Backport of Only use the short persistKeyring timeout for encryption count tracking into release/1.13.x #33424
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| - release/** | |
| concurrency: | |
| group: ${{ github.head_ref || github.run_id }}-build | |
| cancel-in-progress: true | |
| jobs: | |
| # verify-changes determines if the changes are only for docs (website) | |
| verify-changes: | |
| uses: ./.github/workflows/verify_changes.yml | |
| product-metadata: | |
| # do not run build and test steps for docs changes | |
| # Following https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/troubleshooting-required-status-checks#handling-skipped-but-required-checks | |
| # we conditionally skip the build and tests for docs(website) changes | |
| if: | | |
| github.event.pull_request.draft == false && | |
| needs.verify-changes.outputs.is_docs_change == 'false' | |
| runs-on: ubuntu-latest | |
| needs: verify-changes | |
| outputs: | |
| build-date: ${{ steps.get-metadata.outputs.build-date }} | |
| filepath: ${{ steps.generate-metadata-file.outputs.filepath }} | |
| package-name: ${{ steps.get-metadata.outputs.package-name }} | |
| vault-revision: ${{ steps.get-metadata.outputs.vault-revision }} | |
| vault-version: ${{ steps.set-product-version.outputs.product-version }} | |
| vault-version-package: ${{ steps.get-metadata.outputs.vault-version-package }} | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| - name: Ensure Go modules are cached | |
| uses: ./.github/actions/set-up-go | |
| id: set-up-go | |
| with: | |
| github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
| no-restore: true # don't download them on a cache hit | |
| - name: Set Product version | |
| id: set-product-version | |
| uses: hashicorp/actions-set-product-version@v1 | |
| - name: Get metadata | |
| id: get-metadata | |
| env: | |
| VAULT_VERSION: ${{ steps.set-product-version.outputs.product-version }} | |
| run: | | |
| # shellcheck disable=SC2129 | |
| echo "build-date=$(make ci-get-date)" >> "$GITHUB_OUTPUT" | |
| echo "package-name=vault" >> "$GITHUB_OUTPUT" | |
| echo "vault-revision=$(make ci-get-revision)" >> "$GITHUB_OUTPUT" | |
| echo "vault-version-package=$(make ci-get-version-package)" >> "$GITHUB_OUTPUT" | |
| - uses: hashicorp/actions-generate-metadata@v1 | |
| id: generate-metadata-file | |
| with: | |
| version: ${{ steps.set-product-version.outputs.product-version }} | |
| product: ${{ steps.get-metadata.outputs.package-name }} | |
| - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: metadata.json | |
| path: ${{ steps.generate-metadata-file.outputs.filepath }} | |
| if-no-files-found: error | |
| build-ui: | |
| name: UI | |
| runs-on: custom-linux-xl-vault-latest | |
| outputs: | |
| cache-key: ui-${{ steps.ui-hash.outputs.ui-hash }} | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| - name: Get UI hash | |
| id: ui-hash | |
| run: echo "ui-hash=$(git ls-tree HEAD ui --object-only)" >> "$GITHUB_OUTPUT" | |
| - name: Set up UI asset cache | |
| id: cache-ui-assets | |
| uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 | |
| with: | |
| enableCrossOsArchive: true | |
| lookup-only: true | |
| path: http/web_ui | |
| # Only restore the UI asset cache if we haven't modified anything in the ui directory. | |
| # Never do a partial restore of the web_ui if we don't get a cache hit. | |
| key: ui-${{ steps.ui-hash.outputs.ui-hash }} | |
| - if: steps.cache-ui-assets.outputs.cache-hit != 'true' | |
| name: Set up node and yarn | |
| uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 | |
| with: | |
| node-version: 14 | |
| cache: yarn | |
| cache-dependency-path: ui/yarn.lock | |
| - if: steps.cache-ui-assets.outputs.cache-hit != 'true' | |
| name: Build UI | |
| run: make ci-build-ui | |
| build-other: | |
| name: Other | |
| needs: | |
| - product-metadata | |
| - build-ui | |
| strategy: | |
| matrix: | |
| goos: [freebsd, windows, netbsd, openbsd, solaris] | |
| goarch: [386, amd64, arm] | |
| exclude: | |
| - goos: solaris | |
| goarch: 386 | |
| - goos: solaris | |
| goarch: arm | |
| - goos: windows | |
| goarch: arm | |
| fail-fast: true | |
| uses: ./.github/workflows/build-vault-ce.yml | |
| with: | |
| create-packages: false | |
| goarch: ${{ matrix.goarch }} | |
| goos: ${{ matrix.goos }} | |
| go-tags: ui | |
| package-name: ${{ needs.product-metadata.outputs.package-name }} | |
| web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }} | |
| vault-version: ${{ needs.product-metadata.outputs.vault-version }} | |
| secrets: inherit | |
| build-linux: | |
| name: Linux | |
| needs: | |
| - product-metadata | |
| - build-ui | |
| strategy: | |
| matrix: | |
| goos: [linux] | |
| goarch: [arm, arm64, 386, amd64] | |
| fail-fast: true | |
| uses: ./.github/workflows/build-vault-ce.yml | |
| with: | |
| goarch: ${{ matrix.goarch }} | |
| goos: ${{ matrix.goos }} | |
| go-tags: ui | |
| package-name: ${{ needs.product-metadata.outputs.package-name }} | |
| web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }} | |
| vault-version: ${{ needs.product-metadata.outputs.vault-version }} | |
| secrets: inherit | |
| build-darwin: | |
| name: Darwin | |
| needs: | |
| - product-metadata | |
| - build-ui | |
| strategy: | |
| matrix: | |
| goos: [darwin] | |
| goarch: [amd64, arm64] | |
| fail-fast: true | |
| uses: ./.github/workflows/build-vault-ce.yml | |
| with: | |
| create-packages: false | |
| goarch: ${{ matrix.goarch }} | |
| goos: ${{ matrix.goos }} | |
| go-tags: ui | |
| package-name: ${{ needs.product-metadata.outputs.package-name }} | |
| web-ui-cache-key: ${{ needs.build-ui.outputs.cache-key }} | |
| vault-version: ${{ needs.product-metadata.outputs.vault-version }} | |
| secrets: inherit | |
| build-docker: | |
| name: Docker image | |
| needs: | |
| - product-metadata | |
| - build-linux | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| arch: [arm, arm64, 386, amd64] | |
| env: | |
| repo: ${{ github.event.repository.name }} | |
| version: ${{ needs.product-metadata.outputs.vault-version }} | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| - uses: hashicorp/actions-docker-build@v1 | |
| with: | |
| version: ${{ env.version }} | |
| target: default | |
| arch: ${{ matrix.arch }} | |
| zip_artifact_name: vault_${{ env.version }}_linux_${{ matrix.arch }}.zip | |
| tags: | | |
| docker.io/hashicorp/${{ env.repo }}:${{ env.version }} | |
| public.ecr.aws/hashicorp/${{ env.repo }}:${{ env.version }} | |
| build-ubi: | |
| name: UBI image | |
| needs: | |
| - product-metadata | |
| - build-linux | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| arch: [amd64] | |
| env: | |
| repo: ${{ github.event.repository.name }} | |
| version: ${{ needs.product-metadata.outputs.vault-version }} | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| - uses: hashicorp/actions-docker-build@v1 | |
| with: | |
| version: ${{ env.version }} | |
| target: ubi | |
| arch: ${{ matrix.arch }} | |
| zip_artifact_name: vault_${{ env.version }}_linux_${{ matrix.arch }}.zip | |
| # The redhat_tag differs on CE and ENT editions. Be mindful when resolving merge conflicts. | |
| redhat_tag: quay.io/redhat-isv-containers/5f89bb5e0b94cf64cfeb500a:${{ env.version }}-ubi | |
| test: | |
| name: Test ${{ matrix.build-artifact-name }} | |
| needs: | |
| - product-metadata | |
| - build-linux | |
| uses: ./.github/workflows/test-run-enos-scenario-matrix.yml | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - sample-name: build_ce_linux_amd64_deb | |
| build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version-package }}-1_amd64.deb | |
| - sample-name: build_ce_linux_arm64_deb | |
| build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version-package }}-1_arm64.deb | |
| - sample-name: build_ce_linux_amd64_rpm | |
| build-artifact-name: vault-${{ needs.product-metadata.outputs.vault-version-package }}-1.x86_64.rpm | |
| - sample-name: build_ce_linux_arm64_rpm | |
| build-artifact-name: vault-${{ needs.product-metadata.outputs.vault-version-package }}-1.aarch64.rpm | |
| - sample-name: build_ce_linux_amd64_zip | |
| build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_amd64.zip | |
| - sample-name: build_ce_linux_arm64_zip | |
| build-artifact-name: vault_${{ needs.product-metadata.outputs.vault-version }}_linux_arm64.zip | |
| with: | |
| build-artifact-name: ${{ matrix.build-artifact-name }} | |
| sample-max: 1 | |
| sample-name: ${{ matrix.sample-name }} | |
| ssh-key-name: ${{ github.event.repository.name }}-ci-ssh-key | |
| vault-revision: ${{ needs.product-metadata.outputs.vault-revision }} | |
| vault-version: ${{ needs.product-metadata.outputs.vault-version }} | |
| secrets: inherit | |
| test-docker-k8s: | |
| name: Test Docker K8s | |
| needs: | |
| - product-metadata | |
| - build-docker | |
| uses: ./.github/workflows/enos-run-k8s.yml | |
| with: | |
| artifact-build-date: ${{ needs.product-metadata.outputs.build-date }} | |
| artifact-name: ${{ github.event.repository.name }}_default_linux_amd64_${{ needs.product-metadata.outputs.vault-version }}_${{ needs.product-metadata.outputs.vault-revision }}.docker.tar | |
| artifact-revision: ${{ needs.product-metadata.outputs.vault-revision }} | |
| artifact-version: ${{ needs.product-metadata.outputs.vault-version }} | |
| secrets: inherit | |
| report-build-failures: | |
| name: Report Build Failures | |
| needs: | |
| - build-other | |
| - build-linux | |
| - build-darwin | |
| - build-docker | |
| - build-ubi | |
| - test | |
| - test-docker-k8s | |
| if: (success() || failure()) && github.head_ref != '' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| - name: Build Status | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| RUN_ID: ${{ github.run_id }} | |
| REPO: ${{ github.event.repository.name }} | |
| BUILD_OTHER: ${{ needs.build-other.result }} | |
| BUILD_LINUX: ${{ needs.build-linux.result }} | |
| BUILD_DARWIN: ${{ needs.build-darwin.result }} | |
| BUILD_DOCKER: ${{ needs.build-docker.result }} | |
| BUILD_UBI: ${{ needs.build-ubi.result }} | |
| TEST: ${{ needs.test.result }} | |
| TEST_DOCKER_K8S: ${{ needs.test-docker-k8s.result }} | |
| run: ./.github/scripts/report_failed_builds.sh | |
| completed-successfully: | |
| # We force a failure if any of the dependent jobs fail, | |
| # this is a workaround for the issue reported https://github.com/actions/runner/issues/2566 | |
| if: always() | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build-other | |
| - build-linux | |
| - build-darwin | |
| - build-docker | |
| - build-ubi | |
| - test | |
| - test-docker-k8s | |
| steps: | |
| - run: | | |
| tr -d '\n' <<< '${{ toJSON(needs.*.result) }}' | grep -q -v -E '(failure|cancelled)' | |
| notify-completed-successfully-failures-ce: | |
| if: ${{ always() && github.repository == 'hashicorp/vault' && needs.completed-successfully.result == 'failure' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| needs: | |
| - completed-successfully | |
| - build-other | |
| - build-linux | |
| - build-darwin | |
| - build-docker | |
| - build-ubi | |
| - test | |
| - test-docker-k8s | |
| steps: | |
| - name: send-notification | |
| uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 | |
| # We intentionally aren't using the following here since it's from an internal repo | |
| # uses: hashicorp/cloud-gha-slack-notifier@730a033037b8e603adf99ebd3085f0fdfe75e2f4 #v1 | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
| with: | |
| channel-id: "C05AABYEA9Y" # sent to #feed-vault-ci-official, use "C05Q4D5V89W"/test-vault-ci-slack-integration for testing | |
| payload: | | |
| { | |
| "text": "CE build failures on ${{ github.ref_name }}", | |
| "blocks": [ | |
| { | |
| "type": "header", | |
| "text": { | |
| "type": "plain_text", | |
| "text": ":rotating_light: CE build failures on ${{ github.ref_name }} :rotating_light:", | |
| "emoji": true | |
| } | |
| }, | |
| { | |
| "type": "divider" | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "${{ (needs.build-other.result != 'failure' && needs.build-linux.result != 'failure' && needs.build-darwin.result != 'failure' && needs.build-docker.result != 'failure' && needs.build-ubi.result != 'failure') && ':white_check_mark:' || ':x:' }} Build results\n${{ (needs.test.result != 'failure' && needs.test-docker-k8s.result != 'failure') && ':white_check_mark:' || ':x:' }} Enos tests" | |
| }, | |
| "accessory": { | |
| "type": "button", | |
| "text": { | |
| "type": "plain_text", | |
| "text": "View Failing Workflow", | |
| "emoji": true | |
| }, | |
| "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| } | |
| } | |
| ] | |
| } | |
| notify-completed-successfully-failures-ent: | |
| if: ${{ always() && github.repository == 'hashicorp/vault-enterprise' && needs.completed-successfully.result == 'failure' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) }} | |
| runs-on: ['self-hosted', 'linux', 'small'] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| needs: | |
| - completed-successfully | |
| - build-other | |
| - build-linux | |
| - build-darwin | |
| - build-docker | |
| - build-ubi | |
| - test | |
| - test-docker-k8s | |
| steps: | |
| - id: vault-auth | |
| name: Vault Authenticate | |
| run: vault-auth | |
| - id: secrets | |
| name: Fetch Vault Secrets | |
| uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e | |
| with: | |
| url: ${{ steps.vault-auth.outputs.addr }} | |
| caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }} | |
| token: ${{ steps.vault-auth.outputs.token }} | |
| secrets: | | |
| kv/data/github/${{ github.repository }}/github_actions_notifications_bot token | SLACK_BOT_TOKEN; | |
| - name: send-notification | |
| uses: hashicorp/cloud-gha-slack-notifier@730a033037b8e603adf99ebd3085f0fdfe75e2f4 #v1 | |
| with: | |
| channel-id: "C05AABYEA9Y" # sent to #feed-vault-ci-official, use "C05Q4D5V89W"/test-vault-ci-slack-integration for testing | |
| slack-bot-token: ${{ steps.secrets.outputs.SLACK_BOT_TOKEN }} | |
| payload: | | |
| { | |
| "text": "Enterprise build failures on ${{ github.ref_name }}", | |
| "blocks": [ | |
| { | |
| "type": "header", | |
| "text": { | |
| "type": "plain_text", | |
| "text": ":rotating_light: Enterprise build failures on ${{ github.ref_name }} :rotating_light:", | |
| "emoji": true | |
| } | |
| }, | |
| { | |
| "type": "divider" | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "${{ (needs.build-other.result != 'failure' && needs.build-linux.result != 'failure' && needs.build-darwin.result != 'failure' && needs.build-docker.result != 'failure' && needs.build-ubi.result != 'failure') && ':white_check_mark:' || ':x:' }} Build results\n${{ (needs.test.result != 'failure' && needs.test-docker-k8s.result != 'failure') && ':white_check_mark:' || ':x:' }} Enos tests" | |
| }, | |
| "accessory": { | |
| "type": "button", | |
| "text": { | |
| "type": "plain_text", | |
| "text": "View Failing Workflow", | |
| "emoji": true | |
| }, | |
| "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| } | |
| } | |
| ] | |
| } |