test-provider.yaml

# This is only workflow that requires cloud credentials and therefore will not run on PRs coming from forks.
name: "Test Nebari Provider"

on:
  schedule:
    - cron: "0 3 * * *"
  pull_request:
    paths:
      - ".github/workflows/test-provider.yaml"
      - ".github/failed-workflow-issue-templates/test-provider.md"
      - ".github/actions/publish-from-template"
      - "tests/**"
      - "scripts/**"
      - "src/**"
      - "pyproject.toml"
  push:
    branches:
      - main
      - develop
      - release/\d{4}.\d{1,2}.\d{1,2}
    paths:
      - ".github/workflows/test-provider.yaml"
      - "tests/**"
      - "scripts/**"
      - "src/**"
      - "pyproject.toml"
  workflow_call:
    inputs:
      pr_number:
        required: true
        type: string

jobs:
  test-render-providers:
    # avoid running on PRs coming from a fork
    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
    name: "Test Nebari Provider"
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      pull-requests: write
    strategy:
      matrix:
        provider:
          - aws
          - azure
          - do
          - gcp
          - local
          - existing
        cicd:
          - none
          - github-actions
          - gitlab-ci
      fail-fast: false
    steps:
      - name: "Checkout Infrastructure"
        uses: actions/checkout@v3

      - name: Checkout the branch from the PR that triggered the job
        if: ${{ github.event_name == 'issue_comment' }}
        run: hub pr checkout ${{ inputs.pr_number }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: 3.8

      - name: Retrieve secret from Vault
        uses: hashicorp/vault-action@v2.5.0
        with:
          method: jwt
          url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
          namespace: "admin/quansight"
          role: "repository-nebari-dev-nebari-role"
          secrets: |
            kv/data/repository/nebari-dev/nebari/amazon_web_services/nebari-dev-ci role_name | AWS_ROLE_ARN;
            kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci project_id | PROJECT_ID;
            kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci workload_identity_provider | GCP_WORKFLOW_PROVIDER;
            kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci service_account_name | GCP_SERVICE_ACCOUNT;
            kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci client_id | ARM_CLIENT_ID;
            kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci tenant_id | ARM_TENANT_ID;
            kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci subscription_id | ARM_SUBSCRIPTION_ID;
            kv/data/repository/nebari-dev/nebari/shared_secrets DIGITALOCEAN_TOKEN | DIGITALOCEAN_TOKEN;

      - name: 'Authenticate to GCP'
        if: ${{ matrix.provider == 'gcp' }}
        uses: 'google-github-actions/auth@v1'
        with:
          token_format: access_token
          create_credentials_file: 'true'
          workload_identity_provider: ${{ env.GCP_WORKFLOW_PROVIDER }}
          service_account: ${{ env.GCP_SERVICE_ACCOUNT }}

      - name: Set required environment variables
        if: ${{ matrix.provider == 'gcp' }}
        run: |
          echo "GOOGLE_CREDENTIALS=${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" >> $GITHUB_ENV

      - name: 'Authenticate to AWS'
        if: ${{ matrix.provider == 'aws' }}
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ env.AWS_ROLE_ARN }}
          role-session-name: github-action
          aws-region: us-east-1

      - name: 'Azure login'
        if: ${{ matrix.provider == 'azure' }}
        uses: azure/login@v1
        with:
          client-id: ${{ env.ARM_CLIENT_ID }}
          tenant-id: ${{ env.ARM_TENANT_ID }}
          subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}

      - name: Install Nebari
        run: |
          pip install --upgrade pip
          pip install .[dev]

      - name: Nebari Initialize
        run: |
          nebari init "${{ matrix.provider }}" --project "TestProvider" --domain "${{ matrix.provider }}.nebari.dev" --auth-provider github --disable-prompt --ci-provider ${{ matrix.cicd }}
          cat "nebari-config.yaml"

      - name: Nebari Render
        run: |
          nebari render -c "nebari-config.yaml" -o "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment"
          cp "nebari-config.yaml" "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment/nebari-config.yaml"

      - name: Nebari Render Artifact
        uses: actions/upload-artifact@master
        with:
          name: "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-artifact"
          path: "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment"

      - if: failure() || github.event_name == 'pull_request'
        name: Publish information from template
        uses: ./.github/actions/publish-from-template
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PROVIDER: ${{ matrix.provider }}
          CICD: ${{ matrix.cicd }}
        with:
          filename: .github/failed-workflow-issue-templates/test-provider.md