zulip/.github/workflows/production-suite.yml

name: Zulip Production Suite

on:
  push:
    paths:
      - "**/migrations/**"
      - puppet/**
      - requirements/**
      - scripts/**
      - static/**
      - tools/**
      - zproject/**
      - yarn.lock
      - .github/workflows/production-suite.yml
  pull_request:
    paths:
      - "**/migrations/**"
      - puppet/**
      - requirements/**
      - scripts/**
      - static/**
      - tools/**
      - zproject/**
      - yarn.lock
      - .github/workflows/production-suite.yml

defaults:
  run:
    shell: bash

jobs:
  production_build:
    name: Bionic Production Build
    runs-on: ubuntu-latest

    # This docker image was created by a generated Dockerfile at:
    #   tools/ci/images/bionic/Dockerfile
    # Bionic ships with Python 3.6.
    container: mepriyank/actions:bionic
    steps:
      - name: Add required permissions
        run: |
          # The checkout actions doesn't clone to ~/zulip or allow
          # us to use the path option to clone outside the current
          # /__w/zulip/zulip directory. Since this directory is owned
          # by root we need to change it's ownership to allow the
          # github user to clone the code here.
          # Note: /__w/ is a docker volume mounted to $GITHUB_WORKSPACE
          # which is /home/runner/work/.
          sudo chown -R github .

          # This is the GitHub Actions specific cache directory the
          # the current github user must be able to access for the
          # cache action to work. It is owned by root currently.
          sudo chmod -R 0777 /__w/_temp/

      - uses: actions/checkout@v2

      - name: Create cache directories
        run: |
          dirs=(/srv/zulip-{npm,venv,emoji}-cache)
          sudo mkdir -p "${dirs[@]}"
          sudo chown -R github "${dirs[@]}"

      - name: Restore node_modules cache
        uses: actions/cache@v2
        with:
          path: /srv/zulip-npm-cache
          key: v1-yarn-deps-${{ github.job }}-${{ hashFiles('package.json') }}-${{ hashFiles('yarn.lock') }}
          restore-keys: v1-yarn-deps-${{ github.job }}

      - name: Restore python cache
        uses: actions/cache@v2
        with:
          path: /srv/zulip-venv-cache
          key: v1-venv-${{ github.job }}-${{ hashFiles('requirements/thumbor-dev.txt') }}-${{ hashFiles('requirements/dev.txt') }}
          restore-keys: v1-venv-${{ github.job }}

      - name: Restore emoji cache
        uses: actions/cache@v2
        with:
          path: /srv/zulip-emoji-cache
          key: v1-emoji-${{ github.job }}-${{ hashFiles('tools/setup/emoji/emoji_map.json') }}-${{ hashFiles('tools/setup/emoji/build_emoji') }}-${{ hashFiles('tools/setup/emoji/emoji_setup_utils.py') }}-${{ hashFiles('tools/setup/emoji/emoji_names.py') }}-${{ hashFiles('package.json') }}
          restore-keys: v1-emoji-${{ github.job }}

      - name: Do Bionic hack
        run: |
          # Temporary hack till `sudo service redis-server start` gets fixes in Bionic. See
          # https://chat.zulip.org/#narrow/stream/3-backend/topic/Ubuntu.20bionic.20CircleCI
          sudo sed -i '/^bind/s/bind.*/bind 0.0.0.0/' /etc/redis/redis.conf

      - name: Build production tarball
        run: mispipe "./tools/ci/production-build 2>&1" ts

      - name: Upload production build artifacts for install jobs
        uses: actions/upload-artifact@v2
        with:
          name: production-tarball
          path: /tmp/production-build

  production_install:
    strategy:
      fail-fast: false
      matrix:
        include:
          - docker_image: mepriyank/actions:bionic
            name: Bionic Production Install
            is_bionic: true
            os: bionic

          - docker_image: mepriyank/actions:focal
            name: Focal Production Install
            is_focal: true
            os: focal

    name: ${{ matrix.name  }}
    container: ${{ matrix.docker_image }}
    runs-on: ubuntu-latest
    needs: production_build

    steps:
      - name: Download built production tarball
        uses: actions/download-artifact@v2
        with:
          name: production-tarball
          path: /tmp

      - name: Add required permissions and setup
        run: |
          # This is the GitHub Actions specific cache directory the
          # the current github user must be able to access for the
          # cache action to work. It is owned by root currently.
          sudo chmod -R 0777 /__w/_temp/

          # Create the zulip directory that the tools/ci/ scripts needs
          mkdir -p /home/github/zulip

          # Since actions/download-artifact@v2 loses all the permissions
          # of the tarball uploaded by the upload artifact fix those.
          chmod +x /tmp/production-extract-tarball
          chmod +x /tmp/production-upgrade-pg
          chmod +x /tmp/production-install
          chmod +x /tmp/production-verify

      - name: Create cache directories
        run: |
          dirs=(/srv/zulip-{npm,venv,emoji}-cache)
          sudo mkdir -p "${dirs[@]}"
          sudo chown -R github "${dirs[@]}"

      - name: Restore node_modules cache
        uses: actions/cache@v2
        with:
          path: /srv/zulip-npm-cache
          key: v1-yarn-deps-${{ matrix.os }}-${{ hashFiles('package.json') }}-${{ hashFiles('yarn.lock') }}
          restore-keys: v1-yarn-deps-${{ matrix.os }}

      - name: Do Bionic hack
        if: ${{ matrix.is_bionic }}
        run: |
          # Temporary hack till `sudo service redis-server start` gets fixes in Bionic. See
          # https://chat.zulip.org/#narrow/stream/3-backend/topic/Ubuntu.20bionic.20CircleCI
          sudo sed -i '/^bind/s/bind.*/bind 0.0.0.0/' /etc/redis/redis.conf

      - name: Production extract tarball
        run: mispipe "/tmp/production-extract-tarball 2>&1" ts

      - name: Install production
        run: |
          sudo service rabbitmq-server restart
          sudo mispipe "/tmp/production-install 2>&1" ts

      - name: Verify install
        run: sudo mispipe "/tmp/production-verify 2>&1" ts

      - name: Upgrade postgresql
        if: ${{ matrix.is_bionic }}
        run: sudo mispipe "/tmp/production-upgrade-pg 2>&1" ts

      - name: Verify install after upgrading postgresql
        if: ${{ matrix.is_bionic }}
        run: sudo mispipe "/tmp/production-verify 2>&1" ts
github-actions: Add bionic production build job. All the steps are same from circleci except two steps: 1. The 'Add permissions ...' step is Actions specific as explained in comments. 2. The step that used upload-artifacts is Actions verison of presist_to_workspace. Finally, I should note the duplication in this and zulip-ci workflow. There are three reason this is not a problem: 1. It will be messy to mush this into zulip-ci workflow only for benefit of un-duplicating the env and cache restore steps. 2. We needs this on its own workflow if we want to only run it when production related dependencies are updated. 3. I don't see us updating the duplicated steps between both workflow. Circle CI config is prefect example for this; nothing is changed except for adding or updating steps which are not duplicated. 2020-07-08 02:20:01 +02:00			`name: Zulip Production Suite`

			`on:`
			`push:`
github-actions: Only run production suite on production related updates. The production suite will only run if anything under puppet, scripts, and tools or any migrations are updated. The '' glob means it includes subdirectory updates. For migrations all ~5 migrations directories are includes using the /migrations/** pattern. The GitHub Action docs that explain the syntax: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet 2020-07-17 20:27:19 +02:00			`paths:`
			`- "/migrations/"`
			`- puppet/**`
			`- requirements/**`
			`- scripts/**`
			`- static/**`
			`- tools/**`
			`- zproject/**`
			`- yarn.lock`
			`- .github/workflows/production-suite.yml`
github-actions: Add bionic production build job. All the steps are same from circleci except two steps: 1. The 'Add permissions ...' step is Actions specific as explained in comments. 2. The step that used upload-artifacts is Actions verison of presist_to_workspace. Finally, I should note the duplication in this and zulip-ci workflow. There are three reason this is not a problem: 1. It will be messy to mush this into zulip-ci workflow only for benefit of un-duplicating the env and cache restore steps. 2. We needs this on its own workflow if we want to only run it when production related dependencies are updated. 3. I don't see us updating the duplicated steps between both workflow. Circle CI config is prefect example for this; nothing is changed except for adding or updating steps which are not duplicated. 2020-07-08 02:20:01 +02:00			`pull_request:`
github-actions: Only run production suite on production related updates. The production suite will only run if anything under puppet, scripts, and tools or any migrations are updated. The '' glob means it includes subdirectory updates. For migrations all ~5 migrations directories are includes using the /migrations/** pattern. The GitHub Action docs that explain the syntax: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet 2020-07-17 20:27:19 +02:00			`paths:`
			`- "/migrations/"`
			`- puppet/**`
			`- requirements/**`
			`- scripts/**`
			`- static/**`
			`- tools/**`
			`- zproject/**`
			`- yarn.lock`
			`- .github/workflows/production-suite.yml`
github-actions: Add bionic production build job. All the steps are same from circleci except two steps: 1. The 'Add permissions ...' step is Actions specific as explained in comments. 2. The step that used upload-artifacts is Actions verison of presist_to_workspace. Finally, I should note the duplication in this and zulip-ci workflow. There are three reason this is not a problem: 1. It will be messy to mush this into zulip-ci workflow only for benefit of un-duplicating the env and cache restore steps. 2. We needs this on its own workflow if we want to only run it when production related dependencies are updated. 3. I don't see us updating the duplicated steps between both workflow. Circle CI config is prefect example for this; nothing is changed except for adding or updating steps which are not duplicated. 2020-07-08 02:20:01 +02:00
			`defaults:`
			`run:`
			`shell: bash`

			`jobs:`
			`production_build:`
			`name: Bionic Production Build`
			`runs-on: ubuntu-latest`

			`# This docker image was created by a generated Dockerfile at:`
			`# tools/ci/images/bionic/Dockerfile`
			`# Bionic ships with Python 3.6.`
			`container: mepriyank/actions:bionic`
			`steps:`
			`- name: Add required permissions`
			`run: \|`
			`# The checkout actions doesn't clone to ~/zulip or allow`
			`# us to use the path option to clone outside the current`
			`# /__w/zulip/zulip directory. Since this directory is owned`
			`# by root we need to change it's ownership to allow the`
			`# github user to clone the code here.`
			`# Note: /__w/ is a docker volume mounted to $GITHUB_WORKSPACE`
			`# which is /home/runner/work/.`
			`sudo chown -R github .`

			`# This is the GitHub Actions specific cache directory the`
			`# the current github user must be able to access for the`
			`# cache action to work. It is owned by root currently.`
			`sudo chmod -R 0777 /__w/_temp/`

			`- uses: actions/checkout@v2`

			`- name: Create cache directories`
			`run: \|`
			`dirs=(/srv/zulip-{npm,venv,emoji}-cache)`
			`sudo mkdir -p "${dirs[@]}"`
			`sudo chown -R github "${dirs[@]}"`

			`- name: Restore node_modules cache`
			`uses: actions/cache@v2`
			`with:`
			`path: /srv/zulip-npm-cache`
			`key: v1-yarn-deps-${{ github.job }}-${{ hashFiles('package.json') }}-${{ hashFiles('yarn.lock') }}`
			`restore-keys: v1-yarn-deps-${{ github.job }}`

			`- name: Restore python cache`
			`uses: actions/cache@v2`
			`with:`
			`path: /srv/zulip-venv-cache`
			`key: v1-venv-${{ github.job }}-${{ hashFiles('requirements/thumbor-dev.txt') }}-${{ hashFiles('requirements/dev.txt') }}`
			`restore-keys: v1-venv-${{ github.job }}`

			`- name: Restore emoji cache`
			`uses: actions/cache@v2`
			`with:`
			`path: /srv/zulip-emoji-cache`
			`key: v1-emoji-${{ github.job }}-${{ hashFiles('tools/setup/emoji/emoji_map.json') }}-${{ hashFiles('tools/setup/emoji/build_emoji') }}-${{ hashFiles('tools/setup/emoji/emoji_setup_utils.py') }}-${{ hashFiles('tools/setup/emoji/emoji_names.py') }}-${{ hashFiles('package.json') }}`
			`restore-keys: v1-emoji-${{ github.job }}`

			`- name: Do Bionic hack`
			`run: \|`
			# Temporary hack till `sudo service redis-server start` gets fixes in Bionic. See
			`# https://chat.zulip.org/#narrow/stream/3-backend/topic/Ubuntu.20bionic.20CircleCI`
			`sudo sed -i '/^bind/s/bind.*/bind 0.0.0.0/' /etc/redis/redis.conf`

			`- name: Build production tarball`
			`run: mispipe "./tools/ci/production-build 2>&1" ts`

			`- name: Upload production build artifacts for install jobs`
			`uses: actions/upload-artifact@v2`
			`with:`
			`name: production-tarball`
			`path: /tmp/production-build`
github-actions: Add bionic and focal production install jobs. We remove the "Do memcached hack" step from CircleCI when migrating this job because a fix has been made upstream. 2020-07-16 21:34:01 +02:00
			`production_install:`
			`strategy:`
			`fail-fast: false`
			`matrix:`
			`include:`
			`- docker_image: mepriyank/actions:bionic`
			`name: Bionic Production Install`
			`is_bionic: true`
			`os: bionic`

			`- docker_image: mepriyank/actions:focal`
			`name: Focal Production Install`
			`is_focal: true`
			`os: focal`

			`name: ${{ matrix.name }}`
			`container: ${{ matrix.docker_image }}`
			`runs-on: ubuntu-latest`
			`needs: production_build`

			`steps:`
			`- name: Download built production tarball`
			`uses: actions/download-artifact@v2`
			`with:`
			`name: production-tarball`
			`path: /tmp`

			`- name: Add required permissions and setup`
			`run: \|`
			`# This is the GitHub Actions specific cache directory the`
			`# the current github user must be able to access for the`
			`# cache action to work. It is owned by root currently.`
			`sudo chmod -R 0777 /__w/_temp/`

			`# Create the zulip directory that the tools/ci/ scripts needs`
			`mkdir -p /home/github/zulip`

			`# Since actions/download-artifact@v2 loses all the permissions`
			`# of the tarball uploaded by the upload artifact fix those.`
			`chmod +x /tmp/production-extract-tarball`
			`chmod +x /tmp/production-upgrade-pg`
			`chmod +x /tmp/production-install`
			`chmod +x /tmp/production-verify`

			`- name: Create cache directories`
			`run: \|`
			`dirs=(/srv/zulip-{npm,venv,emoji}-cache)`
			`sudo mkdir -p "${dirs[@]}"`
			`sudo chown -R github "${dirs[@]}"`

			`- name: Restore node_modules cache`
			`uses: actions/cache@v2`
			`with:`
			`path: /srv/zulip-npm-cache`
			`key: v1-yarn-deps-${{ matrix.os }}-${{ hashFiles('package.json') }}-${{ hashFiles('yarn.lock') }}`
			`restore-keys: v1-yarn-deps-${{ matrix.os }}`

			`- name: Do Bionic hack`
			`if: ${{ matrix.is_bionic }}`
			`run: \|`
			# Temporary hack till `sudo service redis-server start` gets fixes in Bionic. See
			`# https://chat.zulip.org/#narrow/stream/3-backend/topic/Ubuntu.20bionic.20CircleCI`
			`sudo sed -i '/^bind/s/bind.*/bind 0.0.0.0/' /etc/redis/redis.conf`

			`- name: Production extract tarball`
			`run: mispipe "/tmp/production-extract-tarball 2>&1" ts`

			`- name: Install production`
			`run: \|`
			`sudo service rabbitmq-server restart`
			`sudo mispipe "/tmp/production-install 2>&1" ts`

			`- name: Verify install`
			`run: sudo mispipe "/tmp/production-verify 2>&1" ts`

			`- name: Upgrade postgresql`
			`if: ${{ matrix.is_bionic }}`
			`run: sudo mispipe "/tmp/production-upgrade-pg 2>&1" ts`

			`- name: Verify install after upgrading postgresql`
			`if: ${{ matrix.is_bionic }}`
			`run: sudo mispipe "/tmp/production-verify 2>&1" ts`