New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: overhaul and release automation #141
ci: overhaul and release automation #141
Conversation
Signed-off-by: K3rnelPan1c <69395733+k3rnelpan1c-dev@users.noreply.github.com>
Signed-off-by: K3rnelPan1c <69395733+k3rnelpan1c-dev@users.noreply.github.com>
Signed-off-by: K3rnelPan1c <69395733+k3rnelpan1c-dev@users.noreply.github.com>
Signed-off-by: K3rnelPan1c <69395733+k3rnelpan1c-dev@users.noreply.github.com>
Signed-off-by: K3rnelPan1c <69395733+k3rnelpan1c-dev@users.noreply.github.com>
Signed-off-by: K3rnelPan1c <69395733+k3rnelpan1c-dev@users.noreply.github.com>
Signed-off-by: K3rnelPan1c <69395733+k3rnelpan1c-dev@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall this looks solid, just a few minor comments that may need clarification.
Also huge +1 for using Renovate, it's much better than Dependabot. It will need to be activated first however.
Signed-off-by: K3rnelPan1c <69395733+k3rnelpan1c-dev@users.noreply.github.com>
7a4690e
to
2a61e12
Compare
@k3rnelpan1c-dev @stevespringett I think we should decide on either Debian or Alpine. There's really no reason to have both. I'd personally vouch for Alpine - smaller attack surface and I've never seen issues with it. See also @k3rnelpan1c-dev's response here: #78 (comment) I'd rather not have the complexity of handling multiple flavors in CI if we can avoid it. Thoughts? |
The API Server moved to Debian due to use of glibc and to avoid some issues that Alpine has with K8s. The frontend we have a bit more flexibility over. I also prefer Alpine due to the smaller attack surface, but I need to find out what that K8s issue with Alpine was. But I would prefer to have a single base image rather than multiple. |
I cannot imagine Alpine having any issue on K8s, after all the most commonly used external Ingress controller happens to be Nginx, which is using its Alpine based version IIRC. But I am curious, if you happen to find the reference / remember what this issue might have been that would be great input. The only "issue" that I am aware with Alpine was that programs relying on glibc could experience very odd behaviour, however that was in every container environment not just K8s. |
Known issues appear to evolve around DNS resolution. Small selection:
The K8s team themselves claim:
The frontend doesn't do any DNS resolution though. Even if the issue(s) above persist, it won't be a problem for this particular container. |
Signed-off-by: K3rnelPan1c <69395733+k3rnelpan1c-dev@users.noreply.github.com>
🤦♂️ I actually heard of that before. Thank you for the detailed response!
Edit: |
Signed-off-by: K3rnelPan1c <69395733+k3rnelpan1c-dev@users.noreply.github.com>
took the liberty and removed the Debian flavour from the build and release process, as we all seem to be in agreement that we would prefer to only offer one flavour and that the minimal attack surface of Alpine Linux is favourable. |
9ce99b3
to
f13aef4
Compare
@k3rnelpan1c-dev Apologies for my commits. Wanted to test in my fork but forgot to specify the correct remote when pushing my changes... May I ask you to hard-reset them, verify that everything's still as you intended and force push? 🥲 |
Anyway, I was now able to test this and it works like a charm!
Once we have my mess 🥲 cleaned up it's good to go from my side. |
Signed-off-by: K3rnelPan1c <69395733+k3rnelpan1c-dev@users.noreply.github.com>
f13aef4
to
37cec71
Compare
all done + added a tiny hotfix that we should consider adding to the backed CI eventually. edit: |
Thank you for testing this nscuro :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All good from my side, just need @stevespringett to approve it before we can merge.
Huge thanks @k3rnelpan1c-dev |
I enjoy working on CI and automation, happy to have helped out :) |
It looks like, when releasing, For example, https://github.com/DependencyTrack/frontend/runs/6483307556?check_suite_focus=true checked out 01b253c instead of 3fe6bf7. This results in the I'm wondering what would be the best strategy to resolve this. Some ideas:
Would love to get your input @k3rnelpan1c-dev, your expertise is greatly appreciated. |
Oha, well this is interesting and certainly unexpected behaviour 🤔 Anyway, for feedback on your workaround proposals: Both can work. EDIT: |
Okay I thought of this a bit more and it actually makes sense that by default every checkout step within the same workflow checks out the state that it got triggered with .... (and now I am annoyed that I didn't think of this earlier) In other news I have a feeling that the idea of creating a pure "create release" workflow and letting a "publish" workflow trigger on "release creation" might be the right way to move forward. I will analyse more, but otherwise would commit to that idea and iterate over the CI that way. |
Okay, tiny problem with the separated workflows: No matter how I change it using the default
So to say that I am stuck with that idea is quite accurate, unless we opt to setup a "Dependency-Track-Bot" account that will serve as PAT donor to create the release and commits to the projects on release. |
Description
In the same veins as DependencyTrack/dependency-track#1419, this PR offers a CI overhaul and migrates the current release workflow from a bash script based solution to a GHA Workflow.
I took the liberty to include a proposal configuration for renovate-bot, as I personally find that a better configurable dependabot alternative for frontend repositories. An example of what this config would produce
Changes
propose a renovate-bot config as it supports grouping and very granular configuration(opted to move to followup PR)Issues
addresses Migrate Docker image from Alpine to Debian Slim #78 (by adding a Debian flavour)