From ef7b3e5794c98ca35f6e8b3ae230f27e0e53ed95 Mon Sep 17 00:00:00 2001
From: Joss
Date: Thu, 2 May 2024 03:00:59 +0100
Subject: [PATCH] chore: upgrade ci
---
.github/.flake8 | 8 ++
.github/commitlint.config.mjs | 16 ++++
.github/pull_request_template.md | 14 ++++
.github/workflows/build-canary-chart.yaml | 67 ++++++++++++++++
.github/workflows/build-canary-container.yaml | 62 ++++++++++++++
.github/workflows/flake8.yaml | 38 ---------
.github/workflows/lint-canary.yaml | 43 ++++++++++
.github/workflows/lint-pr-title.yaml | 19 +++++
.github/workflows/on-pr-update.yaml | 79 ------------------
.github/workflows/on-release.yaml | 80 -------------------
10 files changed, 229 insertions(+), 197 deletions(-)
create mode 100644 .github/.flake8
create mode 100644 .github/commitlint.config.mjs
create mode 100644 .github/pull_request_template.md
create mode 100644 .github/workflows/build-canary-chart.yaml
create mode 100644 .github/workflows/build-canary-container.yaml
delete mode 100644 .github/workflows/flake8.yaml
create mode 100644 .github/workflows/lint-canary.yaml
create mode 100644 .github/workflows/lint-pr-title.yaml
delete mode 100644 .github/workflows/on-pr-update.yaml
delete mode 100644 .github/workflows/on-release.yaml
diff --git a/.github/.flake8 b/.github/.flake8
new file mode 100644
index 0000000..d6cbf96
--- /dev/null
+++ b/.github/.flake8
@@ -0,0 +1,8 @@
+[flake8]
+per-file-ignores =
+ # imported but unused
+ __init__.py: F401
+
+max-complexity = 10
+
+extend-ignore = E501,C901
diff --git a/.github/commitlint.config.mjs b/.github/commitlint.config.mjs
new file mode 100644
index 0000000..3de816d
--- /dev/null
+++ b/.github/commitlint.config.mjs
@@ -0,0 +1,16 @@
+import { RuleConfigSeverity } from '@commitlint/types';
+
+export default {
+ extends: ['@commitlint/config-conventional'],
+ parserPreset: 'conventional-changelog-conventionalcommits',
+ rules: {
+ 'scope-enum': [RuleConfigSeverity.Error, 'always', [
+ '',
+ 'deps',
+ 'canary-container',
+ 'canary-chart',
+ 'canary-crds-chart'
+ ]],
+ 'subject-case': [RuleConfigSeverity.Error, 'never', []],
+ }
+};
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..4c8c5c6
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,14 @@
+## :construction: Suggest a change
+
+A clear and concise description of what you are changing.
+
+## :memo: Pre-merge checklist
+
+Ready to merge? Do not merge until all checks are satisfied.
+- [ ] :chart: Have all `required` CI checks passed on the most recent commit?
+- [ ] :black_nib: Is the PR title a valid and meaningful conventional-commit message? ie. `type(scope): summary`
+- [ ] :boom: Are `breaking changes` declared in the PR title in conventional-commit style? ie. `type!(scope): summary`
+- [ ] :art: Does new code follow the code style of this project?
+- [ ] :mag: Has new code been spellchecked and linted?
+- [ ] :book: Have docs been updated where necessary?
+- [ ] :poop: Have commits been checked for accidental file inclusions?
diff --git a/.github/workflows/build-canary-chart.yaml b/.github/workflows/build-canary-chart.yaml
new file mode 100644
index 0000000..05b759c
--- /dev/null
+++ b/.github/workflows/build-canary-chart.yaml
@@ -0,0 +1,67 @@
+name: Build Canary Chart
+
+on:
+ pull_request:
+ # Ignore PRs on branches specifically intended for other assets
+ branches-ignore:
+ - '*/canary-container*'
+ - '*/canary-crds-chart*'
+ # Only consider PRs that change files for this asset, including ci scripts
+ paths:
+ - '.github/workflows/build-canary-chart.yaml'
+ - 'charts/canary/**'
+ # Make sure all workflows that are "required checks" for a given
+ # branch protection rule have the same paths: and branches-ignore:
+ # filters. Otherwise, you can end up in a deadlock waiting on a
+ # required check that will never be executed.
+ push:
+ # Only release off of release and maintenance branches for this asset
+ branches:
+ - 'maintenance/canary-chart/[0-9]+.x.x'
+ - 'maintenance/canary-chart/[0-9]+.[0-9]+.x'
+ - 'main'
+ # Only consider pushes that change files for this asset, including ci scripts
+ paths:
+ - '.github/workflows/build-canary-chart.yaml'
+ - 'charts/canary/**'
+
+permissions:
+ contents: write
+ pull-requests: write
+ actions: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ # Cancel early on pull requests if new commits are added,
+ # Don't cancel on release pushes
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ # Job name must be unique across repo to target
+ # branch protection rules "required checks" properly!
+ canary-chart:
+ uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-chart.yaml@v2.0.0-charts
+ with:
+ job-name: canary-chart
+ comment-pr: "true"
+ comment-release: "true"
+ registry: ${{ vars.HARBOR_REGISTRY }}
+ registry-user: ${{ vars.HARBOR_USER }}
+ registry-project: ${{ vars.HARBOR_PROJECT }}
+ registry-repo: canary
+ release-tag-format: 'canary-chart-${version}'
+ cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
+ chart: charts/canary
+ test-command: |
+ helm template $CHART \
+ --values charts/canary/values.yaml \
+ --include-crds \
+ --name-template canary \
+ --namespace canary \
+ --create-namespace \
+ --debug
+
+ secrets:
+ cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+ registry-token: ${{ secrets.HARBOR_TOKEN }}
diff --git a/.github/workflows/build-canary-container.yaml b/.github/workflows/build-canary-container.yaml
new file mode 100644
index 0000000..872d362
--- /dev/null
+++ b/.github/workflows/build-canary-container.yaml
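Review bot: The `uses:` line of the `canary-chart` job references the reusable workflow by a mutable tag (`@v2.0.0-charts`) while passing it `COSIGN_PRIVATE_KEY`, `COSIGN_PASSWORD` and `HARBOR_TOKEN`, so the code that handles the signing key can change without any commit in this repository. Pin it to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-chart.yaml@<full-commit-sha> # v2.0.0-charts`. The workflow-level `permissions:` block also grants `contents: write` and `pull-requests: write` to `pull_request` runs as well as release pushes; a comment stating which part of the called workflow needs each write scope would make that reviewable, since the called workflow is not visible in this patch. The same pinning point applies to the `canary-container` job in build-canary-container.yaml and the `pr-title-commitlint` job in lint-pr-title.yaml.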
@@ -0,0 +1,62 @@
+name: Build Canary Container
+
+on:
+ pull_request:
+ # Ignore PRs on branches specifically intended for other assets
+ branches-ignore:
+ - '*/canary-chart*'
+ - '*/canary-crds-chart*'
+ # Only consider PRs that change files for this asset, including ci scripts
+ paths:
+ - '.github/workflows/lint-canary-flake8.yaml'
+ - '.github/workflows/build-canary-container.yaml'
+ - 'containers/canary/**'
+ - 'src/**'
+ # Make sure all workflows that are "required checks" for a given
+ # branch protection rule have the same paths: and branches-ignore:
+ # filters. Otherwise, you can end up in a deadlock waiting on a
+ # required check that will never be executed.
+ push:
+ # Only release off of release and maintenance branches for this asset
+ branches:
+ - 'maintenance/canary-container/[0-9]+.x.x'
+ - 'maintenance/canary-container/[0-9]+.[0-9]+.x'
+ - 'main'
+ # Only consider pushes that change files for this asset, including ci scripts
+ paths:
+ - '.github/workflows/lint-canary-flake8.yaml'
+ - '.github/workflows/build-canary-container.yaml'
+ - 'containers/canary/**'
+ - 'src/**'
+
+permissions:
+ contents: write
+ pull-requests: write
+ actions: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ # Cancel early on pull requests if new commits are added,
+ # Don't cancel on release pushes
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+ # Job name must be unique across repo to target
+ # branch protection rules "required checks" properly!
+ canary-container:
+ uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-and-release-container.yaml@v2.0.0-containers
+ with:
+ job-name: canary-container
+ comment-pr: "true"
+ comment-release: "true"
+ registry: ${{ vars.HARBOR_REGISTRY }}
+ registry-user: ${{ vars.HARBOR_USER }}
+ registry-repo: ${{ vars.HARBOR_PROJECT }}/canary
+ release-tag-format: 'canary-container-${version}'
+ cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
+ build-file: containers/canary/Dockerfile
+ build-context: '.'
+ secrets:
+ cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+ registry-token: ${{ secrets.HARBOR_TOKEN }}
diff --git a/.github/workflows/flake8.yaml b/.github/workflows/flake8.yaml
deleted file mode 100644
index 5a340a6..0000000
--- a/.github/workflows/flake8.yaml
+++ /dev/null
@@ -1,38 +0,0 @@ -name: Flake8 - -on: - pull_request: - types: - - opened - - synchronize - paths: - - 'src/**.py' - -permissions: - # read on both needed for changes detection - pull-requests: read - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - flake8: - runs-on: - labels: [self-hosted, linux, x64] - group: light - - steps: - - name: clone repo - uses: actions/checkout@v4 - - - name: install flake8 - run: pip install flake8 - - - name: run flake8 - uses: rbialon/flake8-annotations@v1 - - - name: run flake8 - run: | - flake8 --max-complexity 10 --ignore E501,C901 src
diff --git a/.github/workflows/lint-canary.yaml b/.github/workflows/lint-canary.yaml
new file mode 100644
index 0000000..1fffe53
--- /dev/null
+++ b/.github/workflows/lint-canary.yaml
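Review bot: The `paths:` filters under both `pull_request` and `push` in build-canary-container.yaml list `.github/workflows/lint-canary-flake8.yaml`, but this commit adds the lint workflow as `.github/workflows/lint-canary.yaml`, so that entry matches no file in the patch and edits to the lint workflow will not trigger this build. Change the entry to `- '.github/workflows/lint-canary.yaml'` in both lists. lint-canary.yaml carries the same stale path in its own `paths:` filter, which means a change to that workflow alone does not re-run it. The comment in these files asks that required checks share identical filters, so both files should be corrected together.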
@@ -0,0 +1,43 @@
+name: Lint Canary
+
+on:
+ pull_request:
+ # Ignore PRs on branches specifically intended for other assets
+ branches-ignore:
+ - '*/canary-chart*'
+ - '*/canary-crds-chart*'
+ # Only consider PRs that change files for this asset, including ci scripts
+ paths:
+ - '.github/workflows/lint-canary-flake8.yaml'
+ - '.github/workflows/build-canary-container.yaml'
+ - 'containers/canary/**'
+ - 'src/**'
+ # Make sure all workflows that are "required checks" for a given
+ # branch protection rule have the same paths: and branches-ignore:
+ # filters. Otherwise, you can end up in a deadlock waiting on a
+ # required check that will never be executed.
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ # This linting can be cancelled if there is a newer commit to lint
+ cancel-in-progress: true
+
+jobs:
+ controller-flake8:
+ runs-on:
+ labels: [self-hosted, linux, x64]
+ group: light
+
+ steps:
+ - name: clone repo
+ uses: actions/checkout@v4
+
+ - name: install flake8
+ run: pip install flake8
+
+ - name: install flake8 annotations
+ uses: rbialon/flake8-annotations@v1
+
+ - name: run flake8
+ run: |
+ flake8 --config=".github/.flake8" src
diff --git a/.github/workflows/lint-pr-title.yaml b/.github/workflows/lint-pr-title.yaml
new file mode 100644
index 0000000..76b43b5
--- /dev/null
+++ b/.github/workflows/lint-pr-title.yaml
@@ -0,0 +1,19 @@
+name: Lint PR Title
+
+on:
+ pull_request:
+ # Run on all PRs whenever the title could have changed
+ types:
+ - opened
+ - reopened
+ - edited
+ - synchronize
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ # This linting can be cancelled if there is a newer commit to lint
+ cancel-in-progress: true
+
+jobs:
+ pr-title-commitlint:
+ uses: SwanseaUniversityMedical/workflows/.github/workflows/pr-title-commitlint.yaml@v1.2.0-pr-title-commitlint
diff --git a/.github/workflows/on-pr-update.yaml b/.github/workflows/on-pr-update.yaml
deleted file mode 100644
index 93e1bd8..0000000
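Review bot: The new lint-canary.yaml declares no `permissions:` block, whereas the flake8.yaml it replaces limited the token to `pull-requests: read` and `contents: read`; without it the `controller-flake8` job runs with whatever default token scopes the repository or organisation has configured. Restore the block at workflow level: `permissions:`, `contents: read`, `pull-requests: read`. The job checks out pull-request content on a `self-hosted` runner, references `rbialon/flake8-annotations@v1` by tag and installs flake8 unpinned, so a minimal token, a commit-SHA pin for the action and a fixed flake8 version are worth having here; whether the runner is ephemeral is not visible in the patch. lint-pr-title.yaml likewise sets no `permissions:`.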
--- a/.github/workflows/on-pr-update.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -name: PR Update - -on: - pull_request: - types: - - opened - - synchronize - -permissions: - # read on both needed for changes detection. - pull-requests: read - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - changes: - # Detect which files have been changed on this PR's full history - uses: SwanseaUniversityMedical/workflows/.github/workflows/changes-pr.yaml@v5.1.2 - with: - slack-channel: ${{ vars.SLACK_CHANNEL }} - filters: | - canary-container: - - 'containers/canary/**' - - 'src/**' - canary-chart: - - 'charts/canary/**' - - secrets: - slack-token: ${{ secrets.SLACK_TOKEN }} - - canary-container: - # Build the container and push it as :pr-42 and :pr-42-fe45b3h - needs: changes - if: fromJSON(needs.changes.outputs.changes).canary-container == 'true' - uses: SwanseaUniversityMedical/workflows/.github/workflows/build-and-test-pr-container.yaml@v5.1.2 - with: - job-name: canary-container - registry: ${{ vars.HARBOR_REGISTRY }} - registry-user: ${{ vars.HARBOR_USER }} - registry-repo: ${{ vars.HARBOR_PROJECT }}/canary - slack-channel: ${{ vars.SLACK_CHANNEL }} - cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }} - build-file: containers/canary/Dockerfile - build-context: '.' 
- secrets: - cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} - cosign-password: ${{ secrets.COSIGN_PASSWORD }} - registry-token: ${{ secrets.HARBOR_TOKEN }} - slack-token: ${{ secrets.SLACK_TOKEN }} - - canary-chart: - # Build the chart and push it as :pr-42 and :pr-42-fe45b3h - needs: changes - if: fromJSON(needs.changes.outputs.changes).canary-chart == 'true' - uses: SwanseaUniversityMedical/workflows/.github/workflows/on-pr-update-chart.yaml@v5.1.2 - with: - job-name: chart - chart: charts/canary - chart-registry: ${{ vars.HARBOR_REGISTRY }} - chart-registry-user: ${{ vars.HARBOR_USER }} - chart-registry-project: ${{ vars.HARBOR_PROJECT }} - chart-registry-repo: canary - slack-channel: ${{ vars.SLACK_CHANNEL }} - cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }} - test-command: | - helm template $CHART \ - --values charts/canary/values.yaml \ - --include-crds \ - --name-template canary \ - --namespace canary \ - --create-namespace - secrets: - cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} - cosign-password: ${{ secrets.COSIGN_PASSWORD }} - chart-registry-token: ${{ secrets.HARBOR_TOKEN }} - slack-token: ${{ secrets.SLACK_TOKEN }} diff --git a/.github/workflows/on-release.yaml b/.github/workflows/on-release.yaml deleted file mode 100644 index b80c55f..0000000 --- a/.github/workflows/on-release.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -name: Release - -on: - push: - branches: - - main - -permissions: - # read needed for changes detection - # write needed to author a Github release - contents: write - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: false - -jobs: - changes: - # Detect which files have been changed on this PR's full history - uses: SwanseaUniversityMedical/workflows/.github/workflows/changes-release.yaml@v5.1.2 - with: - slack-channel: ${{ vars.SLACK_CHANNEL }} - filters: | - canary-container: - - 'containers/canary/**' - - 'src/**' - canary-chart: - - 'charts/canary/**' - - secrets: - slack-token: ${{ secrets.SLACK_TOKEN }} - - canary-container: - # Build the Airflow container with dags inside and push it as :rc-1.0.0 - needs: changes - if: fromJSON(needs.changes.outputs.changes).canary-container == 'true' - uses: SwanseaUniversityMedical/workflows/.github/workflows/build-and-test-release-container.yaml@v5.1.2 - with: - job-name: canary-container - registry: ${{ vars.HARBOR_REGISTRY }} - registry-user: ${{ vars.HARBOR_USER }} - registry-repo: ${{ vars.HARBOR_PROJECT }}/canary - release-tag-format: 'canary-container-${version}' - slack-channel: ${{ vars.SLACK_CHANNEL }} - cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }} - build-file: containers/canary/Dockerfile - build-context: '.' 
- secrets: - cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} - cosign-password: ${{ secrets.COSIGN_PASSWORD }} - registry-token: ${{ secrets.HARBOR_TOKEN }} - slack-token: ${{ secrets.SLACK_TOKEN }} - - canary-chart: - # Build the chart and push it as x.y.z-rc - needs: changes - if: fromJSON(needs.changes.outputs.changes).canary-chart == 'true' - uses: SwanseaUniversityMedical/workflows/.github/workflows/on-release-chart.yaml@v5.1.2 - with: - job-name: canary-chart - chart-registry: ${{ vars.HARBOR_REGISTRY }} - chart-registry-user: ${{ vars.HARBOR_USER }} - chart-registry-project: ${{ vars.HARBOR_PROJECT }} - chart-registry-repo: canary - release-tag-format: 'canary-chart-${version}' - slack-channel: ${{ vars.SLACK_CHANNEL }} - cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }} - chart: charts/canary - test-command: | - helm template $CHART \ - --values charts/canary/values.yaml \ - --include-crds \ - --name-template canary \ - --namespace canary \ - --create-namespace - secrets: - cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }} - cosign-password: ${{ secrets.COSIGN_PASSWORD }} - chart-registry-token: ${{ secrets.HARBOR_TOKEN }} - slack-token: ${{ secrets.SLACK_TOKEN }}