Add scheduled CI task to validate local job-server setup

This required updating the setup scripts to skip the need to have `SOCIAL_AUTH_*` properly configured. The local job-server still runs fine w/o it, but it wouldn't be able to actually log users in from github. There's a CI jobs that is meant to notify #team-rap slack channel when this happens, but for reasons I am not sure of, it does seem to work. Seems like fixing it will mean addressing fact that our slack bot token setup is undocumented and unclear.
opensafely-core · Aug 28, 2024 · 4c2d9ff · 4c2d9ff
1 parent d4b735a
commit 4c2d9ff
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 7 deletions.
diff --git a/.github/workflows/job-server.yml b/.github/workflows/job-server.yml
@@ -0,0 +1,38 @@
+---
+name: Local job-server setup CI
+
+on:
+  schedule: 
+    # every day at 2:37am
+    - cron: "37 2 * * *"
+
+jobs:
+  test-local-job-server:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: "opensafely-core/setup-action@v1"
+        with:
+          python-version: "3.11"
+          install-just: true
+
+      - name: "Test local job server setup"
+        # this should download, configure and successfully launch a local job-server
+        # we test it to make sure we catch breaking changes in job-server configuration we need to update.
+        run: |
+          just _dotenv  # we don't need a full devenv
+          just job-server/configure username
+          just job-server/create-workspace test-workspace
+
+      - name: "Notify Slack on Failure"
+        # TODO: 2024-08-27 this does not work, gives the error "not_in_channel", despite all our bots being in the channel
+        if: failure() && github.ref_name == 'main'
+        uses: zuplo/github-action-slack-notify-build@cf8e7e66a21d76a8125ea9648979c30920195552 # v2
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+        with:
+          channel_id: "C069YDR4NCA"
+          status: "Airlock local job-server integration test failure"
+          color: danger
+
diff --git a/job-server/justfile b/job-server/justfile
@@ -15,11 +15,13 @@ check:
     test -f .env.jobserver || error
 
     . .env.jobserver
-    if test "$SOCIAL_AUTH_GITHUB_KEY" = "test" -o -z "$SOCIAL_AUTH_GITHUB_KEY"; then
-         error "SOCIAL_AUTH_GITHUB_KEY not set properly"
-    fi
-    if test "$SOCIAL_AUTH_GITHUB_SECRET" = "test" -o -z "$SOCIAL_AUTH_GITHUB_SECRET"; then
-        error "SOCIAL_AUTH_GITHUB_SECRET not set properly"
+    if test -z "${CI:-}"; then
+        if test "$SOCIAL_AUTH_GITHUB_KEY" = "test" -o -z "$SOCIAL_AUTH_GITHUB_KEY"; then
+            error "SOCIAL_AUTH_GITHUB_KEY not set properly"
+        fi
+        if test "$SOCIAL_AUTH_GITHUB_SECRET" = "test" -o -z "$SOCIAL_AUTH_GITHUB_SECRET"; then
+            error "SOCIAL_AUTH_GITHUB_SECRET not set properly"
+        fi
     fi
 
 # enable local airlock config to point to local job-server

diff --git a/job-server/local-setup.sh b/job-server/local-setup.sh
@@ -36,10 +36,13 @@ fi
 
 # setup github social logins
 # this only needs to be done very rarely, and bw client is a faff, so add a check to only if needed
-if test "$SOCIAL_AUTH_GITHUB_KEY" = "test" -o -z "$SOCIAL_AUTH_GITHUB_KEY"; then
+if test -n "${CI:-}"; then
+    echo "Skipping job-server SOCIAL_AUTH setup as it is CI"
+elif test "$SOCIAL_AUTH_GITHUB_KEY" = "test" -o -z "$SOCIAL_AUTH_GITHUB_KEY"; then
     tmp=$(mktemp)
     if ! command -v bw > /dev/null; then
-        echo "bitwarden client bw not found"
+        echo "bitwarden cli client bw not found"
+        echo "We need it to automatically setup job-server's SOCIAL_AUTH_GITHUB_KEY as one time thing"
         exit 1
     fi
     if bw status | grep -q unauthenticated; then