Add an option to pass secrets to Nova MacOS job #4626

merged 9 commits into from
Oct 10, 2023
95 changes: 0 additions & 95 deletions .github/scripts/run_docker_with_env_secrets.py

This file was deleted.

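--- a/.github/scripts/run_with_env_secrets.py
+++ b/.github/scripts/run_with_env_secrets.py
@@ -0,0 +1,100 @@
+import json
+import os
+import re
+import shutil
+import subprocess
+import sys
+
+
+def run_cmd_or_die(cmd):
+    print(f"Running command: {cmd}")
+    p = subprocess.Popen(
+        "/bin/bash",
+        stdout=subprocess.PIPE,
+        stdin=subprocess.PIPE,
+        stderr=subprocess.STDOUT,
+        bufsize=1,
+        universal_newlines=True,
+    )
+    p.stdin.write("set -e\n")
+    p.stdin.write(cmd)
+    p.stdin.write("\nexit $?\n")
+    p.stdin.close()
+
+    result = ""
+    while p.poll() is None:
+        line = p.stdout.readline()
+        if line:
+            print(line, end="")
+            result += line
+
+    # Read any remaining output
+    for line in p.stdout:
+        print(line, end="")
+        result += line
+
+    exit_code = p.returncode
+    if exit_code != 0:
+        raise RuntimeError(f"Command {cmd} failed with exit code {exit_code}")
+    return result
+
+
+def main():
+    all_secrets = json.loads(os.environ["ALL_SECRETS"])
+    secrets_names = [x for x in sys.argv[1].split(" ") if x]
+    if not secrets_names:
+        secrets_names = all_secrets.keys()
+    secrets_u_names = [
+        re.sub(r"[^a-zA-Z0-9_]", "", f"SECRET_{x.upper()}".replace("-", "_"))
+        for x in secrets_names
+    ]
+
+    for sname, senv in zip(secrets_names, secrets_u_names):
+        try:
+            os.environ[senv] = str(all_secrets.get(sname, ""))
+        except KeyError as e:
+            print(f"Could not set {senv} from secret {sname}: {e}")
+
+    docker_path = shutil.which("docker")
+    if not docker_path:
+        run_cmd_or_die(f"bash { os.environ.get('RUNNER_TEMP', '') }/exec_script")
+    else:
+        container_name = (
+            run_cmd_or_die(
+                f"""
+docker run \
+-e PR_NUMBER \
+-e RUNNER_ARTIFACT_DIR=/artifacts \
+-e RUNNER_DOCS_DIR=/docs \
+-e RUNNER_TEST_RESULTS_DIR=/test-results \
+--env-file="{ os.environ.get('RUNNER_TEMP', '') }/github_env_{ os.environ.get('GITHUB_RUN_ID', '') }" \
+`# It is unknown why the container sees a different value for this.` \
+-e GITHUB_STEP_SUMMARY \
+{ ' '.join([ f'-e {v}' for v in secrets_u_names ]) } \
+--cap-add=SYS_PTRACE \
+--detach \
+--ipc=host \
+--security-opt seccomp=unconfined \
+--shm-size=2g \
+--tty \
+--ulimit stack=10485760:83886080 \
+{ os.environ.get('GPU_FLAG', '') } \
+-v "{ os.environ.get('GITHUB_WORKSPACE', '') }/{ os.environ.get('REPOSITORY', '') }:/{ os.environ.get('REPOSITORY', 'work') }" \
+-v "{ os.environ.get('GITHUB_WORKSPACE', '') }/test-infra:/test-infra" \
+-v "{ os.environ.get('RUNNER_ARTIFACT_DIR', '') }:/artifacts" \
+-v "{ os.environ.get('RUNNER_DOCS_DIR', '') }:/docs" \
+-v "{ os.environ.get('RUNNER_TEST_RESULTS_DIR', '') }:/test-results" \
+-v "{ os.environ.get('RUNNER_TEMP', '') }/exec_script:/exec" \
+-v "{ os.environ.get('GITHUB_STEP_SUMMARY', '') }":"{ os.environ.get('GITHUB_STEP_SUMMARY', '') }" \
+-w /{ os.environ.get('REPOSITORY', 'work') } \
+"{ os.environ.get('DOCKER_IMAGE', '') }"
+""" # noqa: E501
+            )
+            .replace("\n", "")
+            .strip()
+        )
+        run_cmd_or_die(f"docker exec -t {container_name} /exec")
+
+
+if __name__ == "__main__":
+    main()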
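Review bot: The `except KeyError` in main() around `os.environ[senv] = str(all_secrets.get(sname, ""))` can never fire, because `dict.get` returns its default instead of raising, so a secret name that is misspelled or not granted to the workflow is silently exported as an empty `SECRET_*` variable and the "Could not set" message is dead code. Replace the try/except with an explicit membership check: `if sname not in all_secrets:` / `    print(f"Secret {sname} is not defined; exporting empty {senv}")` / `os.environ[senv] = str(all_secrets.get(sname, ""))`. The empty-list fallback to `all_secrets.keys()` means that with no filter every key of the `ALL_SECRETS` JSON is exported (presumably the whole `secrets` context, workflow token included), which deserves a one-line comment above that `if` stating it is the intended default. Independently of the filter, `ALL_SECRETS` itself stays in `os.environ`, and the `/bin/bash` child in run_cmd_or_die is started without an `env=` override, so the executed script inherits the unfiltered JSON; an `os.environ.pop("ALL_SECRETS", None)` right after `json.loads` would limit the child to the `SECRET_*` variables the filter produced. Consider `sys.argv[1].split()` rather than `split(" ")` so a newline- or tab-separated list from the workflow input is handled too.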
2 changes: 1 addition & 1 deletion .github/workflows/linux_job.yml
Expand Up @@ -208,7 +208,7 @@ jobs:
echo "${SCRIPT}";
} > "${RUNNER_TEMP}/exec_script"
chmod +x "${RUNNER_TEMP}/exec_script"
python3 "${{ github.workspace }}/test-infra/.github/scripts/run_docker_with_env_secrets.py" "${{ inputs.secrets-env }}"
python3 "${{ github.workspace }}/test-infra/.github/scripts/run_with_env_secrets.py" "${{ inputs.secrets-env }}"

- name: Run script outside container
if: ${{ inputs.run-with-docker == false }}
8 changes: 7 additions & 1 deletion .github/workflows/macos_job.yml
Expand Up @@ -62,6 +62,10 @@ on:
required: false
default: ''
type: string
secrets-env:
description: "List of secrets to be exported to environment variables"
type: string
default: ''

jobs:
job:
Expand Down Expand Up @@ -129,6 +133,8 @@ jobs:
shell: bash -l {0}
continue-on-error: ${{ inputs.continue-on-error }}
working-directory: ${{ inputs.repository }}
env:
ALL_SECRETS: ${{ toJSON(secrets) }}
run: |
{
echo "#!/usr/bin/env bash";
Expand All @@ -140,7 +146,7 @@ jobs:
while read line; do
eval "export ${line}"
done < "${RUNNER_TEMP}/github_env_${GITHUB_RUN_ID}"
bash "${RUNNER_TEMP}/exec_script"
python3 "${{ github.workspace }}/test-infra/.github/scripts/run_with_env_secrets.py" "${{ inputs.secrets-env }}"

- name: Surface failing tests
if: always()
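Review bot: The new `secrets-env` input's description does not say what the default `''` does, and the script it is passed to exports every key of `ALL_SECRETS` when the list is empty (the `test-secrets-no-filter-var` job in test_macos_job.yml relies on exactly that), so the default is the most permissive setting rather than the least. Suggest `description: "Space-separated list of secret names to export as SECRET_<NAME> environment variables; leave empty to export every secret available to the workflow"` so callers choose deliberately. Because `ALL_SECRETS: ${{ toJSON(secrets) }}` is set on the whole step's env, the full secrets JSON is present in the environment of the shell that runs the generated exec_script, not only of the python3 wrapper; a comment next to `env:` noting that the wrapper is responsible for narrowing what the user script sees would make that dependency explicit. The step this hunk modifies begins above the hunk.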
2 changes: 1 addition & 1 deletion .github/workflows/test_linux_job.yml
Expand Up @@ -6,7 +6,7 @@ on:
- .github/workflows/linux_job.yml
- .github/workflows/test_linux_job.yml
- .github/actions/setup-linux/action.yml
- .github/scripts/run_docker_with_env_secrets.py
- .github/scripts/run_with_env_secrets.py
workflow_dispatch:

jobs:
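--- a/.github/workflows/test_macos_job.yml
+++ b/.github/workflows/test_macos_job.yml
@@ -5,6 +5,7 @@ on:
     paths:
       - .github/workflows/macos_job.yml
       - .github/workflows/test_macos_job.yml
+      - .github/scripts/run_with_env_secrets.py
   workflow_dispatch:
 
 jobs:
@@ -87,3 +88,24 @@ jobs:
       download-artifact: my-cool-artifact
       script: |
         grep "hello" "${RUNNER_ARTIFACT_DIR}/cool_beans"
+  test-secrets-no-filter-var:
+    uses: ./.github/workflows/macos_job.yml
+    secrets: inherit
+    with:
+      job-name: "test-secrets-no-filter-var"
+      runner: macos-m1-12
+      test-infra-repository: ${{ github.repository }}
+      test-infra-ref: ${{ github.ref }}
+      script: |
+        [[ "${SECRET_NOT_A_SECRET_USED_FOR_TESTING}" == "SECRET_VALUE" ]] || exit 1
+  test-secrets-filter-var:
+    uses: ./.github/workflows/macos_job.yml
+    secrets: inherit
+    with:
+      job-name: "test-secrets-filter-var"
+      runner: macos-m1-12
+      secrets-env: "NOT_A_SECRET_USED_FOR_TESTING"
+      test-infra-repository: ${{ github.repository }}
+      test-infra-ref: ${{ github.ref }}
+      script: |
+        [[ "${SECRET_NOT_A_SECRET_USED_FOR_TESTING}" == "SECRET_VALUE" ]] || exit 1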
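Review bot: Both new jobs assert only that the one listed secret is present, so `test-secrets-filter-var` would pass just as well if the filter were ignored and every secret exported; the filtered path is not actually distinguished from the unfiltered one. Add a negative check to the filtered job's script for a secret that the repository defines but `secrets-env` does not list, e.g. `[[ -z "${SECRET_<OTHER_TEST_SECRET>:-}" ]] || exit 1` (placeholder name, to be replaced with a real test secret). A short comment above `test-secrets-no-filter-var` saying that an empty `secrets-env` exports all secrets would also make the intent of the pair clear to the next reader.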