build: Ephemeral environments for PRs via slash command #13189
Conversation
|
Super excited for this! Thanks for setting this up and the sponsorship! |
|
Thanks for setting this up; it's going to improve the manual testing process vastly. 🙂 |
There was a problem hiding this comment.
Since issue_comment event also has access to all the base repo secrets, would it make sense to bypass the workflow_run step and upload artifacts to ECR in the issue_comment workflow, too?
The built docker image is kind of large, too. I'm wondering whether it's possible to use the latest released apache/superset:master as the base image and build a new image just for ECR? (I'd imagine the saved docker build will only contain the new layers with pip package, python file, and static assets overrides.)
| echo ${{ github.sha }} > ./build/SHA | ||
| echo ${{ github.event.pull_request.number }} > ./build/PR-NUM | ||
| docker build --target ci -t ${{ github.sha }} -t "pr-${{ github.event.pull_request.number }}" . | ||
| docker save ${{ github.sha }} | gzip > ./build/${{ github.sha }}.tar.gz |
There was a problem hiding this comment.
Will it make sense to save the already built image from previously step and rely on file names to get both SHA and PR number?
There was a problem hiding this comment.
Since the --target ci build here is already using the cached layers from the previous builds, there's not much of a gain in using those images directly. We could embed both the PR num and SHA in the filename, but this felt a bit cleaner, and wouldn't save any measurable time in the workflow_run step.
.github/workflows/ephemeral-env.yml
Outdated
| with: | ||
| github-token: ${{secrets.GITHUB_TOKEN}} | ||
| script: | | ||
| const errMsg = 'Ephemeral environment creation is currently limited to committers.' |
There was a problem hiding this comment.
Maybe add a @comment_author here 😉
Ideally, yes, but there's no way (that I've found) for an
Not sure how this would work in a PR context, as the standard docker builds are not pushed to Dockerhub for PRs from forked repos (no secrets access). The current CI (ephemeral env) build is leveraging the cache from the current Docker build process, but agreed that the image size is large. I'm working on getting the overall image size down, but on first pass there's not a whole lot of wasted space here. |
You can potentially get the branch name of the PR first, then find the workflow runs by branch name. I've done that in the superset/scripts/cancel_github_workflows.py Lines 176 to 183 in 2456a2e
I'm not familiar with Docker, but I was imaging if you have a FROM apache/superset:master
# copy latest file contents
...
# re-install dependencies
...
# rebuild assets
...The saved docker image will contain only the additional layers on top of |
Reinstalling dependencies and rebuilding assets would add significant time to the build of the CI image. Running webpack is the most expensive operation in the build. |
|
Apache INFRA ticket: https://issues.apache.org/jira/browse/INFRA-21442 |
|
Secrets have been added by Apache infra. |
|
@robdiciuccio thanks again for improving the process. Do you mind adding a non-technical user friendly tutorial, so our designers and PMs can all benefit from it? 🙏 |
|
@junlincc yes, I'll be adding some documentation once the feature has gone through some testing on the repo (merging this PR is required for testing due to the security model of GitHub Action). |
* First pass at ephemeral env, new Docker ci target * Add service checks, get public IP * Separate issue_comment and workflow_run jobs * Refactor workflows * Adjust comment author association * Checkout code * Fix image name, manage service desired task count * Use merge commit sha * Fix IP output, add failure comment * Refactor comment parsing & env spinup * Check container image publish status * Parse AWS account ID from registry URL * Use PR number rather than variable merge commit SHA for image tag * Fix docker push conditional * Push multiple tags to ECR * Fix comment author check * Refactor comment body check * Provision service with active task to get correct IP * /testenv up * Add @mentions to PR comments, env var cleanup
mistercrunch
added
🏷️ bot
SUMMARY
Github Actions that provide the ability to create an ephemeral environment running a PR's latest merge commit via a command executed via PR comment. The Docker build is run in a virtual environment created via AWS ECS, using the Fargate container runtime. This functionality is sponsored by @preset-io.
pull_requestevents (utilizing the cache from previousdocker buildruns) and saves the build as a workflow artifact.workflow_run) workflow to tag and push the Docker ci image to AWS ECR.issue_comment) workflow to evaluate PR comments for the/testenv upor/testenv downcommands and deploy ECS services accordingly.AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEY. These credentials correspond to an AWS IAM user with appropriate ECS privileges. An Apache INFRA ticket is pending to add these secrets to the repo.Running
/testenv up(and nothing else) will trigger the ephemeral environment creation or update. Note: this functionality is currently restricted to members of the apache Github organization.Security
The enclosed workflows follow Github's security guidelines for builds. Docker images are built via the read-only
pull_requestevent, preventing malicious code from accessing tokens with repo write access.workflow_runandissue_commentprivileged workflows are limited to uploading and interacting with the AWS API, not building or running any of the untrusted code.TEST PLAN
workflow_runandissue_commentworkflows will not run until they are merged tomaster.TODO (in future PRs)
/testenv downcommand to manually shutdown environmentsADDITIONAL INFORMATION