GHA: Build and Publish to Public ECR and Build Nix #49
Conversation
|
Although the ECR repository may have @adamtajti , is the intention for the public to be able to pull these images? In which case, I think we should look into AWS public gallery? cc @aranair |
https://gallery.ecr.aws/u4f7y3k8/oplogtoredis I think this is the relevant public gallery entry? 🤔 |
|
I created that public repository as I initially wanted to place the images there, but there were a couple of permission issues that I faced while deploying from the garden and from my own machine as well, so I decided to stick with the private repository until we think that is important enough. Updated the README. I think it's alright that the workflow does something private for us at the moment, cause the forks won't be whitelisted by our IAM OIDC identity provider (@aranair @jgdef-tulip ) |
.github/workflows/pull-request.yml
Outdated
| export PATH=$PATH:$(go env GOPATH)/bin | ||
| golangci-lint --version | ||
| - name: golangci-lint | ||
| uses: golangci/golangci-lint-action@v3 |
There was a problem hiding this comment.
Should this be anchored with a hash?
There was a problem hiding this comment.
I think it's fine.
There was a problem hiding this comment.
But don't we use anchors for all non-GitHub actions as a security issue?
There was a problem hiding this comment.
Hmm, you are right, although I think that later versions of the action should provide fixes to both discovered security issues as well improve the performance of the existing functionalities. I'm ok with adding one though since it's no biggie, I'll hop back to this branch in a few hours.
There was a problem hiding this comment.
It seems like I forgot about this. Pinned down the versions.
| nativeBuildInputs = [installShellFiles]; | ||
| doCheck = false; | ||
| doInstallCheck = false; | ||
| nativeBuildInputs = [ installShellFiles ]; |
There was a problem hiding this comment.
Is there a nix linter?
There was a problem hiding this comment.
Not that I know of.
There was a problem hiding this comment.
| log.Printf("Warning: mongo insert failed: %s", err) | ||
| log.Printf("Warning: mongo insert failed for doc %s: %s", id, err) | ||
| if insertResult != nil && insertResult.InsertedID != nil { | ||
| log.Printf("Warning: although the previous insert faced this error, the InsertedID wasn't nil, so we'll conclude it was a success (InterruptedDueToReplStateChange). InsertedID: %s", insertResult.InsertedID) |
There was a problem hiding this comment.
🤔 is there a way to check the type of err (e.g., for InterruptedDueToReplStateChange)?
There was a problem hiding this comment.
I guess, this worked though, so lets go with this one. There could be many different errors, this was just what I picked up. The result is apparently simply not reliable in case of insert when using replicated mongo.
adamtajti
force-pushed
the
adam.workflow-built-ecr-images
branch
from
61f21c8 to
ed84c5f
Compare
|
Ready for review again. Rebased, repushed, we are using 1:1 IAM roles for these repositories to push the images from their respective workflows. |
|
(fyi The tulip/tulip parts got merged) |
verifies that the vendorHash has been properly updated.
adamtajti
changed the title
adamtajti
changed the title
|
I've included a Nix build in this pull request, which ensures that the |
.github/workflows/build-and-push.yml
Outdated
| cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} | ||
|
|
||
| permissions: | ||
| id-token: write # for the creds itself |
There was a problem hiding this comment.
Remind me again, the meaning behind the comment for the creds itself ?
There was a problem hiding this comment.
Honestly, I had no idea whatever this was required or not and what the comment meant. It looks like it was written by Ho Man, or someone before him and it was copied around (like over here). I remember failing the login without setting these permissions there, so I guess I assumed that it's needed over here as well, but it looks like it's not. Never looked into it deep enough. Removed the comment and removed the write perms.
There was a problem hiding this comment.
id-token is required for oidc role assumption
| id: generate-tag | ||
| run: | | ||
| # Extract the current version from `default.nix`. This must pass. | ||
| version=$(nix flake show . --quiet --all-systems --json | jq -r '.defaultPackage."aarch64-darwin".name' | cut -d'-' -f2-) |
There was a problem hiding this comment.
it's fine to hard-code aarch64-darwin ?
There was a problem hiding this comment.
I think it is, cause all the ${system} dicts will have the same .name attribute. Although I agree that it's ugly.
.github/workflows/build-and-push.yml
Outdated
| uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # 4.0.0 | ||
| with: | ||
| tags: ${{ steps.setup-ecr-buildx.outputs.ecr_registry }}/tulip/oplogtoredis:${{ steps.generate-tag.outputs.TAG }} | ||
| provenance: false |
There was a problem hiding this comment.
It's outside of this PR but eventually I like the idea of attaching metadata to instances via the provenance/SLSA attestations
There was a problem hiding this comment.
If it's just a switch to true flag, then lets change it. I'm not familiar with this feature, but it looks like that's all that we would need to do at a first glance, it writes the metadata into the image index.
.github/workflows/pull-request.yml
Outdated
| @@ -3,19 +3,31 @@ name: Pull Request | |||
| on: [ pull_request ] | |||
|
|
|||
| jobs: | |||
| nix_build: | |||
| runs-on: ubuntu-20.04 | |||
There was a problem hiding this comment.
any reason why there's an explicit ubuntu version here for PRs, but the build & push workflow uses ubuntu-latest?
There was a problem hiding this comment.
Hmm, none, I just followed the pattern in this file. I just changed it to latest. For the other steps here we can't make a bump yet though, it'll need some additional dependencies to be installed. I want to do that in another round.
README.md
Outdated
| # TODO: default.nix: Change the `vendorHash` property to an empty string and run `nix build`. | ||
| nix build | ||
| # ... | ||
| # error: hash mismatch in fixed-output derivation '/nix/store/by8bc99ywfw6j1i6zjxcwdmc5b3mmgzv-oplogtoredis-3.0.0-go-modules.drv': |
There was a problem hiding this comment.
Yeah, try reading the updated instructions, this was highly cryptic. I hope that the new one is more understandable ^^
README.md
Outdated
| You can build oplogtoredis from source with `go build .`, which produces a | ||
| statically-linked binary you can run. Alternatively, you can use [the public | ||
| docker image](https://hub.docker.com/r/tulip/oplogtoredis/tags/) | ||
| You can build oplogtoredis from source with `go build .`, which produces a statically-linked binary you can run. Alternatively, you can use [the public docker image](https://gallery.ecr.aws/u4f7y3k8/oplogtoredis). Previously we used to host these images in [Docker Hub](https://hub.docker.com/r/tulip/oplogtoredis/tags/). These won't be maintained anymore. |
There was a problem hiding this comment.
Now that we're approved, can't we use https://gallery.ecr.aws/tulip ?
|
bump; this should get in before the redis-sentinel support. |
|
Gabor gave this another review and I merged this after his approval. We think that we are in a better shape now, but in-case you have further suggestions feel free to comment here further or put up further pull requests. |
We're moving our Docker image hosting from Docker Hub to AWS Public ECR Repositories.
Additionally this PR also attempts to fix failures in the tests that were undetected in the last merge as we just added these workflows.