Move from drone to GHA for kdm 2.7 (#1429)

.github/runs-on.yml

@@ -0,0 +1 @@
+_extends: .github-private

.github/workflows/fossa.yaml

@@ -0,0 +1,28 @@
+name: Fossa Scan
+
+on:
+  push: 
+    branches:
+      - 'dev-v*'
+      - 'release-v*'
+
+jobs:
+  fossa:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    timeout-minutes: 20
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Read FOSSA token
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY
+      - name: FOSSA scan
+        uses: fossas/fossa-action@main
+        with:
+          api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }}
+          run-tests: false

.github/workflows/provisioning-tests.yaml

@@ -0,0 +1,78 @@
+name: Provisioning tests
+
+on:
+  push: 
+    branches:
+      - 'dev-v*'
+      - 'release-v*'
+  pull_request:
+    branches:
+      - 'dev-v*'
+      - 'release-v*'
+
+jobs:
+  provisioning-test:
+    permissions:
+      contents: read
+    runs-on: runs-on,runner=4cpu-linux-x64,image=legacy-cgroups-for-x64,run-id=${{ github.run_id }}
+    container: 
+      image: rancher/dapper:v0.6.0
+      options: --privileged
+    timeout-minutes: 90
+    strategy:
+      matrix:
+        dist: [rke2, k3s]
+        k8s-minor: [23, 24, 25, 26, 27]
+      fail-fast: false
+    steps:
+      - name: Force Install GIT latest
+        run: |
+          apk add git --update-cache
+          git --version
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+      - name: Provisioning test
+        run: |
+          dapper provisioning-tests
+        env:
+          V2PROV_TEST_DIST: ${{ matrix.dist }}
+          V2PROV_TEST_RUN_REGEX: "^Test_Provisioning_.*$"
+          KDM_TEST_K8S_MINOR: ${{ matrix.k8s-minor }}
+          PREV_COMMIT_PR_SHA: ${{ github.event.pull_request.base.sha }}
+          PREV_COMMIT_PUSH_SHA: ${{ github.event.before }}
+
+  provisioning-operations-test:
+    permissions:
+      contents: read
+    runs-on: runs-on,runner=4cpu-linux-x64,image=legacy-cgroups-for-x64,run-id=${{ github.run_id }}
+    container: 
+      image: rancher/dapper:v0.6.0
+      options: --privileged
+    timeout-minutes: 90
+    strategy:
+      fail-fast: false
+      matrix:
+        dist: [rke2, k3s]
+        k8s-minor: [23, 24, 25, 26, 27]
+    steps:
+      - name: Force Install GIT latest
+        run: |
+          apk add git --update-cache
+          git --version
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+      - name: Provisioning Operations tests
+        run: |
+          dapper provisioning-tests
+        env:
+          V2PROV_TEST_DIST: ${{ matrix.dist }}
+          V2PROV_TEST_RUN_REGEX: "^Test_Operation_SetA_.*$"
+          KDM_TEST_K8S_MINOR: ${{ matrix.k8s-minor }}
+          PREV_COMMIT_PR_SHA: ${{ github.event.pull_request.base.sha }}
+          PREV_COMMIT_PUSH_SHA: ${{ github.event.before }}

.github/workflows/workflow.yaml

@@ -0,0 +1,105 @@
+name: Main workflow
+
+on:
+  push: 
+    branches:
+      - 'dev-v*'
+      - 'release-v*'
+  pull_request:
+    branches:
+      - 'dev-v*'
+      - 'release-v*'
+
+jobs:
+  validate:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    container: 
+      image: rancher/dapper:v0.6.0
+    steps:
+      - name: Force Install GIT latest
+        run: |
+          apk add git --update-cache
+          git --version
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Validate
+        run: dapper ci
+
+  mirror-images:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: validate
+    container: 
+      image: rancher/dapper:v0.6.0
+    if: github.event_name == 'push' && startsWith(github.ref_name, 'release-v')
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Retrieve Registy secrets from vault
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/registry-endpoint/credentials token | REGISTRY_ENDPOINT ;
+            secret/data/github/repo/${{ github.repository }}/registry-username/credentials token | REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/registry-password/credentials token | REGISTRY_PASSWORD
+      - name: Validate
+        run: dapper mirror-images
+
+  upload:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: validate
+    if: github.event_name == 'push'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Retrieve Google auth from vault
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/google-auth/rancher/credentials token | GOOGLE_AUTH ;
+      - name: Authenticate with Google Cloud
+        uses: 'google-github-actions/auth@v2'
+        with:
+          credentials_json: '${{ env.GOOGLE_AUTH }}'
+      - name: Upload to Google Cloud Storage
+        uses: google-github-actions/upload-cloud-storage@v2
+        with:
+          path: data/
+          destination: releases.rancher.com/kontainer-driver-metadata/${{ github.ref_name }}
+          parent: false
+          predefinedAcl: publicRead
+          headers: |-
+            cache-control: public,no-cache,proxy-revalidate
+
+  dispatch:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: upload
+    if: github.event_name == 'push' && (github.ref_name == 'release-v2.7' || github.ref_name == 'dev-v2.7')
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Retrieve token from vault
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/github-token/credentials token | PAT_TOKEN
+      - name: Run dispatch
+        run: |
+          echo ${{ env.PAT_TOKEN }} | gh auth login --with-token
+          gh workflow run "Go Generate" --repo rancher/rke --ref release/v1.4 -F source_author=${{ github.actor }}

Dockerfile.dapper

@@ -71,14 +71,15 @@ RUN if [[ "${ARCH}" == "amd64" ]]; then \
         curl -sL https://github.com/regclient/regclient/releases/download/v0.4.8/regsync-linux-amd64 -o /bin/regsync && chmod +x /bin/regsync; \
     fi
 
-ENV DAPPER_ENV REPO TAG CI DRONE_BUILD_NUMBER DRONE_BUILD_EVENT DRONE_TAG DRONE_COMMIT_BEFORE \
+ENV DAPPER_ENV REPO TAG CI \
+    PREV_COMMIT_PR_SHA PREV_COMMIT_PUSH_SHA GITHUB_EVENT_NAME GITHUB_RUN_NUMBER GITHUB_REF_TYPE GITHUB_REF_NAME \
     REGISTRY_ENDPOINT REGISTRY_USERNAME REGISTRY_PASSWORD \
     V2PROV_TEST_DIST V2PROV_TEST_RUN_REGEX KDM_TEST_K8S_MINOR DEBUG
 ENV DAPPER_SOURCE /go/src/github.com/rancher/kontainer-driver-metadata
 ENV DAPPER_DOCKER_SOCKET true
 ARG CI
-ARG DRONE_BUILD_NUMBER
-ENV DAPPER_RUN_ARGS "--privileged --label CI=${CI} --label DRONE_BUILD_NUMBER=${DRONE_BUILD_NUMBER}"
+ARG GITHUB_RUN_NUMBER
+ENV DAPPER_RUN_ARGS "--privileged --label CI=${CI} --label DRONE_BUILD_NUMBER=${GITHUB_RUN_NUMBER}"
 ENV HOME ${DAPPER_SOURCE}
 ENV GOPATH /go
 VOLUME /var/lib/rancher

scripts/provisioning-tests

@@ -26,6 +26,16 @@ if [ -z "${CHANNELS_FILE}" ]; then
   esac
 fi
 
+# Set previous commit SHA
+if [ "${GITHUB_EVENT_NAME}" == "push" ]; then
+  export PREV_COMMIT_SHA=${PREV_COMMIT_PUSH_SHA}
+elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
+  export PREV_COMMIT_SHA=${PREV_COMMIT_PR_SHA}
+fi
+
+# To be removed/changed once drone setup is removed from rancher/rancher repo. 
+export DRONE_BUILD_NUMBER=${GITHUB_RUN_NUMBER}
+
 if ! ./scripts/test-run-required.sh; then
   exit
 fi
@@ -64,7 +74,7 @@ if [ -z "${SOME_K8S_VERSION}" ]; then
     # Get git diff in relevant channel file, find all added versions matching k8s minor, and get the last one
     # There should never be a version of a given distro with multiple patches on the same minor added at the same time
     # This command should be in sync with the one in test-run-required.sh
-    SOME_K8S_VERSION=$(git --no-pager diff --no-color -G "^  - version:" $DRONE_COMMIT_BEFORE -- "$CHANNELS_FILE" | grep -P "(^\+\s+- version: v1.$KDM_TEST_K8S_MINOR)" | sed 's/\(^\+\s\+- version: \)//' | tail -n 1)
+    SOME_K8S_VERSION=$(git --no-pager diff --no-color -G "^  - version:" $PREV_COMMIT_SHA -- "$CHANNELS_FILE" | grep -P "(^\+\s+- version: v1.$KDM_TEST_K8S_MINOR)" | sed 's/\(^\+\s\+- version: \)//' | tail -n 1)
   else
     # Only possible when not running in CI and env var is not provided, in this case just use latest from data.json
     SOME_K8S_VERSION=$(jq -r ".$V2PROV_TEST_DIST.releases[-1].version" <"$METADATA_DIR/data.json")
@@ -80,7 +90,7 @@ cd "$RANCHER_DIR"
 # Uncomment to get provisioning tests to write commands being run to stdout
 #sed -i '2s/set -e/set -ex/' ./scripts/provisioning-tests
 
-# Uncomment to get startup logs. Don't leave them on because it slows drone down too much
+# Uncomment to get startup logs. Don't leave them on because it slows github actions down too much
 #sed -i '110s/#//' ./scripts/provisioning-tests
 #sed -i '111s/#//' ./scripts/provisioning-tests
 #sed -i '141s/#//' ./scripts/provisioning-tests

scripts/test-run-required.sh

@@ -2,7 +2,7 @@
 set -ex
 
 echo "Checking if rancher integration testing is required"
-echo "Environment variable DRONE_BUILD_EVENT is ${DRONE_BUILD_EVENT}"
+echo "Environment variable GITHUB_EVENT_NAME is ${GITHUB_EVENT_NAME}"
 
 if [ -z "$CI" ]; then
   echo "Not running in CI, rancher integration testing is required"
@@ -14,15 +14,15 @@ if [ -z "$KDM_TEST_K8S_MINOR" ]; then
   exit 1
 fi
 
-if [ -z "$DRONE_COMMIT_BEFORE" ]; then
-  echo "Error: DRONE_COMMIT_BEFORE not defined. This should not be happening in CI"
+if [ -z "$PREV_COMMIT_SHA" ]; then
+  echo "Error: PREV_COMMIT_SHA not defined. This should not be happening in CI"
   exit 1
 fi
 
-# Only run check if Drone build event is 'push' or 'pull_request'
-if [ "${DRONE_BUILD_EVENT}" = "push" ] || [ "${DRONE_BUILD_EVENT}" = "pull_request" ]; then
+# Only run check if Github build event is 'push' or 'pull_request'
+if [ "${GITHUB_EVENT_NAME}" = "push" ] || [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
   # Check if the channels file contains changes to versions from the minor version
-  if [ "$(git --no-pager diff --no-color -G "^  - version:" $DRONE_COMMIT_BEFORE -- "$CHANNELS_FILE" | grep -c -P "(^\+\s+- version: v1.$KDM_TEST_K8S_MINOR)")" -ne 0 ]; then
+  if [ "$(git --no-pager diff --no-color -G "^  - version:" $PREV_COMMIT_SHA -- "$CHANNELS_FILE" | grep -c -P "(^\+\s+- version: v1.$KDM_TEST_K8S_MINOR)")" -ne 0 ]; then
     exit 0
   fi
 fi

scripts/validate-ci

@@ -25,6 +25,3 @@ fi
 
 echo Checking if released versions are not changed
 go run ./pkg/validation/validation.go release-v2.7
-
-echo Checking the generated regsync.yaml file
-regsync check --config ./regsync.yaml

scripts/version

@@ -5,7 +5,11 @@ if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
 fi
 
 COMMIT=$(git rev-parse --short HEAD)
-GIT_TAG=${DRONE_TAG:-$(git tag -l --contains HEAD | head -n 1)}
+
+GIT_TAG=$(git tag -l --contains HEAD | head -n 1)
+if [[ "$GITHUB_EVENT_NAME" = "push" && "$GITHUB_REF_TYPE" = "tag" ]]; then
+  GIT_TAG=$GITHUB_REF_NAME
+fi
 
 if [[ -z "$DIRTY" && -n "$GIT_TAG" ]]; then
     VERSION=$GIT_TAG