Update images digests #34067
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
  | name: Build | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: write # This is required for actions/checkout and create release | |
| pull-requests: write | |
| actions: write # This is required for trigger another action which is used by JetBrains integrateion tests | |
| packages: read | |
| on: | |
| pull_request: | |
| types: [ opened, edited ] | |
| push: | |
| workflow_dispatch: | |
| inputs: | |
| recreate_vm: | |
| required: true | |
| type: string | |
| description: "Whether to recreate the VM" | |
| default: "false" | |
| simulate_scheduled_run: | |
| required: false | |
| type: boolean | |
| description: "Simulate a scheduled run" | |
| default: false | |
| schedule: | |
| # Run at midnight UTC every day | |
| # Purpose: This scheduled run performs regular vulnerability scans of the codebase | |
| # and sends notifications to Slack when new critical vulnerabilities are found. | |
| # The scan results are used to maintain security standards and address issues promptly. | |
| - cron: '0 0 * * *' | |
| jobs: | |
| create-runner: | |
| uses: gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main | |
| secrets: | |
| runner_token: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_TOKEN }} | |
| gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }} | |
| concurrency: | |
| group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-create-runner | |
| cancel-in-progress: false | |
| configuration: | |
| name: Configure job parameters | |
| runs-on: ${{ needs.create-runner.outputs.label }} | |
| needs: [ create-runner ] | |
| concurrency: | |
| group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-configuration | |
| cancel-in-progress: true | |
| outputs: | |
| is_main_branch: ${{ (github.head_ref || github.ref) == 'refs/heads/main' }} | |
| is_scheduled_run: ${{ github.event_name == 'schedule' || inputs.simulate_scheduled_run == true }} | |
| version: ${{ steps.branches.outputs.sanitized-branch-name }}-gha.${{github.run_number}} | |
| preview_enable: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft with-preview') || (steps.output.outputs.with_integration_tests != '') }} | |
| preview_name: ${{ github.head_ref || github.ref_name }} | |
| build_no_cache: ${{ contains( steps.pr-details.outputs.pr_body, '[x] leeway-no-cache') }} | |
| build_no_test: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft no-test') }} | |
| with_large_vm: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft with-large-vm') || (steps.output.outputs.with_integration_tests != '') }} | |
| publish_to_npm: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft publish-to-npm') }} | |
| publish_to_jbmp: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft publish-to-jb-marketplace') }} | |
| with_preemptible: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft preemptible') }} | |
| with_dedicated_emulation: ${{ contains( steps.pr-details.outputs.pr_body, '[X] with-dedicated-emulation') }} | |
| analytics: ${{ steps.output.outputs.analytics }} | |
| workspace_feature_flags: ${{ steps.output.outputs.workspace_feature_flags }} | |
| pr_no_diff_skip: ${{ steps.pr-diff.outputs.pr_no_diff_skip }} | |
| with_werft: ${{ steps.output.outputs.with-werft }} | |
| with_integration_tests: ${{ steps.output.outputs.with_integration_tests }} | |
| with_monitoring: ${{ contains( steps.pr-details.outputs.pr_body, '[x] with-monitoring') }} | |
| latest_ide_version: ${{ contains( steps.pr-details.outputs.pr_body, '[x] latest-ide-version=true') }} | |
| leeway_cache_bucket: ${{ steps.output.outputs.leeway_cache_bucket }} | |
| image_repo_base: ${{ steps.output.outputs.image_repo_base }} | |
| pr_number: ${{ steps.pr-details.outputs.number }} | |
| pr_body: ${{ steps.pr-details.outputs.pr_body }} | |
| steps: | |
| - name: "Determine Branch" | |
| id: branches | |
| uses: transferwise/sanitize-branch-name@v1 | |
| # Since we trigger this worklow on other event types, besides pull_request | |
| # We use this action to help us get the pr body, as it's not included in push/workflow_dispatch events | |
| - uses: 8BitJonny/[email protected] | |
| id: pr-details | |
| with: | |
| sha: ${{ github.event.pull_request.head.sha }} | |
| # If the PR got edited, but no checkbox changes occurred, we don't want to run the whole build | |
| # Therefore we set a flag and use it to skip the next jobs | |
| - name: "Check PR diff" | |
| id: pr-diff | |
| if: (github.event_name == 'pull_request' && github.event.action == 'edited') | |
| env: | |
| PR_DESC: "${{ steps.pr-details.outputs.pr_body }}" | |
| OLD_BODY: "${{ github.event.changes.body.from }}" | |
| run: | | |
| if ! diff <(echo "$OLD_BODY") <(echo "$PR_DESC") | grep -e '\[x\]' -e '\[X\]'; then | |
| echo "pr_no_diff_skip=true" >> $GITHUB_OUTPUT | |
| fi | |
| - name: "Set outputs" | |
| id: output | |
| env: | |
| PR_DESC: "${{ steps.pr-details.outputs.pr_body }}" | |
| MAIN_BRANCH: ${{ (github.head_ref || github.ref) == 'refs/heads/main' }} | |
| shell: bash | |
| run: | | |
| { | |
| echo "workspace_feature_flags=$(echo "$PR_DESC" | grep -oiP '(?<=\[x\] workspace-feature-flags=).*?(?=\s*$)')" | |
| echo "with_integration_tests=$(echo "$PR_DESC" | grep -oiP '(?<=\[x\] with-integration-tests=).*?(?=\s*$)')" | |
| echo "analytics=$(echo "$PR_DESC" | grep -oiP '(?<=\[x\] analytics=).*?(?=\s*$)')" | |
| echo "leeway_cache_bucket=$([[ "$MAIN_BRANCH" = "true" ]] && echo "leeway-cache-main-c514a01" || echo "leeway-cache-dev-3ac8ef5")" | |
| echo "image_repo_base=$([[ "$MAIN_BRANCH" = "true" ]] && echo "eu.gcr.io/gitpod-core-dev" || echo "eu.gcr.io/gitpod-dev-artifact")" | |
| } >> $GITHUB_OUTPUT | |
| build-previewctl: | |
| name: Build previewctl | |
| if: | | |
| (needs.configuration.outputs.pr_no_diff_skip != 'true') && | |
| (needs.configuration.outputs.preview_enable == 'true') && | |
| (needs.configuration.outputs.is_scheduled_run != 'true') | |
| needs: [ configuration, create-runner ] | |
| concurrency: | |
| group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-build-previewctl | |
| cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }} | |
| runs-on: ${{ needs.create-runner.outputs.label }} | |
| container: | |
| image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.33389 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Environment | |
| uses: ./.github/actions/setup-environment | |
| with: | |
| identity_provider: ${{ github.ref == 'refs/heads/main' && secrets.CORE_DEV_PROVIDER || secrets.DEV_PREVIEW_PROVIDER }} | |
| service_account: ${{ github.ref == 'refs/heads/main' && secrets.CORE_DEV_SA || secrets.DEV_PREVIEW_SA }} | |
| leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }} | |
| - name: Build previewctl | |
| id: build | |
| shell: bash | |
| env: | |
| LEEWAY_REMOTE_CACHE_BUCKET: ${{needs.configuration.outputs.leeway_cache_bucket}} | |
| run: | | |
| leeway build dev/preview/previewctl:cli --cache remote | |
| infrastructure: | |
| needs: [ configuration, build-previewctl, create-runner ] | |
| if: | | |
| (needs.configuration.outputs.pr_no_diff_skip != 'true') && | |
| (needs.configuration.outputs.preview_enable == 'true') && | |
| (needs.configuration.outputs.is_main_branch != 'true') && | |
| (needs.configuration.outputs.is_scheduled_run != 'true') | |
| runs-on: ${{ needs.create-runner.outputs.label }} | |
| concurrency: | |
| group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure | |
| cancel-in-progress: true | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Environment | |
| uses: ./.github/actions/setup-environment | |
| with: | |
| identity_provider: ${{ secrets.DEV_PREVIEW_PROVIDER }} | |
| service_account: ${{ secrets.DEV_PREVIEW_SA }} | |
| leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }} | |
| - name: Create preview environment infrastructure | |
| id: create | |
| uses: ./.github/actions/preview-create | |
| with: | |
| name: ${{ needs.configuration.outputs.preview_name }} | |
| previewctl_hash: ${{ needs.build-previewctl.outputs.previewctl_hash }} | |
| large_vm: ${{ needs.configuration.outputs.with_large_vm }} | |
| preemptible: ${{ needs.configuration.outputs.with_preemptible }} | |
| recreate_vm: ${{ inputs.recreate_vm }} | |
| image_repo_base: ${{needs.configuration.outputs.image_repo_base}}/build | |
| build-gitpod: | |
| name: Build Gitpod | |
| needs: [ configuration, create-runner ] | |
| runs-on: ${{ needs.create-runner.outputs.label }} | |
| outputs: | |
| affected_packages: ${{ steps.check_vulnerabilities.outputs.affected_packages }} | |
| concurrency: | |
| group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-build-gitpod | |
| cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }} | |
| services: | |
| mysql: | |
| image: bitnamilegacy/mysql:8.0.33-debian-11-r24 | |
| env: | |
| MYSQL_ROOT_PASSWORD: test | |
| #MYSQL_TCP_PORT: 23306 bitnamilegacy/mysql does not honor this, but has it's own: | |
| MYSQL_PORT_NUMBER: 23306 | |
| MYSQL_AUTHENTICATION_PLUGIN: mysql_native_password | |
| ports: | |
| - 23306:23306 | |
| redis: | |
| image: redis | |
| ports: | |
| - 6379:6379 | |
| container: | |
| image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.33389 | |
| env: | |
| DB_HOST: "mysql" | |
| DB_PORT: "23306" | |
| REDIS_HOST: "redis" | |
| # GitHub action + MySQL 8.0 need longer to initialize | |
| DB_RETRIES: 5 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/setup-environment | |
| with: | |
| identity_provider: ${{ github.ref == 'refs/heads/main' && secrets.CORE_DEV_PROVIDER || secrets.DEV_PREVIEW_PROVIDER }} | |
| service_account: ${{ github.ref == 'refs/heads/main' && secrets.CORE_DEV_SA || secrets.DEV_PREVIEW_SA }} | |
| leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }} | |
| - name: Leeway Vet | |
| shell: bash | |
| run: | | |
| leeway vet --ignore-warnings | |
| - name: Pre-Commit Checks | |
| shell: bash | |
| run: | | |
| RESULT=0 | |
| pre-commit run --show-diff-on-failure || RESULT=$? | |
| if [ $RESULT -ne 0 ]; then | |
| echo "::error title=The Pre-Commit Checks Failed.::Please run 'pre-commit run --show-diff-on-failure'" | |
| fi | |
| exit "$RESULT" | |
| - name: Dev Build | |
| id: dev-build | |
| env: | |
| JAVA_HOME: /home/gitpod/.sdkman/candidates/java/current | |
| VERSION: ${{needs.configuration.outputs.version}} | |
| LEEWAY_REMOTE_CACHE_BUCKET: ${{needs.configuration.outputs.leeway_cache_bucket}} | |
| IMAGE_REPO_BASE: ${{needs.configuration.outputs.image_repo_base}}/dev | |
| shell: bash | |
| run: | | |
| RESULT=0 | |
| set -x | |
| leeway build dev:all \ | |
| --docker-build-options network=host \ | |
| --cache remote \ | |
| -Dversion=$VERSION \ | |
| -DlocalAppVersion=$VERSION \ | |
| -DimageRepoBase=$IMAGE_REPO_BASE \ | |
| --report large-report.html || RESULT=$? | |
| set +x | |
| # capture logs for the dev/image build, they're too big for GITHUB_STEP_SUMMARY | |
| pup -p -f large-report.html '[id="dev/image:docker"] + details + details' > remove.txt | |
| # remove logs for the dev/image build output from the report file | |
| grep -vxFf remove.txt large-report.html > report.html | |
| cat report.html >> $GITHUB_STEP_SUMMARY | |
| exit $RESULT | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Leeway Build | |
| id: leeway | |
| shell: bash | |
| env: | |
| NODE_OPTIONS: "--max_old_space_size=4096" | |
| JAVA_HOME: /home/gitpod/.sdkman/candidates/java/current | |
| VERSION: ${{needs.configuration.outputs.version}} | |
| PR_NO_CACHE: ${{needs.configuration.outputs.build_no_cache}} | |
| PR_NO_TEST: ${{needs.configuration.outputs.build_no_test}} | |
| NPM_AUTH_TOKEN: "${{ secrets.NPM_AUTH_TOKEN }}" | |
| PUBLISH_TO_NPM: ${{ needs.configuration.outputs.publish_to_npm == 'true' || needs.configuration.outputs.is_main_branch == 'true' }} | |
| JB_MARKETPLACE_PUBLISH_TOKEN: "${{ secrets.JB_MARKETPLACE_PUBLISH_TOKEN }}" | |
| PUBLISH_TO_JBPM: ${{ needs.configuration.outputs.publish_to_jbmp == 'true' || needs.configuration.outputs.is_main_branch == 'true' }} | |
| CODECOV_TOKEN: "${{ secrets.CODECOV_TOKEN }}" | |
| LEEWAY_REMOTE_CACHE_BUCKET: ${{needs.configuration.outputs.leeway_cache_bucket}} | |
| IMAGE_REPO_BASE: ${{needs.configuration.outputs.image_repo_base}}/build | |
| # SCM tokens for integration tests | |
| GITPOD_TEST_TOKEN_BITBUCKET: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET }}" | |
| GITPOD_TEST_TOKEN_BITBUCKET_SERVER: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET_SERVER }}" | |
| GITPOD_TEST_TOKEN_BITBUCKET_SERVER_WRITE: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET_SERVER_WRITE }}" | |
| GITPOD_TEST_TOKEN_BITBUCKET_SERVER_READ: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET_SERVER_READ }}" | |
| GITPOD_TEST_TOKEN_GITHUB: "${{ secrets.GITPOD_TEST_TOKEN_GITHUB }}" | |
| GITPOD_TEST_TOKEN_GITLAB: "${{ secrets.GITPOD_TEST_TOKEN_GITLAB }}" | |
| GITPOD_TEST_TOKEN_AZURE_DEVOPS: "${{ secrets.GITPOD_TEST_TOKEN_AZURE_DEVOPS }}" | |
| run: | | |
| [[ "$PR_NO_CACHE" = "true" ]] && CACHE="none" || CACHE="remote" | |
| [[ "$PR_NO_TEST" = "true" ]] && TEST="--dont-test" || TEST="" | |
| [[ "${PUBLISH_TO_NPM}" = 'true' ]] && NPM_PUBLISH_TRIGGER=$(date +%s%3N) || NPM_PUBLISH_TRIGGER="false" | |
| RESULT=0 | |
| set -x | |
| # CI=true is a var set by GHA. Unsetting it for the build, as yarn builds treat warnings as errors if that var is set to true | |
| CI= leeway build \ | |
| --cache $CACHE \ | |
| $TEST \ | |
| -Dversion=$VERSION \ | |
| --docker-build-options network=host \ | |
| --max-concurrent-tasks 1 \ | |
| -DlocalAppVersion=$VERSION \ | |
| -DpublishToNPM="${PUBLISH_TO_NPM}" \ | |
| -DnpmPublishTrigger="${NPM_PUBLISH_TRIGGER}" \ | |
| -DpublishToJBMarketplace="${PUBLISH_TO_JBPM}" \ | |
| -DimageRepoBase=$IMAGE_REPO_BASE \ | |
| --report report.html || RESULT=$? | |
| set +x | |
| cat report.html >> $GITHUB_STEP_SUMMARY | |
| SUMMARY_SIZE=$(wc -c < $GITHUB_STEP_SUMMARY) | |
| if [[ $SUMMARY_SIZE -gt 1000000 ]]; then | |
| head -c 1000000 $GITHUB_STEP_SUMMARY > $GITHUB_STEP_SUMMARY.tmp | |
| mv $GITHUB_STEP_SUMMARY.tmp $GITHUB_STEP_SUMMARY | |
| ( | |
| echo '.....' | |
| echo '' | |
| echo ':x: **WARNING: Summary is too large and has been truncated.**' | |
| echo '' | |
| ) >> $GITHUB_STEP_SUMMARY | |
| fi | |
| exit $RESULT | |
| - name: Tag the release | |
| if: github.ref == 'refs/heads/main' && needs.configuration.outputs.is_scheduled_run != 'true' | |
| run: | | |
| git config --global user.name $GITHUB_USER | |
| git config --global user.email $GITHUB_EMAIL | |
| git tag -a ${VERSION} -m "Release ${VERSION}" | |
| git push origin ${VERSION} | |
| env: | |
| GITHUB_USER: roboquat | |
| GITHUB_EMAIL: [email protected] | |
| VERSION: ${{ needs.configuration.outputs.version }} | |
| - name: Scan for Vulnerabilities | |
| id: scan | |
| shell: bash | |
| env: | |
| VERSION: ${{needs.configuration.outputs.version}} | |
| PUBLISH_TO_NPM: ${{ needs.configuration.outputs.publish_to_npm == 'true' || needs.configuration.outputs.is_main_branch == 'true' }} | |
| PUBLISH_TO_JBPM: ${{ needs.configuration.outputs.publish_to_jbmp == 'true' || needs.configuration.outputs.is_main_branch == 'true' }} | |
| LEEWAY_REMOTE_CACHE_BUCKET: ${{needs.configuration.outputs.leeway_cache_bucket}} | |
| IMAGE_REPO_BASE: ${{needs.configuration.outputs.image_repo_base}}/build | |
| run: | | |
| [[ "$PR_NO_CACHE" = "true" ]] && CACHE="none" || CACHE="remote" | |
| [[ "$PR_NO_TEST" = "true" ]] && TEST="--dont-test" || TEST="" | |
| [[ "${PUBLISH_TO_NPM}" = 'true' ]] && NPM_PUBLISH_TRIGGER=$(date +%s%3N) || NPM_PUBLISH_TRIGGER="false" | |
| sboms_dir=$(mktemp -d) | |
| CI= leeway sbom export components:needs-vuln-scan --with-dependencies --output-dir "$sboms_dir" \ | |
| -Dversion=$VERSION \ | |
| --docker-build-options network=host \ | |
| --max-concurrent-tasks 1 \ | |
| -DlocalAppVersion=$VERSION \ | |
| -DpublishToNPM="${PUBLISH_TO_NPM}" \ | |
| -DnpmPublishTrigger="${NPM_PUBLISH_TRIGGER}" \ | |
| -DpublishToJBMarketplace="${PUBLISH_TO_JBPM}" \ | |
| -DimageRepoBase=$IMAGE_REPO_BASE | |
| scans_dir=$(mktemp -d) | |
| CI= leeway sbom scan components:needs-vuln-scan --with-dependencies --output-dir "$scans_dir" \ | |
| -Dversion=$VERSION \ | |
| --docker-build-options network=host \ | |
| --max-concurrent-tasks 1 \ | |
| -DlocalAppVersion=$VERSION \ | |
| -DpublishToNPM="${PUBLISH_TO_NPM}" \ | |
| -DnpmPublishTrigger="${NPM_PUBLISH_TRIGGER}" \ | |
| -DpublishToJBMarketplace="${PUBLISH_TO_JBPM}" \ | |
| -DimageRepoBase=$IMAGE_REPO_BASE || RESULT=$? | |
| { | |
| echo "leeway_sboms_dir=$sboms_dir" | |
| echo "leeway_vulnerability_reports_dir=$scans_dir" | |
| } >> $GITHUB_OUTPUT | |
| cat "$scans_dir/vulnerability-summary.md" >> $GITHUB_STEP_SUMMARY | |
| exit $RESULT | |
| - name: Check for Critical Vulnerabilities | |
| if: needs.configuration.outputs.is_scheduled_run == 'true' | |
| id: check_vulnerabilities | |
| shell: bash | |
| run: | | |
| # Parse vulnerability-stats.json from the scans directory | |
| CRITICAL_PACKAGES=$(jq -r '.[] | select(.critical > 0) | "\(.name): \(.critical) critical vulnerabilities"' "${{ steps.scan.outputs.leeway_vulnerability_reports_dir }}/vulnerability-stats.json") | |
| # If there are critical packages, list them and fail the build | |
| if [ -n "$CRITICAL_PACKAGES" ]; then | |
| echo "::error::Critical vulnerabilities found in the following packages:" | |
| echo "$CRITICAL_PACKAGES" | tee -a $GITHUB_STEP_SUMMARY | |
| echo "affected_packages<<EOF" >> $GITHUB_OUTPUT | |
| echo "$CRITICAL_PACKAGES" >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| exit 1 | |
| else | |
| echo "No critical vulnerabilities found." | |
| fi | |
| - name: Upload SBOMs | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sboms | |
| path: ${{ steps.scan.outputs.leeway_sboms_dir }} | |
| - name: Upload vulnerability reports | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: vulnerability-reports | |
| path: ${{ steps.scan.outputs.leeway_vulnerability_reports_dir }} | |
| install-app: | |
| runs-on: ${{ needs.create-runner.outputs.label }} | |
| needs: [ configuration, build-gitpod, create-runner ] | |
| if: ${{ needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true' }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| env: [ staging, production ] | |
| steps: | |
| - uses: gitpod-io/[email protected] | |
| id: auth | |
| with: | |
| private-key: ${{ secrets.ACTIONS_APP_PKEY }} | |
| app-id: 308947 | |
| installation-id: 35574470 | |
| - name: trigger installation | |
| uses: actions/github-script@v6 | |
| with: | |
| github-token: ${{ steps.auth.outputs.token }} | |
| script: | | |
| const result = await github.rest.actions.createWorkflowDispatch({ | |
| owner: context.repo.owner, | |
| repo: 'gitpod-dedicated', | |
| workflow_id: 'install-app.yaml', | |
| ref: 'main', | |
| inputs: { | |
| "version": '${{ needs.configuration.outputs.version }}', | |
| "repo": "https://github.com/gitpod-io/gitpod", | |
| "commit": "${{github.sha}}", | |
| "release": "${{ matrix.env }}", | |
| "env": "${{ matrix.env }}" | |
| } | |
| }) | |
| install: | |
| name: "Install Gitpod" | |
| needs: | |
| - configuration | |
| - build-previewctl | |
| - build-gitpod | |
| - infrastructure | |
| - create-runner | |
| if: needs.configuration.outputs.is_scheduled_run != 'true' | |
| runs-on: ${{ needs.create-runner.outputs.label }} | |
| concurrency: | |
| group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install | |
| cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Environment | |
| uses: ./.github/actions/setup-environment | |
| with: | |
| identity_provider: ${{ secrets.DEV_PREVIEW_PROVIDER }} | |
| service_account: ${{ secrets.DEV_PREVIEW_SA }} | |
| leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }} | |
| - name: Deploy Gitpod to the preview environment | |
| id: deploy-gitpod | |
| uses: ./.github/actions/deploy-gitpod | |
| with: | |
| name: ${{ needs.configuration.outputs.preview_name }} | |
| version: ${{needs.configuration.outputs.version}} | |
| with_dedicated_emu: ${{needs.configuration.outputs.with_dedicated_emulation}} | |
| analytics: ${{needs.configuration.outputs.analytics}} | |
| workspace_feature_flags: ${{needs.configuration.outputs.workspace_feature_flags}} | |
| image_repo_base: ${{needs.configuration.outputs.image_repo_base}}/build | |
| - uses: actions/github-script@v6 | |
| if: needs.configuration.outputs.pr_number != '' && contains(needs.configuration.outputs.pr_body, 'gitpod:summary') | |
| with: | |
| script: | | |
| const prNumber = ${{ needs.configuration.outputs.pr_number }}; | |
| const summaryEncoded = `${{ steps.deploy-gitpod.outputs.report }}`; | |
| const summary = Buffer.from(summaryEncoded, 'base64').toString('utf8'); | |
| const { data: pr } = await github.rest.pulls.get({ | |
| ...context.repo, | |
| pull_number: prNumber, | |
| }); | |
| const prBody = pr.body; | |
| const newBody = prBody.replace('gitpod:summary', summary); | |
| await github.rest.pulls.update({ | |
| ...context.repo, | |
| pull_number: prNumber, | |
| body: newBody, | |
| }); | |
| monitoring: | |
| name: "Install Monitoring Satellite" | |
| needs: [ infrastructure, build-previewctl, create-runner ] | |
| runs-on: ${{ needs.create-runner.outputs.label }} | |
| if: needs.configuration.outputs.with_monitoring == 'true' && needs.configuration.outputs.is_scheduled_run != 'true' | |
| concurrency: | |
| group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-monitoring | |
| cancel-in-progress: true | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Environment | |
| uses: ./.github/actions/setup-environment | |
| with: | |
| identity_provider: ${{ secrets.DEV_PREVIEW_PROVIDER }} | |
| service_account: ${{ secrets.DEV_PREVIEW_SA }} | |
| leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }} | |
| - name: Deploy monitoring satellite to the preview environment | |
| id: deploy-monitoring-satellite | |
| uses: ./.github/actions/deploy-monitoring-satellite | |
| with: | |
| previewctl_hash: ${{ needs.build-previewctl.outputs.previewctl_hash }} | |
| image_repo_base: ${{needs.configuration.outputs.image_repo_base}}/build | |
| integration-test: | |
| name: "Run integration test" | |
| needs: | |
| - configuration | |
| - build-previewctl | |
| - build-gitpod | |
| - infrastructure | |
| - install | |
| - create-runner | |
| runs-on: ${{ needs.create-runner.outputs.label }} | |
| container: | |
| image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.33389 | |
| if: needs.configuration.outputs.with_integration_tests != '' && needs.configuration.outputs.is_scheduled_run != 'true' | |
| concurrency: | |
| group: ${{ needs.configuration.outputs.preview_name }}-integration-test | |
| cancel-in-progress: true | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run integration test | |
| id: integration-test | |
| uses: ./.github/actions/integration-tests | |
| with: | |
| preview_name: ${{ needs.configuration.outputs.preview_name }} | |
| test_suite: ${{ needs.configuration.outputs.with_integration_tests }} | |
| notify_slack_webhook: '' | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| latest_ide_version: ${{ needs.configuration.outputs.latest_ide_version }} | |
| test_build_id: ${{ github.run_id }} | |
| test_build_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
| test_build_ref: ${{ github.head_ref || github.ref }} | |
| identity_provider: ${{ secrets.DEV_PREVIEW_PROVIDER }} | |
| service_account: ${{ secrets.DEV_PREVIEW_SA }} | |
| leeway_segment_key: ${{ secrets.LEEWAY_SEGMENT_KEY }} | |
| integration_test_username: ${{ secrets.WORKSPACE_INTEGRATION_TEST_USERNAME }} | |
| integration_test_usertoken: ${{ secrets.WORKSPACE_INTEGRATION_TEST_USER_TOKEN }} | |
| workspace-integration-tests-main: | |
| name: "Run workspace integration tests on main branch" | |
| needs: | |
| - configuration | |
| - build-gitpod | |
| - create-runner | |
| if: needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true' | |
| uses: ./.github/workflows/workspace-integration-tests.yml | |
| with: | |
| version: ${{ needs.configuration.outputs.version }} | |
| secrets: inherit | |
| ide-code-updates: | |
| name: "Run VS Code update jobs on main branch" | |
| needs: | |
| - configuration | |
| - build-gitpod | |
| - create-runner | |
| if: needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true' | |
| uses: ./.github/workflows/code-updates.yml | |
| secrets: inherit | |
| ide-jb-updates: | |
| name: "Run JetBrains update jobs on main branch" | |
| needs: | |
| - configuration | |
| - build-gitpod | |
| - create-runner | |
| if: needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true' | |
| uses: ./.github/workflows/jetbrains-updates.yml | |
| secrets: inherit | |
| notify-scheduled-failure: | |
| name: "Notify on scheduled run failure" | |
| if: needs.configuration.outputs.is_scheduled_run == 'true' && failure() | |
| needs: | |
| - configuration | |
| - build-gitpod | |
| - workspace-integration-tests-main | |
| - ide-code-updates | |
| - ide-jb-updates | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Slack Notification | |
| uses: rtCamp/action-slack-notify@v2 | |
| env: | |
| SLACK_WEBHOOK: ${{ secrets.WORKSPACE_SLACK_WEBHOOK }} | |
| SLACK_ICON_EMOJI: ":x:" | |
| SLACK_USERNAME: "Scheduled Build" | |
| SLACK_COLOR: "danger" | |
| SLACK_MESSAGE: "⚠️ Security Alert: Daily vulnerability scan detected critical vulnerabilities in the following packages:\n${{ needs.build-gitpod.outputs.affected_packages }}" | |
| SLACK_FOOTER: "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Workflow Logs>" | |
| delete-runner: | |
| if: always() | |
| needs: | |
| - create-runner | |
| - configuration | |
| - build-previewctl | |
| - infrastructure | |
| - build-gitpod | |
| - install-app | |
| - install | |
| - monitoring | |
| - integration-test | |
| - notify-scheduled-failure | |
| uses: gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main | |
| secrets: | |
| gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }} | |
| with: | |
| runner-label: ${{ needs.create-runner.outputs.label }} | |
| machine-zone: ${{ needs.create-runner.outputs.machine-zone }} |