chore(IDX): encrypt bep (#3684)
Only upload encrypted BEP files.

---------

Co-authored-by: IDX GitHub Automation <[email protected]>
marko-k0 and sa-idx-admin authored Jan 30, 2025
1 parent 8f754dd commit 59c4b87
Showing 10 changed files with 266 additions and 4 deletions.
8 changes: 8 additions & 0 deletions .github/actions/bazel-test-all/action.yaml
Expand Up @@ -20,6 +20,8 @@ inputs:
required: false
SSH_PRIVATE_KEY_BACKUP_POD:
required: false
GPG_PASSPHRASE:
required: false

runs:
using: "composite"
Expand Down Expand Up @@ -60,6 +62,11 @@ runs:
rm "$exportout"
echo "BEP events exported to honeycomb!"
fi
if [ -n "$GPG_PASSPHRASE" ] && [ -f ./bazel-bep.pb ]; then
gpg --symmetric --cipher-algo AES256 -o bazel-bep.pb.gpg \
--passphrase "$GPG_PASSPHRASE" --batch --yes bazel-bep.pb
fi
rm -f bazel-bep.pb
# output node name to gihub step summary
[ -n "${NODE_NAME:-}" ] && echo "Run on node: $NODE_NAME" >>$GITHUB_STEP_SUMMARY
Expand All @@ -78,3 +85,4 @@ runs:
CI_PULL_REQUEST_TARGET_BRANCH_NAME: ${{ github.event.pull_request.base.ref }}
MERGE_BASE_SHA: ${{ github.event.pull_request.base.sha }}
SSH_PRIVATE_KEY_BACKUP_POD: ${{ inputs.SSH_PRIVATE_KEY_BACKUP_POD }}
GPG_PASSPHRASE: ${{ inputs.GPG_PASSPHRASE }}
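Review bot: The new gpg call passes the secret as `--passphrase "$GPG_PASSPHRASE"`, which puts it in gpg's argument list, where other processes on the same runner can read it from the process table while the encryption runs. Feeding it over a file descriptor keeps it out of argv, assuming the step's shell is bash: `gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --symmetric --cipher-algo AES256 -o bazel-bep.pb.gpg bazel-bep.pb <<<"$GPG_PASSPHRASE"`. Since this step only ever encrypts, public-key encryption (`--encrypt --recipient <RECIPIENT_KEY_ID>`, placeholder) would let CI hold no decryption-capable secret at all, which matters because the passphrase is exported into the `env:` of the same step. The `run:` script starts and ends outside these hunks, so whether a gpg failure aborts the step or is silently followed by `rm -f bazel-bep.pb` cannot be confirmed from here.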
12 changes: 11 additions & 1 deletion .github/workflows-source/ci-main.yml
Expand Up @@ -86,7 +86,7 @@ anchors:
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb
bazel-bep.pb.gpg
profile.json
jobs:
Expand Down Expand Up @@ -153,6 +153,8 @@ jobs:
# check if PR title contains release and set timeout filters accordingly
BAZEL_EXTRA_ARGS: ${{ env.BAZEL_EXTRA_ARGS }}
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep
- <<: *bazel-upload

bazel-build-all-config-check:
Expand All @@ -169,6 +171,8 @@ jobs:
BAZEL_COMMAND: "build"
BAZEL_TARGETS: "//rs/..."
BAZEL_CI_CONFIG: "--config=check --config=ci --keep_going"
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep

bazel-test-macos-intel:
name: Bazel Test macOS Intel
Expand Down Expand Up @@ -200,6 +204,8 @@ jobs:
BAZEL_EXTRA_ARGS: '--test_tag_filters=test_macos'
BAZEL_STARTUP_ARGS: "--output_base /var/tmp/bazel-output/${{ github.run_id }}"
BAZEL_TARGETS: "//rs/... //publish/binaries/..."
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep
- name: Purge Bazel Output
if: always()
shell: bash
Expand All @@ -218,6 +224,8 @@ jobs:
BAZEL_COMMAND: "build"
BAZEL_TARGETS: "//rs/..."
BAZEL_EXTRA_ARGS: "--keep_going --config=fuzzing --build_tag_filters=libfuzzer"
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep

bazel-build-fuzzers-afl:
name: Bazel Build Fuzzers AFL
Expand All @@ -231,6 +239,8 @@ jobs:
BAZEL_COMMAND: "build"
BAZEL_TARGETS: "//rs/..."
BAZEL_EXTRA_ARGS: "--keep_going --config=afl"
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep

python-ci-tests:
name: Python CI Tests
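Review bot: `profile.json` is still uploaded in cleartext next to `bazel-bep.pb.gpg` in the `path:` list of the upload anchor (first hunk), so the artifact is only partly protected. If the BEP is being encrypted because it can expose command lines, environment values or internal target names, confirm that the Bazel profile carries nothing comparable; otherwise encrypt it in the same action step and list `profile.json.gpg` here instead. The same `path:` block is changed in release-testing.yml, schedule-daily.yml and schedule-hourly.yml under workflows-source, and it is expanded into the generated files under .github/workflows. The anchor definition begins outside the hunk, so its remaining keys are not visible here.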
14 changes: 13 additions & 1 deletion .github/workflows-source/release-testing.yml
Expand Up @@ -58,7 +58,7 @@ anchors:
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb
bazel-bep.pb.gpg
profile.json
jobs:
Expand All @@ -82,6 +82,8 @@ jobs:
BAZEL_CI_CONFIG: "--config=ci --repository_cache=/cache/bazel"
BAZEL_EXTRA_ARGS: "--keep_going --test_tag_filters=system_test_nightly"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep

bazel-system-test-staging:
name: Bazel System Test Staging
Expand All @@ -98,6 +100,8 @@ jobs:
BAZEL_CI_CONFIG: "--config=ci --repository_cache=/cache/bazel"
BAZEL_EXTRA_ARGS: "--keep_going --test_tag_filters=system_test_staging"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep

bazel-system-test-hotfix:
name: Bazel System Test Hotfix
Expand All @@ -115,6 +119,8 @@ jobs:
BAZEL_CI_CONFIG: "--config=ci --repository_cache=/cache/bazel"
BAZEL_EXTRA_ARGS: "--keep_going --test_tag_filters=system_test_hotfix"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep

dependency-scan-release-cut:
name: Dependency Scan for Release
Expand Down Expand Up @@ -187,3 +193,9 @@ jobs:
BAZEL_CI_CONFIG: "--config=systest --repository_cache=/cache/bazel"
BAZEL_EXTRA_ARGS: "--keep_going --test_timeout=7200 --test_env=OLD_VERSION=${{ matrix.version }}"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep
name: Upload bazel bep for version ${{ matrix.version }}
with:
<<: *bazel-bep-with
name: ${{ github.job }}-${{ matrix.version }}-bep
8 changes: 7 additions & 1 deletion .github/workflows-source/schedule-daily.yml
Expand Up @@ -49,7 +49,7 @@ anchors:
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb
bazel-bep.pb.gpg
profile.json
jobs:
Expand Down Expand Up @@ -118,6 +118,8 @@ jobs:
BAZEL_EXTRA_ARGS: "--keep_going --test_tag_filters=fi_tests_nightly --test_env=SSH_AUTH_SOCK --test_timeout=43200"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
SSH_PRIVATE_KEY_BACKUP_POD: ${{ secrets.SSH_PRIVATE_KEY_BACKUP_POD }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep

nns-tests-nightly:
name: Bazel Test NNS Nightly
Expand All @@ -136,6 +138,8 @@ jobs:
BAZEL_EXTRA_ARGS: "--keep_going --test_tag_filters=nns_tests_nightly --test_env=SSH_AUTH_SOCK --test_env=NNS_CANISTER_UPGRADE_SEQUENCE=all"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
SSH_PRIVATE_KEY_BACKUP_POD: ${{ secrets.SSH_PRIVATE_KEY_BACKUP_POD }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep

system-tests-benchmarks-nightly:
name: Bazel System Test Benchmarks
Expand All @@ -159,6 +163,8 @@ jobs:
# note: there's just one performance cluster, so the job can't be parallelized
BAZEL_EXTRA_ARGS: "--test_tag_filters=system_test_benchmark --//bazel:enable_upload_perf_systest_results=True --keep_going --jobs 1"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep
- name: Post Slack Notification
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
if: failure()
6 changes: 5 additions & 1 deletion .github/workflows-source/schedule-hourly.yml
Expand Up @@ -48,7 +48,7 @@ anchors:
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb
bazel-bep.pb.gpg
profile.json
jobs:
Expand All @@ -66,6 +66,8 @@ jobs:
BAZEL_CI_CONFIG: "--config=ci"
BAZEL_COMMAND: "build"
BAZEL_EXTRA_ARGS: "--repository_cache= --disk_cache= --noremote_accept_cached --remote_instance_name=${CI_COMMIT_SHA} --@rules_rust//rust/settings:pipelined_compilation=True"
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep

bazel-system-test-hourly:
name: Bazel System Tests Hourly
Expand All @@ -85,6 +87,8 @@ jobs:
BAZEL_CI_CONFIG: "--config=ci --repository_cache=/cache/bazel"
BAZEL_EXTRA_ARGS: "--keep_going --test_tag_filters=system_test_hourly"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- <<: *bazel-bep

bazel-run-fuzzers-hourly:
name: Bazel Run Fuzzers Hourly
70 changes: 70 additions & 0 deletions .github/workflows/ci-main.yml
Expand Up @@ -101,6 +101,20 @@ jobs:
# check if PR title contains release and set timeout filters accordingly
BAZEL_EXTRA_ARGS: ${{ env.BAZEL_EXTRA_ARGS }}
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- name: Upload bazel-bep
# runs only if previous step succeeded or failed;
# we avoid collecting artifacts of jobs that were cancelled
if: success() || failure()
uses: actions/upload-artifact@v4
with:
name: ${{ github.job }}-bep
retention-days: 14
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb.gpg
profile.json
- name: Upload bazel-targets
uses: actions/upload-artifact@v4
with:
Expand Down Expand Up @@ -136,6 +150,20 @@ jobs:
BAZEL_COMMAND: "build"
BAZEL_TARGETS: "//rs/..."
BAZEL_CI_CONFIG: "--config=check --config=ci --keep_going"
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- name: Upload bazel-bep
# runs only if previous step succeeded or failed;
# we avoid collecting artifacts of jobs that were cancelled
if: success() || failure()
uses: actions/upload-artifact@v4
with:
name: ${{ github.job }}-bep
retention-days: 14
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb.gpg
profile.json
bazel-test-macos-intel:
name: Bazel Test macOS Intel
timeout-minutes: 130
Expand Down Expand Up @@ -168,6 +196,20 @@ jobs:
BAZEL_EXTRA_ARGS: '--test_tag_filters=test_macos'
BAZEL_STARTUP_ARGS: "--output_base /var/tmp/bazel-output/${{ github.run_id }}"
BAZEL_TARGETS: "//rs/... //publish/binaries/..."
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- name: Upload bazel-bep
# runs only if previous step succeeded or failed;
# we avoid collecting artifacts of jobs that were cancelled
if: success() || failure()
uses: actions/upload-artifact@v4
with:
name: ${{ github.job }}-bep
retention-days: 14
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb.gpg
profile.json
- name: Purge Bazel Output
if: always()
shell: bash
Expand All @@ -194,6 +236,20 @@ jobs:
BAZEL_COMMAND: "build"
BAZEL_TARGETS: "//rs/..."
BAZEL_EXTRA_ARGS: "--keep_going --config=fuzzing --build_tag_filters=libfuzzer"
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- name: Upload bazel-bep
# runs only if previous step succeeded or failed;
# we avoid collecting artifacts of jobs that were cancelled
if: success() || failure()
uses: actions/upload-artifact@v4
with:
name: ${{ github.job }}-bep
retention-days: 14
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb.gpg
profile.json
bazel-build-fuzzers-afl:
name: Bazel Build Fuzzers AFL
runs-on:
Expand All @@ -215,6 +271,20 @@ jobs:
BAZEL_COMMAND: "build"
BAZEL_TARGETS: "//rs/..."
BAZEL_EXTRA_ARGS: "--keep_going --config=afl"
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- name: Upload bazel-bep
# runs only if previous step succeeded or failed;
# we avoid collecting artifacts of jobs that were cancelled
if: success() || failure()
uses: actions/upload-artifact@v4
with:
name: ${{ github.job }}-bep
retention-days: 14
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb.gpg
profile.json
python-ci-tests:
name: Python CI Tests
runs-on:
56 changes: 56 additions & 0 deletions .github/workflows/release-testing.yml
Expand Up @@ -51,6 +51,20 @@ jobs:
BAZEL_CI_CONFIG: "--config=ci --repository_cache=/cache/bazel"
BAZEL_EXTRA_ARGS: "--keep_going --test_tag_filters=system_test_nightly"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- name: Upload bazel-bep
# runs only if previous step succeeded or failed;
# we avoid collecting artifacts of jobs that were cancelled
if: success() || failure()
uses: actions/upload-artifact@v4
with:
name: ${{ github.job }}-bep
retention-days: 14
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb.gpg
profile.json
bazel-system-test-staging:
name: Bazel System Test Staging
runs-on:
Expand Down Expand Up @@ -80,6 +94,20 @@ jobs:
BAZEL_CI_CONFIG: "--config=ci --repository_cache=/cache/bazel"
BAZEL_EXTRA_ARGS: "--keep_going --test_tag_filters=system_test_staging"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- name: Upload bazel-bep
# runs only if previous step succeeded or failed;
# we avoid collecting artifacts of jobs that were cancelled
if: success() || failure()
uses: actions/upload-artifact@v4
with:
name: ${{ github.job }}-bep
retention-days: 14
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb.gpg
profile.json
bazel-system-test-hotfix:
name: Bazel System Test Hotfix
runs-on:
Expand Down Expand Up @@ -109,6 +137,20 @@ jobs:
BAZEL_CI_CONFIG: "--config=ci --repository_cache=/cache/bazel"
BAZEL_EXTRA_ARGS: "--keep_going --test_tag_filters=system_test_hotfix"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- name: Upload bazel-bep
# runs only if previous step succeeded or failed;
# we avoid collecting artifacts of jobs that were cancelled
if: success() || failure()
uses: actions/upload-artifact@v4
with:
name: ${{ github.job }}-bep
retention-days: 14
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb.gpg
profile.json
dependency-scan-release-cut:
name: Dependency Scan for Release
runs-on:
Expand Down Expand Up @@ -212,3 +254,17 @@ jobs:
BAZEL_CI_CONFIG: "--config=systest --repository_cache=/cache/bazel"
BAZEL_EXTRA_ARGS: "--keep_going --test_timeout=7200 --test_env=OLD_VERSION=${{ matrix.version }}"
BUILDEVENT_APIKEY: ${{ secrets.HONEYCOMB_TOKEN }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- # runs only if previous step succeeded or failed;
# we avoid collecting artifacts of jobs that were cancelled
if: success() || failure()
uses: actions/upload-artifact@v4
name: Upload bazel bep for version ${{ matrix.version }}
with:
retention-days: 14
if-no-files-found: ignore
compression-level: 9
path: |
bazel-bep.pb.gpg
profile.json
name: ${{ github.job }}-${{ matrix.version }}-bep