-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
f16e376
commit d134309
Showing
9 changed files
with
1,160 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
name: Publish manylinux_ghr_x86_64 image | ||
on: | ||
workflow_dispatch: | ||
push: | ||
branches: ['main'] | ||
paths: | ||
- dockerfiles/manylinux_ghr_x86_64.Dockerfile | ||
- .github/workflows/publish_manylinux_ghr_x86_64.yml | ||
|
||
env: | ||
REGISTRY: ghcr.io | ||
IMAGE_NAME: nod-ai/manylinux_ghr_x86_64 | ||
|
||
jobs: | ||
build-and-push-image: | ||
runs-on: ubuntu-latest | ||
# Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. | ||
permissions: | ||
contents: read | ||
packages: write | ||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v3 | ||
- name: Log in to the Container registry | ||
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 | ||
with: | ||
registry: ${{ env.REGISTRY }} | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Extract metadata (tags, labels) for Docker | ||
id: meta | ||
uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 | ||
with: | ||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | ||
# This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. | ||
# It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. | ||
# It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. | ||
- name: Build and push Docker image | ||
uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 | ||
with: | ||
context: . | ||
file: dockerfiles/manylinux_ghr_x86_64.Dockerfile | ||
push: true | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
#!/bin/bash | ||
# Copyright 2022 The IREE Authors | ||
# | ||
# Licensed under the Apache License v2.0 with LLVM Exceptions. | ||
# See https://llvm.org/LICENSE.txt for license information. | ||
# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception | ||
|
||
set -euo pipefail | ||
|
||
CMAKE_VERSION="$1" | ||
|
||
ARCH="$(uname -m)" | ||
|
||
curl --silent --fail --show-error --location \ | ||
"https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-linux-${ARCH}.sh" \ | ||
--output cmake-installer.sh | ||
|
||
chmod +x cmake-installer.sh | ||
./cmake-installer.sh --skip-license --prefix=/usr/ |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# GitHub Actions Runner Support | ||
|
||
This contains bits and bobs from various places: | ||
|
||
* https://github.com/myoung34/docker-github-actions-runner |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
#!/bin/bash | ||
# | ||
# Request an ACCESS_TOKEN to be used by a GitHub APP | ||
# Environment variable that need to be set up: | ||
# * APP_ID, the GitHub's app ID | ||
# * APP_PRIVATE_KEY, the content of GitHub app's private key in PEM format. | ||
# * APP_LOGIN, the login name used to install GitHub's app | ||
# | ||
# https://github.com/orgs/community/discussions/24743#discussioncomment-3245300 | ||
# | ||
|
||
set -o pipefail | ||
|
||
_GITHUB_HOST=${GITHUB_HOST:="github.com"} | ||
|
||
# If URL is not github.com then use the enterprise api endpoint | ||
if [[ ${GITHUB_HOST} = "github.com" ]]; then | ||
URI="https://api.${_GITHUB_HOST}" | ||
else | ||
URI="https://${_GITHUB_HOST}/api/v3" | ||
fi | ||
|
||
API_VERSION=v3 | ||
API_HEADER="Accept: application/vnd.github.${API_VERSION}+json" | ||
CONTENT_LENGTH_HEADER="Content-Length: 0" | ||
APP_INSTALLATIONS_URI="${URI}/app/installations" | ||
|
||
|
||
# JWT parameters based off | ||
# https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-a-github-app | ||
# | ||
# JWT token issuance and expiration parameters | ||
JWT_IAT_DRIFT=60 | ||
JWT_EXP_DELTA=600 | ||
|
||
JWT_JOSE_HEADER='{ | ||
"alg": "RS256", | ||
"typ": "JWT" | ||
}' | ||
|
||
|
||
build_jwt_payload() { | ||
now=$(date +%s) | ||
iat=$((now - JWT_IAT_DRIFT)) | ||
jq -c \ | ||
--arg iat_str "${iat}" \ | ||
--arg exp_delta_str "${JWT_EXP_DELTA}" \ | ||
--arg app_id_str "${APP_ID}" \ | ||
' | ||
($iat_str | tonumber) as $iat | ||
| ($exp_delta_str | tonumber) as $exp_delta | ||
| ($app_id_str | tonumber) as $app_id | ||
| .iat = $iat | ||
| .exp = ($iat + $exp_delta) | ||
| .iss = $app_id | ||
' <<< "{}" | tr -d '\n' | ||
} | ||
|
||
base64url() { | ||
base64 | tr '+/' '-_' | tr -d '=\n' | ||
} | ||
|
||
rs256_sign() { | ||
openssl dgst -binary -sha256 -sign <(echo "$1") | ||
} | ||
|
||
request_access_token() { | ||
jwt_payload=$(build_jwt_payload) | ||
encoded_jwt_parts=$(base64url <<<"${JWT_JOSE_HEADER}").$(base64url <<<"${jwt_payload}") | ||
encoded_mac=$(echo -n "${encoded_jwt_parts}" | rs256_sign "${APP_PRIVATE_KEY}" | base64url) | ||
generated_jwt="${encoded_jwt_parts}.${encoded_mac}" | ||
|
||
auth_header="Authorization: Bearer ${generated_jwt}" | ||
|
||
app_installations_response=$(curl -sX GET \ | ||
-H "${auth_header}" \ | ||
-H "${API_HEADER}" \ | ||
"${APP_INSTALLATIONS_URI}" \ | ||
) | ||
access_token_url=$(echo "${app_installations_response}" | jq --raw-output '.[] | select (.account.login == "'"${APP_LOGIN}"'" and .app_id == '"${APP_ID}"') .access_tokens_url') | ||
curl -sX POST \ | ||
-H "${CONTENT_LENGTH_HEADER}" \ | ||
-H "${auth_header}" \ | ||
-H "${API_HEADER}" \ | ||
"${access_token_url}" | \ | ||
jq --raw-output .token | ||
} | ||
|
||
request_access_token |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,203 @@ | ||
#!/usr/bin/dumb-init /bin/bash | ||
# shellcheck shell=bash | ||
|
||
export RUNNER_ALLOW_RUNASROOT=1 | ||
export PATH=${PATH}:/actions-runner | ||
|
||
# Un-export these, so that they must be passed explicitly to the environment of | ||
# any command that needs them. This may help prevent leaks. | ||
export -n ACCESS_TOKEN | ||
export -n RUNNER_TOKEN | ||
export -n APP_ID | ||
export -n APP_PRIVATE_KEY | ||
|
||
deregister_runner() { | ||
echo "Caught SIGTERM. Deregistering runner" | ||
if [[ -n "${ACCESS_TOKEN}" ]]; then | ||
_TOKEN=$(ACCESS_TOKEN="${ACCESS_TOKEN}" bash /token.sh) | ||
RUNNER_TOKEN=$(echo "${_TOKEN}" | jq -r .token) | ||
fi | ||
./config.sh remove --token "${RUNNER_TOKEN}" | ||
exit | ||
} | ||
|
||
_DISABLE_AUTOMATIC_DEREGISTRATION=${DISABLE_AUTOMATIC_DEREGISTRATION:-false} | ||
|
||
_RANDOM_RUNNER_SUFFIX=${RANDOM_RUNNER_SUFFIX:="true"} | ||
|
||
_RUNNER_NAME=${RUNNER_NAME:-${RUNNER_NAME_PREFIX:-github-runner}-$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13 ; echo '')} | ||
if [[ ${RANDOM_RUNNER_SUFFIX} != "true" ]]; then | ||
# In some cases this file does not exist | ||
if [[ -f "/etc/hostname" ]]; then | ||
# in some cases it can also be empty | ||
if [[ $(stat --printf="%s" /etc/hostname) -ne 0 ]]; then | ||
_RUNNER_NAME=${RUNNER_NAME:-${RUNNER_NAME_PREFIX:-github-runner}-$(cat /etc/hostname)} | ||
echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX}. /etc/hostname exists and has content. Setting runner name to ${_RUNNER_NAME}" | ||
else | ||
echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX} ./etc/hostname exists but is empty. Not using /etc/hostname." | ||
fi | ||
else | ||
echo "RANDOM_RUNNER_SUFFIX is ${RANDOM_RUNNER_SUFFIX} but /etc/hostname does not exist. Not using /etc/hostname." | ||
fi | ||
fi | ||
|
||
_RUNNER_WORKDIR=${RUNNER_WORKDIR:-/_work/${_RUNNER_NAME}} | ||
_LABELS=${LABELS:-default} | ||
_RUNNER_GROUP=${RUNNER_GROUP:-Default} | ||
_GITHUB_HOST=${GITHUB_HOST:="github.com"} | ||
_RUN_AS_ROOT=${RUN_AS_ROOT:="true"} | ||
_START_DOCKER_SERVICE=${START_DOCKER_SERVICE:="false"} | ||
|
||
# ensure backwards compatibility | ||
if [[ -z ${RUNNER_SCOPE} ]]; then | ||
if [[ ${ORG_RUNNER} == "true" ]]; then | ||
echo 'ORG_RUNNER is now deprecated. Please use RUNNER_SCOPE="org" instead.' | ||
export RUNNER_SCOPE="org" | ||
else | ||
export RUNNER_SCOPE="repo" | ||
fi | ||
fi | ||
|
||
RUNNER_SCOPE="${RUNNER_SCOPE,,}" # to lowercase | ||
|
||
case ${RUNNER_SCOPE} in | ||
org*) | ||
[[ -z ${ORG_NAME} ]] && ( echo "ORG_NAME required for org runners"; exit 1 ) | ||
_SHORT_URL="https://${_GITHUB_HOST}/${ORG_NAME}" | ||
RUNNER_SCOPE="org" | ||
if [[ -n "${APP_ID}" ]] && [[ -z "${APP_LOGIN}" ]]; then | ||
APP_LOGIN=${ORG_NAME} | ||
fi | ||
;; | ||
|
||
ent*) | ||
[[ -z ${ENTERPRISE_NAME} ]] && ( echo "ENTERPRISE_NAME required for enterprise runners"; exit 1 ) | ||
_SHORT_URL="https://${_GITHUB_HOST}/enterprises/${ENTERPRISE_NAME}" | ||
RUNNER_SCOPE="enterprise" | ||
;; | ||
|
||
*) | ||
[[ -z ${REPO_URL} ]] && ( echo "REPO_URL required for repo runners"; exit 1 ) | ||
_SHORT_URL=${REPO_URL} | ||
RUNNER_SCOPE="repo" | ||
if [[ -n "${APP_ID}" ]] && [[ -z "${APP_LOGIN}" ]]; then | ||
APP_LOGIN=${REPO_URL%/*} | ||
APP_LOGIN=${APP_LOGIN##*/} | ||
fi | ||
;; | ||
esac | ||
|
||
configure_runner() { | ||
ARGS=() | ||
if [[ -n "${APP_ID}" ]] && [[ -n "${APP_PRIVATE_KEY}" ]] && [[ -n "${APP_LOGIN}" ]]; then | ||
if [[ -n "${ACCESS_TOKEN}" ]] || [[ -n "${RUNNER_TOKEN}" ]]; then | ||
echo "ERROR: ACCESS_TOKEN or RUNNER_TOKEN provided but are mutually exclusive with APP_ID, APP_PRIVATE_KEY and APP_LOGIN." >&2 | ||
exit 1 | ||
fi | ||
echo "Obtaining access token for app_id ${APP_ID} and login ${APP_LOGIN}" | ||
nl=" | ||
" | ||
ACCESS_TOKEN=$(APP_ID="${APP_ID}" APP_PRIVATE_KEY="${APP_PRIVATE_KEY//\\n/${nl}}" APP_LOGIN="${APP_LOGIN}" bash /app_token.sh) | ||
elif [[ -n "${APP_ID}" ]] || [[ -n "${APP_PRIVATE_KEY}" ]] || [[ -n "${APP_LOGIN}" ]]; then | ||
echo "ERROR: All of APP_ID, APP_PRIVATE_KEY and APP_LOGIN must be specified." >&2 | ||
exit 1 | ||
fi | ||
|
||
if [[ -n "${ACCESS_TOKEN}" ]]; then | ||
echo "Obtaining the token of the runner" | ||
_TOKEN=$(ACCESS_TOKEN="${ACCESS_TOKEN}" bash /token.sh) | ||
RUNNER_TOKEN=$(echo "${_TOKEN}" | jq -r .token) | ||
fi | ||
|
||
# shellcheck disable=SC2153 | ||
if [ -n "${EPHEMERAL}" ]; then | ||
echo "Ephemeral option is enabled" | ||
ARGS+=("--ephemeral") | ||
fi | ||
|
||
if [ -n "${DISABLE_AUTO_UPDATE}" ]; then | ||
echo "Disable auto update option is enabled" | ||
ARGS+=("--disableupdate") | ||
fi | ||
|
||
if [ -n "${NO_DEFAULT_LABELS}" ]; then | ||
echo "Disable adding the default self-hosted, platform, and architecture labels" | ||
ARGS+=("--no-default-labels") | ||
fi | ||
|
||
echo "Configuring" | ||
./config.sh \ | ||
--url "${_SHORT_URL}" \ | ||
--token "${RUNNER_TOKEN}" \ | ||
--name "${_RUNNER_NAME}" \ | ||
--work "${_RUNNER_WORKDIR}" \ | ||
--labels "${_LABELS}" \ | ||
--runnergroup "${_RUNNER_GROUP}" \ | ||
--unattended \ | ||
--replace \ | ||
"${ARGS[@]}" | ||
|
||
[[ ! -d "${_RUNNER_WORKDIR}" ]] && mkdir "${_RUNNER_WORKDIR}" | ||
|
||
} | ||
|
||
|
||
# Opt into runner reusage because a value was given | ||
if [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then | ||
echo "Runner reusage is enabled" | ||
|
||
# directory exists, copy the data | ||
if [[ -d "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then | ||
echo "Copying previous data" | ||
cp -p -r "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}/." "/actions-runner" | ||
fi | ||
|
||
if [ -f "/actions-runner/.runner" ]; then | ||
echo "The runner has already been configured" | ||
else | ||
configure_runner | ||
fi | ||
else | ||
echo "Runner reusage is disabled" | ||
configure_runner | ||
fi | ||
|
||
if [[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]]; then | ||
echo "Reusage is enabled. Storing data to ${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" | ||
# Quoting (even with double-quotes) the regexp brokes the copying | ||
cp -p -r "/actions-runner/_diag" "/actions-runner/svc.sh" /actions-runner/.[^.]* "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" | ||
fi | ||
|
||
if [[ ${_DISABLE_AUTOMATIC_DEREGISTRATION} == "false" ]]; then | ||
trap deregister_runner SIGINT SIGQUIT SIGTERM INT TERM QUIT | ||
fi | ||
|
||
# Start docker service if needed (e.g. for docker-in-docker) | ||
if [[ ${_START_DOCKER_SERVICE} == "true" ]]; then | ||
echo "Starting docker service" | ||
_PREFIX="" | ||
[[ ${_RUN_AS_ROOT} != "true" ]] && _PREFIX="sudo" | ||
${_PREFIX} service docker start | ||
fi | ||
|
||
# Container's command (CMD) execution as runner user | ||
|
||
|
||
if [[ ${_RUN_AS_ROOT} == "true" ]]; then | ||
if [[ $(id -u) -eq 0 ]]; then | ||
"$@" | ||
else | ||
echo "ERROR: RUN_AS_ROOT env var is set to true but the user has been overridden and is not running as root, but UID '$(id -u)'" | ||
exit 1 | ||
fi | ||
else | ||
if [[ $(id -u) -eq 0 ]]; then | ||
[[ -n "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]] && chown -R runner "${CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" | ||
chown -R runner "${_RUNNER_WORKDIR}" /actions-runner | ||
# The toolcache is not recursively chowned to avoid recursing over prepulated tooling in derived docker images | ||
chown runner /opt/hostedtoolcache/ | ||
/usr/sbin/gosu runner "$@" | ||
else | ||
"$@" | ||
fi | ||
fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
#!/bin/bash -ex | ||
GH_RUNNER_VERSION=$1 | ||
TARGETPLATFORM=$2 | ||
|
||
export TARGET_ARCH="x64" | ||
if [[ $TARGETPLATFORM == "linux/arm64" ]]; then | ||
export TARGET_ARCH="arm64" | ||
fi | ||
curl -L "https://github.com/actions/runner/releases/download/v${GH_RUNNER_VERSION}/actions-runner-linux-${TARGET_ARCH}-${GH_RUNNER_VERSION}.tar.gz" > actions.tar.gz | ||
tar -zxf actions.tar.gz | ||
rm -f actions.tar.gz | ||
./bin/installdependencies.sh | ||
mkdir /_work |
Oops, something went wrong.