[CMSP-726] switch to gha (#116)

* add a test workflow * also run on release * add git config * add the docker-updatinator image * use v2 checkout(?) * add write permissions to the bot * run as root if this doesn't work, i will remove the updatinator container and re-test with the write permissions granted * add an ssh key to authenticate for whoami test * login to github with the right token * remove quay container and just use gh * set auth token perms to read all although we're overriding the token later, so this might not do anything * remove permissions entirely we shouldn't need it if we're overwriting the GITHUB_TOKEN * re-add write permissions * move the git config higher and output the status to see if we can figure out why we're getting bad credentials again * export the gh token * unset the existing GITHUB_TOKEN before using ours * make it a separate step also remove the permissions which might be why we're getting the message, too * also unset and export GH_TOKEN * use the actual token rather than variable we exported * allow ssh for debugging * move tmate to after failing test * allow other users to ssh in * maybe switching to false will actually let us log in? * try not running whoami we'll probably fail the tests but we can see if it's needed * I guess put stuff in here since we committed it to vc * add unset to the regular script * remove typo * remove --with-token * set tokens as env variables in the job * remove tmate couldn't get it to work * add tokens to test steps, too * unset tokens again * maybe don't need to auth? * okay, let's whoami with this token * use php 7.4 * install php 7.4 earlier * add mariadb for wp tests * add custom db name * define empty password for root user * use the updatinator container * grant write permissiosn * use container as root * pass env variables into the test step * install wp-cli * remove the root password since it's not part of the fixture * test the database * set root password to empty * try connecting with root password * set password to empty string * more database setup * change how we set the password * don't use PASSWORD() * remove the password for the blank password test * don't create the database * remove test workflow since it's converted to gha * rename deploy to publish * set test to run on tag creation rather than release creation * send dispatch so releases are chained from tests * change the trigger to repository_dispatch this should trigger only on tag creation after the tests have run * change the job name to publish * setup php this is mostly for composer purposes * get the tag name that was just created * publish the release * build the update-tool.phar * upload the phar to the release * delete circle workflow * Use GitHub test badge * update notes * use checkout@v3 * use a non-deprecated release action * one does not simply create a new tag Co-authored-by: Phil Tyler <[email protected]> --------- Co-authored-by: Phil Tyler <[email protected]>
pantheon-systems · Jan 11, 2024 · 5cbbbfa · 5cbbbfa
1 parent d26aaf4
commit 5cbbbfa
Show file tree

Hide file tree

Showing 4 changed files with 111 additions and 58 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,29 @@
+name: Deploy
+on:
+  repository_dispatch:
+    types: [tests-passed]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '7.4'
+      - name: Get tag name
+        id: tag_name
+        run: echo ::set-output name=tag::${GITHUB_REF#refs/tags/}
+      - name: Build phar
+        run: |
+          composer install
+          composer phar:build
+      - name: Publish Release
+        uses: ncipollo/release-action@v1
+        with:
+          artifacts: 'update-tool.phar'
+          artifactErrorsFailBuild: true
+          body: Version ${{ steps.tag_name.outputs.tag }}
+          generateReleaseNotes: true
+          makeLatest: true
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,76 @@
+name: Test
+on:
+  pull_request:
+  push:
+    tags:
+      - '*'
+
+permissions: write-all
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    services:
+      mariadb:
+        image: mariadb:10.5
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set PHP version
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 7.4
+      - name: Setup MySQL
+        run: |
+          sudo systemctl start mysql
+          mysqladmin -h 127.0.0.1 -u root -proot status
+          echo "Setting the root password to empty"
+          mysql -h 127.0.0.1 -u root -proot -e "USE mysql; UPDATE user SET authentication_string='' WHERE User='root'; FLUSH PRIVILEGES;"
+          echo "Testing blank password"
+          mysqladmin -h 127.0.0.1 -u root status
+      - name: Install Composer Dependencies
+        run: composer install --prefer-dist --no-progress --no-suggest
+      - name: Install SSH key
+        uses: webfactory/[email protected]
+        with:
+          ssh-private-key: ${{ secrets.PANTHEON_UPSTREAM_SSH_KEY }}
+      - name: Unset GitHub Tokens
+        shell: bash
+        run: |
+          unset GITHUB_TOKEN
+          unset GH_TOKEN
+      - name: Run Update Tool Whoami
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ secrets.PANTHEON_UPSTREAM_AUTH_TOKEN }}
+          GH_TOKEN: ${{ secrets.PANTHEON_UPSTREAM_AUTH_TOKEN }}
+        run: |
+          echo "Set git config"
+          git config --global user.email "[email protected]"
+          git config --global user.name "Pantheon Automation"
+          echo "Login with gh auth"
+          # gh auth login
+          gh auth status
+          ./update-tool whoami
+      - name: Install WP-CLI
+        run: |
+          curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+          chmod +x wp-cli.phar
+          sudo mv wp-cli.phar /usr/local/bin/wp
+          wp --info
+      - name: Run tests
+        env:
+          GITHUB_TOKEN: ${{ secrets.PANTHEON_UPSTREAM_AUTH_TOKEN }}
+          GH_TOKEN: ${{ secrets.PANTHEON_UPSTREAM_AUTH_TOKEN }}
+          DB_USER: root
+          DB_NAME: updatinate-wp-db
+        run: composer test
+  send-dispatch:
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send Dispatch
+        uses: peter-evans/repository-dispatch@v1
+        with:
+          token: ${{ secrets.PANTHEON_UPSTREAM_AUTH_TOKEN }}
+          repository: pantheon-systems/update-tool
+          event-type: tests-passed
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 Fast and smart. Update Tool checks for available software updates and creates pull requests.
 
-[![CircleCI](https://dl.circleci.com/status-badge/img/gh/pantheon-systems/update-tool/tree/master.svg?style=svg)](https://dl.circleci.com/status-badge/redirect/gh/pantheon-systems/update-tool/tree/master)
+[![Test](https://github.com/pantheon-systems/update-tool/actions/workflows/test.yml/badge.svg)](https://github.com/pantheon-systems/update-tool/actions/workflows/test.yml)
 [![Actively Maintained](https://img.shields.io/badge/Pantheon-Actively_Maintained-yellow?logo=pantheon&color=FFDC28)](https://pantheon.io/docs/oss-support-levels#actively-maintained-support)
 [![License](https://img.shields.io/badge/license-MIT-408677.svg)](LICENSE)
 
@@ -29,7 +29,7 @@ The authentication credentials you will need can be found in the production Vaul
 
 *Production:* In production, this tool uses the credentials defined in the [pantheon-systems/updatinator](https://github.com/pantheon-systems/updatinator) project.
 
-*Testing:* CircleCI needs a GitHub token for a service account that has access to the projects in the [test-configurations.yml](tests/fixtures/home/test-configuration.yml) fixtures file. Currently, the github user pantheon-ci-bot is being used. Access it via:
+*Testing:* GitHub Actions needs a GitHub token for a service account that has access to the projects in the [test-configurations.yml](tests/fixtures/home/test-configuration.yml) fixtures file. Currently, the GitHub user `pantheon-ci-bot` is being used. Access it via:
 
 ```
 pvault production read secret/github/access-tokens/pantheon-ci-bot
@@ -57,10 +57,10 @@ The test suite may be run locally by way of some simple composer scripts:
 
 ### Releasing
 
-To release a new version of the Update Tool, run:
+To release a new version of the Update Tool, create a new tag at the appropriate version. This will trigger the tests to run again. Assuming the tests pass, that sends a release dispatch that triggers another GitHub Action to publish the release and upload the `update-tool.phar` to the release.
 
-- `composer release`
+Rebuild [pantheon-systems/docker-updatinator](https://github.com/pantheon-systems/docker-updatinator) to deploy a new version of the tool to the automation processes.
 
-This will release a stable version of whatever is indicated in the VERSION file. e.g. if VERSION contains `1.0.3-dev`, then version `1.0.3` will be tagged and released, and the VERSION file will be updated to `1.0.4-dev`. To release version `1.1.0` instead, manually edit the VERSION file to `1.1.0-dev` and then run `composer release`.
+Alternately, you can use the Composer script `composer release`.
 
-The update-tool.phar file will be uploaded to GitHub on every release. Rebuild [pantheon-systems/docker-updatinator](https://github.com/pantheon-systems/docker-updatinator) to deploy a new version of the tool to the automation processes.
+This will release a stable version of whatever is indicated in the VERSION file. e.g. if VERSION contains `1.0.3-dev`, then version `1.0.3` will be tagged and released, and the VERSION file will be updated to `1.0.4-dev`. To release version `1.1.0` instead, manually edit the VERSION file to `1.1.0-dev` and then run `composer release`. This requires maintaining the `VERSION` file which historically has not been consistently updated, and simply creating the tag and allowing automation to handle the release is a more straightforward process.