update scripts (#812)

stackrox · Jul 8, 2022 · a4442ad · a4442ad
1 parent b45fac7
commit a4442ad
Show file tree

Hide file tree

Showing 5 changed files with 193 additions and 21 deletions.
diff --git a/.openshift-ci/dispatch.sh b/.openshift-ci/dispatch.sh
@@ -1,26 +1,19 @@
 #!/usr/bin/env bash
 
+# The entrypoint for CI defined in https://github.com/openshift/release/tree/master/ci-operator/config/stackrox/scanner
+# Imports secrets to env vars, gates the job based on context, changed files and PR labels and ultimately
+# hands off to the test/build script in *scripts/ci/jobs*.
+#
 # Adapted from https://github.com/stackrox/stackrox/blob/master/.openshift-ci/dispatch.sh
 
 ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")"/.. && pwd)"
 source "$ROOT/scripts/ci/lib.sh"
 
 set -euo pipefail
 
-shopt -s nullglob
-for cred in /tmp/secret/**/[A-Z]*; do
-    export "$(basename "$cred")"="$(cat "$cred")"
-done
-
 openshift_ci_mods
-
-function hold() {
-    while [[ -e /tmp/hold ]]; do
-        info "Holding this job for debug"
-        sleep 60
-    done
-}
-trap hold EXIT
+openshift_ci_import_creds
+create_exit_trap
 
 if [[ "$#" -lt 1 ]]; then
     die "usage: dispatch <ci-job> [<...other parameters...>]"
@@ -56,4 +49,13 @@ else
     exit 0
 fi
 
-"${job_script}" "$@"
+"${job_script}" "$@" &
+job_pid="$!"
+
+forward_sigint() {
+    echo "Dispatch is forwarding SIGINT to job"
+    kill -SIGINT "${job_pid}"
+}
+trap forward_sigint SIGINT
+
+wait "${job_pid}"
diff --git a/scripts/ci/gke.sh b/scripts/ci/gke.sh
@@ -94,6 +94,9 @@ create_cluster() {
     else
         die "Support is missing for this CI environment"
     fi
+    # . from branch names
+    tags="${tags//./-}"
+    labels="${labels//./-}"
     # lowercase
     tags="${tags,,}"
     labels="${labels,,}"

diff --git a/scripts/ci/lib.sh b/scripts/ci/lib.sh
@@ -29,6 +29,22 @@ ci_export() {
     fi
 }
 
+ci_exit_trap() {
+    info "Executing a general purpose exit trap for CI"
+    echo "Exit code is: $?"
+
+    (send_slack_notice_for_failures_on_merge "$?") || { echo "ERROR: Could not slack a test failure message"; }
+
+    while [[ -e /tmp/hold ]]; do
+        info "Holding this job for debug"
+        sleep 60
+    done
+}
+
+create_exit_trap() {
+    trap ci_exit_trap EXIT
+}
+
 push_images() {
     info "Pushing images"
 
@@ -119,6 +135,25 @@ is_tagged() {
     [[ -n "$tags" ]]
 }
 
+is_nightly_run() {
+    [[ "${CIRCLE_TAG:-}" =~ -nightly- ]]
+}
+
+is_in_PR_context() {
+    if is_CIRCLECI && [[ -n "${CIRCLE_PULL_REQUEST:-}" ]]; then
+        return 0
+    elif is_OPENSHIFT_CI && [[ -n "${PULL_NUMBER:-}" ]]; then
+        return 0
+    elif is_OPENSHIFT_CI && [[ -n "${CLONEREFS_OPTIONS:-}" ]]; then
+        # bin, test-bin, images
+        local pull_request
+        pull_request=$(jq -r <<<"$CLONEREFS_OPTIONS" '.refs[0].pulls[0].number' 2>&1) || return 1
+        [[ "$pull_request" =~ ^[0-9]+$ ]] && return 0
+    fi
+
+    return 1
+}
+
 is_openshift_CI_rehearse_PR() {
     [[ "$(get_repo_full_name)" == "openshift/release" ]]
 }
@@ -390,7 +425,7 @@ gate_merge_job() {
         return
     fi
 
-    info "$job will be skipped"
+    info "$job will be skipped - neither master/run_on_master or tagged/run_on_tags"
     exit 0
 }
 
@@ -414,6 +449,17 @@ _EOH_
 }
 
 openshift_ci_mods() {
+    info "BEGIN OpenShift CI mods"
+
+    info "Env A-Z dump:"
+    env | sort | grep -E '^[A-Z]' || true
+
+    info "Git log:"
+    git log --oneline --decorate -n 20 || true
+
+    info "Current Status:"
+    "$ROOT/status.sh" || true
+
     # For ci_export(), override BASH_ENV from stackrox-test with something that is writable.
     BASH_ENV=$(mktemp)
     export BASH_ENV
@@ -426,6 +472,20 @@ openshift_ci_mods() {
     export CIRCLE_JOB="${JOB_NAME:-${OPENSHIFT_BUILD_NAME}}"
     CIRCLE_TAG="$(git tag --contains | head -1)"
     export CIRCLE_TAG
+
+    handle_nightly_runs
+
+    info "Status after mods:"
+    "$ROOT/status.sh" || true
+
+    info "END OpenShift CI mods"
+}
+
+openshift_ci_import_creds() {
+    shopt -s nullglob
+    for cred in /tmp/secret/**/[A-Z]*; do
+        export "$(basename "$cred")"="$(cat "$cred")"
+    done
 }
 
 openshift_ci_e2e_mods() {
@@ -457,6 +517,33 @@ openshift_ci_e2e_mods() {
     fi
 }
 
+handle_nightly_runs() {
+    if ! is_OPENSHIFT_CI; then
+        die "Only for OpenShift CI"
+    fi
+
+    if ! is_in_PR_context; then
+        info "Debug:"
+        echo "JOB_NAME: ${JOB_NAME:-}"
+        echo "JOB_NAME_SAFE: ${JOB_NAME_SAFE:-}"
+    fi
+
+    local nightly_tag_prefix
+    nightly_tag_prefix="$(git describe --tags --abbrev=0 --exclude '*-nightly-*')-nightly-"
+    if ! is_in_PR_context && [[ "${JOB_NAME_SAFE:-}" =~ ^nightly- ]]; then
+        ci_export CIRCLE_TAG "${nightly_tag_prefix}$(date '+%Y%m%d')"
+    elif is_in_PR_context && pr_has_label "simulate-nightly-run"; then
+        local sha
+        if [[ -n "${PULL_PULL_SHA:-}" ]]; then
+            sha="${PULL_PULL_SHA}"
+        else
+            sha=$(jq -r <<<"$CLONEREFS_OPTIONS" '.refs[0].pulls[0].sha') || die "Cannot find pull sha"
+            [[ "$sha" != "null" ]] || die "Cannot find pull sha"
+        fi
+        ci_export CIRCLE_TAG "${nightly_tag_prefix}${sha:0:8}"
+    fi
+}
+
 store_test_results() {
     if [[ "$#" -ne 2 ]]; then
         die "missing args. usage: store_test_results <from> <to>"
@@ -476,6 +563,70 @@ store_test_results() {
     cp -a "$from" "$dest" || true # (best effort)
 }
 
+send_slack_notice_for_failures_on_merge() {
+    local exitstatus="${1:-}"
+
+    if ! is_OPENSHIFT_CI || [[ "$exitstatus" == "0" ]] || is_in_PR_context || is_nightly_run; then
+        return
+    fi
+
+    local tag
+    tag="$(make --quiet tag)"
+    [[ "$tag" =~ $RELEASE_RC_TAG_BASH_REGEX ]] || {
+        return
+    }
+
+    local webhook_url="${TEST_FAILURES_NOTIFY_WEBHOOK}"
+
+    local commit_details
+    org=$(jq -r <<<"$CLONEREFS_OPTIONS" '.refs[0].org') || return 1
+    repo=$(jq -r <<<"$CLONEREFS_OPTIONS" '.refs[0].repo') || return 1
+    [[ "$org" != "null" ]] && [[ "$repo" != "null" ]] || return 1
+    local commit_details_url="https://api.github.com/repos/${org}/${repo}/commits/${OPENSHIFT_BUILD_COMMIT}"
+    commit_details=$(curl --retry 5 -sS "${commit_details_url}") || return 1
+
+    local job_name="${JOB_NAME_SAFE#merge-}"
+
+    local commit_msg
+    commit_msg=$(jq -r <<<"$commit_details" '.commit.message') || return 1
+    local commit_url
+    commit_url=$(jq -r <<<"$commit_details" '.html_url') || return 1
+    local author
+    author=$(jq -r <<<"$commit_details" '.commit.author.name') || return 1
+    [[ "$commit_msg" != "null" ]] && [[ "$commit_url" != "null" ]] && [[ "$author" != "null" ]] || return 1
+
+    local log_url="https://prow.ci.openshift.org/view/gs/origin-ci-test/logs/${JOB_NAME}/${BUILD_ID}"
+
+    local body
+    body=$(cat <<_EOB_
+{
+    "text": "*Job Name:* $job_name",
+    "blocks": [
+		{
+			"type": "header",
+			"text": {
+				"type": "plain_text",
+				"text": "Prow job failure: $job_name"
+			}
+		},
+        {
+            "type": "section",
+            "text": {
+                "type": "mrkdwn",
+                "text": "*Commit:* <$commit_url|$commit_msg>\n*Author:* $author\n*Log:* $log_url"
+            }
+        },
+		{
+			"type": "divider"
+		}
+    ]
+}
+_EOB_
+    )
+
+    echo "$body" | jq | curl -XPOST -d @- -H 'Content-Type: application/json' "$webhook_url"
+}
+
 if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
     if [[ "$#" -lt 1 ]]; then
         die "When invoked at the command line a method is required."

diff --git a/scripts/ci/store-artifacts.sh b/scripts/ci/store-artifacts.sh
@@ -82,14 +82,25 @@ set_gs_path_vars() {
     GS_URL="gs://roxci-artifacts"
 
     if is_OPENSHIFT_CI; then
-        require_environment "REPO_NAME"
+        local repo
+        if [[ -n "${REPO_NAME:-}" ]]; then
+            # presubmit, postsubmit and batch runs
+            # (ref: https://github.com/kubernetes/test-infra/blob/master/prow/jobs.md#job-environment-variables)
+            repo="${REPO_NAME}"
+        elif [[ -n "${JOB_SPEC:-}" ]]; then
+            # periodics
+            # OpenShift CI adds 'extra_refs'
+            repo="$(jq -r <<<"${JOB_SPEC}" '.extra_refs[0].repo')" || die "invalid JOB_SPEC yaml"
+            if [[ "$repo" == "null" ]]; then
+                die "expect: repo in JOB_SEC.extra_refs[0]"
+            fi
+        else
+            die "Expect REPO_OWNER/NAME or JOB_SPEC"
+        fi
         require_environment "BUILD_ID"
         require_environment "JOB_NAME"
-        if [ -z "${PULL_PULL_SHA:-}" ] && [ -z "${PULL_BASE_SHA:-}" ]; then
-            die "There is no ID suitable to separate artifacts for this commit"
-        fi
-        local workflow_id="${PULL_PULL_SHA:-${PULL_BASE_SHA}}"
-        WORKFLOW_SUBDIR="${REPO_NAME}/${workflow_id}"
+        local workflow_id="${PULL_PULL_SHA:-${PULL_BASE_SHA:-nightly-$(date '+%Y%m%d')}}"
+        WORKFLOW_SUBDIR="${repo}/${workflow_id}"
         JOB_SUBDIR="${BUILD_ID}-${JOB_NAME}"
         GS_JOB_URL="${GS_URL}/${WORKFLOW_SUBDIR}/${JOB_SUBDIR}"
     elif is_CIRCLECI; then

diff --git a/status.sh b/status.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+echo "STABLE_SCANNER_VERSION $(make --quiet --no-print-directory tag)"
+echo "STABLE_GIT_SHORT_SHA $(git rev-parse --short HEAD)"
+echo "BUILD_TIMESTAMP $(date '+%s')"