Security - Backend - wolfi container base image with support for rootless user #3537
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR Tests - Stack | |
on: | |
# schedule: | |
# - cron: "0 22 * * *" # 7pm Brazil, 10pm UTC, 8am AEST | |
workflow_call: | |
pull_request: | |
branches: | |
- dev | |
- main | |
- "0.8" | |
workflow_dispatch: | |
inputs: | |
none: | |
description: "Run Version Tests Manually" | |
required: false | |
concurrency: | |
group: stack-${{ github.event_name == 'pull_request' && format('{0}-{1}', github.workflow, github.event.pull_request.number) || github.workflow_ref }} | |
cancel-in-progress: true | |
jobs: | |
pr-tests-stack: | |
strategy: | |
max-parallel: 99 | |
matrix: | |
# os: [ubuntu-latest, macos-latest, windows-latest, windows] | |
# os: [om-ci-16vcpu-ubuntu2204] | |
os: [ubuntu-latest] | |
python-version: ["3.11"] | |
pytest-modules: ["frontend network"] | |
fail-fast: false | |
runs-on: ${{matrix.os}} | |
steps: | |
# - name: Permission to home directory | |
# run: | | |
# sudo chown -R $USER:$USER $HOME | |
# - name: "clean .git/config" | |
# if: matrix.os == 'windows' | |
# continue-on-error: true | |
# shell: bash | |
# run: | | |
# echo "deleting ${GITHUB_WORKSPACE}/.git/config" | |
# rm ${GITHUB_WORKSPACE}/.git/config | |
- uses: actions/checkout@v3 | |
# free 10GB of space | |
- name: Remove unnecessary files | |
if: matrix.os == 'ubuntu-latest' | |
run: | | |
sudo rm -rf /usr/share/dotnet | |
sudo rm -rf "$AGENT_TOOLSDIRECTORY" | |
- name: Check for file changes | |
uses: dorny/paths-filter@v2 | |
id: changes | |
with: | |
base: ${{ github.ref }} | |
token: ${{ github.token }} | |
filters: .github/file-filters.yml | |
- name: Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v3 | |
if: steps.changes.outputs.stack == 'true' | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Get pip cache dir | |
if: steps.changes.outputs.stack == 'true' | |
id: pip-cache | |
shell: bash | |
run: | | |
echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT | |
- name: pip cache | |
uses: buildjet/cache@v3 | |
if: steps.changes.outputs.stack == 'true' | |
with: | |
path: ${{ steps.pip-cache.outputs.dir }} | |
key: ${{ runner.os }}-pip-py${{ matrix.python-version }} | |
restore-keys: | | |
${{ runner.os }}-pip-py${{ matrix.python-version }} | |
- name: Upgrade pip | |
if: steps.changes.outputs.stack == 'true' | |
run: | | |
python -m pip install --upgrade --user pip | |
- name: Install tox | |
if: steps.changes.outputs.stack == 'true' | |
run: | | |
pip install -U tox | |
- name: Show choco installed packages | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'windows' | |
uses: crazy-max/ghaction-chocolatey@v1 | |
with: | |
args: list --localonly | |
- name: Install git | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'windows' | |
uses: crazy-max/ghaction-chocolatey@v1 | |
with: | |
args: install git.install --params "/GitAndUnixToolsOnPath /WindowsTerminal /NoAutoCrlf" -y | |
- name: Install cmake | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'windows' | |
uses: crazy-max/ghaction-chocolatey@v1 | |
with: | |
args: install cmake.portable --installargs 'ADD_CMAKE_TO_PATH=System' -y | |
- name: Check cmake version | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'windows' | |
run: | | |
cmake --version | |
shell: cmd | |
- name: Install visualcpp-build-tools | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'windows' | |
uses: crazy-max/ghaction-chocolatey@v1 | |
with: | |
args: install visualstudio2019-workload-vctools -y | |
- name: Install Docker Compose | |
if: steps.changes.outputs.stack == 'true' && runner.os == 'Linux' | |
shell: bash | |
run: | | |
mkdir -p ~/.docker/cli-plugins | |
DOCKER_COMPOSE_VERSION=v2.21.0 | |
curl -sSL https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose | |
chmod +x ~/.docker/cli-plugins/docker-compose | |
- name: Fix Colima issue on MacOS Runners | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'macos-latest' | |
shell: bash | |
run: | | |
export HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK=1 | |
brew update | |
brew reinstall qemu | |
- name: Docker on MacOS | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'macos-latest' | |
uses: crazy-max/[email protected] | |
- name: Docker Compose on MacOS | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'macos-latest' | |
shell: bash | |
run: | | |
brew install docker-compose | |
mkdir -p ~/.docker/cli-plugins | |
ln -sfn /usr/local/opt/docker-compose/bin/docker-compose ~/.docker/cli-plugins/docker-compose || true | |
docker compose version | |
- name: Remove existing containers | |
if: steps.changes.outputs.stack == 'true' | |
continue-on-error: true | |
shell: bash | |
run: | | |
docker rm $(docker ps -aq) --force || true | |
docker volume prune -f || true | |
docker buildx use default || true | |
- name: Run integration tests | |
if: steps.changes.outputs.stack == 'true' | |
timeout-minutes: 60 | |
env: | |
HAGRID_ART: false | |
PYTEST_MODULES: "${{ matrix.pytest-modules }}" | |
run: | | |
tox -e stack.test.integration | |
#Run log collector python script | |
- name: Run log collector | |
timeout-minutes: 5 | |
if: failure() | |
shell: bash | |
run: | | |
python ./scripts/container_log_collector.py | |
# Get Job name and url | |
- name: Get job name and url | |
id: job_name | |
if: failure() | |
shell: bash | |
run: | | |
echo "job_name=$(echo ${{ github.job }})" >> $GITHUB_OUTPUT | |
echo "url=$(echo ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})" >> $GITHUB_OUTPUT | |
- name: Get current date | |
id: date | |
if: failure() | |
shell: bash | |
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT | |
- name: Upload logs to GitHub | |
uses: actions/upload-artifact@master | |
if: failure() | |
with: | |
name: ${{ matrix.os }}-${{ steps.job_name.outputs.job_name }}-${{ matrix.pytest-modules }}-logs-${{ steps.date.outputs.date }} | |
path: ./logs/${{ steps.job_name.outputs.job_name}}/ | |
- name: Mandatory Container cleanup | |
if: steps.changes.outputs.stack == 'true' | |
continue-on-error: true | |
shell: bash | |
run: | | |
docker rm `docker ps -aq` --force || true | |
docker volume prune -f || true | |
# Get Job name and url | |
- name: Reboot node | |
if: matrix.os == 'windows' && failure() | |
run: | | |
shutdown /r /t 1 | |
#Get Pull request url | |
- name: Get pull request url | |
id: pull_request | |
if: failure() | |
shell: bash | |
run: | | |
echo "url=$(echo ${{ github.event.pull_request.html_url }})" >> $GITHUB_OUTPUT | |
- name: Job Report Status | |
# cant access secrets on forks | |
if: github.repository == 'OpenMined/PySyft' && failure() | |
uses: ravsamhq/notify-slack-action@v2 | |
with: | |
status: ${{ job.status }} | |
notify_when: "failure" | |
notification_title: " {workflow} has {status_message}" | |
message_format: "${{matrix.os}} {emoji} *{job}* {status_message} in {run_url}" | |
footer: "Find the PR here ${{ steps.pull_request.outputs.url }}" | |
mention_users: "U01LNCACY03,U8KUAD396,UNMQ2SJSW,U01SAESBJA0" | |
mention_users_when: "failure,warnings" | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.ACTION_MONITORING_SLACK_WEBHOOK_URL }} | |
pr-tests-notebook-stack: | |
strategy: | |
max-parallel: 99 | |
matrix: | |
# os: [ubuntu-latest, macos-latest, windows-latest, windows] | |
os: [om-ci-16vcpu-ubuntu2204] | |
python-version: ["3.11"] | |
notebook-paths: ["api/0.8"] | |
fail-fast: false | |
runs-on: ${{matrix.os}} | |
steps: | |
- name: Permission to home directory | |
run: | | |
sudo chown -R $USER:$USER $HOME | |
- name: "clean .git/config" | |
if: matrix.os == 'windows' | |
continue-on-error: true | |
shell: bash | |
run: | | |
echo "deleting ${GITHUB_WORKSPACE}/.git/config" | |
rm ${GITHUB_WORKSPACE}/.git/config | |
- uses: actions/checkout@v3 | |
- name: Check for file changes | |
uses: dorny/paths-filter@v2 | |
id: changes | |
with: | |
base: ${{ github.ref }} | |
token: ${{ github.token }} | |
filters: .github/file-filters.yml | |
- name: Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v3 | |
if: steps.changes.outputs.stack == 'true' | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Get pip cache dir | |
if: steps.changes.outputs.stack == 'true' | |
id: pip-cache | |
shell: bash | |
run: | | |
echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT | |
- name: pip cache | |
uses: buildjet/cache@v3 | |
if: steps.changes.outputs.stack == 'true' | |
with: | |
path: ${{ steps.pip-cache.outputs.dir }} | |
key: ${{ runner.os }}-pip-py${{ matrix.python-version }} | |
restore-keys: | | |
${{ runner.os }}-pip-py${{ matrix.python-version }} | |
- name: Upgrade pip | |
if: steps.changes.outputs.stack == 'true' | |
run: | | |
python -m pip install --upgrade --user pip | |
- name: Install tox | |
if: steps.changes.outputs.stack == 'true' | |
run: | | |
pip install -U tox | |
- name: Show choco installed packages | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'windows' | |
uses: crazy-max/ghaction-chocolatey@v1 | |
with: | |
args: list --localonly | |
- name: Install git | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'windows' | |
uses: crazy-max/ghaction-chocolatey@v1 | |
with: | |
args: install git.install --params "/GitAndUnixToolsOnPath /WindowsTerminal /NoAutoCrlf" -y | |
- name: Install cmake | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'windows' | |
uses: crazy-max/ghaction-chocolatey@v1 | |
with: | |
args: install cmake.portable --installargs 'ADD_CMAKE_TO_PATH=System' -y | |
- name: Check cmake version | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'windows' | |
run: | | |
cmake --version | |
shell: cmd | |
- name: Install visualcpp-build-tools | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'windows' | |
uses: crazy-max/ghaction-chocolatey@v1 | |
with: | |
args: install visualstudio2019-workload-vctools -y | |
- name: Install Docker Compose | |
if: steps.changes.outputs.stack == 'true' && runner.os == 'Linux' | |
shell: bash | |
run: | | |
mkdir -p ~/.docker/cli-plugins | |
DOCKER_COMPOSE_VERSION=v2.21.0 | |
curl -sSL https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose | |
chmod +x ~/.docker/cli-plugins/docker-compose | |
- name: Fix Colima issue on MacOS Runners | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'macos-latest' | |
shell: bash | |
run: | | |
export HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK=1 | |
brew update | |
brew reinstall qemu | |
- name: Docker on MacOS | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'macos-latest' | |
uses: crazy-max/[email protected] | |
- name: Docker Compose on MacOS | |
if: steps.changes.outputs.stack == 'true' && matrix.os == 'macos-latest' | |
shell: bash | |
run: | | |
brew install docker-compose | |
mkdir -p ~/.docker/cli-plugins | |
ln -sfn /usr/local/opt/docker-compose/bin/docker-compose ~/.docker/cli-plugins/docker-compose || true | |
docker compose version | |
- name: Remove existing containers | |
if: steps.changes.outputs.stack == 'true' | |
continue-on-error: true | |
shell: bash | |
run: | | |
docker rm $(docker ps -aq) --force || true | |
docker volume prune -f || true | |
docker buildx use default || true | |
- name: Run Notebook integration tests | |
if: steps.changes.outputs.stack == 'true' | |
timeout-minutes: 60 | |
env: | |
ORCHESTRA_DEPLOYMENT_TYPE: "container_stack" | |
TEST_NOTEBOOK_PATHS: "${{ matrix.notebook-paths }}" | |
PYTEST_MODULES: "${{ matrix.pytest-modules }}" | |
run: | | |
tox -e stack.test.notebook | |
#Run log collector python script | |
- name: Run log collector | |
timeout-minutes: 5 | |
if: failure() | |
shell: bash | |
run: | | |
python ./scripts/container_log_collector.py | |
# Get Job name and url | |
- name: Get job name and url | |
id: job_name | |
if: failure() | |
shell: bash | |
run: | | |
echo "job_name=$(echo ${{ github.job }})" >> $GITHUB_OUTPUT | |
echo "url=$(echo ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})" >> $GITHUB_OUTPUT | |
- name: Get current date | |
id: date | |
if: failure() | |
shell: bash | |
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT | |
- name: Upload logs to GitHub | |
uses: actions/upload-artifact@master | |
if: failure() | |
with: | |
name: ${{ matrix.os }}-${{ steps.job_name.outputs.job_name }}-${{ matrix.pytest-modules }}-logs-${{ steps.date.outputs.date }} | |
path: ./logs/${{ steps.job_name.outputs.job_name}}/ | |
- name: Mandatory Container cleanup | |
if: steps.changes.outputs.stack == 'true' | |
continue-on-error: true | |
shell: bash | |
run: | | |
docker rm `docker ps -aq` --force || true | |
docker volume prune -f || true | |
# Get Job name and url | |
- name: Reboot node | |
if: matrix.os == 'windows' && failure() | |
run: | | |
shutdown /r /t 1 | |
#Get Pull request url | |
- name: Get pull request url | |
id: pull_request | |
if: failure() | |
shell: bash | |
run: | | |
echo "url=$(echo ${{ github.event.pull_request.html_url }})" >> $GITHUB_OUTPUT | |
- name: Job Report Status | |
# cant access secrets on forks | |
if: github.repository == 'OpenMined/PySyft' && failure() | |
uses: ravsamhq/notify-slack-action@v2 | |
with: | |
status: ${{ job.status }} | |
notify_when: "failure" | |
notification_title: " {workflow} has {status_message}" | |
message_format: "${{matrix.os}} {emoji} *{job}* {status_message} in {run_url}" | |
footer: "Find the PR here ${{ steps.pull_request.outputs.url }}" | |
mention_users: "U01LNCACY03,U8KUAD396,UNMQ2SJSW,U01SAESBJA0" | |
mention_users_when: "failure,warnings" | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.ACTION_MONITORING_SLACK_WEBHOOK_URL }} | |
pr-tests-stack-k8s: | |
strategy: | |
max-parallel: 99 | |
matrix: | |
# os: [ubuntu-latest, macos-latest, windows-latest, windows] | |
os: [om-ci-16vcpu-ubuntu2204] | |
python-version: ["3.11"] | |
pytest-modules: ["frontend network"] | |
fail-fast: false | |
runs-on: ${{matrix.os}} | |
steps: | |
- name: Permission to home directory | |
run: | | |
sudo chown -R $USER:$USER $HOME | |
- uses: actions/checkout@v3 | |
- name: Check for file changes | |
uses: dorny/paths-filter@v2 | |
id: changes | |
with: | |
base: ${{ github.ref }} | |
token: ${{ github.token }} | |
filters: .github/file-filters.yml | |
- name: Set up Python ${{ matrix.python-version }} | |
uses: actions/setup-python@v3 | |
if: steps.changes.outputs.stack == 'true' | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Get pip cache dir | |
if: steps.changes.outputs.stack == 'true' | |
id: pip-cache | |
shell: bash | |
run: | | |
echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT | |
- name: pip cache | |
uses: buildjet/cache@v3 | |
if: steps.changes.outputs.stack == 'true' | |
with: | |
path: ${{ steps.pip-cache.outputs.dir }} | |
key: ${{ runner.os }}-pip-py${{ matrix.python-version }} | |
restore-keys: | | |
${{ runner.os }}-pip-py${{ matrix.python-version }} | |
- name: Upgrade pip | |
if: steps.changes.outputs.stack == 'true' | |
run: | | |
python -m pip install --upgrade --user pip | |
- name: Install tox | |
if: steps.changes.outputs.stack == 'true' | |
run: | | |
pip install -U tox | |
- name: Install kubectl | |
if: steps.changes.outputs.stack == 'true' | |
run: | | |
# cleanup apt version | |
sudo apt remove kubectl || true | |
# install kubectl 1.27 | |
curl -LO https://dl.k8s.io/release/v1.27.2/bin/linux/amd64/kubectl | |
chmod +x kubectl | |
sudo install kubectl /usr/local/bin; | |
- name: Install k9s | |
if: steps.changes.outputs.stack == 'true' | |
run: | | |
# install k9s | |
wget https://github.com/derailed/k9s/releases/download/v0.27.4/k9s_Linux_amd64.tar.gz | |
tar -xvf k9s_Linux_amd64.tar.gz | |
chmod +x k9s | |
sudo install k9s /usr/local/bin; | |
- name: Install helm | |
if: steps.changes.outputs.stack == 'true' | |
run: | | |
# install helm | |
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | |
chmod 700 get_helm.sh | |
./get_helm.sh | |
- name: Run K8s & Helm integration tests | |
if: steps.changes.outputs.stack == 'true' | |
timeout-minutes: 60 | |
env: | |
HAGRID_ART: false | |
PYTEST_MODULES: "${{ matrix.pytest-modules }}" | |
shell: bash | |
run: | | |
# install k3d | |
K3D_VERSION=v5.6.0 | |
wget https://github.com/k3d-io/k3d/releases/download/${K3D_VERSION}/k3d-linux-amd64 | |
mv k3d-linux-amd64 k3d | |
chmod +x k3d | |
export PATH=`pwd`:$PATH | |
k3d version | |
DEVSPACE_VERSION=v6.3.3 | |
curl -sSL https://github.com/loft-sh/devspace/releases/download/${DEVSPACE_VERSION}/devspace-linux-amd64 -o ./devspace | |
chmod +x devspace | |
devspace version | |
tox -e stack.test.integration.k8s | |
tox -e syft.build.helm | |
tox -e syft.package.helm | |
# tox -e syft.test.helm |