Script run stage

[ffjlabo]

What this PR does / why we need it:

Implement SCRIPT_RUN stage to execute any command on the pipeline.
First, this PR is for just executing commands, not considered for rollbacking.

Which issue(s) this PR fixes:

Part of #4643

Does this PR introduce a user-facing change?:
yes

• How are users affected by this change:
  • User can execute any command on the pipeline.

[codecov]

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (a47b2f2) 30.83% compared to head (b198ecc) 30.80%.

Files	Patch %	Lines
pkg/config/application.go	50.00%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4720      +/-   ##
==========================================
- Coverage   30.83%   30.80%   -0.04%     
==========================================
  Files         221      221              
  Lines       26005    26015      +10     
==========================================
- Hits         8018     8013       -5     
- Misses      17337    17352      +15     
  Partials      650      650              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ffjlabo]

/review

[github-actions]

PR Analysis

Main theme

Enhancement

PR summary

The PR introduces a new stage for running arbitrary scripts. This change enables SCRIPT_RUN as a new stage option in PipeCD's deployment pipeline configurations.

Type of PR

Enhancement

PR Feedback:

General suggestions

This enhancement is useful as it provides users with a flexible mechanism for running custom scripts during deployments. However, it's crucial to ensure the execution of arbitrary scripts does not compromise security or stability. Take care to manage environment variables and consider validation or sanitation of the scripts if necessary.

Code feedback

• relevant file: pkg/app/piped/executor/scriptrun/scriptrun.go
  suggestion: |-
  Ensure the command execution is error-checked to provide a detailed cause of failure. The error returned from cmd.Run() should be logged to aid in diagnosis of failed script executions. [important]
  relevant line: + if err := cmd.Run(); err != nil {

• relevant file: pkg/app/piped/executor/scriptrun/scriptrun.go
  suggestion: |-
  The RollbackExecutor is not yet implemented. Consider adding implementation for rollback scenarios or remove this placeholder if the rollback is not applicable for script execution. [medium]
  relevant line: +func (e *RollbackExecutor) Execute(sig executor.StopSignal) model.StageStatus {

Security concerns:

yes

Executing arbitrary scripts can be a security risk, especially if the script content is sourced from an untrusted input or manipulated before execution. Although the scripts seem to be specified in stage configurations, which may be from controlled sources (e.g., git repositories), it is important to ensure they are not susceptible to injection attacks and that proper measures, like sanitation and permissions checks, are in place for both the contents of the scripts and the environment variables used within them.

[ffjlabo]

It works like this :)↓

apiVersion: pipecd.dev/v1beta1
kind: KubernetesApp
spec:
  name: canary
  labels:
    env: example
    team: product
  pipeline:
    stages:
      # Deploy the workloads of CANARY variant. In this case, the number of
      # workload replicas of CANARY variant is 10% of the replicas number of PRIMARY variant.
      - name: K8S_CANARY_ROLLOUT
        with:
          replicas: 10%
      # Wait 10 seconds before going to the next stage.
      - name: WAIT
        with:
          duration: 10s
      # Update the workload of PRIMARY variant to the new version.
      - name: K8S_PRIMARY_ROLLOUT
      # Destroy all workloads of CANARY variant.
      - name: K8S_CANARY_CLEAN
      - name: SCRIPT_RUN
        with:
          env:
            MSG: "Hello from script_run"
          run: |
            echo $MSG
            kubectl get all
  description: |
    This app demonstrates how to deploy a Kubernetes app by Canary strategy without requering any mesh.\
    References: [adding a new app](https://pipecd.dev/docs/user-guide/managing-application/adding-an-application/), [app configuration](https://pipecd.dev/docs/user-guide/configuration-reference/)

[khanhtc1202]

Use stage failed, and print out unimplemented in stage log instead, or this will block the deployment forever 🤔

[ffjlabo]

fixed on 2594710 🙏

[khanhtc1202]

What do we want here? I don't see any kinds here 👀

[ffjlabo]

b1e6555
Sorry this comment is meaningless 🙏 so deleted

[ffjlabo]

I fixed the implementation like custom sync :)
https://github.com/pipe-cd/pipecd/blob/master/pkg/app/piped/executor/customsync/customsync.go#L55
92c6dd9

I will implement the rollback on another PR 🙏

[khanhtc1202]

Nice, thank you 🚀

[khanhtc1202]

@ffjlabo Please sign-off the commit 👀

[ffjlabo]

@khanhtc1202 oops, sorry 🙏 signed!

[khanhtc1202]

🚀

[ffjlabo]

Also, I will create docs for it on another PR:)

[t-kikuc]

🚀

[ffjlabo]

The stage works with multiple script run stage 👍