Standardize e2e testing

[chadwhitacre]

We have a messy mess of integration testing:

1. test.sh
2. integration-test.sh
3. self-hosted cloudbuild
4. sentry cloudbuild
5. snuba cloudbuild
6. relay cloudbuild

We should standardize this in a way that ensures that e2e is kept in sync across all consumer repos (sentry, snuba, relay) in addition to local environments and self-hosted cloudbuild.

Task list:

1. Review cloudbuild configs and write new Github Action based on them (needs to handle custom sentry/snuba/relay containers etc)
2. Add new Github Action to CI pipelines in repos we care about as allow-fail
   1. Try adding end to end tests using new action #1806
   2. Initial self-hosted end-to-end unified CI setup relay#1592
   3. Add self-hosted Sentry end-to-end tests to CI using new Github action snuba#3401
   4. ci: Initial self-hosted end-to-end Github Action sentry#42124
3. Set up PAT for GCB ⇔ GHA #1867
4. Add Docker container deployment (set up Dockerhub access token)
   1. relay
   2. snuba
   3. sentry
5. After two days, make the Action required
6. Remove old Google Cloud build check
   1. ci: Remove GCB tests and make GHA default for self-hosted e2e tests relay#1721
   2. ci: Remove GCB tests and make GHA default for self-hosted e2e tests snuba#3557
   3. ci: Remove GCB tests and make GHA default for self-hosted e2e tests sentry#42641
   4. Remove GCB and update Github Action SHA #1880

[BYK]

Historical context:

The reason for using Cloudbuild is two fold:

1. Performance: in the bad old days we did not have GitHub Actions and anything else was too slow or limited in terms of memory (no our build is not demanding :P). Since e2e has been working quite well for some time in self-hosted through GHA, I think that can be revisited. Even more, using hosted-runners for GHA might be a good option too.
2. The idea was to build the Sentry image and use the same image for single-tenant which lives in GCP. It was a hassle to manage secrets etc, again in the bad old days. Now in the bright future, we have OIDC which should also fix that problem: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform

Also, while we are at that, considering switching to GitHub packages instead of Docker Hub may be beneficial both in terms of performance and budget.

Now that I'm thinking, if you switch to using GHA for e2e tests, you can make it a custom action that can be shared across repos where each of them provides the "image override" env variable and you are golden.

[emmatyping]

Thanks for the background @BYK! I agree a custom action seems like the best way to standardize here.

[emmatyping]

Plan for switching over to the new action: Now in the first comment!

[emmatyping]

Repo is live at https://github.com/getsentry/action-self-hosted-e2e-tests. Planning on adding it to self-hosted today, the rest of the repos next week.

[emmatyping]

All of the actions are now deployed! Need to figure out the docker image deployment situation but once that is done we can start the clock on replacing GCB.

[chadwhitacre]

All of the actions are now deployed! Need to figure out the docker image deployment situation but once that is done we can start the clock on replacing GCB.

FTR we decided to keep Docker build and push in GCB rather than moving to GHA, mostly for security concerns. Now we're trying to kick off the e2e tests in GHA from GCB via a webhook. When we moved GitHub behind Okta I lost access to our bot accounts, so I'm trying to recover that so I can set up a PAT.

[chadwhitacre]

Bot accounts recovered! I created a (new-style) PAT and am looking at setting it up in GCB.

[chadwhitacre]

New-style PATs must expire, going with classic.

[chadwhitacre]

GCB secrets process is complicated ...

[chadwhitacre]

🐰🕳️

[chadwhitacre]

Hit a wall, escalated to Ops.

[chadwhitacre]

Decided to go with publishing from GHA to Docker after all.

Any concerns about keeping the dockerhub secret secure in Github Actions?

I don't have any concern, no -- I think we should do all the pushing in GHA instead of having to do complicated back and forth between GCB and GHA

I assume only Sentry employees will be able to kick off a release and publish to DockerHub?

The main concern with pushing from Github is people aren't going to check PRs for exposing secrets before hitting the approve button to run CI for PRs from external contributors, so if there is a PR from an outside contributor they might be able to expose the secret

they won't have access to secrets unless they are sentry employees

Even with a PR to getsentry/sentry?

yep. only pull_request_target will have secrets available and we're very particular about what we put into that

I created a token in Docker Hub and set it as a repo secret in sentry, relay, and snuba.

[emmatyping]

This is now done!

[chadwhitacre]

Had to do some cleanup in getsentry/action-self-hosted-e2e-tests#3 ftr.