Add CI/CD workflows for terraform automation #183
base: main
Conversation
- add transcrypt script - workflow changes to terraform
67239db to 24b2e7a
- fix permissions - write to /tmp path and not directly in repo for transcrypt - fix backend config path
24b2e7a to 99a5ac2
The checks will fail since other PRs need to be merged beforehand.
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
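Review bot: `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is exported through `env:` here but nothing in these lines consumes it; if a later step does need it for a `gh` call, move the variable into that step's own `env:` so the token is not exposed to every other step, and add a `permissions:` block so the token carries only the scopes that step requires.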
It doesn't seem to be used, why set it?
The env variable needs to be set when calling github api, otherwise an error is thrown.
What and where calls those APIs? I don't see any usage of it.
The GITHUB_TOKEN is needed in CI or bash cli for API calls. The API is called with curl via https://github.com/subspace/infra/pull/183/files/99a5ac25712fdda531fd88026a12f96aafeacb83#diff-b46b68b6df852ad5f8fc96162f55c2fe198f6d53eb2fe7d7ce12fcd4b2650ba6R39-R43
If you want to use the API in a GitHub Actions workflow, GitHub recommends that you authenticate with the built-in GITHUB_TOKEN
What you linked doesn't use the GITHUB_TOKEN environment variable, it uses $token that is obtained in a different way.
@nazar-pc removed it, here you go:
https://github.com/subspace/infra/actions/runs/6484473796/job/17608384650#step:5:24
Okay, so it is not for curl, it was for the gh CLI command, now it makes sense.
With that knowledge we understand why it is necessary. I think what we should do now in a secure way (I'm fairly certain simply setting an environment variable wasn't) without using heavy tools like setting the repo's secrets from a workflow is to use outputs and mask them such that they are not visible in logs: https://github.com/orgs/community/discussions/25225#discussioncomment-3246942
That is the goal here: to pass the token from one step into another. What we had in earlier versions of this PR are various suboptimal/incorrect ways of achieving that ultimate goal.
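As an added example of the step-output masking approach described in the comment above (not code from this PR or the infra repository): one step fetches a runner registration token with the gh CLI, masks it, and hands it to a terraform step through a step output. The secret name RUNNER_ADMIN_PAT, the variable name runner_token and the working directory are assumptions.

```yaml
name: register-runner-example
on:
  workflow_dispatch:

# Nothing here needs the default GITHUB_TOKEN, so grant it no scopes.
permissions: {}

jobs:
  register:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Fetch runner registration token
        id: reg
        env:
          # gh reads GH_TOKEN; it is scoped to this single step.
          # RUNNER_ADMIN_PAT is an assumed secret holding the PAT the thread
          # calls $token (creating registration tokens needs admin rights the
          # default GITHUB_TOKEN does not have).
          GH_TOKEN: ${{ secrets.RUNNER_ADMIN_PAT }}
          ORG: ${{ github.repository_owner }}
        run: |
          set -euo pipefail
          token="$(gh api --method POST \
            "/orgs/${ORG}/actions/runners/registration-token" --jq .token)"
          # Register the value with the log masker BEFORE it is written anywhere,
          # then expose it to later steps as an output (not as a repo secret).
          echo "::add-mask::${token}"
          echo "reg_token=${token}" >> "$GITHUB_OUTPUT"

      - name: Terraform apply with the masked token
        env:
          # TF_VAR_<name> is terraform's convention for passing input variables;
          # 'runner_token' is an assumed variable name in the module.
          TF_VAR_runner_token: ${{ steps.reg.outputs.reg_token }}
        working-directory: terraform/runners   # assumed path
        run: |
          set -euo pipefail
          terraform init -input=false
          # The token only ever travels via the environment, never as a
          # command-line argument that a log line could echo.
          terraform apply -input=false -auto-approve
```

The registration token expires on its own (the thread mentions a one-hour lifetime), so nothing needs to be retained after the job; deregistration can use the API with the PAT directly.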
Correct, GitHub CLI, I should have been more clear about that "The GITHUB_TOKEN is needed in CI or bash cli for API calls" but couldn't remember exactly since it was a while ago. That being said, the solution of masking the secret and just passing it is nice if using the ephemeral runners maybe, but this solution and workflow is for the dedicated runners, where I need to retain the secret so I can unregister and delete the runner if need be and remove it from GitHub. See https://docs.github.com/en/free-pro-team@latest/rest/actions/self-hosted-runners?apiVersion=2022-11-28#delete-a-self-hosted-runner-from-an-organization
But you mentioned that tokens only live for 1 hour, so you'll have to retrieve a fresh token anyway. Why retain it then at all?
The token is not needed to deregister, a force delete can be done. So I've used the masking technique.
env: | ||
GH_TOKEN: ${{ github.token }} |
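Review bot: `GH_TOKEN: ${{ github.token }}` and the earlier `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` refer to the same token under two names; keep one of them (the gh CLI reads `GH_TOKEN`), attach it only to the step that invokes gh, and drop the other so a reader can see exactly which step holds the credential.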
You're using secrets.GITHUB_TOKEN above and github.token here, which are both the same thing. Would be nice to make it consistent.
But this environment doesn't seem to be used either.
It is used with the GitHub API, will make it consistent. It is needed for API calls to get the PAT token for GitHub runner registration.
GitHub API again? Which API, I don't see any usage of it.
How is linked code related to GH_TOKEN?
Ok, for $token in the auth header of the curl request, that is the PAT token to authenticate to the repo and get the runner token. If I remove GH_TOKEN you will see an error in CI that you need to have GH_TOKEN to call GitHub APIs from the workflow :). I wasn't using it before, but added it to fix the problem. Here is an old version:
https://github.com/subspace/infra/blob/bd296590f29cdd730ab29869c7ade1258cb395ae/.github/workflows/terraform_gh_runner.yml
- make tokens consistent and adjust some paths. - add comments - remove extra env variable set
460596b to 4a6c180
CI failed with Error: Invalid command-line option, which I think means something needs to be fixed.
- this is not needed with terraform cloud - test (remove GH_TOKEN)
e7c5456 to 2d35eef
@DaMandal0rian is this ready to be reviewed? Looks like GH actions are still failing
- remove tfvars secret and storing in github, use the encrypted terraform.tfvars file with transcrypt. - add branch as input - change API token name and remove vars secret file - change path for dedicated runners
935a2a2 to d865c7c
@vedhavyas yes, the PR is ready. The reason is the tfvars file does not exist in the path, but I will upload the encrypted version in another PR for the resources. I've also made some changes.
- add genesis hash input - add terraform apply and destroy inputs
tfvars file is added in PR https://github.com/subspace/infra/pull/226/files
I may be missing something here, but it looks like we can only run one ephemeral devnet at a time since TF uses the same working directory. This would also be a problem if multiple people want to deploy at the same time.
If it's AWS, can we deploy new instances instead?
As for the hetzner, we should not allow new deployments unless the workspace is already destroyed so that machine can be re-used.
Though I'm not sure if this is out of scope for this PR.
@vedhavyas For Hetzner you can run the destroy input with the workflow dispatch event. Also, please check the readme file which addresses this. This is outside the scope of this PR, which deals with CI/CD. In another PR I can add a random generator to the backend (AWS) for
@DaMandal0rian it has been a while since this PR has progressed. Are there any updates?
The PR adds terraform automation with GitHub Actions CI for devnet, gemini-3(x) and ephemeral devnets.
Closes #184