ACCESS-NRI · jo-basevi · Sep 26, 2024 · Sep 26, 2024 · Oct 2, 2024 · Oct 2, 2024
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -9,17 +9,34 @@ jobs:
   build:
     name: Build environment
     runs-on: ubuntu-latest
+    environment: Gadi
     steps:
-      - name: Build environment
-        uses: appleboy/[email protected]
+      - name: Setup SSH
+        uses: access-nri/actions/.github/actions/setup-ssh@main
+        id: ssh
         with:
-          host: gadi.nci.org.au
-          username: ${{secrets.GADI_USER}}
-          key: ${{secrets.DEPLOY_KEY}}
-          command_timeout: 120m
-          script: |
-            export SCRIPT_DIR=${{secrets.GADI_REPO_PATH}}/scripts
-            eval $( grep ADMIN_DIR $SCRIPT_DIR/install_config.sh )
-            eval $( grep JOB_LOG_DIR $SCRIPT_DIR/install_config.sh )
-            cd $JOB_LOG_DIR
-            qsub -N build_${{ inputs.environment }} -lncpus=1,mem=20GB,walltime=2:00:00,jobfs=50GB,storage=gdata/v45+scratch/v45+gdata/hh5+scratch/hh5 -v SCRIPT_DIR,CONDA_ENVIRONMENT=${{ inputs.environment }} -P kr06 -q copyq -Wblock=true -Wumask=037 "${SCRIPT_DIR}"/build.sh
+          hosts: ${{ secrets.HOST }}
+          private-key: ${{ secrets.SSH_KEY }}
+
+      - name: Build environment
+        run: |
+          ssh ${{ secrets.USER }}@${{ secrets.HOST }} -i ${{ steps.ssh.outputs.private-key-path }} /bin/bash <<'EOT'
+          set -e
+          export SCRIPT_DIR="${{ secrets.REPO_PATH }}/scripts"
+          export CONDA_ENVIRONMENT="${{ inputs.environment }}"
+          export ADMIN_DIR="${{ vars.ADMIN_DIR }}"
+          export CONDA_BASE="${{ vars.CONDA_BASE }}"
+          export APPS_USERS_GROUP="${{ vars.APPS_USERS_GROUP }}"
+          export APPS_OWNERS_GROUP="${{ vars.APPS_OWNERS_GROUP }}"
+          PROJECT=${{ vars.PROJECT }}
+          STORAGE=${{ vars.STORAGE }}
+
+          source "${SCRIPT_DIR}"/install_config.sh
+          cd "${JOB_LOG_DIR}"
+
+          qsub -N build_"${CONDA_ENVIRONMENT}" -lncpus=1,mem=20GB,walltime=2:00:00,jobfs=50GB,storage="${STORAGE}" \
+            -v SCRIPT_DIR,CONDA_ENVIRONMENT,ADMIN_DIR,CONDA_BASE,APPS_USERS_GROUP,APPS_OWNERS_GROUP \
+            -P "${PROJECT}" -q copyq -Wblock=true -Wumask=037 \
+            "${SCRIPT_DIR}"/build.sh
+
+          EOT
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -9,16 +9,28 @@ jobs:
   deploy:
     name: Deploy environment
     runs-on: ubuntu-latest
+    environment: Gadi
     steps:
-      - name: Deploy environment
-        uses: appleboy/[email protected]
+      - name: Setup SSH
+        uses: access-nri/actions/.github/actions/setup-ssh@main
+        id: ssh
         with:
-          host: gadi.nci.org.au
-          username: ${{secrets.GADI_USER}}
-          key: ${{secrets.DEPLOY_KEY}}
-          script: |
-            export SCRIPT_DIR=${{secrets.GADI_REPO_PATH}}/scripts
-            export CONDA_ENVIRONMENT=${{ inputs.environment }}
-            eval $( grep ADMIN_DIR $SCRIPT_DIR/install_config.sh )
-            eval $( grep BUILD_STAGE_DIR $SCRIPT_DIR/install_config.sh )
-            "${SCRIPT_DIR}"/deploy.sh
+          hosts: ${{ secrets.HOST }}
+          private-key: ${{ secrets.SSH_KEY }}
+
+      - name: Deploy environment
+        run: |
+          ssh ${{ secrets.USER }}@${{ secrets.HOST }} -i ${{ steps.ssh.outputs.private-key-path }} /bin/bash <<'EOT'
+          set -e
+          export SCRIPT_DIR="${{ secrets.REPO_PATH }}/scripts"
+          export CONDA_ENVIRONMENT="${{ inputs.environment }}"
+          export ADMIN_DIR="${{ vars.ADMIN_DIR }}"
+          export CONDA_BASE="${{ vars.CONDA_BASE }}"
+          export APPS_USERS_GROUP="${{ vars.APPS_USERS_GROUP }}"
+          export APPS_OWNERS_GROUP="${{ vars.APPS_OWNERS_GROUP }}"
+
+          source "${SCRIPT_DIR}"/install_config.sh
+
+          "${SCRIPT_DIR}"/deploy.sh
+
+          EOT
diff --git a/.github/workflows/get_changed_env.yml b/.github/workflows/get_changed_env.yml
@@ -32,7 +32,7 @@ jobs:
           for line in $DIFF; do
             if [[ $line =~ environments ]]; then
                 env_name=$( basename ${line%/*} )
-                if ! [[ $json =~ $env_name ]]; then
+                if ! [[ $json =~ $env_name ]] && [ -d "environments/$env_name" ]; then
                     json="$json{\"environment\":\"$env_name\"},"
                 fi
             fi

diff --git a/.github/workflows/manual_trigger.yml b/.github/workflows/manual_trigger.yml
@@ -10,27 +10,42 @@ on:
 jobs:
   setup:
     runs-on: ubuntu-latest
+    environment: Gadi
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+
+      - name: Setup SSH
+        uses: access-nri/actions/.github/actions/setup-ssh@main
+        id: ssh
+        with:
+          hosts: |
+            ${{ secrets.HOST }}
+            ${{ secrets.HOST_DATA }}
+          private-key: ${{ secrets.SSH_KEY }}
+
       - name: Sync repository to Gadi
-        uses: up9cloud/[email protected]
-        env:
-          HOST: gadi.nci.org.au
-          TARGET: ${{secrets.GADI_REPO_PATH}}
-          KEY: ${{secrets.DEPLOY_KEY}}
-          USER: ${{secrets.GADI_USER}}
+        run: |
+          rsync -e 'ssh -i ${{ steps.ssh.outputs.private-key-path }}' \
+            -avz --delete --exclude=/.git/ --exclude=/.github/ \
+            ./ \
+            ${{ secrets.USER }}@${{ secrets.HOST_DATA }}:${{ secrets.REPO_PATH }}
+
       - name: Create Admin dirs on Gadi
-        uses: appleboy/[email protected]
-        with:
-          host: gadi.nci.org.au
-          username: ${{secrets.GADI_USER}}
-          key: ${{secrets.DEPLOY_KEY}}
-          script: |
-            source ${{secrets.GADI_REPO_PATH}}/scripts/install_config.sh
-            source ${{secrets.GADI_REPO_PATH}}/scripts/functions.sh
-            mkdir -p $ADMIN_DIR $JOB_LOG_DIR $BUILD_STAGE_DIR
-            set_admin_perms $ADMIN_DIR $JOB_LOG_DIR $BUILD_STAGE_DIR
+        run: |
+          ssh ${{ secrets.USER }}@${{ secrets.HOST }} -i ${{ steps.ssh.outputs.private-key-path }} /bin/bash <<'EOT'
+          set -e
+          export ADMIN_DIR="${{ vars.ADMIN_DIR }}"
+          export CONDA_BASE="${{ vars.CONDA_BASE }}"
+          export APPS_USERS_GROUP="${{ vars.APPS_USERS_GROUP }}"
+          export APPS_OWNERS_GROUP="${{ vars.APPS_OWNERS_GROUP }}"
+
+          source "${{ secrets.REPO_PATH }}/scripts/install_config.sh"
+          source "${{ secrets.REPO_PATH }}/scripts/functions.sh"
+          mkdir -p "${ADMIN_DIR}" "${JOB_LOG_DIR}" "${BUILD_STAGE_DIR}"
+          set_admin_perms "${ADMIN_DIR}" "${JOB_LOG_DIR}" "${BUILD_STAGE_DIR}"
+
+          EOT
 
   build:
     needs: setup

diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -1,51 +1,135 @@
 name: Build and test conda env
+
 on: pull_request
+
 jobs:
   generate_matrix:
     uses: ./.github/workflows/get_changed_env.yml
-  
-  setup:
+
+  build_base_image:
     runs-on: ubuntu-latest
     needs: generate_matrix
     if: ${{ needs.generate_matrix.outputs.matrix != '{"include":[]}' }}
     container:
       image: quay.io/singularity/singularity:v3.11.4
       options: --privileged
+    outputs:
+      built-container: ${{ steps.changed-container-def.outputs.containerdef_any_changed }}
     steps:
       - name: Checkout repository
         ### Latest at time of writing
         uses: actions/checkout@v4
+
       - name: Check if container definition has changed
         id: changed-container-def
-        uses: tj-actions/changed-files@v41
+        uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v43.0.2
         with:
           files_yaml: |
             containerdef:
               - container/container.def
+
       - name: Build container if definition has changed
         if: steps.changed-container-def.outputs.containerdef_any_changed == 'true'
         run: |
             echo ${{ needs.generate_matrix.outputs.matrix }}
             sudo -E singularity build container/base.sif container/container.def
+
+      - name: Upload base container
+        if: steps.changed-container-def.outputs.containerdef_any_changed == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+            name: base-container
+            path: container/base.sif
+
+  setup:
+    runs-on: ubuntu-latest
+    needs: [ generate_matrix, build_base_image ]
+    if: ${{ needs.generate_matrix.outputs.matrix != '{"include":[]}' }}
+    environment: Gadi
+    steps:
+      - name: Check Gadi Github Environment configuration
+        run: |
+          vars_unset=false
+          if [ -z "${{ vars.ADMIN_DIR }}" ]; then
+            echo "::error::vars.ADMIN_DIR is unset. ADMIN_DIR is the base directory which will contain the staging and logs sub-directories"
+            vars_unset=true
+          fi
+          if [ -z "${{ vars.CONDA_BASE }}" ]; then
+            echo "::error::vars.CONDA_BASE is unset. CONDA_BASE is the base deployment directory which will contain apps and module sub-directories"
+            vars_unset=true
+          fi
+          if [ -z "${{ vars.PROJECT }}" ]; then
+            echo "::error::vars.PROJECT is unset. PROJECT is the project code passed to build+test qsub calls"
+            vars_unset=true
+          fi
+          if [ -z "${{ vars.STORAGE }}" ]; then
+            echo "::error::vars.STORAGE is unset. STORAGE is the storage flags passed to build+test qsub calls"
+            vars_unset=true
+          fi
+          if [ -z "${{ vars.APPS_USERS_GROUP }}" ]; then
+            echo "::error::vars.APPS_USERS_GROUP is unset. APPS_USERS_GROUP is used for setting file permissions"
+            vars_unset=true
+          fi
+          if [ -z "${{ vars.APPS_OWNERS_GROUP }}" ]; then
+            echo "::error::APPS_OWNERS_GROUP is unset. APPS_OWNERS_GROUP is used for setting file permissions"
+            vars_unset=true
+          fi
+          if [ -z "${{ secrets.REPO_PATH }}" ]; then
+            echo "::error::secrets.REPO_PATH is unset. REPO_PATH is the path where this repository is synced to"
+            vars_unset=true
+          fi
+
+          if [ "$vars_unset" == "true" ]; then
+            echo "::error::Required vars in Gadi Github Environment are unset."
+            exit 1
+          fi
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Download base container
+        if: needs.build_base_image.outputs.built-container == 'true'
+        uses: actions/download-artifact@v4
+        with:
+            name: base-container
+            path: container
+
+      - name: Setup SSH
+        uses: access-nri/actions/.github/actions/setup-ssh@main
+        id: ssh
+        with:
+          hosts: |
+            ${{ secrets.HOST }}
+            ${{ secrets.HOST_DATA }}
+          private-key: ${{ secrets.SSH_KEY }}
+
+      - name: Create parent repository directories
+        run: |
+          ssh ${{ secrets.USER }}@${{ secrets.HOST }} -i ${{ steps.ssh.outputs.private-key-path }} /bin/bash <<'EOT'
+          mkdir -p ${{ secrets.REPO_PATH }}
+          EOT
+
       - name: Sync repository to Gadi
-        ### Latest at time of writing
-        uses: up9cloud/[email protected]
-        env:
-          HOST: gadi.nci.org.au
-          TARGET: ${{secrets.GADI_REPO_PATH}}
-          KEY: ${{secrets.DEPLOY_KEY}}
-          USER: ${{secrets.GADI_USER}}
+        run: |
+          rsync -e 'ssh -i ${{ steps.ssh.outputs.private-key-path }}' \
+            -avz --delete --exclude=/.git/ --exclude=/.github/ \
+            ./ \
+            ${{ secrets.USER }}@${{ secrets.HOST_DATA }}:${{ secrets.REPO_PATH }}
+
       - name: Create Admin dirs on Gadi
-        uses: appleboy/[email protected]
-        with:
-          host: gadi.nci.org.au
-          username: ${{secrets.GADI_USER}}
-          key: ${{secrets.DEPLOY_KEY}}
-          script: |
-            source ${{secrets.GADI_REPO_PATH}}/scripts/install_config.sh
-            source ${{secrets.GADI_REPO_PATH}}/scripts/functions.sh
-            mkdir -p $ADMIN_DIR $JOB_LOG_DIR $BUILD_STAGE_DIR
-            set_admin_perms $ADMIN_DIR $JOB_LOG_DIR $BUILD_STAGE_DIR
+        run: |
+          ssh ${{ secrets.USER }}@${{ secrets.HOST }} -i ${{ steps.ssh.outputs.private-key-path }} /bin/bash <<'EOT'
+          set -e
+          export ADMIN_DIR="${{ vars.ADMIN_DIR }}"
+          export CONDA_BASE="${{ vars.CONDA_BASE }}"
+          export APPS_USERS_GROUP="${{ vars.APPS_USERS_GROUP }}"
+          export APPS_OWNERS_GROUP="${{ vars.APPS_OWNERS_GROUP }}"
+
+          source "${{ secrets.REPO_PATH }}/scripts/install_config.sh"
+          source "${{ secrets.REPO_PATH }}/scripts/functions.sh"
+          mkdir -p "${ADMIN_DIR}" "${JOB_LOG_DIR}" "${BUILD_STAGE_DIR}"
+          set_admin_perms "${ADMIN_DIR}" "${JOB_LOG_DIR}" "${BUILD_STAGE_DIR}"
+          EOT
 
   build:
     needs: [ generate_matrix, setup ]

diff --git a/.github/workflows/push_to_main.yml b/.github/workflows/push_to_main.yml
@@ -8,19 +8,26 @@ jobs:
 
   setup:
     runs-on: ubuntu-latest
+    environment: Gadi
     steps:
       - name: Checkout repository
         ### Latest at time of writing
         uses: actions/checkout@v4
+
+      - name: Setup SSH
+        uses: access-nri/actions/.github/actions/setup-ssh@main
+        id: ssh
+        with:
+          hosts: ${{ secrets.HOST_DATA }}
+          private-key: ${{ secrets.SSH_KEY }}
+
       - name: Sync repository to Gadi
-        ### Latest at time of writing
-        uses: up9cloud/[email protected]
-        env:
-          HOST: gadi.nci.org.au
-          TARGET: ${{secrets.GADI_REPO_PATH}}
-          KEY: ${{secrets.DEPLOY_KEY}}
-          USER: ${{secrets.GADI_USER}}
-
+        run: |
+          rsync -e 'ssh -i ${{ steps.ssh.outputs.private-key-path }}' \
+            -avz --delete --exclude=/.git/ --exclude=/.github/ \
+            ./ \
+            ${{ secrets.USER }}@${{ secrets.HOST_DATA }}:${{ secrets.REPO_PATH }}
+
   deploy:
     needs: [ generate_matrix, setup ]
     uses: ./.github/workflows/deploy.yml

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -9,16 +9,34 @@ jobs:
   test:
     name: Test environment
     runs-on: ubuntu-latest
+    environment: Gadi
     steps:
-      - name: Test environment
-        uses: appleboy/[email protected]
+      - name: Setup SSH
+        uses: access-nri/actions/.github/actions/setup-ssh@main
+        id: ssh
         with:
-          host: gadi.nci.org.au
-          username: ${{secrets.GADI_USER}}
-          key: ${{secrets.DEPLOY_KEY}}
-          script: |
-            export SCRIPT_DIR=${{secrets.GADI_REPO_PATH}}/scripts
-            eval $( grep ADMIN_DIR $SCRIPT_DIR/install_config.sh )
-            eval $( grep JOB_LOG_DIR $SCRIPT_DIR/install_config.sh )
-            cd $JOB_LOG_DIR
-            qsub -N test_${{ inputs.environment }} -lncpus=4,mem=20GB,walltime=0:20:00,jobfs=50GB,storage=gdata/v45+scratch/v45+gdata/hh5+scratch/hh5 -v SCRIPT_DIR,CONDA_ENVIRONMENT=${{ inputs.environment }} -P kr06 -Wblock=true -Wumask=037 "${SCRIPT_DIR}"/test.sh
+          hosts: ${{ secrets.HOST }}
+          private-key: ${{ secrets.SSH_KEY }}
+
+      - name: Test environment
+        run: |
+          ssh ${{ secrets.USER }}@${{ secrets.HOST }} -i ${{ steps.ssh.outputs.private-key-path }} /bin/bash <<'EOT'
+          set -e
+          export SCRIPT_DIR="${{secrets.REPO_PATH}}/scripts"
+          export CONDA_ENVIRONMENT="${{ inputs.environment }}"
+          export ADMIN_DIR="${{ vars.ADMIN_DIR }}"
+          export CONDA_BASE="${{ vars.CONDA_BASE }}"
+          export APPS_USERS_GROUP="${{ vars.APPS_USERS_GROUP }}"
+          export APPS_OWNERS_GROUP="${{ vars.APPS_OWNERS_GROUP }}"
+          PROJECT=${{ vars.PROJECT }}
+          STORAGE=${{ vars.STORAGE }}
+
+          source "${SCRIPT_DIR}"/install_config.sh
+          cd "${JOB_LOG_DIR}"
+
+          qsub -N test_"${CONDA_ENVIRONMENT}" -lncpus=4,mem=20GB,walltime=0:20:00,jobfs=50GB,storage="${STORAGE}" \
+            -v SCRIPT_DIR,CONDA_ENVIRONMENT,ADMIN_DIR,CONDA_BASE,APPS_USERS_GROUP,APPS_OWNERS_GROUP \
+            -P "${PROJECT}" -Wblock=true -Wumask=037 \
+            "${SCRIPT_DIR}"/test.sh
+
+          EOT