Initial setup mash

.github/dependabot.yaml

@@ -0,0 +1,16 @@
+# dependabot.yaml reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+# Notes:
+# - Status and logs from dependabot are provided at
+#   https://github.com/2i2c-org/binderhub-service/network/updates.
+# - YAML anchors are not supported here or in GitHub Workflows.
+#
+version: 2
+updates:
+  # Maintain dependencies in our GitHub Workflows
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: monthly
+      time: "05:00"
+      timezone: "Etc/UTC"

.github/workflows/release.yaml

@@ -0,0 +1,110 @@
+# This is a GitHub workflow defining a set of jobs with a set of steps.
+# ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+#
+name: Release
+
+on:
+  pull_request:
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/workflows/*"
+      - "!.github/workflows/release.yaml"
+  push:
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/workflows/*"
+      - "!.github/workflows/release.yaml"
+    branches-ignore:
+      - "dependabot/**"
+      - "pre-commit-ci-update-config"
+      - "update-*"
+    tags:
+      - "**"
+
+jobs:
+  # Builds and pushes docker images to quay.io and packages the Helm chart and
+  # publishes it at 2i2c-org/binderhub-service@gh-pages which is a Helm chart
+  # repository with a index.yaml file and packaged Helm charts.
+  #
+  # ref: https://2i2c.org/binderhub-service/index.yaml
+  #
+  release:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # chartpress needs git history
+          fetch-depth: 0
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+
+      - name: Decide to publish or not
+        id: publishing
+        shell: python
+        run: |
+          import os
+          repo = "${{ github.repository }}"
+          event = "${{ github.event_name }}"
+          ref = "${{ github.event.ref }}"
+          publishing = ""
+          if (
+              repo == "2i2c-org/binderhub-service"
+              and event == "push"
+              and (
+                  ref.startswith("refs/tags/")
+                  or ref == "refs/heads/main"
+              )
+          ):
+              publishing = "true"
+              print("Publishing chart")
+          print(f"::set-output name=publishing::{publishing}")
+
+      - name: Set up QEMU (for docker buildx)
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx (for chartpress multi-arch builds)
+        uses: docker/setup-buildx-action@v2
+
+      - name: Install chart publishing dependencies (chartpress, pyyaml, helm)
+        run: |
+          pip install chartpress pyyaml
+          pip list
+
+          # helm is already installed
+          helm version
+
+      - name: Generate values.schema.json from values.schema.yaml
+        run: ./tools/generate-json-schema.py
+
+        # chartpress will make a commit when pushing to gh-pages, so we need to
+        # configure a git user.
+      - name: Configure a git user
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "GitHub Actions user"
+
+      - name: Setup docker push rights to quay.io
+        if: steps.publishing.outputs.publishing
+        run: docker login -u "${{ secrets.DOCKER_USERNAME }}" -p "${{ secrets.DOCKER_PASSWORD }}" quay.io
+
+      - name: Publish images and chart with chartpress
+        if: steps.publishing.outputs.publishing
+        run: ./ci/publish
+        env:
+          GITHUB_REPOSITORY: "${{ github.repository }}"
+
+      - name: Package chart for actions/upload-artifact
+        if: steps.publishing.outputs.publishing == ''
+        run: helm package binderhub-service
+
+      # ref: https://github.com/actions/upload-artifact
+      - uses: actions/upload-artifact@v3
+        if: steps.publishing.outputs.publishing == ''
+        with:
+          name: binderhub-service-${{ github.sha }}
+          path: "binderhub-service-*.tgz"
+          if-no-files-found: error

.github/workflows/test-chart.yaml

@@ -0,0 +1,166 @@
+# This is a GitHub workflow defining a set of jobs with a set of steps.
+# ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+#
+name: Test chart
+
+on:
+  pull_request:
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/workflows/*"
+      - "!.github/workflows/test-chart.yaml"
+  push:
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/workflows/*"
+      - "!.github/workflows/test-chart.yaml"
+    branches-ignore:
+      - "dependabot/**"
+      - "pre-commit-ci-update-config"
+      - "update-*"
+  workflow_dispatch:
+
+jobs:
+  lint_and_validate_rendered_templates:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: pip install chartpress yamllint
+
+      - name: Lint and validate
+        run: tools/templates/lint-and-validate.py
+
+      - name: Lint and validate (--strict, accept failure)
+        run: tools/templates/lint-and-validate.py --strict
+        continue-on-error: true
+
+  lint_and_validate_templates_with_schema:
+    runs-on: ubuntu-22.04
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # We run this job with the latest lowest helm version we support.
+        #
+        include:
+          - helm-version: "" # latest
+          - helm-version: v3.8.0 # minimal required version
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+
+      - name: Install helm ${{ matrix.helm-version }}
+        run: |
+          curl -sf https://raw.githubusercontent.com/helm/helm/HEAD/scripts/get-helm-3 | DESIRED_VERSION=${{ matrix.helm-version }} bash
+
+      - name: Install dependencies
+        run: |
+          pip install pyyaml
+
+      - name: Generate values.schema.json
+        run: tools/generate-json-schema.py
+
+      - name: Helm lint (values.yaml)
+        run: helm lint ./binderhub-service
+
+      - name: Helm lint (lint-and-validate-values.yaml)
+        run: helm lint ./binderhub-service --values tools/templates/lint-and-validate-values.yaml
+
+      # FIXME: We can probably emit a GitHub workflow warning if these fail
+      #        instead having them show as green without a warning or similar
+      #
+      # NOTE: --strict means that any warning is considered an error, and there
+      #       are several warnings that we should ignore.
+      #
+      - name: Helm lint --strict (values.yaml)
+        run: helm lint --strict ./binderhub-service
+        continue-on-error: true
+
+      - name: Helm lint --strict (lint-and-validate-values.yaml)
+        run: helm lint --strict ./binderhub-service
+        continue-on-error: true
+
+  test:
+    runs-on: ubuntu-22.04
+    timeout-minutes: 20
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # We run this job multiple times with different parameterization
+        # specified below, these parameters have no meaning on their own and
+        # gain meaning on how job steps use them.
+        #
+        # k3s-version: https://github.com/rancher/k3s/tags
+        # k3s-channel: https://update.k3s.io/v1-release/channels
+        #
+        include:
+          - k3s-channel: latest
+          - k3s-channel: stable
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # chartpress needs git history
+          fetch-depth: 0
+
+      # Starts a k8s cluster with NetworkPolicy enforcement and installs both
+      # kubectl and helm
+      #
+      # ref: https://github.com/jupyterhub/action-k3s-helm/
+      - uses: jupyterhub/action-k3s-helm@v3
+        with:
+          k3s-channel: ${{ matrix.k3s-channel }}
+          metrics-enabled: false
+          traefik-enabled: false
+          docker-enabled: true
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: |
+          pip install -r dev-requirements.txt
+          pip list
+
+      # Build our images if needed and update Chart.yaml and values.yaml with
+      # version and tags
+      - run: chartpress
+
+      - name: Generate values.schema.json from values.schema.yaml
+        run: tools/generate-json-schema.py
+
+      # Validate rendered helm templates against the k8s api-server with the
+      # dedicated lint-and-validate-values.yaml config.
+      - name: "Helm template --validate (with lint and validate config)"
+        run: |
+          helm template --validate binderhub-service ./binderhub-service \
+              --values tools/templates/lint-and-validate-values.yaml
+
+      - name: Install local chart
+        run: |
+          helm upgrade --install binderhub-service ./binderhub-service \
+              --values dev-config.yaml
+
+      # ref: https://github.com/jupyterhub/action-k8s-await-workloads
+      - uses: jupyterhub/action-k8s-await-workloads@v2
+        with:
+          timeout: 150
+          max-restarts: 1
+
+      # ref: https://github.com/jupyterhub/action-k8s-namespace-report
+      - uses: jupyterhub/action-k8s-namespace-report@v1
+        if: always()
+        with:
+          important-workloads: deploy/binderhub

.github/workflows/test-docs.yaml

@@ -0,0 +1,37 @@
+# This is a GitHub workflow defining a set of jobs with a set of steps.
+# ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+#
+name: Test docs
+
+on:
+  pull_request:
+    paths:
+      - "docs/**"
+      - "**/schema.yaml"
+      - "**/test-docs.yaml"
+  push:
+    paths:
+      - "docs/**"
+      - "**/schema.yaml"
+      - "**/test-docs.yaml"
+    branches-ignore:
+      - "dependabot/**"
+      - "pre-commit-ci-update-config"
+      - "update-*"
+  workflow_dispatch:
+
+jobs:
+  linkcheck:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+
+      - run: pip install -r docs/requirements.txt
+
+      - name: make linkcheck
+        run: |
+          cd docs
+          make linkcheck SPHINXOPTS='--color -W --keep-going'

.github/workflows/watch-dependencies.yaml

@@ -0,0 +1,52 @@
+# This is a GitHub workflow defining a set of jobs with a set of steps.
+# ref: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+#
+# This Workflow watches dependencies and automatically creates PRs to update
+# them.
+#
+# - Refreeze images/*/requirements.txt based on images/*/requirements.in
+#
+name: Watch dependencies
+
+on:
+  push:
+    paths:
+      - "images/*/requirements.in"
+      - ".github/workflows/watch-dependencies.yaml"
+    branches: ["main"]
+  schedule:
+    # Run at 05:00 on day-of-month 1, ref: https://crontab.guru/#0_5_1_*_*
+    - cron: "0 5 1 * *"
+  workflow_dispatch:
+
+jobs:
+  refreeze-dockerfile-requirements-txt:
+    if: github.repository == '2i2c-org/binderhub-service'
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Refreeze requirements.txt based on requirements.in
+        run: ci/refreeze
+
+      - name: git diff
+        run: git --no-pager diff --color=always
+
+      # ref: https://github.com/peter-evans/create-pull-request
+      - uses: peter-evans/create-pull-request@v4
+        with:
+          branch: update-image-requirements
+          labels: dependencies
+          commit-message: "binderhub-service image: refreeze requirements.txt"
+          title: "binderhub-service image: refreeze requirements.txt"
+          body: >-
+            The binderhub-service image's requirements.txt has been refrozen
+            based on requirements.in.
+
+            The push to this branch was made by a bot account so all tests
+            aren't triggered to run. Close and re-open this PR to trigger them
+            manually.