Build: Save build artifact and publish release#2633
Build: Save build artifact and publish release#2633mattklein123 merged 11 commits intoenvoyproxy:masterfrom
Conversation
Description: This pull request saves the release binary to circleci artifacts. Additionally adds a release script to create and publish a github release with the linux binary attached to the github release as an asset. Risk Level: low Testing: I manually tested using this github repo: https://github.com/taion809/envoy-build-tests Signed-off-by: Nicholas Johns <nicholas.a.johns5@gmail.com>
Signed-off-by: Nicholas Johns <nicholas.a.johns5@gmail.com>
|
Looks like there is some issue with this on CircleCI. Do you have enough info to debug? |
|
yep, it looks like the initial release step moves the gitconfig file, so we just need to wrap it in a test |
Signed-off-by: Nicholas Johns <nicholas.a.johns5@gmail.com>
ci/do_ci.sh
Outdated
|
|
||
| if [[ -n "${TAG:-}" ]]; then | ||
| ghrelease release --tag "${TAG:-}" --user taion809 --repo envoy-build-tests --name "${TAG:-}" | ||
| ghrelease upload --tag "${TAG:-}" --user taion809 --repo envoy-build-tests --name "envoy-linux-amd64" --file "${ENVOY_SRCDIR}/build_release_stripped/envoy" |
There was a problem hiding this comment.
Does this need to be parameterized somehow to publish to a CNCF user? Looks like this is using your credentials somehow unless I misunderstand it.
There was a problem hiding this comment.
😱
yeah it does, that should have been removed.
Signed-off-by: Nicholas Johns <nicholas.a.johns5@gmail.com>
|
@dnoe Updated, i've also updated the PR description with some prerequisite work |
ci/do_ci.sh
Outdated
| docs/publish.sh | ||
| exit 0 | ||
| elif [[ "$1" == "github_release" ]]; then | ||
| if [[ ! -f "${ENVOY_SRCDIR}/build_release_stripped/envoy" ]]; then |
There was a problem hiding this comment.
Can you move this into a new script ci/publish_github_release.sh? There's a fair bit of logic here that would be easier to understand in isolation. In the new script, can you also add a comment at the top explicitly warning not to set set -x debug, since we can get dangerous leakage of GH creds via CI logs if we don't take this step. This hit us previously in Docker CI image push, see https://github.com/envoyproxy/envoy/blob/master/ci/build_container/docker_push.sh#L3.
ci/do_ci.sh
Outdated
| if [[ ! -f "${ENVOY_SRCDIR}/build_release_stripped/envoy" ]]; then | ||
| echo "could not locate envoy binary at path: ${ENVOY_SRCDIR}/build_release_stripped/envoy" | ||
|
|
||
| # TODO(taion809): discuss whether or not failing to publish to github warrents failing the build itself |
There was a problem hiding this comment.
I think misconfiguration that is this bad, i.e. we're in a completely unexpected environment, should warrant failure via exit 1.
Signed-off-by: Nicholas Johns <nicholas.a.johns5@gmail.com>
taion809
force-pushed
the
feat-add-linux-binaries
branch
from
724ae6e to
442f364
Compare
Signed-off-by: Nicholas Johns <nicholas.a.johns5@gmail.com>
htuch
left a comment
htuch
left a comment
There was a problem hiding this comment.
LGTM, if you can address the TODOs we can ship..
ci/publish_github_release.sh
Outdated
| echo "environment variable GITHUB_TOKEN unset; cannot continue with publishing." | ||
|
|
||
| # TODO(taion809): discuss whether or not failing to publish to github warrents failing the build itself | ||
| exit 0 |
There was a problem hiding this comment.
Yeah, please make these all exit 1, I think if we don't have the expected envs, then something has gone badly wrong and we should be notified early.
Signed-off-by: Nicholas Johns <nicholas.a.johns5@gmail.com>
|
@htuch addressed from the circleci side the environment variables will need to be added prior to cutting a release |
|
@taion809 this is ready to ship when we have the CircleCI changes made. |
|
@taion809 friendly ping. |
| steps: | ||
| - checkout | ||
| - run: ci/do_circle_ci.sh bazel.release | ||
| - run: ci/do_circle_ci.sh github_release |
There was a problem hiding this comment.
I think this will be run on every repository event, resulting in a release created for every merge?
We've historically handled this by adding a check in the script to only publish/release for tag events. Here's an example
There was a problem hiding this comment.
this should be fixed, great catch!
Signed-off-by: Nicholas Johns <nicholas.a.johns5@gmail.com>
taion809
force-pushed
the
feat-add-linux-binaries
branch
from
2fb00b3 to
9ee83f6
Compare
Signed-off-by: Nicholas Johns <nicholas.a.johns5@gmail.com>
ci/publish_github_release.sh
Outdated
| exit 1 | ||
| fi | ||
|
|
||
| if [[ -z "${CIRCLE_TAG:-}" ]]; then |
There was a problem hiding this comment.
I'd move this to be the very first check since this file runs on every build. We should bail early if it's not a tag event rather than failing on unnecessary dependencies
Signed-off-by: Nicholas Johns <nicholas.a.johns5@gmail.com>
ci/publish_github_release.sh
Outdated
| cp /tmp/bin/linux/amd64/github-release /usr/local/bin/ghrelease | ||
| chmod +x /usr/local/bin/ghrelease | ||
|
|
||
| ghrelease release --tag "${CIRCLE_TAG:-}" --name "${CIRCLE_TAG:-}" |
There was a problem hiding this comment.
@taion809 From a cursory look, this appears to create a Github release?
Currently, I think the process is roughly as follows:
- @mattklein123 manually creates a release on Github
- CircleCI receives a webhook with
$CIRCLE_TAGset to the tag e.g. v1.5.0 - Scripts that need to do things on releases, like publish Docker images, check for the existence of
$CIRCLE_TAG.
So I think this needs to be changed to add the binary to the existing Github release, rather than creating a release, otherwise we'll need to revise the release process for Envoy.
releases are done manually today through the github interface so we should only upload a file to the existing release. Signed-off-by: Nicholas Johns <nicholas.a.johns5@gmail.com>
|
LGTM Once merged we'll need to do a test release to validate functionality, cc @mattklein123 |
|
@taion809 waiting for your go-ahead to merge. |
|
@htuch SGTM cc @mattklein123 we need the above env var's in the envoy circleci project before the next release is cut |
|
Assigning to myself to merge this when I'm back. |
|
@taion809 getting back to this. Am I reading this correct that this requires a bot user? Is there any way to do this using a deploy key? |
|
i replied in slack, but for consistency i'll put it here too I'm not sure it's possible with deploy keys, as far as I know deploy keys only give you access to git and not the github api. |
|
OK I made a bot user. I'm going to merge this and then do a test release. |
This reverts commit 19b57d8.
This reverts commit 19b57d8. Signed-off-by: Matt Klein <mklein@lyft.com>
* bump SHA Signed-off-by: Kuat Yessenov <kuat@google.com> * update workspace Signed-off-by: Kuat Yessenov <kuat@google.com> * no RBE Signed-off-by: Kuat Yessenov <kuat@google.com>
Description: As a follow up for PR2568, the PR maps the network_disconnected and quic exception errors. The network_changed error has been removed as this is not relevant to envoymobile. Signed-off-by: Chidera Olibie <colibie@google.com> Signed-off-by: JP Simard <jp@jpsim.com>
Description: As a follow up for PR2568, the PR maps the network_disconnected and quic exception errors. The network_changed error has been removed as this is not relevant to envoymobile. Signed-off-by: Chidera Olibie <colibie@google.com> Signed-off-by: JP Simard <jp@jpsim.com>
5 participants
Description:
This pull request saves the release binary to
circleci artifacts. Additionally adds a release
script to create and publish a github release with
the linux binary attached to the github release as an asset.
A CNCF member will need to:
Risk Level: low
Testing:
I manually tested using this github repo:
https://github.com/taion809/envoy-build-tests
fixes #2095
Signed-off-by: Nicholas Johns nicholas.a.johns5@gmail.com