cloudscale-cloud-controller-manager/.github/workflows/ccm-integration-tests.yml at 1f1cb43f7b180dd008024597ff21c1e168ef3d7e · cloudscale-ch/cloudscale-cloud-controller-manager · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
name: CCM Integration Tests

on:
  push:
    branches:
      - main

  pull_request:

  # Allow to run this workflow manually from the Actions tab
  workflow_dispatch:

  # Run this regularly, to get integration tests results against new
  # Kubernetes releases.
  schedule:
    - cron: '15 3 * * *'

permissions:
  contents: read

env:
  GO_VERSION: 1.25

jobs:
  lint:
    name: "Run Linters"
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: '${{ env.GO_VERSION }}'

      - name: Restore cache
        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ~/.cache/golangci-lint
            ~/.cache/go-build
          key: lint-${{ hashFiles('go.mod') }}

      - name: Install go tools
        run: go mod tidy -modfile tool.mod

      - name: Run Linter
        run: make lint

      - name: Save cache
        uses: actions/cache/save@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: |
            ~/.cache/golangci-lint
            ~/.cache/go-build
          key: lint-${{ hashFiles('go.mod') }}

  unit:
    name: "Run Unit Tests"
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: '${{ env.GO_VERSION }}'

      - name: Run Unit Tests
        run: make test

  test-matrix:
    name: "Get Kubernetes Releases"
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: "Generate Test Matrix"
        id: list
        run: 'echo "tests=$(helpers/test-matrix)" >> $GITHUB_OUTPUT'

    outputs:
      tests: ${{ steps.list.outputs.tests }}

  build-image:
    name: "Build Container Image"
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Evaluate image name
        run: 'helpers/image-from-ref >> $GITHUB_ENV'

      - name: Build image
        run: 'docker build --platform=linux/amd64 --tag "$IMAGE" .'

      - name: Export image
        run: 'docker image save "$IMAGE" -o image.tar'

      - name: Store hash
        run: 'shasum -a 256 image.tar | tee image.tar.sha256'

      - name: Store image
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: tested-image
          path: |
            image.tar
            image.tar.sha256
          retention-days: 30d

  check-ccm-integration:
    # Preflight: verify the CLOUDSCALE_API_TOKEN at step-level and set an output
    # so the integration job can be skipped.
    #
    # GitHub Actions limitations motivating this:
    # - `secrets` are NOT available in `jobs.<id>.if` (job-level `if`), so you cannot
    #   directly gate/skip a job by testing a secret there.
    name: Check CCM Integration Configuration
    runs-on: ubuntu-latest

    outputs:
      integration-enabled: ${{ steps.check.outputs.enabled }}

    steps:
      - id: check
        name: Verify CLOUDSCALE_API_TOKEN is present
        env:
          CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
        run: |
          if [ -n "$CLOUDSCALE_API_TOKEN" ]; then
            echo "enabled=true" >> $GITHUB_OUTPUT
            echo "CLOUDSCALE_API_TOKEN found — integration will run."
          else
            echo "enabled=false" >> $GITHUB_OUTPUT
            echo "CLOUDSCALE_API_TOKEN not configured — skipping integration."
          fi

  integration:
    name: "Kubernetes ${{ matrix.kubernetes }}"
    runs-on: ubuntu-latest

    needs:
      - lint
      - unit
      - test-matrix
      - build-image
      - check-ccm-integration
    if: needs.check-ccm-integration.outputs.integration-enabled == 'true'

    strategy:
      fail-fast: false
      max-parallel: 1
      matrix:
        include: "${{ fromJson(needs.test-matrix.outputs.tests) }}"

    env:
      CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
      HTTP_ECHO_BRANCH: ${{ vars.HTTP_ECHO_BRANCH }}
      KUBERNETES: '${{ matrix.kubernetes }}'
      SUBNET: '${{ matrix.subnet }}'
      CLUSTER_PREFIX: '${{ matrix.cluster_prefix }}'
      IMAGE_SOURCE: import

    # Prevent integration tests from running in parallel. Ideally this should
    # be seuqential, but that won't work due to the following issue:
    #
    # https://github.com/orgs/community/discussions/5435
    #
    # Instead we ensure that only one integration test per supported version
    # is run at any given time.
    concurrency:
      group: integration-${{ matrix.kubernetes }}

    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Load image
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: tested-image

      - name: Validate hash
        run: 'shasum --check image.tar.sha256'

      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
        with:
          go-version: '${{ env.GO_VERSION }}'

      - name: Evaluate image name
        run: 'helpers/image-from-ref >> $GITHUB_ENV'

      - name: Cleanup Leftovers
        if: always()
        run: helpers/cleanup

      - name: Create Test Cluster
        run: helpers/run-in-test-cluster

      - name: Wait For CCM Startup
        run: sleep 60

      - name: Run Integration Tests
        run: make integration

      - name: Wait For Kubernetes-Internal Cleanup
        if: always()
        run: sleep 30

      - name: Destroy Test Cluster
        if: always()
        run: helpers/cleanup

  validate-workflows:
    name: Validate GitHub Workflows
    runs-on: ubuntu-latest

    # More Information:
    # https://github.com/zizmorcore/zizmor-action?tab=readme-ov-file#usage-with-github-advanced-security-recommended
    #
    # Use `uvx zizmor .github/` for a local preview using the latest zizmor version.

    permissions:
      contents: read
      security-events: write

    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Run zizmor 🌈
        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0