-
Notifications
You must be signed in to change notification settings - Fork 93
152 lines (138 loc) · 5.93 KB
/
test-provider.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# This is only workflow that requires cloud credentials and therefore will not run on PRs coming from forks.
name: "Test Nebari Provider"
on:
schedule:
- cron: "0 3 * * *"
pull_request:
paths:
- ".github/workflows/test-provider.yaml"
- ".github/failed-workflow-issue-templates/test-provider.md"
- ".github/actions/publish-from-template"
- "tests/**"
- "scripts/**"
- "src/**"
- "pyproject.toml"
push:
branches:
- main
- release/\d{4}.\d{1,2}.\d{1,2}
paths:
- ".github/workflows/test-provider.yaml"
- "tests/**"
- "scripts/**"
- "src/**"
- "pyproject.toml"
workflow_call:
inputs:
pr_number:
required: true
type: string
jobs:
test-render-providers:
# Prevents the execution of this test under the following conditions:
# 1. When the 'NO_PROVIDER_CREDENTIALS' GitHub variable is set, indicating the absence of provider credentials.
# 2. For pull requests (PRs) originating from a fork, since GitHub does not provide the fork's credentials to the destination repository.
# ref. https://github.com/nebari-dev/nebari/issues/2379
if: |
vars.NO_PROVIDER_CREDENTIALS == '' &&
(github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
name: "Test Nebari Provider"
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
pull-requests: write
strategy:
matrix:
provider:
- aws
- azure
- gcp
- local
- existing
cicd:
- none
- github-actions
- gitlab-ci
fail-fast: false
steps:
- name: "Checkout Infrastructure"
uses: actions/checkout@v4
- name: Checkout the branch from the PR that triggered the job
if: ${{ github.event_name == 'issue_comment' }}
run: hub pr checkout ${{ inputs.pr_number }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Retrieve secret from Vault
uses: hashicorp/vault-action@v3.0.0
with:
method: jwt
url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
namespace: "admin/quansight"
role: "repository-nebari-dev-nebari-role"
secrets: |
kv/data/repository/nebari-dev/nebari/amazon_web_services/nebari-dev-ci role_name | AWS_ROLE_ARN;
kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci project_id | PROJECT_ID;
kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci workload_identity_provider | GCP_WORKFLOW_PROVIDER;
kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci service_account_name | GCP_SERVICE_ACCOUNT;
kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci client_id | ARM_CLIENT_ID;
kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci tenant_id | ARM_TENANT_ID;
kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci subscription_id | ARM_SUBSCRIPTION_ID;
kv/data/repository/nebari-dev/nebari/shared_secrets SPACES_ACCESS_KEY_ID | SPACES_ACCESS_KEY_ID;
kv/data/repository/nebari-dev/nebari/shared_secrets SPACES_SECRET_ACCESS_KEY | SPACES_SECRET_ACCESS_KEY;
- name: 'Authenticate to GCP'
if: ${{ matrix.provider == 'gcp' }}
uses: 'google-github-actions/auth@v1'
with:
token_format: access_token
create_credentials_file: 'true'
workload_identity_provider: ${{ env.GCP_WORKFLOW_PROVIDER }}
service_account: ${{ env.GCP_SERVICE_ACCOUNT }}
- name: Set required environment variables
if: ${{ matrix.provider == 'gcp' }}
run: |
echo "GOOGLE_CREDENTIALS=${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" >> $GITHUB_ENV
- name: 'Authenticate to AWS'
if: ${{ matrix.provider == 'aws' }}
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ env.AWS_ROLE_ARN }}
role-session-name: github-action
aws-region: us-east-1
- name: 'Azure login'
if: ${{ matrix.provider == 'azure' }}
uses: azure/login@v1
with:
client-id: ${{ env.ARM_CLIENT_ID }}
tenant-id: ${{ env.ARM_TENANT_ID }}
subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
- name: Install Nebari
run: |
pip install --upgrade pip
pip install .[dev]
- name: Nebari Initialize
run: |
nebari init "${{ matrix.provider }}" --project "TestProvider" --domain "${{ matrix.provider }}.nebari.dev" --auth-provider password --disable-prompt --ci-provider ${{ matrix.cicd }}
cat "nebari-config.yaml"
- name: Nebari Render
run: |
nebari render -c "nebari-config.yaml" -o "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment"
cp "nebari-config.yaml" "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment/nebari-config.yaml"
- name: Nebari Render Artifact
uses: actions/upload-artifact@master
with:
name: "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-artifact"
path: "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment"
- if: failure() || github.event_name == 'pull_request'
name: Publish information from template
uses: ./.github/actions/publish-from-template
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PROVIDER: ${{ matrix.provider }}
CICD: ${{ matrix.cicd }}
with:
filename: .github/failed-workflow-issue-templates/test-provider.md