# Copyright (C) 2020 Dremio
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Unifies main + PR workflow.
#
# The unified CI workflow consists of 2 "stages":
# - Checks - test, intTest, NesQuEIT, etc
# - Finalize - a "success" dummy job for PRs + a "save to github-cache" job for push-to-main
#
# Utilizes the Gradle build cache for all stages. The updated build caches
# of the jobs in the checks stage are saved as artifacts (with the minimum
# retention period). The updated build cache is pushed back to GitHub's
# cache when the checks have successfully finished.
name: CI build

# NOTE(review): no top-level `permissions:` key is visible in this file, so
# the jobs run with the repository's default GITHUB_TOKEN scopes. Consider
# declaring the minimum (for example `contents: read`) after checking what the
# local composite actions under ./.github/actions need.

on:
  # Pushes to main and to release branches. Changes that only touch
  # documentation or repository metadata do not start a run.
  push:
    branches:
      - main
      - 'release-*'
    paths-ignore:
      - 'LICENSE'
      - 'NOTICE'
      - '**.md'
      # Negated pattern: changes below site/ still start a run.
      - '!site/**'
      - '.github/renovate.json5'
      - '.github/workflows/release*.yml'
      - '.github/workflows/check*.yml'
      - '.idea/**'
      - '.editorconfig'
  # `pull_request` (not `pull_request_target`): the run builds the PR's own
  # code, and for PRs from forks GitHub withholds repository secrets and
  # limits GITHUB_TOKEN to read access.
  pull_request:
    types:
      - labeled
      - opened
      - synchronize
      - reopened

# For the main branch: let all CI runs complete, one after the other. This has a couple advantages:
# * Site deployments happen in commit-order
# * Saved Gradle cache are persisted in commit-order
# * (Potentially) more GH runners available for PRs
concurrency:
  # PRs: 1 CI run concurrently / older ones are cancelled
  # main branch: 1 CI run concurrently / no cancellation
  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
code-checks:
  # Formatting check, compilation, static code checks, assemble, publish to
  # the local Maven repository and the build-tools integration tests.
  name: CI Code Checks et al
  runs-on: ubuntu-22.04
  timeout-minutes: 60
  steps:
    # Third-party action pinned to a full commit SHA; the trailing comment
    # records the release the pin is meant to correspond to.
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    # Local composite actions (./.github/actions/...) are resolved from the
    # checked-out tree, so on pull_request runs they come from the PR revision.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
    # Needed for the Quarkus plugin - can likely go away once we use Quarkus 3 or newer
    - name: Bump Gradle daemon heap
      run: sed -i 's/-Xms.*/-Xms6G -Xmx6G -XX:MaxMetaspaceSize=1g \\/' gradle.properties
    - name: Prepare Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-prepare
    # Everything except the three Quarkus-based projects, which are compiled
    # separately (with retries) in the next step.
    - name: Gradle / Compile
      run: |
        ./gradlew \
          spotlessCheck \
          compileAll \
          -x :nessie-quarkus:compileAll \
          -x :nessie-server-admin-tool:compileAll \
          -x :nessie-events-quarkus:compileAll \
          --scan
    - name: Gradle / Compile Quarkus
      run: |
        # 2 Retries - to mitigate https://github.com/gradle/gradle/issues/25751
        ./gradlew :nessie-quarkus:compileAll :nessie-server-admin-tool:compileAll :nessie-events-quarkus:compileAll --scan || \
        ./gradlew :nessie-quarkus:compileAll :nessie-server-admin-tool:compileAll :nessie-events-quarkus:compileAll --scan || \
        ./gradlew :nessie-quarkus:compileAll :nessie-server-admin-tool:compileAll :nessie-events-quarkus:compileAll --scan
    - name: Gradle / Code checks
      run: ./gradlew codeChecks --scan
    - name: Gradle / Assemble
      run: ./gradlew assemble --scan
    - name: Gradle / Publish to Maven local
      run: ./gradlew publishToMavenLocal --scan
    # This is a rather quick one and uses the output of 'publishToMavenLocal', which uses the
    # outputs of 'assemble'
    - name: Gradle / build tools integration tests
      run: ./gradlew buildToolsIntegrationTest
    # Runs only for pushes to main: pull-request runs (including PRs from
    # forks) never reach the step that saves this job's build cache.
    - name: Save partial Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-save
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      with:
        job-name: 'code-checks'
test:
  # Unit tests for everything except the Quarkus-based projects, plus the
  # nessie-client checks without its integration tests.
  name: CI Test
  runs-on: ubuntu-22.04
  timeout-minutes: 60
  steps:
    # Third-party action pinned to a full commit SHA.
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    # Local composite actions are resolved from the checked-out tree.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
    - name: Prepare Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-prepare
    - name: Gradle / test
      run: ./gradlew test :nessie-client:check -x :nessie-client:intTest -x :nessie-quarkus:test -x :nessie-server-admin-tool:test -x :nessie-events-quarkus:test --scan
    # Uploaded only when an earlier step failed, and kept for 7 days.
    # NOTE(review): reports and test results can contain captured test output;
    # confirm nothing sensitive is logged by tests before widening retention.
    - name: Capture Test Reports
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
      if: ${{ failure() }}
      with:
        name: ci-test-reports
        path: |
          **/build/reports/*
          **/build/test-results/*
        retention-days: 7
    # Runs only for pushes to main, never for pull requests.
    - name: Save partial Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-save
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      with:
        job-name: 'test'
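test-quarkus:
  # Unit tests of the Quarkus server and the Quarkus events module, each
  # attempted up to three times.
  name: CI Test Quarkus
  runs-on: ubuntu-22.04
  timeout-minutes: 60
  steps:
    # Third-party action pinned to a full commit SHA.
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    # Local composite actions are resolved from the checked-out tree.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
    - name: Prepare Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-prepare
    - name: Gradle / Test Quarkus Server
      run: |
        # 2 Retries - to mitigate https://github.com/gradle/gradle/issues/25751
        ./gradlew :nessie-quarkus:test --scan || \
        ./gradlew :nessie-quarkus:test --scan || \
        ./gradlew :nessie-quarkus:test --scan
    - name: Gradle / Test Quarkus Events
      run: |
        # 2 Retries - to mitigate https://github.com/gradle/gradle/issues/25751
        ./gradlew :nessie-events-quarkus:test --scan || \
        ./gradlew :nessie-events-quarkus:test --scan || \
        ./gradlew :nessie-events-quarkus:test --scan
    # Prints every quarkus.log below a build directory into the job log,
    # one collapsible group per file, when an earlier step failed.
    - name: Dump quarkus.log
      if: ${{ failure() }}
      run: |
        # 'IFS= read -r' and the quoted expansion keep paths that contain
        # blanks or backslashes intact.
        find . -path "**/build/quarkus.log" | while IFS= read -r ql ; do
          echo "::group::Quarkus build log $ql"
          cat "$ql"
          echo "::endgroup::"
        done
    # Uploaded only on failure, kept for 7 days.
    - name: Capture Test Reports
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
      if: ${{ failure() }}
      with:
        name: ci-test-quarkus-reports
        path: |
          **/build/quarkus.log
          **/build/reports/*
          **/build/test-results/*
        retention-days: 7
    # Runs only for pushes to main, never for pull requests.
    - name: Save partial Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-save
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      with:
        job-name: 'test-quarkus'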
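int-test:
  # Integration tests for everything that is not covered by a dedicated job:
  # the Quarkus projects are excluded with -x, and the persist / storage /
  # Spark-extension projects via the lists generated below.
  name: CI intTest
  runs-on: ubuntu-22.04
  timeout-minutes: 60
  env:
    SPARK_LOCAL_IP: localhost
  steps:
    # Third-party action pinned to a full commit SHA.
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    # Local composite actions are resolved from the checked-out tree.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
    - name: Prepare Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-prepare
    # The three list files are written next to the workspace by the
    # :listProjectsWithPrefix task and spliced into the Gradle command line
    # unquoted on purpose, so each entry becomes its own argument.
    # NOTE(review): `--exclude` presumably makes the task emit exclusion
    # arguments rather than task names - confirm against the task definition.
    - name: Gradle / intTest
      run: |
        echo "::group::Collect :nessie-versioned-persist projects"
        ./gradlew :listProjectsWithPrefix --prefix :nessie-versioned-persist- --output ../persist-prjs.txt --exclude
        echo "::endgroup::"

        echo "::group::Collect :nessie-versioned-storage projects"
        ./gradlew :listProjectsWithPrefix --prefix :nessie-versioned-storage- --output ../storage-prjs.txt --exclude
        echo "::endgroup::"

        echo "::group::Collect :nessie-spark-extensions projects"
        ./gradlew :listProjectsWithPrefix --prefix :nessie-spark-ext --output ../spark-prjs.txt --exclude
        echo "::endgroup::"

        ./gradlew intTest \
          -x :nessie-quarkus:intTest \
          -x :nessie-server-admin-tool:intTest \
          -x :nessie-events-quarkus:intTest \
          $(cat ../persist-prjs.txt) \
          $(cat ../storage-prjs.txt) \
          $(cat ../spark-prjs.txt) \
          --scan
    # Uploaded only on failure, kept for 7 days.
    - name: Capture Test Reports
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
      if: ${{ failure() }}
      with:
        name: ci-inttest-reports
        path: |
          **/build/reports/*
          **/build/test-results/*
        retention-days: 7
    # Runs only for pushes to main, never for pull requests.
    - name: Save partial Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-save
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      with:
        job-name: 'int-test'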
int-test-stores:
  # Integration tests of the :nessie-versioned-persist-* and
  # :nessie-versioned-storage-* projects only.
  name: CI intTest versioned/stores
  runs-on: ubuntu-22.04
  timeout-minutes: 60
  steps:
    # Third-party action pinned to a full commit SHA.
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    # Local composite actions are resolved from the checked-out tree.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
    - name: Prepare Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-prepare
    # The generated list files are expanded unquoted so that each entry
    # becomes a separate Gradle argument.
    - name: Gradle / intTest versioned/stores
      run: |
        echo "::group::Collect :nessie-versioned-storage projects"
        ./gradlew :listProjectsWithPrefix --prefix :nessie-versioned-storage- --output ../storage-prjs.txt
        echo "::endgroup::"

        echo "::group::Collect :nessie-versioned-persist projects"
        ./gradlew :listProjectsWithPrefix --prefix :nessie-versioned-persist- --output ../persist-prjs.txt
        echo "::endgroup::"

        ./gradlew $(cat ../persist-prjs.txt) $(cat ../storage-prjs.txt) --scan
    # Uploaded only on failure, kept for 7 days.
    - name: Capture Test Reports
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
      if: ${{ failure() }}
      with:
        name: ci-inttest-stores-reports
        path: |
          **/build/reports/*
          **/build/test-results/*
        retention-days: 7
    # Runs only for pushes to main, never for pull requests.
    - name: Save partial Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-save
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      with:
        job-name: 'int-test-stores'
int-test-integrations:
  # Integration tests of the projects whose name starts with
  # :nessie-spark-ext.
  name: CI intTest integrations
  runs-on: ubuntu-22.04
  timeout-minutes: 60
  env:
    SPARK_LOCAL_IP: localhost
  steps:
    # Third-party action pinned to a full commit SHA.
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    # Local composite actions are resolved from the checked-out tree.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
      with:
        # Need Java 17 in addition to the default Java 21
        additional-java-version: 17
    - name: Prepare Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-prepare
    # The generated list file is expanded unquoted so that each entry
    # becomes a separate Gradle argument.
    - name: Gradle / intTest integrations
      run: |
        echo "::group::Collect :nessie-spark-extensions projects"
        ./gradlew :listProjectsWithPrefix --prefix :nessie-spark-ext --output ../spark-prjs.txt
        echo "::endgroup::"

        ./gradlew $(cat ../spark-prjs.txt) --scan
    # Uploaded only on failure, kept for 7 days.
    - name: Capture Test Reports
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
      if: ${{ failure() }}
      with:
        name: ci-inttest-integrations-reports
        path: |
          **/build/reports/*
          **/build/test-results/*
        retention-days: 7
    # Runs only for pushes to main, never for pull requests.
    - name: Save partial Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-save
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      with:
        job-name: 'int-test-integrations'
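int-test-quarkus-server:
  # Integration tests of the Quarkus server, attempted up to three times.
  name: CI intTest Quarkus Server
  runs-on: ubuntu-22.04
  timeout-minutes: 60
  steps:
    # Third-party action pinned to a full commit SHA.
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    # Local composite actions are resolved from the checked-out tree.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
    - name: Prepare Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-prepare
    # Literal block scalar (`|`): each attempt stays on its own script line,
    # so the trailing backslashes continue the line. As a plain multi-line
    # scalar the lines fold into one and the backslash escapes the folded
    # blank instead, which turns the retry into a different command word.
    - name: Gradle / intTest Quarkus Server
      run: |
        # 2 Retries - to mitigate https://github.com/gradle/gradle/issues/25751
        ./gradlew :nessie-quarkus:intTest --scan || \
        ./gradlew :nessie-quarkus:intTest --scan || \
        ./gradlew :nessie-quarkus:intTest --scan
    # Prints every quarkus.log below a build directory into the job log,
    # one collapsible group per file, when an earlier step failed.
    - name: Dump quarkus.log
      if: ${{ failure() }}
      run: |
        # 'IFS= read -r' and the quoted expansion keep paths that contain
        # blanks or backslashes intact.
        find . -path "**/build/quarkus.log" | while IFS= read -r ql ; do
          echo "::group::Quarkus build log $ql"
          cat "$ql"
          echo "::endgroup::"
        done
    # Uploaded only on failure, kept for 7 days.
    - name: Capture Test Reports
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
      if: ${{ failure() }}
      with:
        name: ci-inttest-quarkus-server-reports
        path: |
          **/build/quarkus.log
          **/build/reports/*
          **/build/test-results/*
        retention-days: 7
    # Runs only for pushes to main, never for pull requests.
    - name: Save partial Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-save
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      with:
        job-name: 'int-test-quarkus-server'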
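int-test-quarkus-tool:
  # Integration tests of the server admin tool, attempted up to three times.
  name: CI intTest Admin Tool
  runs-on: ubuntu-22.04
  timeout-minutes: 60
  steps:
    # Third-party action pinned to a full commit SHA.
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    # Local composite actions are resolved from the checked-out tree.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
    - name: Prepare Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-prepare
    # Literal block scalar (`|`): each attempt stays on its own script line,
    # so the trailing backslashes continue the line. As a plain multi-line
    # scalar the lines fold into one and the backslash escapes the folded
    # blank instead, which turns the retry into a different command word.
    - name: Gradle / intTest Admin Tool
      run: |
        # 2 Retries - to mitigate https://github.com/gradle/gradle/issues/25751
        ./gradlew :nessie-server-admin-tool:intTest --scan || \
        ./gradlew :nessie-server-admin-tool:intTest --scan || \
        ./gradlew :nessie-server-admin-tool:intTest --scan
    # Prints every quarkus.log below a build directory into the job log,
    # one collapsible group per file, when an earlier step failed.
    - name: Dump quarkus.log
      if: ${{ failure() }}
      run: |
        # 'IFS= read -r' and the quoted expansion keep paths that contain
        # blanks or backslashes intact.
        find . -path "**/build/quarkus.log" | while IFS= read -r ql ; do
          echo "::group::Quarkus build log $ql"
          cat "$ql"
          echo "::endgroup::"
        done
    # Uploaded only on failure, kept for 7 days.
    - name: Capture Test Reports
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
      if: ${{ failure() }}
      with:
        name: ci-inttest-quarkus-tool-reports
        path: |
          **/build/quarkus.log
          **/build/reports/*
          **/build/test-results/*
        retention-days: 7
    # Runs only for pushes to main, never for pull requests.
    - name: Save partial Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-save
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      with:
        job-name: 'int-test-quarkus-tool'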
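int-test-quarkus-events:
  # Integration tests of the Quarkus events module, attempted up to three
  # times.
  name: CI intTest Quarkus Events
  runs-on: ubuntu-22.04
  timeout-minutes: 60
  steps:
    # Third-party action pinned to a full commit SHA.
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    # Local composite actions are resolved from the checked-out tree.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
    - name: Prepare Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-prepare
    # Literal block scalar (`|`): each attempt stays on its own script line,
    # so the trailing backslashes continue the line. As a plain multi-line
    # scalar the lines fold into one and the backslash escapes the folded
    # blank instead, which turns the retry into a different command word.
    - name: Gradle / intTest Quarkus Events
      run: |
        # 2 Retries - to mitigate https://github.com/gradle/gradle/issues/25751
        ./gradlew :nessie-events-quarkus:intTest --scan || \
        ./gradlew :nessie-events-quarkus:intTest --scan || \
        ./gradlew :nessie-events-quarkus:intTest --scan
    # Prints every quarkus.log below a build directory into the job log,
    # one collapsible group per file, when an earlier step failed.
    - name: Dump quarkus.log
      if: ${{ failure() }}
      run: |
        # 'IFS= read -r' and the quoted expansion keep paths that contain
        # blanks or backslashes intact.
        find . -path "**/build/quarkus.log" | while IFS= read -r ql ; do
          echo "::group::Quarkus build log $ql"
          cat "$ql"
          echo "::endgroup::"
        done
    # Uploaded only on failure, kept for 7 days.
    - name: Capture Test Reports
      uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
      if: ${{ failure() }}
      with:
        name: ci-inttest-quarkus-events-reports
        path: |
          **/build/quarkus.log
          **/build/reports/*
          **/build/test-results/*
        retention-days: 7
    # Runs only for pushes to main, never for pull requests.
    - name: Save partial Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-save
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      with:
        job-name: 'int-test-quarkus-events'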
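determine-jobs:
  # Decides which conditional jobs run. For pull requests the decision is
  # based on PR labels and on the list of changed files; for every other event
  # fixed defaults are emitted.
  name: CI Determine jobs
  runs-on: ubuntu-22.04
  timeout-minutes: 5
  # Least privilege: this job does not check out the repository; the script
  # only lists the files of the pull request through the REST API.
  permissions:
    pull-requests: read
  outputs:
    # Each "conditional" job has a mapped output here, also a "non-PR" case and a "PR" case
    # with label and globs (at the end of the script).
    docker: ${{ steps.determine.outputs.docker }}
    nesqueit: ${{ steps.determine.outputs.nesqueit }}
  steps:
    # --ignore-scripts: the package is only require()d below, so no package
    # lifecycle script needs to run at install time.
    # NOTE(review): the caret range is resolved at run time without a
    # lockfile, so the code loaded next to the job token can differ between
    # runs; pinning an exact version would make this reproducible.
    - name: install minimatch
      shell: bash
      run: npm install --ignore-scripts minimatch@"^7.4.3"
    - name: Determine conditional jobs to run
      id: determine
      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
      with:
        script: |
          const {Minimatch} = require("minimatch");

          // Returns the paths of all files changed by the pull request,
          // following pagination.
          async function getChangedFiles(pull_request) {
            const listFilesOptions = github.rest.pulls.listFiles.endpoint.merge({
              owner: pull_request.base.repo.owner.login,
              repo: pull_request.base.repo.name,
              pull_number: pull_request.number,
            });
            return github.paginate(listFilesOptions).then(resp => resp.map(f => f.filename))
          }

          // True if at least one matcher accepts the given path. The path is
          // chosen by the PR author; it is only matched and logged here.
          function isMatch(changedFile, matchers) {
            for (const matcher of matchers) {
              if (matcher.match(changedFile)) {
                core.info("Match found for changed file " + changedFile);
                return true;
              }
            }
            return false;
          }

          // True if any changed file matches any of the globs.
          function filesMatchAnyGlob(changedFiles, globs) {
            const matchers = globs.map(g => new Minimatch(g));
            for (const changedFile of changedFiles) {
              if (isMatch(changedFile, matchers)) {
                return true;
              }
            }
            // Logged once, after every changed file has been checked.
            core.info("No changed file matched the globs");
            return false;
          }

          function checkLabelOrGlobs(pr, changedFiles, labelName, globs) {
            core.info("Checking for " + labelName);

            // If the PR has the given label, then let the conditional job run.
            for (const label of pr.labels) {
              if (label.name === labelName) {
                core.info("PR has label " + labelName);
                return true;
              }
            }

            // For pull requests, check the list of changed files against the given globs.
            // Let the conditional job run if any of the globs matches any of the changed files.
            core.info("Checking changed files against globs " + globs);
            return filesMatchAnyGlob(changedFiles, globs);
          }

          ///////////////////////////////////////////////////////////////////////////////////////
          // "Non PR" case:
          // Behavior of the conditional jobs when the event that triggered the workflow is not
          // for a pull request (usually a push-to-main).
          //
          if (!context.payload || !context.payload.pull_request) {
            core.info("Not a pull-request, enabling all jobs.");

            // Yield default values for all event payload types, except pull_request
            core.setOutput('docker', true);
            core.setOutput('nesqueit', false); // handled in a scheduled job
            return true;
          }

          ///////////////////////////////////////////////////////////////////////////////////////
          // "PR" case:
          // Determine whether the conditional jobs shall run, based on a label name, which
          // has been manually added, or, if the label is not present, based on some globs to
          // check.
          const pr = context.payload.pull_request
          core.info("pull-request #" + pr.number);

          // Retrieves the full list of changed files for the PR.
          const changedFiles = await getChangedFiles(pr);

          core.startGroup('PR job check / Docker');
          core.setOutput('docker', checkLabelOrGlobs(pr, changedFiles,
            'pr-docker',
            ['gradle/wrapper/**', 'tools/dockerbuild/**', 'helm/**', '.github/**']));
          core.endGroup();

          core.startGroup('PR job check / NesQuEIT');
          core.setOutput('nesqueit', checkLabelOrGlobs(pr, changedFiles,
            'pr-integrations',
            ['gradle/wrapper/**', 'integrations/**', 'api/**', '.github/**']));
          core.endGroup();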
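docker-testing:
  # Builds the Docker images, pushes them to a registry inside a throw-away
  # minikube cluster, smoke-tests them and validates / installs the Helm chart.
  # Runs only when the determine-jobs job emitted docker == 'true'.
  name: CI Docker and Helm checks
  runs-on: ubuntu-22.04
  timeout-minutes: 60
  needs:
    - determine-jobs
  if: needs.determine-jobs.outputs.docker == 'true'
  steps:
    # Third-party action pinned to a full commit SHA; full history is fetched.
    - name: Checkout
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        fetch-depth: 0
    # Local composite actions are resolved from the checked-out tree.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
    # DOCKER_VERSION is the content of version.txt without a trailing
    # "-SNAPSHOT"; it is exported to the following steps via GITHUB_ENV.
    - name: Extract version
      run: |
        VERSION="$(cat version.txt)"
        DOCKER_VERSION="${VERSION%-SNAPSHOT}"
        echo ${DOCKER_VERSION}
        echo "DOCKER_VERSION=${DOCKER_VERSION}" >> ${GITHUB_ENV}
    # Free disk space (minikube warning: "Docker is nearly out of disk space, which may cause
    # deployments to fail! (85% of capacity)")
    - name: Free disk space
      uses: ./.github/actions/free-disk-space
    - name: Setup Helm
      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4
      with:
        # https://helm.sh/docs/topics/version_skew/
        version: 'v3.11.3'
    - name: Setup chart-testing
      uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
    - name: Setup Python
      uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5
      with:
        python-version: '3.11'
    - name: Setup & Start Minikube
      uses: medyagh/setup-minikube@d8c0eb871f6f455542491d86a574477bd3894533 # v0.0.18
      with:
        # If required, use the matrix strategy against this option to test against multiple Kubernetes versions:
        kubernetes-version: stable
        cache: false
        # This _should_ work, but doesn't somehow (the image push fails). It errors out looking for a coredns pod
        # with these settings...
        #addons: 'registry'
        #insecure-registry: '192.168.0.0/16'
    # The registry is reached over plain HTTP and is listed as an insecure
    # registry for both buildkit and the Docker daemon. It lives inside the
    # minikube cluster on this runner; the setting is specific to this
    # throw-away CI environment.
    - name: Setup Docker registry
      run: |
        echo "::group::Get registry IP"
        DOCKER_REGISTRY="$(minikube ip)"
        echo "Registry IP is ${DOCKER_REGISTRY}"
        echo "::endgroup::"

        echo "::group::Update buildkitd_conf for 'docker buildx build'"
        # Use 'http' instead of 'https' during 'docker buildx build' in 'tools/dockerbuild/build-push-images.sh'
        cat <<EOF > ../buildkitd.toml
        [registry."${DOCKER_REGISTRY}:5000"]
        http = true
        EOF
        buildkitd_conf="$(pwd)/../buildkitd.toml"
        echo "::endgroup::"

        echo "::group::Update /etc/docker/daemon.json for 'docker pull'"
        cp /etc/docker/daemon.json ..
        cat ../daemon.json | \
          jq ". + {\"insecure-registries\": [\"${DOCKER_REGISTRY}:5000\"]}" | \
          sudo tee /etc/docker/daemon.json
        echo "::endgroup::"

        # minikube restart, because:
        # 1. required after docker daemon restart
        # 2. tweak the "registry addon" into the start command
        # 3. tweak the "insecure-registry" setting into the start command
        # Must delete the minikube cluster to let the insecure-registry setting take effect.
        # See 'Enabling Insecure Registries' in https://minikube.sigs.k8s.io/docs/handbook/registry/
        echo "::group::Stop minikube"
        minikube stop
        echo "::endgroup::"
        echo "::group::Delete minikube"
        minikube delete
        echo "::endgroup::"
        echo "::group::Restart docker daemon"
        sudo systemctl restart docker
        echo "::endgroup::"
        echo "::group::Start minikube"
        minikube start --insecure-registry="${DOCKER_REGISTRY}:5000" --addons=registry
        echo "::endgroup::"

        echo "BUILDX_CONFIG=--config ${buildkitd_conf}" >> ${GITHUB_ENV}
        echo "DOCKER_IMAGE=${DOCKER_REGISTRY}:5000/nessie-testing" >> ${GITHUB_ENV}
        echo "DOCKER_GC_IMAGE=${DOCKER_REGISTRY}:5000/nessie-gc-testing" >> ${GITHUB_ENV}
        echo "DOCKER_SERVER_ADMIN_IMAGE=${DOCKER_REGISTRY}:5000/nessie-server-admin-testing" >> ${GITHUB_ENV}
        echo "DOCKER_CLI_IMAGE=${DOCKER_REGISTRY}:5000/nessie-cli-testing" >> ${GITHUB_ENV}
    - name: Prepare Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-prepare
    # One build-push-images.sh invocation per image; the last argument is the
    # image name inside the minikube registry.
    - name: Docker images publishing
      run: |
        tools/dockerbuild/build-push-images.sh \
          -g ":nessie-quarkus" \
          -p "servers/quarkus-server" \
          -d "Dockerfile-server" \
          ${DOCKER_IMAGE}
        tools/dockerbuild/build-push-images.sh \
          -g ":nessie-gc-tool" \
          -p "gc/gc-tool" \
          -d "Dockerfile-gctool" \
          ${DOCKER_GC_IMAGE}
        tools/dockerbuild/build-push-images.sh \
          -g ":nessie-server-admin-tool" \
          -p "tools/server-admin" \
          -d "Dockerfile-admintool" \
          ${DOCKER_SERVER_ADMIN_IMAGE}
        tools/dockerbuild/build-push-images.sh \
          -g ":nessie-cli" \
          -p "cli/cli" \
          -d "Dockerfile-cli" \
          ${DOCKER_CLI_IMAGE}
    - name: Cleanup buildx
      run: |
        docker buildx use default
        docker buildx rm nessiebuild
    # Pulls all four tags of all four images and lists the local images in
    # the step summary.
    - name: Check if expected Docker images exist
      run: |
        docker pull ${DOCKER_IMAGE}:latest
        docker pull ${DOCKER_IMAGE}:latest-java
        docker pull ${DOCKER_IMAGE}:${DOCKER_VERSION}
        docker pull ${DOCKER_IMAGE}:${DOCKER_VERSION}-java
        docker pull ${DOCKER_GC_IMAGE}:latest
        docker pull ${DOCKER_GC_IMAGE}:latest-java
        docker pull ${DOCKER_GC_IMAGE}:${DOCKER_VERSION}
        docker pull ${DOCKER_GC_IMAGE}:${DOCKER_VERSION}-java
        docker pull ${DOCKER_SERVER_ADMIN_IMAGE}:latest
        docker pull ${DOCKER_SERVER_ADMIN_IMAGE}:latest-java
        docker pull ${DOCKER_SERVER_ADMIN_IMAGE}:${DOCKER_VERSION}
        docker pull ${DOCKER_SERVER_ADMIN_IMAGE}:${DOCKER_VERSION}-java
        docker pull ${DOCKER_CLI_IMAGE}:latest
        docker pull ${DOCKER_CLI_IMAGE}:latest-java
        docker pull ${DOCKER_CLI_IMAGE}:${DOCKER_VERSION}
        docker pull ${DOCKER_CLI_IMAGE}:${DOCKER_VERSION}-java
        cat <<! >> $GITHUB_STEP_SUMMARY
        ## Docker images

        \`\`\`
        $(docker images)
        \`\`\`
        !
    # Starts the server image detached and polls its state once per second
    # for 60 seconds; the step fails as soon as the container is not running.
    # NOTE(review): the container is started with --rm, so it may already be
    # removed when `docker logs nessie` runs in the failure branch - confirm
    # the logs are still available at that point.
    - name: Check if Server Docker Java image works
      run: |
        docker run --rm --detach --name nessie ${DOCKER_IMAGE}:latest-java

        echo "Let Nessie Java Docker image run for one minute (to make sure it starts up fine)..."
        for i in {1..60}; do
          STATUS="$(docker container inspect nessie | jq -r '.[0].State.Status')"
          if [[ ${STATUS} != "running" ]] ; then
            echo "Nessie Java Docker image stopped on its own ... a bug?" > /dev/stderr
            docker logs nessie
            cat <<! >> $GITHUB_STEP_SUMMARY
        ## Nessie Java Docker image FAILED

        \`\`\`
        $(docker logs nessie)
        \`\`\`
        !
            exit 1
          fi
          sleep 1
        done
        echo "## Nessie Java Docker image smoke test: PASSED" >> $GITHUB_STEP_SUMMARY
        echo "Nessie Java Docker image smoke test: PASSED"
        docker stop nessie
    # The three tool images pass when `--help` prints the expected usage line.
    # NOTE(review): these containers also run with --rm, so `docker logs` in
    # the failure branch may find no container - confirm.
    - name: Check if GC Tool Docker Java image works
      run: |
        if docker run --rm --name nessie-gc ${DOCKER_GC_IMAGE}:latest-java --help | grep -q "Usage: nessie-gc.jar"; then
          echo "## GC Tool Java Docker image smoke test: PASSED" >> $GITHUB_STEP_SUMMARY
          echo "GC Tool Java Docker image smoke test: PASSED"
        else
          echo "GC Tool Java Docker image smoke test: FAILED" > /dev/stderr
          cat <<! >> $GITHUB_STEP_SUMMARY
        ## GC Tool Java Docker image FAILED

        \`\`\`
        $(docker logs nessie-gc)
        \`\`\`
        !
          exit 1
        fi
    - name: Check if Server Admin Tool Docker Java image works
      run: |
        if docker run --rm --name nessie-server-admin ${DOCKER_SERVER_ADMIN_IMAGE}:latest-java --help | grep -q "Usage: nessie-server-admin"; then
          echo "## Server Admin Tool Java Docker image smoke test: PASSED" >> $GITHUB_STEP_SUMMARY
          echo "Server Admin Tool Java Docker image smoke test: PASSED"
        else
          echo "Server Admin Tool Java Docker image smoke test: FAILED" > /dev/stderr
          cat <<! >> $GITHUB_STEP_SUMMARY
        ## Server Admin Tool Java Docker image FAILED

        \`\`\`
        $(docker logs nessie-server-admin)
        \`\`\`
        !
          exit 1
        fi
    - name: Check if CLI Docker Java image works
      run: |
        if docker run --rm --name nessie-cli ${DOCKER_CLI_IMAGE}:latest-java --help | grep -q "Usage: nessie-cli.jar"; then
          echo "## CLI Java Docker image smoke test: PASSED" >> $GITHUB_STEP_SUMMARY
          echo "CLI Java Docker image smoke test: PASSED"
        else
          echo "CLI Java Docker image smoke test: FAILED" > /dev/stderr
          cat <<! >> $GITHUB_STEP_SUMMARY
        ## CLI Java Docker image FAILED

        \`\`\`
        $(docker logs nessie-cli)
        \`\`\`
        !
          exit 1
        fi
    # The branch name reaches the script through an environment variable and
    # a quoted expansion, so the value is never spliced into the script text
    # by the expression engine.
    - name: Run chart-testing (list-changed)
      env:
        TARGET_BRANCH: ${{ github.event.repository.default_branch }}
      run: |
        ct list-changed --target-branch "${TARGET_BRANCH}"
    - name: Run 'helm template' validation
      run: |
        cd helm/nessie
        for f in values.yaml ci/*.yaml; do
          echo "::group::helm template $f"
          helm template --debug --namespace nessie-ns --values $f .
          echo "::endgroup::"
        done
    - name: Run chart-testing (lint)
      run: ct lint --debug --charts ./helm/nessie
    - name: Show pods
      run: kubectl get pods -A
    # Applies every YAML fixture below helm/nessie/ci/fixtures to the test
    # namespace of the throw-away cluster.
    - name: Install secrets
      run: |
        kubectl create namespace nessie-ns
        kubectl apply --namespace nessie-ns $(find helm/nessie/ci/fixtures -name "*.yaml" -exec echo -n "-f {} " \;)
    - name: Run chart-testing (install)
      run: |
        echo "Using image: ${DOCKER_IMAGE}"
        echo "        tag: ${DOCKER_VERSION}"
        ct install \
          --namespace nessie-ns \
          --helm-extra-set-args "--set=image.repository=${DOCKER_IMAGE} --set=image.tag=${DOCKER_VERSION}" \
          --debug --charts ./helm/nessie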
nesqueit:
  # Runs the query-engine integration tests (NesQuEIT) against this PR,
  # combined with a patched Iceberg build.
  name: CI NesQuEIT
  runs-on: ubuntu-22.04
  timeout-minutes: 60
  needs:
    - determine-jobs
  # Only run NesQuEIT tests for PRs, if requested. This job can easily run for 30+ minutes.
  if: github.event_name == 'pull_request' && needs.determine-jobs.outputs.nesqueit == 'true'
  # NOTE(review): the repositories below are referenced by branch name, not by
  # commit, and the Iceberg patch branch lives in a personal fork. Whatever
  # those branches point to at run time is built and executed by this job.
  env:
    NESSIE_DIR: included-builds/nessie
    NESSIE_PATCH_REPOSITORY: ''
    NESSIE_PATCH_BRANCH: ''
    NESQUEIT_REPOSITORY: projectnessie/query-engine-integration-tests
    NESQUEIT_BRANCH: main
    ICEBERG_DIR: included-builds/iceberg
    ICEBERG_MAIN_REPOSITORY: apache/iceberg
    ICEBERG_MAIN_BRANCH: main
    ICEBERG_PATCH_REPOSITORY: snazy/iceberg
    ICEBERG_PATCH_BRANCH: iceberg-nesqueit
    SPARK_LOCAL_IP: localhost
  steps:
    - name: Prepare Git
      run: |
        git config --global user.email "[email protected]"
        git config --global user.name "Integrations Testing [Bot]"
    # The workspace root is the NesQuEIT repository, so the local actions
    # (./.github/actions/...) used below are resolved from that checkout.
    - name: Checkout NeQuEIT repo
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        repository: ${{env.NESQUEIT_REPOSITORY}}
        ref: ${{env.NESQUEIT_BRANCH}}
    - name: Free disk space
      uses: ./.github/actions/free-disk-space
    - name: Setup runner
      uses: ./.github/actions/setup-runner
      with:
        more-memory: 'true'
    # NOTE(review): GITHUB_REPOSITORY is a default runner variable and is not
    # defined in any `env:` map visible here, so `env.GITHUB_REPOSITORY` may
    # evaluate to an empty string - confirm what patch-git does in that case,
    # or whether `github.repository` was intended.
    - name: Checkout and patch Nessie PR
      uses: ./.github/actions/patch-git
      with:
        name: Nessie
        local-dir: ${{env.NESSIE_DIR}}
        main-repository: ${{ env.GITHUB_REPOSITORY }}
        patch-repository: ${{env.NESSIE_PATCH_REPOSITORY}}
        patch-branch: ${{env.NESSIE_PATCH_BRANCH}}
        work-branch: nessie-integration-patched
    # NOTE(review): `name` is 'Nessie' although this step patches Iceberg;
    # looks like a copy of the step above - confirm.
    - name: Checkout and patch Iceberg
      uses: ./.github/actions/patch-git
      with:
        name: Nessie
        local-dir: ${{env.ICEBERG_DIR}}
        main-repository: ${{env.ICEBERG_MAIN_REPOSITORY}}
        main-branch: ${{env.ICEBERG_MAIN_BRANCH}}
        patch-repository: ${{env.ICEBERG_PATCH_REPOSITORY}}
        patch-branch: ${{env.ICEBERG_PATCH_BRANCH}}
        work-branch: iceberg-integration-patched
    - name: Setup JDK
      uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4
      with:
        distribution: 'temurin'
        # Java 17 or 21 required for Nessie build, Java 17 required for Iceberg build, Java 11 required for Flink & Presto
        java-version: |
          11
          17
          21
    # The Gradle cache is read-only for this job.
    # NOTE(review): wrapper validation is switched off, so the wrapper jars of
    # the checked-out builds are not verified by this action - confirm that is
    # intended.
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@d156388eb19639ec20ade50009f3d199ce1e2808 # v4
      with:
        cache-read-only: true
        validate-wrappers: false
    - name: Iceberg Nessie test
      run: ./gradlew :iceberg:iceberg-nessie:test --scan
    - name: Nessie Spark 3.3 / 2.12 Extensions test
      run: ./gradlew :nessie:nessie-iceberg:nessie-spark-extensions-3.3_2.12:test :nessie:nessie-iceberg:nessie-spark-extensions-3.3_2.12:intTest --scan
    - name: Nessie Spark 3.4 / 2.13 Extensions test
      run: ./gradlew :nessie:nessie-iceberg:nessie-spark-extensions-3.4_2.13:test :nessie:nessie-iceberg:nessie-spark-extensions-3.4_2.13:intTest --scan
    - name: Nessie Spark 3.5 / 2.13 Extensions test
      run: ./gradlew :nessie:nessie-iceberg:nessie-spark-extensions-3.5_2.13:test :nessie:nessie-iceberg:nessie-spark-extensions-3.5_2.13:intTest --scan
    #- name: Publish Nessie + Iceberg to local Maven repo
    #  run: ./gradlew publishLocal --scan
    #
    #- name: Gather locally published versions
    #  run: |
    #    NESSIE_VERSION="$(cat included-builds/nessie/version.txt)"
    #    ICEBERG_VERSION="$(cat included-builds/iceberg/build/iceberg-build.properties | grep '^git.build.version=' | cut -d= -f2)"
    #    echo "NESSIE_VERSION=${NESSIE_VERSION}" >> ${GITHUB_ENV}
    #    echo "ICEBERG_VERSION=${ICEBERG_VERSION}" >> ${GITHUB_ENV}
    #    cat <<! >> $GITHUB_STEP_SUMMARY
    #    ## Published versions
    #    | Published Nessie version | Published Iceberg version |
    #    | ------------------------ | ------------------------- |
    #    | ${NESSIE_VERSION}        | ${ICEBERG_VERSION}        |
    #    !
    - name: Tools & Integrations tests
      run: ./gradlew intTest --scan
site:
  # Builds the static web site and checks the indentation of its code
  # blocks; deploys it only for pushes to main in the upstream repository.
  name: CI Website
  runs-on: ubuntu-22.04
  timeout-minutes: 20
  steps:
    # Third-party action pinned to a full commit SHA.
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    # Local composite actions are resolved from the checked-out tree.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
    - name: Prepare Gradle build cache
      uses: ./.github/actions/ci-incr-build-cache-prepare
    - name: Setup Python
      uses: ./.github/actions/dev-tool-python
      with:
        python-version: '3.11'
    - name: Generate Static Site
      run: make build
      working-directory: ./site
    - name: Check code block indentation
      run: python3 check_code_indent.py
      working-directory: ./site
    # The only step in this job that references a secret. The condition
    # limits it to pushes to main in projectnessie/nessie, so it is skipped
    # for pull requests, other branches and forks.
    - name: Deploy Static Site to GitHub
      if: github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'projectnessie/nessie'
      uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
      with:
        external_repository: projectnessie/projectnessie.github.io
        publish_branch: main
        deploy_key: ${{ secrets.NESSIE_SITE_DEPLOY_KEY }}
        publish_dir: ./site/site
        cname: projectnessie.org
store-cache:
  # Store the Gradle cache to GH cache as soon as all relevant Nessie/Gradle jobs have finished.
  name: CI Store Cache
  runs-on: ubuntu-22.04
  timeout-minutes: 30
  # Pushes to main only: pull-request runs never reach this job.
  if: github.event_name == 'push' && github.ref == 'refs/heads/main'
  needs:
    # Only include jobs that use Nessie's Gradle cache, especially excluding NesQuEIT, which
    # is a "very special" citizen and also not run for "main" CI, which does
    # not add anything to the Gradle cache that's not already produced by other jobs.
    - code-checks
    - test
    - test-quarkus
    - int-test
    - int-test-stores
    - int-test-integrations
    - int-test-quarkus-server
    - int-test-quarkus-tool
    - int-test-quarkus-events
  steps:
    # Third-party action pinned to a full commit SHA.
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    # Local composite actions are resolved from the checked-out tree.
    - name: Setup runner
      uses: ./.github/actions/setup-runner
    - name: Setup Java, Gradle
      uses: ./.github/actions/dev-tool-java
    # The only use of the cache-prepare action in this file that passes
    # cache-read-only: false.
    - name: Collect partial Gradle build caches
      uses: ./.github/actions/ci-incr-build-cache-prepare
      with:
        cache-read-only: false
    - name: Trigger Gradle home cleanup
      run: ./gradlew --no-daemon :showVersion
    # Note: the "Post Gradle invocation" archives the updated build cache.