Skip to content

Update ci-image-build.yml #1

Update ci-image-build.yml

Update ci-image-build.yml #1

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
---
name: Build CI images
xxx

Check failure on line 20 in .github/workflows/ci-image-build.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/ci-image-build.yml

Invalid workflow file

You have an error in your yaml syntax on line 20
on: # yamllint disable-line rule:truthy
workflow_call:
inputs:
runs-on:
description: "The array of labels (in json form) determining type of the runner to use for the build."
required: false
default: '["ubuntu-22.04"]'
type: string
do-build:
description: >
Whether to actually do the build (true/false). If set to false, the build is done
already in pull-request-target workflow, so we skip it here.
required: false
default: "true"
type: string
target-commit-sha:
description: "The commit SHA to checkout for the build"
required: false
default: ""
type: string
pull-request-target:
description: "Whether we are running this from pull-request-target workflow (true/false)"
required: false
default: "false"
type: string
is-committer-build:
description: "Whether the build is executed by committer (true/false)"
required: false
default: "false"
type: string
platform:
description: >
Name of the platform for the build - 'amd64/arm64'
default: "amd64"
type: string
push-image:
description: "Whether to push image to the registry (true/false)"
required: false
default: "true"
type: string
upload-constraints:
description: "Whether to upload constraints artifacts"
default: "false"
type: string
debian-version:
description: "Base Debian distribution to use for the build (bookworm/bullseye)"
type: string
default: "bookworm"
install-mysql-client-type:
description: "MySQL client type to use during build (mariadb/mysql)"
type: string
default: "mariadb"
use-uv:
description: "Whether to use uv to build the image (true/false)"
required: true
type: string
image-tag:
description: "Tag to set for the image"
required: true
type: string
python-versions:
description: "JSON-formatted array of Python versions to build images from"
required: true
type: string
branch:
description: "Branch used to run the CI jobs in (main/v2_*_test)."
required: true
type: string
constraints-branch:
description: "Branch used to construct constraints URL from."
required: true
type: string
upgrade-to-newer-dependencies:
description: "Whether to attempt to upgrade image to newer dependencies (false/RANDOM_VALUE)"
required: true
type: string
docker-cache:
description: "Docker cache specification to build the image (registry, local, disabled)."
required: true
type: string
jobs:
build-ci-images:
strategy:
fail-fast: true
matrix:
# yamllint disable-line rule:line-length
python-version: ${{ inputs.do-build == 'true' && fromJson(inputs.python-versions) || fromJson('[""]') }}
timeout-minutes: 110
name: "\
${{ inputs.do-build == 'true' && 'Build' || 'Skip building' }} \
CI ${{inputs.platform}} image\
${{matrix.python-version}}${{ inputs.do-build == 'true' && ':' || '' }}\
${{ inputs.do-build == 'true' && inputs.image-tag || '' }}"
runs-on: ${{ fromJson(inputs.runs-on) }}
env:
BACKEND: sqlite
DEFAULT_BRANCH: ${{ inputs.branch }}
DEFAULT_CONSTRAINTS_BRANCH: ${{ inputs.constraints-branch }}
VERSION_SUFFIX_FOR_PYPI: "dev0"
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
USE_UV: ${{ inputs.use-uv }}
steps:
- name: "Cleanup repo"
shell: bash
run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm -rf /workspace/*"
if: inputs.do-build == 'true'
- uses: actions/checkout@v4
with:
ref: ${{ inputs.target-commit-sha }}
persist-credentials: false
if: inputs.do-build == 'true'
####################################################################################################
# BE VERY CAREFUL HERE! THIS LINE AND THE END OF THE WARNING. IN PULL REQUEST TARGET WORKFLOW
# WE CHECK OUT THE TARGET COMMIT ABOVE TO BE ABLE TO BUILD THE IMAGE FROM SOURCES FROM THE
# INCOMING PR, RATHER THAN FROM TARGET BRANCH. THIS IS A SECURITY RISK, BECAUSE THE PR
# CAN CONTAIN ANY CODE AND WE EXECUTE IT HERE. THEREFORE, WE NEED TO BE VERY CAREFUL WHAT WE
# DO HERE. WE SHOULD NOT EXECUTE ANY CODE THAT COMES FROM THE PR. WE SHOULD NOT RUN ANY BREEZE
# COMMAND NOR SCRIPTS NOR COMPOSITE ACTIONS. WE SHOULD ONLY RUN CODE THAT IS EMBEDDED DIRECTLY IN
# THIS WORKFLOW - BECAUSE THIS IS THE ONLY CODE THAT WE CAN TRUST.
####################################################################################################
- name: Checkout target branch to 'target-airflow' folder to use ci/scripts and breeze from there.
uses: actions/checkout@v4
with:
path: "target-airflow"
ref: ${{ github.base_ref }}
persist-credentials: false
if: >
inputs.do-build == 'true' && inputs.pull-request-target == 'true' &&
inputs.is-committer-build != 'true'
- name: >
Replace "scripts/ci", "dev", ".github/actions" and ".github/workflows" with the target branch
so that the those directories are not coming from the PR
shell: bash
run: |
echo
echo -e "\033[33m Replace scripts, dev, actions with target branch for non-committer builds!\033[0m"
echo
rm -rfv "scripts/ci"
rm -rfv "dev"
rm -rfv ".github/actions"
rm -rfv ".github/workflows"
mv -v "target-airflow/scripts/ci" "scripts"
mv -v "target-airflow/dev" "."
mv -v "target-airflow/.github/actions" "target-airflow/.github/workflows" ".github"
if: >
inputs.do-build == 'true' && inputs.pull-request-target == 'true' &&
inputs.is-committer-build != 'true'
####################################################################################################
# HERE IT'S A BIT SAFER. THE `dev`, `scripts/ci` AND `.github/actions` ARE NOW COMING FROM THE
# BASE_REF - WHICH IS THE TARGET BRANCH OF THE PR. WE CAN TRUST THAT THOSE SCRIPTS ARE SAVE TO RUN.
# ALL THE REST OF THE CODE COMES FROM THE PR, AND FOR EXAMPLE THE CODE IN THE `Dockerfile.ci` CAN
# BE RUN SAFELY AS PART OF DOCKER BUILD. BECAUSE IT RUNS INSIDE THE DOCKER CONTAINER AND IT IS
# ISOLATED FROM THE RUNNER.
####################################################################################################
- name: Cleanup docker
uses: ./.github/actions/cleanup-docker
if: inputs.do-build == 'true'
- name: "Install Breeze"
uses: ./.github/actions/breeze
if: inputs.do-build == 'true'
- name: "Regenerate dependencies in case they was modified manually so that we can build an image"
shell: bash
run: |
pip install rich>=12.4.4 pyyaml
python scripts/ci/pre_commit/pre_commit_update_providers_dependencies.py
if: inputs.do-build == 'true' && inputs.upgrade-to-newer-dependencies != 'false'
- name: "Start ARM instance"
run: ./scripts/ci/images/ci_start_arm_instance_and_connect_to_docker.sh
if: inputs.do-build == 'true' && inputs.platform == 'arm64'
- name: Login to ghcr.io
run: echo "${{ env.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
if: inputs.do-build == 'true'
- name: >
Build ${{ inputs.push-image == 'true' && ' & push ' || '' }}
${{ inputs.platform }}:${{ matrix.python-version }}:${{ inputs.image-tag }}
run: >
breeze ci-image build --tag-as-latest --image-tag "${{ inputs.image-tag }}"
--python "${{ matrix.python-version }}"
--platform "linux/${{ inputs.platform }}"
env:
DOCKER_CACHE: ${{ inputs.cache-directive }}
INSTALL_MYSQL_CLIENT_TYPE: ${{ inputs.install-mysql-client-type }}
UPGRADE_TO_NEWER_DEPENDENCIES: ${{ inputs.upgrade-to-newer-dependencies }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BUILDER: ${{ inputs.platform == 'amd64' && 'default' || 'airflow_cache' }}
PUSH: ${{ inputs.push-image }}
if: inputs.do-build == 'true'
- name: "Stop ARM instance"
run: ./scripts/ci/images/ci_stop_arm_instance.sh
if: always() && inputs.do-build == 'true' && inputs.platform == 'arm64'
- name: "Source constraints: ${{ matrix.python-version }}"
shell: bash
run: >
breeze release-management generate-constraints --python "${{ matrix.python-version }}"
--airflow-constraints-mode constraints-source-providers --answer yes
if: inputs.do-build == 'true' && inputs.upload-constraints == 'true'
- name: "Upload constraint artifacts"
uses: actions/upload-artifact@v4
with:
name: source-constraints-${{ matrix.python-version }}
path: ./files/constraints-*/constraints-source-providers-*.txt
retention-days: 7
if-no-files-found: error
if: inputs.do-build == 'true' && inputs.upload-constraints == 'true'