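# This file is generated from a template in `ci/templates/`.
# Do not edit it directly.
# Run `bazel run //:ci_workflows` to regenerate it after editing the template.
#
# Reusable workflow: after verifying that the required secret is present, it
# checks out the repository, builds (or pulls from the registry cache) the
# devcontainer image for the requested `arch`, runs the caller's `run`
# commands inside that container, optionally uploads an artifact, and on
# failure hands over to `./.github/actions/debug-and-cancel`.
name: Reusable Workflow for Devcontainer
# example:
#   name: Example job with multiple commands
#   uses: ./.github/workflows/devcontainer.yml
#   # The nested job needs write permissions, which means this job also needs them.
#   permissions:
#     packages: write
#   secrets: inherit
#   with:
#     runs-on: depot-ubuntu-24.04-32
#     run: |
#       # Command 1:
#       bazel build //...
#       # Command 2:
#       bazel test //...
#
# `on` looks like a YAML 1.1 boolean to generic parsers; GitHub's loader
# handles it, so a yamllint `truthy` warning on this key can be ignored.
on:
  workflow_call:
    inputs:
      # Selects the image name that is built/cached (see `env` below) and,
      # for arm64, the sub-folder whose `devcontainer.json` is used.
      arch:
        required: false
        type: string
        default: amd64
      # Forwarded verbatim to `./.github/actions/debug-and-cancel` on failure.
      cancel-workflow-on-failure:
        required: true
        type: boolean
      runs-on:
        required: true
        type: string
      # Shell commands executed inside the devcontainer (see `runCmd`).
      run:
        required: true
        type: string
      # Both must be non-empty for the upload step to run.
      artifact-name:
        required: false
        type: string
      artifact-path:
        required: false
        type: string
  workflow_dispatch:
    inputs:
      arch:
        required: false
        type: string
        default: amd64
      cancel-workflow-on-failure:
        required: true
        type: boolean
      runs-on:
        required: true
        type: string
      run:
        required: true
        type: string
      artifact-name:
        required: false
        type: string
      artifact-path:
        required: false
        type: string
      # Live debug failures using tmate by toggling input parameter
      # 'debug_enabled':
      # https://github.com/mxschmitt/action-tmate#manually-triggered-debug
      # When manually running this workflow:
      # https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow
      # Only defined for manual runs; `workflow_call` callers cannot set it.
      debug_enabled:
        description: "Enable tmate debugging"
        type: boolean
        default: false
env:
  AMD64_IMAGE_NAME: ghcr.io/reboot-dev/mono/workstation
  ARM64_IMAGE_NAME: ghcr.io/reboot-dev/mono/arm64_builder
jobs:
  # Helper job that we run before any other jobs to ensure that we
  # have all of the secrets that we need.
  #
  # Based off of the examples on GitHub at
  # 'https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets'.
  #
  # Secrets only reach this reusable workflow when the caller forwards them
  # (e.g. `secrets: inherit`, as in the example above); this job turns a
  # missing secret into an early, clearly labelled failure.
  check-secrets:
    name: Check Secrets
    runs-on: ubuntu-latest
    # This job only inspects a secret and never uses GITHUB_TOKEN, so it
    # needs no token permissions at all (least privilege).
    permissions: {}
    steps:
      - name: Fail if GCP_REMOTE_CACHE_CREDENTIALS_BASE64 secret is missing
        env:
          secret: ${{ secrets.GCP_REMOTE_CACHE_CREDENTIALS_BASE64 }}
        if: ${{ env.secret == '' }}
        run: echo "Missing secret 'GCP_REMOTE_CACHE_CREDENTIALS_BASE64'"; exit 1
  run:
    name: GitHub-hosted Runner
    needs: check-secrets
    runs-on: ${{ inputs.runs-on }}
    permissions:
      # Enable pushing newly built images to our cache. Listing `packages`
      # explicitly drops every other GITHUB_TOKEN permission for this job.
      packages: write
    steps:
      # ATTENTION: the following steps run on the _runner_, which runs a plain
      # GitHub-provided Ubuntu image. Only the `Run` step (below)
      # executes its commands inside our devcontainer.
      #
      # NOTE(review): every third-party action below is referenced by a
      # mutable tag (`@v4`, `@v2`, `@v0.3`). Pinning to a full commit SHA
      # (`uses: owner/action@<40-hex-commit-sha>  # vX.Y`) makes a step immune
      # to a retagged release; the local `./.github/actions/*` references are
      # already fixed by the checkout itself.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive
          show-progress: false
      # Needed to be able to push the latest Devcontainer image to the
      # registry as a cache.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: ./.github/actions/setup-bazel-remote-cache
        with:
          include-devcontainer-json: "true"
      - name: Run
        uses: devcontainers/ci@v0.3
        env:
          # NOTE: the following environment variables are _not_ passed through
          # to the devcontainer when it runs, but are available ONLY to
          # its `devcontainer.json` (the build step). The
          # `devcontainer.json` forwards some of them on to the runtime
          # environment of the devcontainer, but that is not a given.
          # If you would like to pass environment variables to the
          # run-time of the devcontainer, use the `env` section inside the
          # `with`; see:
          # https://github.com/devcontainers/ci/blob/main/docs/github-action.md#environment-variables
          # NOTE: while there does exist an 'env' input to
          # 'devcontainers/ci', that _only_ changes the environment for
          # the 'runCmd', not for the building and creating of the
          # devcontainer itself. In contrast, this 'env' section also influences
          # the build, as it should.
          GCP_REMOTE_CACHE_CREDENTIALS_BASE64: ${{ secrets.GCP_REMOTE_CACHE_CREDENTIALS_BASE64 }}
          # Tell `devcontainer.json` where to mount the workspace. The default
          # `workspaceMount` would only bind-mount the `subFolder` (the
          # "arm64-builder" subdirectory), not the full repo root. We override
          # it to mount `GITHUB_WORKSPACE` (the full repo root) to a
          # well-known container path. See the `workspaceMount` field in
          # `devcontainer.json` for details.
          WORKSPACE_FOLDER: /workspaces/reboot
        with:
          # The Docker image of the runner will get built based on the
          # `.devcontainer/devcontainer.json`, which in our case means it's
          # mostly based on the `Dockerfile`.
          imageName: ${{ inputs.arch == 'amd64' && env.AMD64_IMAGE_NAME || env.ARM64_IMAGE_NAME }}
          # `latest` is a mutable tag: what it resolves to is whatever was
          # pushed most recently (see `refFilterForPush`).
          imageTag: latest
          # We explicitly use the workstation's Docker image as a
          # cache as we want to try and abstain from doing re-builds
          # of the devcontainer as much as possible.
          #
          # The checked-out `devcontainer.json`/`Dockerfile` decide which
          # build instructions run, but Docker reuses a cached layer whenever
          # the instruction and its parent layer match, so the _contents_ of
          # a reused layer (e.g. the result of a package install) come from
          # whoever last pushed the cache image. The cache is therefore only
          # as trustworthy as write access to that image: pushes happen solely
          # from `main` builds, and `packages: write` on the image name is
          # the permission to audit.
          cacheFrom: ${{ inputs.arch == 'amd64' && env.AMD64_IMAGE_NAME || env.ARM64_IMAGE_NAME }}
          # If (and only if) the build is successful on the 'main' branch (so
          # not when doing a PR to `main`, or when pushing to any other branch),
          # push the newly built image to the registry, thereby updating the
          # cache for future builds by this Action, and for our workstations. We
          # only push from `main` so that we don't push an image that's
          # associated with a PR that may never be approved. A stale or missing
          # cache only costs build _time_; restricting pushes to `main` is what
          # keeps the cached layer _contents_ under review.
          refFilterForPush: refs/heads/main
          subFolder: ${{ inputs.arch == 'arm64' && 'reboot/containers/arm64-builder' || '.' }}
          # Runtime environment for the devcontainer (one KEY=VALUE per line).
          # This is a literal block scalar, so anything written inside it —
          # including `#` lines — becomes part of the value handed to
          # devcontainers/ci; explanatory comments therefore live up here.
          # - GITHUB_TOKEN / GITHUB_ACTOR are propagated so the runCmd can,
          #   e.g., `docker login ghcr.io`. Combined with `packages: write`
          #   above, this means the caller's `run` script can push to the
          #   registry.
          # - EXCLUDE_FLAKY is `true` if the `reboot-release` label is present
          #   on the PR (presumably `false` on events without a
          #   `pull_request` payload — verify if relied upon).
          env: |
            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
            GITHUB_ACTOR=${{ github.actor }}
            EXCLUDE_FLAKY=${{ contains(github.event.pull_request.labels.*.name, 'reboot-release') }}
          # Run the user-specified commands in the devcontainer. `inputs.run`
          # is expanded verbatim into the script (no quoting or escaping),
          # which is intended: the input _is_ the script, not data.
          runCmd: |
            ${{ inputs.run }}
      - name: Upload artifacts (if any)
        if: ${{ inputs.artifact-name != '' && inputs.artifact-path != '' }}
        uses: actions/upload-artifact@v4
        with:
          name: ${{ inputs.artifact-name }}
          path: ${{ inputs.artifact-path }}
      - uses: ./.github/actions/debug-and-cancel
        if: failure()
        with:
          cancel-workflow-on-failure: ${{ inputs.cancel-workflow-on-failure }}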