSITORY:latest --tag $ECR_REGISTRY/$ECR_REPOSITORY:${HASH}
+
+      - name: Set short SHA for tag
+        id: set-sha-tag
+        run: echo "::set-output name=sha-tag::$(git rev-parse --short "$GITHUB_SHA")"
+
+      - name: Set SHA tag for Docker image
+        run: echo "SHA_TAG=${{ steps.login-ecr.outputs.registry }}/github-actions-runner:${{ steps.set-sha-tag.outputs.sha-tag }}" >> $GITHUB_ENV
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          load: true # export a tarball so we can test the image locally before pushing
+          tags: ${{ env.SHA_TAG }}
+          cache-from: type=gha # use the GitHub Cache API
+          cache-to: type=gha,mode=max
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
-        env:
-          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
         with:
-          image-ref: '${{env.ECR_REGISTRY}}/${{env.ECR_REPOSITORY}}:${{env.HASH}}'
-          format: 'table'
-          exit-code: '1'
+          image-ref: ${{ env.SHA_TAG }}
+          format: "table"
+          exit-code: "1"
           ignore-unfixed: true
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
-      - name: Run Dockle for docker best practices
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+
+      - name: Run Dockle image linter
         uses: hands-lab/dockle-action@v1
         env:
           DOCKLE_ACCEPT_FILE_EXTENSIONS: pem
         with:
-          image: '${{steps.login-ecr.outputs.registry}}/${{env.ECR_REPOSITORY}}:${{env.HASH}}'
-          exit-code: '1'
-      - name: Push docker image to Amazon ECR with just HASH
-        env:
-          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-        run: |
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY:${HASH}
-      - name: Setup namespace and secrets
-        env:
-          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          image: ${{ env.SHA_TAG }}
+          exit-code: "1"
+
+      - name: Push Docker image to ECR with just SHA tag
         run: |
-          kubectl create ns gitaction
-          kubectl create secret docker-registry ecrcred \
-            --docker-server=$ECR_REGISTRY \
-            --docker-username=AWS \
-            --docker-password=$(aws ecr get-login-password) \
-            --namespace=gitaction
-          kubectl create secret generic github-secret \
-            --from-literal=PERSONAL_ACCESS_TOKEN=${{ secrets.ROBOT_MAC_FC_TOKEN }} \
-            --type='opaque' \
-            --namespace=gitaction
-      - name: Running image in kind
+          docker push ${{ env.SHA_TAG }}
+
+      - name: Run Docker image
         run: |
-          sed -i 's/LATEST_IMAGE_REF/${{steps.login-ecr.outputs.registry}}\/${{env.ECR_REPOSITORY}}:${{env.HASH}}/g' kube-manifest.yml
-          kubectl apply -f kube-manifest.yml
-          while [[ $(kubectl get pods -n gitaction -l app=runner -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for pod" && sleep 15; done
-          until kubectl logs -n gitaction -l app=runner | grep "Listening for Jobs"; do echo "waiting for runner to connect to github" && sleep 5; done
-      - name: Test GH API to see runner was actually registered and online
+          docker run --rm \
+          -e REPO_OWNER=CMSgov \
+          -e REPO_NAME=github-actions-runner-aws \
+          -e PERSONAL_ACCESS_TOKEN=${{ secrets.ROBOT_MAC_FC_TOKEN}} \
+          -e RUNNER_UUID=${{ needs.set-runner-uuid.outputs.runner-uuid }} \
+          ${{ env.SHA_TAG }}
+
+  wait-for-runner:
+    name: Wait for the runner to be ready
+    needs: set-runner-uuid
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Poll the GitHub Actions API until the runner is registered and online
         run: |
-          curl -s \
-            -H "Accept: application/vnd.github.v3+json" \
-            -u robot-mac-fc:${{ secrets.ROBOT_MAC_FC_TOKEN }} \
-            https://api.github.com/repos/CMSgov/github-actions-runner-aws/actions/runners \
-          | grep "online"
-      - name: Test our internal runner with call to separate workflow
-        uses: convictional/[email protected]
+          until \
+            curl -s \
+              -H "Accept: application/vnd.github.v3+json" \
+              -u robot-mac-fc:${{ secrets.ROBOT_MAC_FC_TOKEN }} \
+              https://api.github.com/repos/CMSgov/github-actions-runner-aws/actions/runners \
+            | jq -e '.runners | .[] | select(.name == "${{ needs.set-runner-uuid.outputs.runner-uuid }}") | .status == "online"' >/dev/null
+          do
+            echo "Waiting for runner ${{ needs.set-runner-uuid.outputs.runner-uuid }} to be ready" && sleep 10
+          done
+          echo "Runner ${{ needs.set-runner-uuid.outputs.runner-uuid }} is ready"
+
+  test-runner:
+    name: Test the runner
+    needs: [wait-for-runner, set-runner-uuid]
+    runs-on:
+      - self-hosted
+      - ${{ needs.set-runner-uuid.outputs.runner-uuid }}
+    steps:
+      - name: step 1
+        run: echo "Self-hosted runner test was successful!"
+
+  add-tag-if-main:
+    name: Add 'latest' tag to image if branch is 'main'
+    if: ${{ github.ref == 'refs/heads/main' }}
+    needs: [test-runner, build-and-run]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS credentials
         with:
-          owner: ${{ github.repository_owner }}
-          repo: ${{ github.event.repository.name }}
-          ref: ${{ github.ref }}
-          github_token: ${{ secrets.ROBOT_MAC_FC_TOKEN }}
-          workflow_file_name: runner-test.yml
-      - name: Push docker image to Amazon ECR with all tags
-        if: ${{ fromJSON(env.DO_DEPLOY) }}
-        env:
-          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-        run: |
-          docker push $ECR_REGISTRY/$ECR_REPOSITORY --all-tags
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: "us-east-1"
+        uses: aws-actions/configure-aws-credentials@v1
+
+      - name: Add 'latest' tag to image
+        uses: abronin/ecr-retag-action@v1
+        with:
+          repository: github-actions-runner
+          tag: ${{ needs.build-and-run.outputs.sha-tag }}
+          new-tags: latest
diff --git a/.github/workflows/runner-test.yml b/.github/workflows/runner-test.yml
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -9,7 +9,8 @@ REGISTRATION_TOKEN=$(curl -s -X POST \
     -H "Authorization: token ${PERSONAL_ACCESS_TOKEN}" \
     "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/actions/runners/registration-token" | jq -r .token)
 
-UNIQUE_ID=$(uuidgen)
+# Use the RUNNER_UUID env var if it exists
+UNIQUE_ID=${RUNNER_UUID:-$(uuidgen)}
 
 # Register the runner:
 # - disable updates since we manage them manually via the container image
@@ -21,6 +22,7 @@ UNIQUE_ID=$(uuidgen)
       --url "https://github.com/${REPO_OWNER}/${REPO_NAME}" \
       --token "${REGISTRATION_TOKEN}" \
       --name "${UNIQUE_ID}" \
+      --labels "${UNIQUE_ID}" \
       --work ../work-dir \
       --replace \
       --disableupdate \

diff --git a/kube-manifest.yml b/kube-manifest.yml