Fix CI issues due to disconnected 1ES pools and unneeded AzureLogin t…

…asks (#118) This has been a lot of fun to figure out... When we marked the repo as public the 1ES hosted pools that we were previously using lost their linkage to this repository. This meant that PR tasks were not being picked up. The fix for this was to re-create new pools that are scoped to our repo. The other issue this change resolves is removing the Azure Login task from stages that do not need it. There are still some tasks that do need access to the key vault (to download test VHD's) but this will get the CI in a much better state. --------- Co-authored-by: Ben Hillis <[email protected]>
microsoft · Oct 17, 2024 · 09bdb63 · 09bdb63
1 parent ee0a3f9
commit 09bdb63
Show file tree

Hide file tree

Showing 11 changed files with 1,013 additions and 3,249 deletions.
diff --git a/.github/workflows/openvmm-ci.json b/.github/workflows/openvmm-ci.json
diff --git a/.github/workflows/openvmm-ci.yaml b/.github/workflows/openvmm-ci.yaml
diff --git a/.github/workflows/openvmm-pr.json b/.github/workflows/openvmm-pr.json
diff --git a/.github/workflows/openvmm-pr.yaml b/.github/workflows/openvmm-pr.yaml
diff --git a/flowey/flowey_core/src/node.rs b/flowey/flowey_core/src/node.rs
@@ -1773,6 +1773,9 @@ pub mod steps {
 
             /// `github.workspace`
             pub const GITHUB__WORKSPACE: GhContextVar = GhContextVar::new("github.workspace");
+
+            /// `github.token`
+            pub const GITHUB__TOKEN: GhContextVar = GhContextVar::new("github.token");
         }
 
         impl GhContextVar {

diff --git a/flowey/flowey_hvlite/src/pipelines/checkin_gates.rs b/flowey/flowey_hvlite/src/pipelines/checkin_gates.rs
@@ -105,11 +105,7 @@ impl IntoPipeline for CheckinGatesCli {
 
         if let RepoSource::GithubSelf = &openvmm_repo_source {
             pipeline.gh_set_flowey_bootstrap_template(
-                crate::pipelines_shared::gh_flowey_bootstrap_template::get_template(
-                    &client_id,
-                    &tenant_id,
-                    &subscription_id,
-                ),
+                crate::pipelines_shared::gh_flowey_bootstrap_template::get_template(),
             );
         }
 
@@ -127,11 +123,6 @@ impl IntoPipeline for CheckinGatesCli {
                         hvlite_repo_source: openvmm_repo_source.clone(),
                     },
                 )
-                .dep_on(|_| flowey_lib_hvlite::_jobs::cfg_gh_azure_login::Params {
-                    client_id: client_id.clone(),
-                    tenant_id: tenant_id.clone(),
-                    subscription_id: subscription_id.clone(),
-                })
                 .gh_grant_permissions::<flowey_lib_common::git_checkout::Node>([(
                     GhPermission::Contents,
                     GhPermissionValue::Read,
@@ -906,6 +897,11 @@ impl IntoPipeline for CheckinGatesCli {
                         fail_job_on_test_fail: true,
                         done: ctx.new_done_handle(),
                     }
+                })
+                .dep_on(|_| flowey_lib_hvlite::_jobs::cfg_gh_azure_login::Params {
+                    client_id: client_id.clone(),
+                    tenant_id: tenant_id.clone(),
+                    subscription_id: subscription_id.clone(),
                 });
 
             if let Some(pub_vmm_tests_junit_xml) = pub_vmm_tests_junit_xml {

diff --git a/flowey/flowey_hvlite/src/pipelines_shared/gh_flowey_bootstrap_template.rs b/flowey/flowey_hvlite/src/pipelines_shared/gh_flowey_bootstrap_template.rs
@@ -2,34 +2,14 @@
 
 //! See [`get_template`]
 
-use flowey::node::prelude::GhContextVar;
-
 /// Get our internal flowey bootstrap template.
 ///
 /// See [`Pipeline::gh_set_flowey_bootstrap_template`]
 ///
 /// [`Pipeline::gh_set_flowey_bootstrap_template`]:
 ///     flowey::pipeline::prelude::Pipeline::gh_set_flowey_bootstrap_template
-pub fn get_template(
-    client_id: &GhContextVar,
-    tenant_id: &GhContextVar,
-    subscription_id: &GhContextVar,
-) -> String {
+pub fn get_template() -> String {
     // to be clear: these replaces are totally custom to this particular
     // bootstrap template. flowey knows nothing of these replacements.
-    let template = include_str!("gh_flowey_bootstrap_template.yml").to_string();
-
-    template
-        .replace(
-            "{{OPENVMM_CLIENT_ID}}",
-            &format!("${{{{ {} }}}}", client_id.as_raw_var_name()),
-        )
-        .replace(
-            "{{OPENVMM_TENANT_ID}}",
-            &format!("${{{{ {} }}}}", tenant_id.as_raw_var_name()),
-        )
-        .replace(
-            "{{OPENVMM_SUBSCRIPTION_ID}}",
-            &format!("${{{{ {} }}}}", subscription_id.as_raw_var_name()),
-        )
+    include_str!("gh_flowey_bootstrap_template.yml").to_string()
 }
diff --git a/flowey/flowey_hvlite/src/pipelines_shared/gh_flowey_bootstrap_template.yml b/flowey/flowey_hvlite/src/pipelines_shared/gh_flowey_bootstrap_template.yml
@@ -1,23 +1,3 @@
-- uses: Azure/login@v2
-  with:
-    # These secrets describe the HvLite-GitHub service principal and associated Azure subscription,
-    # which, along with the GITHUB_TOKEN, are used to authenticate GitHub Actions to Azure with OpenID Connect.
-    # The service principal has federated identity credentials configured describing which branches and
-    # scenarios can be authenticated.
-    client-id: {{OPENVMM_CLIENT_ID}}
-    tenant-id: {{OPENVMM_TENANT_ID}}
-    subscription-id: {{OPENVMM_SUBSCRIPTION_ID}}
-
-- name: Pull Azure Key Vault secrets
-  run: |
-    VPackAccessToken=$(az keyvault secret show --name "VPackAccessToken" --vault-name "HvLite-PATs" --query value --output tsv)
-    echo "::add-mask::$VPackAccessToken"
-    echo "VPackAccessToken=$VPackAccessToken" >> $GITHUB_ENV
-    MsAzurePull=$(az keyvault secret show --name "MsAzurePull" --vault-name "HvLite-PATs" --query value --output tsv)
-    echo "::add-mask::$MsAzurePull"
-    echo "MsAzurePull=$MsAzurePull" >> $GITHUB_ENV
-  shell: bash
-
 - run: |
     set -x
     curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y

diff --git a/flowey/flowey_hvlite/src/pipelines_shared/gh_pools.rs b/flowey/flowey_hvlite/src/pipelines_shared/gh_pools.rs
@@ -25,14 +25,14 @@ pub fn default_gh_hosted(platform: FlowPlatform) -> GhRunner {
 pub fn windows_amd_self_hosted() -> GhRunner {
     GhRunner::SelfHosted(vec![
         "self-hosted".to_string(),
-        "1ES.Pool=HvLite-GitHub-Win-Pool-WestUS3".to_string(),
+        "1ES.Pool=OpenVMM-GitHub-Win-Pool-WestUS3".to_string(),
     ])
 }
 
 pub fn windows_intel_self_hosted() -> GhRunner {
     GhRunner::SelfHosted(vec![
         "self-hosted".to_string(),
-        "1ES.Pool=HvLite-GitHub-Win-Pool-Intel-WestUS3".to_string(),
+        "1ES.Pool=OpenVMM-GitHub-Win-Pool-Intel-WestUS3".to_string(),
         "1ES.ImageOverride=HvLite-CI-Win-Ge-Image-256GB".to_string(),
     ])
 }
@@ -43,7 +43,7 @@ pub fn windows_intel_self_hosted() -> GhRunner {
 pub fn windows_amd_self_hosted_largedisk() -> GhRunner {
     GhRunner::SelfHosted(vec![
         "self-hosted".to_string(),
-        "1ES.Pool=HvLite-GitHub-Win-Pool-WestUS3".to_string(),
+        "1ES.Pool=OpenVMM-GitHub-Win-Pool-WestUS3".to_string(),
         "1ES.ImageOverride=HvLite-CI-Win-Ge-Image-256GB".to_string(),
     ])
 }
@@ -54,15 +54,15 @@ pub fn windows_amd_self_hosted_largedisk() -> GhRunner {
 pub fn windows_intel_self_hosted_largedisk() -> GhRunner {
     GhRunner::SelfHosted(vec![
         "self-hosted".to_string(),
-        "1ES.Pool=HvLite-GitHub-Win-Pool-Intel-WestUS3".to_string(),
+        "1ES.Pool=OpenVMM-GitHub-Win-Pool-Intel-WestUS3".to_string(),
         "1ES.ImageOverride=HvLite-CI-Win-Ge-Image-256GB".to_string(),
     ])
 }
 
 pub fn linux_self_hosted() -> GhRunner {
     GhRunner::SelfHosted(vec![
         "self-hosted".to_string(),
-        "1ES.Pool=HvLite-GitHub-Linux-Pool-WestUS3".to_string(),
+        "1ES.Pool=OpenVMM-GitHub-Linux-Pool-WestUS3".to_string(),
     ])
 }
 

diff --git a/flowey/flowey_lib_hvlite/src/_jobs/cfg_common.rs b/flowey/flowey_lib_hvlite/src/_jobs/cfg_common.rs
@@ -91,14 +91,7 @@ impl SimpleFlowNode for Node {
             ));
 
             {
-                let (gh_token, write_gh_token) = ctx.new_secret_var();
-                ctx.req(
-                    flowey_lib_common::gh_download_azure_key_vault_secret::GetSecret {
-                        key_vault_name: "HvLite-PATs".to_string(),
-                        secret: "GitHub-CLI-PAT".into(),
-                        resolved_secret: write_gh_token,
-                    },
-                );
+                let gh_token = ctx.get_gh_context_var(GhContextVar::GITHUB__TOKEN);
 
                 ctx.req(flowey_lib_common::use_gh_cli::Request::WithAuth(
                     flowey_lib_common::use_gh_cli::GhCliAuth::AuthToken(gh_token),

diff --git a/flowey/flowey_lib_hvlite/src/_jobs/test_local_flowey_build_igvm.rs b/flowey/flowey_lib_hvlite/src/_jobs/test_local_flowey_build_igvm.rs
@@ -21,22 +21,14 @@ impl SimpleFlowNode for Node {
     fn imports(ctx: &mut ImportCtx<'_>) {
         ctx.import::<crate::git_checkout_openvmm_repo::Node>();
         ctx.import::<flowey_lib_common::install_rust::Node>();
-        ctx.import::<flowey_lib_common::gh_download_azure_key_vault_secret::Node>();
     }
 
     fn process_request(request: Self::Request, ctx: &mut NodeCtx<'_>) -> anyhow::Result<()> {
         let Request { base_recipe, done } = request;
 
         let hvlite_repo = ctx.reqv(crate::git_checkout_openvmm_repo::req::GetRepoDir);
         let rust_install = ctx.reqv(flowey_lib_common::install_rust::Request::EnsureInstalled);
-        let (gh_token, write_gh_token) = ctx.new_secret_var();
-        ctx.req(
-            flowey_lib_common::gh_download_azure_key_vault_secret::GetSecret {
-                key_vault_name: "HvLite-PATs".to_string(),
-                secret: "GitHub-CLI-PAT".into(),
-                resolved_secret: write_gh_token,
-            },
-        );
+        let gh_token = ctx.get_gh_context_var(GhContextVar::GITHUB__TOKEN);
 
         let test_local = ctx.emit_rust_step(
             "test cargo xflowey build-igvm x64 --install-missing-deps",