Update token (#4)

* generic curl * refactor * upgrade to 2.319.1 * build now works * update some components * try vars * fix the action inputs * fix the action inputs * another typo * add the token * requirements * GH_AUTH_TOKEN added * fix one more token * try a different repo * move to github variables * fix the inputs * more fixes of variables * fix the action inputs * remember the backslashes * proper runner labels * fix the action inputs * ready runner * fix the action inputs * github_repository change * try with a different repository * try a different token * get the right app ID * fix the access token for offline runners cleanup * ready to PR fo production * two runners let's go for it * only deploy to prod
ministryofjustice · Nov 29, 2024 · 806af2e · 806af2e
1 parent 7cd71a5
commit 806af2e
Show file tree

Hide file tree

Showing 10 changed files with 143 additions and 55 deletions.
diff --git a/.github/actions/cloud-platform-deploy/action.yml b/.github/actions/cloud-platform-deploy/action.yml
@@ -23,11 +23,20 @@ inputs:
   token:
     description: The KUBE_TOKEN
     required: true
+  gh_auth_token:
+    description: Auth token for Github
+    required: true
+  github_repository:
+    description: The repository in which the runners are deployed
+    required: true
+  runner_labels:
+    description: The labels for the runners
+    required: true  
 
 runs:
   using: composite
   steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - name: Get environment details
       uses: ./.github/actions/get-env-details
@@ -61,4 +70,8 @@ runs:
           --set 'version=${{ inputs.version }}' \
           --timeout 10m \
           --values 'helm_deploy/${{ steps.env.outputs.values-file }}' \
-          --wait
+          --wait \
+          --set generic-service.env.GH_AUTH_TOKEN="${{ inputs.gh_auth_token }}" \
+          --set generic-service.env.RUNNER_LABELS="${{ inputs.runner_labels }}" \
+          --set generic-service.env.GITHUB_REPOSITORY="${{ inputs.github_repository }}" 
+          
diff --git a/.github/actions/docker-build/action.yml b/.github/actions/docker-build/action.yml
@@ -9,6 +9,8 @@ inputs:
     default: 'false'
   version:
     description: Version
+  gh_auth_token:
+    description: GitHub token
 
 runs:
   using: "composite"
@@ -32,3 +34,5 @@ runs:
         tags: |
           ghcr.io/ministryofjustice/${{ inputs.project }}:latest
           ghcr.io/ministryofjustice/${{ inputs.project }}:${{ inputs.version }}
+      env:
+        GH_AUTH_TOKEN: ${{ inputs.gh_auth_token }}
diff --git a/.github/actions/runner-cleanup/action.yml b/.github/actions/runner-cleanup/action.yml
@@ -0,0 +1,57 @@
+name: 'Remove offline runners'
+description: 'action to remove offline runners'
+inputs:
+  gh_auth_token:
+    description: 'Token used to authenticate to Github'
+  qty_runners:
+    description: 'Number of expected runners'
+    default: '1'
+  github_repository:
+    description: 'The repository in which the runners are deployed'
+
+runs:
+  using: "composite"
+  steps:
+  - name: Install dependencies
+    shell: bash
+    run: |
+      python -m pip install --upgrade pip
+      pip install -r requirements.txt
+  - name: clean up runners
+    shell: python {0} 
+    id: cleanup-runners
+    run: |
+      from github import Auth
+      from github import Github
+      from github import GithubException
+      import os
+      from time import sleep
+      # Attempts to remove any offline runners - giving time for old ones to expire
+      def main():
+        expected_number_of_runners=os.getenv('qty_runners',1)
+        github_repository=os.getenv('github_repository')
+        auth = Auth.Token(os.getenv('gh_auth_token'))
+        print(f'Repo name is: {github_repository}')
+        g = Github(auth=auth)
+        repo = g.get_repo(github_repository)
+        offline_deleted=False
+        qty_runners=retry_count=0
+        while qty_runners!=expected_number_of_runners and retry_count < 10:
+          try:
+            runners = repo.get_self_hosted_runners() 
+            qty_runners=runners.totalCount
+            print(f'Attempt to clean up offline runners: {retry_count} - found {qty_runners} runners')
+            for each_runner in runners:
+              print(f'Checking runner {each_runner.name} with status {each_runner.status}')
+              if each_runner.status == 'offline':
+                success=repo.remove_self_hosted_runner(each_runner.id)
+          except:
+            print(f'Failed because {GithubException.message}')
+          retry_count+=1
+          sleep(10)
+      if __name__ == '__main__':
+        main()
+    
+    env:
+      github_repository: ${{ inputs.github_repository }}
+      gh_auth_token: ${{ inputs.gh_auth_token }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -21,6 +21,7 @@ on:
 
 env:
   push: ${{ inputs.push }}
+  ghcr_token: ${{ secrets.GHCR_TOKEN}}
 
 jobs:
   build-docker:
@@ -41,10 +42,18 @@ jobs:
           version=$(date '+%Y-%m-%d').${{ github.run_number }}.$(echo ${{ github.sha }} | cut -c1-7)
           echo "version=$version" | tee -a "$GITHUB_OUTPUT"
 
+      - name: GitHub app JWT and installation access token generation
+        uses: jamestrousdale/[email protected]
+        id: generate-github-app-tokens
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       - name: Build Docker images
         uses: ./.github/actions/docker-build
         id: build
         with:
           project: ${{ matrix.project }}
           push: ${{ env.push }}
           version: ${{ steps.version.outputs.version }}
+          gh_auth_token: ${{ steps.generate-github-app-tokens.outputs.access-token }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -31,7 +31,6 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
-
     environment:
       name: ${{ inputs.environment }}  
     steps:
@@ -41,6 +40,13 @@ jobs:
         with:
           environment: ${{ inputs.environment }}
 
+      - name: GitHub app JWT and installation access token generation
+        uses: jamestrousdale/[email protected]
+        id: generate-github-app-tokens
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       - name: Deploy to Platform
         uses: ./.github/actions/cloud-platform-deploy
         with:
@@ -51,3 +57,13 @@ jobs:
           cluster: ${{ secrets.KUBE_CLUSTER }}
           namespace: ${{ secrets.KUBE_NAMESPACE }}
           token: ${{ secrets.KUBE_TOKEN }}   
+          gh_auth_token: ${{ steps.generate-github-app-tokens.outputs.access-token }}
+          github_repository: ${{ vars.GH_REPOSITORY }}
+          runner_labels: ${{ vars.RUNNER_LABELS }}
+
+      - name: Remove offline runners
+        uses: ./.github/actions/runner-cleanup
+        with:
+          gh_auth_token: ${{ steps.generate-github-app-tokens.outputs.access-token }}
+          github_repository: ${{ vars.GH_REPOSITORY }}
+
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -27,21 +27,22 @@ jobs:
       push: true
     secrets: inherit
 
-  deploy_to_dev:
-    name: Deploy to dev
-    uses: ./.github/workflows/deploy.yml
-    needs: build
-    with:
-      environment: development
-      version: ${{ needs.build.outputs.version }}
-    secrets: inherit
+  # deploy_to_dev:
+  #   name: Deploy to dev
+  #   uses: ./.github/workflows/deploy.yml
+  #   needs: build
+  #   with:
+  #     environment: development
+  #     version: ${{ needs.build.outputs.version }}
+  #   secrets: inherit
 
+  # Only need to deploy to production nowadays
   deploy_to_prod:
+    if : github.ref == 'refs/heads/main'
     name: Deploy to prod
     uses: ./.github/workflows/deploy.yml
     needs:
       - build
-      - deploy_to_dev # wait for the deploy_to_dev job to complete
     with:
       environment: production
       version: ${{ needs.build.outputs.version }}

diff --git a/Dockerfile b/Dockerfile
@@ -13,8 +13,8 @@ ENV CONTAINER_USER="runner" \
     CONTAINER_GID="10000" \
     CONTAINER_HOME="/actions-runner" \
     DEBIAN_FRONTEND="noninteractive" \
-    ACTIONS_RUNNER_VERSION="2.319.1" \
-    ACTIONS_RUNNER_PKG_SHA="3f6efb7488a183e291fc2c62876e14c9ee732864173734facc85a1bfb1744464"
+    ACTIONS_RUNNER_VERSION="2.321.0" \
+    ACTIONS_RUNNER_PKG_SHA="ba46ba7ce3a4d7236b16fbe44419fb453bc08f866b24f04d549ec89f1722a29e"
 
 SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]
 
@@ -37,18 +37,18 @@ chown --recursive ${CONTAINER_USER}:${CONTAINER_GROUP} ${CONTAINER_HOME}
 apt-get update
 
 apt-get install --yes --no-install-recommends \
-  "apt-transport-https=2.7.14build2" \
-  "ca-certificates=20240203" \
-  "curl=8.5.0-2ubuntu10.4" \
-  "git=1:2.43.0-1ubuntu7.1" \
-  "jq=1.7.1-3build1" \
-  "libicu-dev=74.2-1ubuntu3.1" \
-  "lsb-release=12.0-2" \
-  "gcc=4:13.2.0-7ubuntu1" \
-  "libsqlite3-dev=3.45.1-1ubuntu2" \
+  "apt-transport-https" \
+  "ca-certificates" \
+  "curl" \
+  "git" \
+  "jq" \
+  "libicu-dev" \
+  "lsb-release" \
+  "gcc" \
+  "libsqlite3-dev" \
   "python3" \
   "httpie"
-
+ 
 apt-get clean
 
 rm -rf /var/lib/apt/lists/*
@@ -69,4 +69,4 @@ USER ${CONTAINER_UID}
 
 WORKDIR ${CONTAINER_HOME}
 
-ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
diff --git a/helm_deploy/hmpps-github-actions-runner/values.yaml b/helm_deploy/hmpps-github-actions-runner/values.yaml
@@ -2,10 +2,7 @@
 generic-service:
   nameOverride: hmpps-github-actions-runner
 
-  replicaCount: 1 # we can start with one and do more
-
-  env:
-    RUNNER_LABELS: hmpps-github-actions-runner
+  replicaCount: 2 # we can start with one and do more
 
   image:
     repository: ghcr.io/ministryofjustice/hmpps-github-actions-runner
@@ -20,35 +17,22 @@ generic-service:
   # Looks like it might be fixed, so...
 
   livenessProbe: null
-  readinessProbe: null
-
-  # livenessProbe:
-  #   httpGet:
-  #     path: /ping
-  #     port: 8080
-  #   initialDelaySeconds: 10
-  #   periodSeconds: 10
-  #   timeoutSeconds: 5
-  #   failureThreshold: 5
-
-  # readinessProbe:
-  #   httpGet:
-  #     path: /ping
-  #     port: 8080
-  #   initialDelaySeconds: 10
-  #   periodSeconds: 10
-  #   timeoutSeconds: 5
-  #   failureThreshold: 5
+
+  readinessProbe:
+    httpGet: null
+    exec:
+      command:
+        - cat
+        - /tmp/runner.ready
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 5
 
   # Pre-existing kubernetes secrets to load as environment variables in the deployment.
   # namespace_secrets:
   #   [name of kubernetes secret]:
   #     [name of environment variable as seen by app]: [key of kubernetes secret to load]
 
-  namespace_secrets:
-    hmpps-github-actions-runner:
-      GITHUB_REPOSITORY: "GITHUB_REPOSITORY"
-      GITHUB_TOKEN: "GITHUB_TOKEN"
-
 generic-prometheus-alerts:
   targetApplication: hmpps-github-actions-runner
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1 @@
+PyGithub>=2.5.0
diff --git a/src/usr/local/bin/entrypoint.sh b/src/usr/local/bin/entrypoint.sh
@@ -17,7 +17,7 @@ getRegistrationToken=$(
     --location \
     --request "POST" \
     --header "X-GitHub-Api-Version: 2022-11-28" \
-    --header "Authorization: Bearer ${GITHUB_TOKEN}" \
+    --header "Authorization: Bearer ${GH_AUTH_TOKEN}" \
     https://api.github.com/repos/"${GITHUB_REPOSITORY}"/actions/runners/registration-token | jq -r '.token'
 )
 export getRegistrationToken
@@ -39,7 +39,7 @@ else
 fi
 
 echo "Checking the runner"
-bash "${ACTIONS_RUNNER_DIRECTORY}/config.sh" --check --url "https://github.com/${GITHUB_REPOSITORY}" --pat ${GITHUB_TOKEN}
+bash "${ACTIONS_RUNNER_DIRECTORY}/config.sh" --check --url "https://github.com/${GITHUB_REPOSITORY}" --pat ${GH_AUTH_TOKEN}
 
 echo "Configuring runner"
 bash "${ACTIONS_RUNNER_DIRECTORY}/config.sh" ${EPHEMERAL_FLAG} \
@@ -50,5 +50,8 @@ bash "${ACTIONS_RUNNER_DIRECTORY}/config.sh" ${EPHEMERAL_FLAG} \
   --name "$(hostname)" \
   --labels "${RUNNER_LABELS}"
 
+echo "Setting the 'ready' flag for Kubernetes liveness probe"
+touch /tmp/runner.ready
+
 echo "Starting runner"
 bash "${ACTIONS_RUNNER_DIRECTORY}/run.sh"