voxpupuli / gha-puppet Goto Github PK

[acceptance] ~/github/puppet-alternatives $ be metadata2gha | grep beaker_setfiles
::set-output name=beaker_setfiles::[{"name":"Debian 10","value":"debian10-64"},{"name":"Debian 11","value":"debian11-64"},{"name":"Ubuntu 18.04","value":"ubuntu1804-64"},{"name":"Ubuntu 20.04","value":"ubuntu2004-64"},{"name":"CentOS 7","value":"centos7-64"},{"name":"CentOS 8","value":"centos8-64"}]
[acceptance] ~/github/puppet-alternatives $ be metadata2gha --pidfile-workaround false | grep beaker_setfiles
::set-output name=beaker_setfiles::[{"name":"Debian 10","value":"debian10-64"},{"name":"Debian 11","value":"debian11-64"},{"name":"Ubuntu 18.04","value":"ubuntu1804-64"},{"name":"Ubuntu 20.04","value":"ubuntu2004-64"},{"name":"CentOS 7","value":"centos7-64"},{"name":"CentOS 8","value":"centos8-64"}]
[acceptance] ~/github/puppet-alternatives $ be metadata2gha --pidfile-workaround CentOS | grep beaker_setfiles
::set-output name=beaker_setfiles::[{"name":"Debian 10","value":"debian10-64"},{"name":"Debian 11","value":"debian11-64"},{"name":"Ubuntu 18.04","value":"ubuntu1804-64"},{"name":"Ubuntu 20.04","value":"ubuntu2004-64"},{"name":"CentOS 7","value":"centos7-64{image=centos:7.6.1810}"}]

This was discovered while working on voxpupuli/puppet-alternatives#126

It's possible to set a fact via environment variables. This is used in theforeman/puppet-pulpcore to run the entire test suite on multiple supported versions.

It would be great if this was also supported in gha-puppet.

I started with voxpupuli/puppet_metadata#35 which at least pushes the name generation into the gem. That gem already generates the matrix so this opens the path to generating a bigger matrix. Then it just needs a good way to specify the inputs and map it.

The release workflow is there, but right now it's untested and undocumented.

It's possible to create .github/workflow-templates to make it easy for users to use our workflow, even if they don't use modulesync. This may make it easier new users to onboard.

https://docs.github.com/en/actions/learn-github-actions/creating-starter-workflows-for-your-organization

Vox Pupuli uses https://github.com/voxpupuli/modulesync_config/blob/a87ca50493f5b1ac09956fd7f8c226cf6fc3165f/moduleroot/Gemfile.erb#L38-L39 or:

puppetversion = ENV['PUPPET_VERSION'] || '<%= @configs['puppet_version'] %>'
gem 'puppet', puppetversion, :require => false, :groups => [:test]

The Foreman uses puppetversion = ENV['PUPPET_VERSION'] || '<%= @configs['puppet_version'] %>'
gem 'puppet', puppetversion, :require => false, :groups => [:test] or:

gem 'puppet', ENV.key?('PUPPET_VERSION') ? "~> #{ENV['PUPPET_VERSION']}" : '>= 5.5', groups: ['development', 'test']

pdk-templates uses https://github.com/puppetlabs/pdk-templates/blob/b851eaa1db21ee695c07da1a9594a86403bfcc18/moduleroot/Gemfile.erb#L103-L109 or (summarized for readability):

def location_for(place_or_version, fake_version = nil)
  git_url_regex = %r{\A(?<url>(https?|git)[:@][^#]*)(#(?<branch>.*))?}
  file_url_regex = %r{\Afile:\/\/(?<path>.*)}

  if place_or_version && (git_url = place_or_version.match(git_url_regex))
    [fake_version, { git: git_url[:url], branch: git_url[:branch], require: false }].compact
  elsif place_or_version && (file_url = place_or_version.match(file_url_regex))
    ['>= 0', { path: File.expand_path(file_url[:path]), require: false }]
  else
    [place_or_version, { require: false }]
  end
end

puppet_version = ENV['PUPPET_GEM_VERSION']
gem_params = location_for(puppet_version)
gem 'puppet', *gem_params

So none of these really is the same:

• VP and Foreman use PUPPET_VERSION as the environment variable but PDK uses PUPPET_GEM_VERSION
• VP and PDK use the full specifier while Foreman forces ~>

If these workflows are to be used by all, it would be good to align on a single convention.

PUPPET_GEM_VERSION does have the benefit that it doesn't overlap with PUPPET_VERSION which is also used in beaker-puppet_install_helper (https://github.com/puppetlabs/beaker-puppet_install_helper/blob/41c355b1f83fde562dd5bd6961e2e4eb8b81421c/lib/beaker/puppet_install_helper.rb#L128) which, while archived, is still used by Vox Pupuli and Foreman in their Beaker setups.

The job does more than only beaker tests, should the filename reflect that?

Hi,

It seems that voxpupuli/gha-puppet/.github/workflows/basic.yml@v1 fails now with an error related to Git syntax errors:

fatal: ls-files -i must be used with either -o or -c

This has been reported by other projects and seems related to a Git version that breaks backwards compatibility. This issue seems to affect Ubuntu 20.04 and 22.04 images. Here's another report of what seems to be the same issue:

• reviewdog/action-hadolint#54

The relevant raw logs from GitHub Action here:

2023-01-23T08:42:14.9307855Z Requested labels: ubuntu-latest
2023-01-23T08:42:14.9307894Z Job defined at: voxpupuli/gha-puppet/.github/workflows/basic.yml@refs/heads/v1
2023-01-23T08:42:14.9308042Z Reusable workflow chain:
2023-01-23T08:42:14.9308082Z Puppet-Finland/puppet-ipa/.github/workflows/ci.yml@refs/pull/51/merge (a6b9e583c969e253f014370a2d6b01607aacfb6a)
2023-01-23T08:42:14.9308123Z -> voxpupuli/gha-puppet/.github/workflows/basic.yml@refs/heads/v1 (a8fea30a9fcf14fd4cc9071c839e5a55d5dbab83)
2023-01-23T08:42:14.9308143Z Waiting for a runner to pick up this job...
2023-01-23T08:42:15.3069344Z Job is waiting for a hosted runner to come online.
2023-01-23T08:42:20.0951290Z Job is about to start running on the hosted runner: Hosted Agent (hosted)
2023-01-23T08:42:22.2513455Z Current runner version: '2.300.2'
2023-01-23T08:42:22.2547523Z ##[group]Operating System
2023-01-23T08:42:22.2548413Z Ubuntu
2023-01-23T08:42:22.2548716Z 22.04.1
2023-01-23T08:42:22.2548996Z LTS
2023-01-23T08:42:22.2549248Z ##[endgroup]
2023-01-23T08:42:22.2549569Z ##[group]Runner Image
2023-01-23T08:42:22.2549971Z Image: ubuntu-22.04
2023-01-23T08:42:22.2550251Z Version: 20230118.2
2023-01-23T08:42:22.2550763Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20230118.2/images/linux/Ubuntu2204-Readme.md
2023-01-23T08:42:22.2551397Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20230118.2
2023-01-23T08:42:22.2551804Z ##[endgroup]
--- snip ---
2023-01-23T08:42:22.2562884Z Prepare workflow directory
2023-01-23T08:42:22.3750447Z Prepare all required actions
2023-01-23T08:42:22.3931872Z Getting action download info
2023-01-23T08:42:22.6214970Z Download action repository 'actions/checkout@v3' (SHA:ac593985615ec2ede58e132d2e21d2b1cbd6127c)
2023-01-23T08:42:23.0219206Z Download action repository 'ruby/setup-ruby@v1' (SHA:ee26e27437bde475b19a6bf8cb73c9fa658876a2)
2023-01-23T08:42:23.3344054Z Uses: voxpupuli/gha-puppet/.github/workflows/basic.yml
--- snip ---
2023-01-23T08:42:35.9539098Z [36;1mbundle exec rake validate lint check[0m
2023-01-23T08:42:35.9592809Z shell: /usr/bin/bash -e {0}
2023-01-23T08:42:35.9593038Z env:
2023-01-23T08:42:35.9593325Z   BUNDLE_WITHOUT: development:system_tests:release
2023-01-23T08:42:35.9593701Z ##[endgroup]
2023-01-23T08:42:37.0076470Z ruby -c lib/facter/ipa_server_version.rb
2023-01-23T08:42:37.0117439Z Syntax OK
2023-01-23T08:42:37.0126079Z ---> syntax:manifests
2023-01-23T08:42:37.3167538Z ---> syntax:templates
2023-01-23T08:42:37.3600457Z ---> syntax:hiera:yaml
2023-01-23T08:42:37.9234627Z fatal: ls-files -i must be used with either -o or -c

You can set up puppet-lint and GHA to upload in SARIF format. The explore workflows suggests the following workflow:

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# Puppet Lint tests Puppet code against the recommended Puppet language style guide.
# https://puppet.com/docs/puppet/7/style_guide.html
# Puppet Lint validates only code style; it does not validate syntax.
# To test syntax, use Puppet's puppet parser validate command.
# More details at https://github.com/puppetlabs/puppet-lint/

name: puppet-lint

on:
  push:
    branches: [ "master" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]
  schedule:
    - cron: '41 13 * * 2'

permissions:
  contents: read

jobs:
  puppet-lint:
    name: Run puppet-lint scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read # for checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Setup Ruby
        uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
        with:
          ruby-version: 2.7
          bundler-cache: true

      - name: Install puppet-lint
        run: gem install puppet-lint

      - name: Run puppet-lint
        run: puppet-lint . --sarif > puppet-lint-results.sarif
        continue-on-error: true

      - name: Upload analysis results to GitHub
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: puppet-lint-results.sarif
          wait-for-processing: true

Obviously we only care about the last 2 steps, but the permissions are also useful.

This may be nicer than annotations because it also shows up in code scans when run on the cron schedule.

Perhaps this is something that belongs in voxpupuli-test, perhaps somewhere in between.

I created a completely blank puppet module, copied over Gemfile and Rakefile verbatim, created the puppet.yml Github action file and upon creating a pull request, the Github action fails at "Setup Ruby". I believe this is because the Gemfile doesn't have a pointer to get the gems installed. I added the following to the top of the Gemfile:

source ENV['GEM_SOURCE'] || 'https://rubygems.org'
re-ran the action and the "Setup Ruby" job passed.

The Gemfile at voxpupuli/puppet-chrony implies that the GEM_SOURCE needs to be set.

Modules such openvpn and spiped currently can't be modulesynced to use the shared actions as they require beaker setfiles with more than one host. eg https://github.com/voxpupuli/puppet-openvpn/blob/7ce40c3baa99b77880f8b5a9062bd36cc5557ad0/.github/workflows/ci.yml#L69-L85

I think the first step will be to decide what a new command line option to metadata2gha would look like and then implement that change over in https://github.com/voxpupuli/puppet_metadata

eg. maybe something like the following
--multi-node-roles server,ma:client,a

would produce setfile values of the form
ubuntu1804-64server.ma{hostname=server}-ubuntu1804-64client.a{hostname=client}

I'm setting the hostname and the 'arbitrary-role' to be the same thing. Maybe that's too limited, but maybe if it's ok for 90% of the use-cases, then that's ok. Dunno.

The workflow uses environment variables to set the Puppet version (see #3 as well), but it also has some groups.

It also depends on puppetlabs_spec_helper, which is mentioned but not that it must be in Gemfile.

It also relies on https://github.com/voxpupuli/puppet_metadata to be present since it needs to parse metadata.json to generate the matrix.

Perhaps the matrix generation should also be pushed in puppetlabs_spec_helper as a rake task, since that's generally the interface anyway. If puppetlabs_spec_helper has the right dependencies, it reduces the need to track things in Gemfile.

In the release workflow (https://github.com/voxpupuli/gha-puppet/blob/v1/.github/workflows/release.yml) it uses deploy but I'd say it's really release. It was copied from Vox Pupuli's old release job, but should this be changed now?

I'm trying to use the gha-puppet reusable workflows for the first time and the parallel_tests are failing. I can only assume this is because the parallel_spec Gem is not installed.

I'm very green at this so I don't know where the solutions is. The output error when I have a completely generic project is:

Run ruby/setup-ruby@v1
Modifying PATH
Downloading Ruby
Extracting  Ruby
Print Ruby version
Installing Bundler
> bundle install
/opt/hostedtoolcache/Ruby/3.0.5/x64/bin/bundle config --local path /home/runner/work/junk/junk/vendor/bundle
/opt/hostedtoolcache/Ruby/3.0.5/x64/bin/bundle lock
Fetching gem metadata from https://rubygems.org/.......
Could not find gem 'parallel_spec_standalone' in rubygems repository
https://rubygems.org/ or installed locally.
Error: The process '/opt/hostedtoolcache/Ruby/3.0.5/x64/bin/bundle' failed with exit code 7

I added "gem 'parallel_tests'" to my Gemfile and it seemed to make things better.