build(deps): bump the npm_and_yarn at /superset-frontend security update group in /superset-frontend with 3 updates #6313
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Ephemeral env workflow | |
on: | |
issue_comment: | |
types: [created] | |
jobs: | |
config: | |
runs-on: "ubuntu-latest" | |
if: github.event.issue.pull_request | |
outputs: | |
has-secrets: ${{ steps.check.outputs.has-secrets }} | |
steps: | |
- name: "Check for secrets" | |
id: check | |
shell: bash | |
run: | | |
if [ -n "${{ (secrets.AWS_ACCESS_KEY_ID != '' && secrets.AWS_SECRET_ACCESS_KEY != '') || '' }}" ]; then | |
echo "has-secrets=1" >> "$GITHUB_OUTPUT" | |
fi | |
ephemeral_env_comment: | |
needs: config | |
if: needs.config.outputs.has-secrets | |
name: Evaluate ephemeral env comment trigger (/testenv) | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write | |
outputs: | |
slash-command: ${{ steps.eval-body.outputs.result }} | |
feature-flags: ${{ steps.eval-feature-flags.outputs.result }} | |
steps: | |
- name: Debug | |
run: | | |
echo "Comment on PR #${{ github.event.issue.number }} by ${{ github.event.issue.user.login }}, ${{ github.event.comment.author_association }}" | |
- name: Eval comment body for /testenv slash command | |
uses: actions/github-script@v3 | |
id: eval-body | |
with: | |
result-encoding: string | |
script: | | |
const pattern = /^\/testenv (up|down)/ | |
const result = pattern.exec(context.payload.comment.body) | |
return result === null ? 'noop' : result[1] | |
- name: Eval comment body for feature flags | |
uses: actions/github-script@v3 | |
id: eval-feature-flags | |
with: | |
script: | | |
const pattern = /FEATURE_(\w+)=(\w+)/g; | |
let results = []; | |
[...context.payload.comment.body.matchAll(pattern)].forEach(match => { | |
const config = { | |
name: `SUPERSET_FEATURE_${match[1]}`, | |
value: match[2], | |
}; | |
results.push(config); | |
}); | |
return results; | |
- name: Limit to committers | |
if: > | |
steps.eval-body.outputs.result != 'noop' && | |
github.event.comment.author_association != 'MEMBER' && | |
github.event.comment.author_association != 'OWNER' | |
uses: actions/github-script@v3 | |
with: | |
github-token: ${{github.token}} | |
script: | | |
const errMsg = '@${{ github.event.comment.user.login }} Ephemeral environment creation is currently limited to committers.' | |
github.issues.createComment({ | |
issue_number: ${{ github.event.issue.number }}, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: errMsg | |
}) | |
core.setFailed(errMsg) | |
docker_ephemeral_env: | |
needs: config | |
if: needs.config.outputs.has-secrets | |
name: Push ephemeral env Docker image to ECR | |
runs-on: ubuntu-latest | |
steps: | |
- name: "Download artifact" | |
uses: actions/[email protected] | |
with: | |
script: | | |
const artifacts = await github.actions.listWorkflowRunArtifacts({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
run_id: ${{ github.event.workflow_run.id }}, | |
}); | |
core.info('*** artifacts') | |
core.info(JSON.stringify(artifacts)) | |
const matchArtifact = artifacts.data.artifacts.filter((artifact) => { | |
return artifact.name === "build"; | |
}); | |
if (!matchArtifact.length) { | |
return core.setFailed("Build artifacts not found"); | |
} | |
const download = await github.actions.downloadArtifact({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
artifact_id: matchArtifact[0].id, | |
archive_format: 'zip', | |
}); | |
var fs = require('fs'); | |
fs.writeFileSync('${{github.workspace}}/build.zip', Buffer.from(download.data)); | |
- run: unzip build.zip | |
- name: Display downloaded files (debug) | |
run: ls -la | |
- name: Get SHA | |
id: get-sha | |
run: echo "::set-output name=sha::$(cat ./SHA)" | |
- name: Get PR | |
id: get-pr | |
run: echo "::set-output name=num::$(cat ./PR-NUM)" | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-west-2 | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Load, tag and push image to ECR | |
id: push-image | |
env: | |
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
ECR_REPOSITORY: superset-ci | |
SHA: ${{ steps.get-sha.outputs.sha }} | |
IMAGE_TAG: pr-${{ steps.get-pr.outputs.num }} | |
run: | | |
docker load < $SHA.tar.gz | |
docker tag $SHA $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG | |
docker tag $SHA $ECR_REGISTRY/$ECR_REPOSITORY:$SHA | |
docker push -a $ECR_REGISTRY/$ECR_REPOSITORY | |
ephemeral_env_up: | |
needs: ephemeral_env_comment | |
if: needs.ephemeral_env_comment.outputs.slash-command == 'up' | |
name: Spin up an ephemeral environment | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
pull-requests: write | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
persist-credentials: false | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-west-2 | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@v1 | |
- name: Check target image exists in ECR | |
id: check-image | |
continue-on-error: true | |
run: | | |
aws ecr describe-images \ | |
--registry-id $(echo "${{ steps.login-ecr.outputs.registry }}" | grep -Eo "^[0-9]+") \ | |
--repository-name superset-ci \ | |
--image-ids imageTag=pr-${{ github.event.issue.number }} | |
- name: Fail on missing container image | |
if: steps.check-image.outcome == 'failure' | |
uses: actions/github-script@v3 | |
with: | |
github-token: ${{github.token}} | |
script: | | |
const errMsg = '@${{ github.event.comment.user.login }} Container image not yet published for this PR. Please try again when build is complete.' | |
github.issues.createComment({ | |
issue_number: ${{ github.event.issue.number }}, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: errMsg | |
}) | |
core.setFailed(errMsg) | |
- name: Fill in the new image ID in the Amazon ECS task definition | |
id: task-def | |
uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
with: | |
task-definition: .github/workflows/ecs-task-definition.json | |
container-name: superset-ci | |
image: ${{ steps.login-ecr.outputs.registry }}/superset-ci:pr-${{ github.event.issue.number }} | |
- name: Update env vars in the Amazon ECS task definition | |
run: | | |
cat <<< "$(jq '.containerDefinitions[0].environment += ${{ needs.ephemeral_env_comment.outputs.feature-flags }}' < ${{ steps.task-def.outputs.task-definition }})" > ${{ steps.task-def.outputs.task-definition }} | |
- name: Describe ECS service | |
id: describe-services | |
run: | | |
echo "::set-output name=active::$(aws ecs describe-services --cluster superset-ci --services pr-${{ github.event.issue.number }}-service | jq '.services[] | select(.status == "ACTIVE") | any')" | |
- name: Create ECS service | |
if: steps.describe-services.outputs.active != 'true' | |
id: create-service | |
env: | |
ECR_SUBNETS: subnet-0e15a5034b4121710,subnet-0e8efef4a72224974 | |
ECR_SECURITY_GROUP: sg-092ff3a6ae0574d91 | |
run: | | |
aws ecs create-service \ | |
--cluster superset-ci \ | |
--service-name pr-${{ github.event.issue.number }}-service \ | |
--task-definition superset-ci \ | |
--launch-type FARGATE \ | |
--desired-count 1 \ | |
--platform-version LATEST \ | |
--network-configuration "awsvpcConfiguration={subnets=[$ECR_SUBNETS],securityGroups=[$ECR_SECURITY_GROUP],assignPublicIp=ENABLED}" \ | |
--tags key=pr,value=${{ github.event.issue.number }} key=github_user,value=${{ github.actor }} | |
- name: Deploy Amazon ECS task definition | |
id: deploy-task | |
uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
with: | |
task-definition: ${{ steps.task-def.outputs.task-definition }} | |
service: pr-${{ github.event.issue.number }}-service | |
cluster: superset-ci | |
wait-for-service-stability: true | |
wait-for-minutes: 10 | |
- name: List tasks | |
id: list-tasks | |
run: | | |
echo "::set-output name=task::$(aws ecs list-tasks --cluster superset-ci --service-name pr-${{ github.event.issue.number }}-service | jq '.taskArns | first')" | |
- name: Get network interface | |
id: get-eni | |
run: | | |
echo "::set-output name=eni::$(aws ecs describe-tasks --cluster superset-ci --tasks ${{ steps.list-tasks.outputs.task }} | jq '.tasks | .[0] | .attachments | .[0] | .details | map(select(.name=="networkInterfaceId")) | .[0] | .value')" | |
- name: Get public IP | |
id: get-ip | |
run: | | |
echo "::set-output name=ip::$(aws ec2 describe-network-interfaces --network-interface-ids ${{ steps.get-eni.outputs.eni }} | jq -r '.NetworkInterfaces | first | .Association.PublicIp')" | |
- name: Comment (success) | |
if: ${{ success() }} | |
uses: actions/github-script@v3 | |
with: | |
github-token: ${{github.token}} | |
script: | | |
github.issues.createComment({ | |
issue_number: ${{ github.event.issue.number }}, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: '@${{ github.event.comment.user.login }} Ephemeral environment spinning up at http://${{ steps.get-ip.outputs.ip }}:8080. Credentials are `admin`/`admin`. Please allow several minutes for bootstrapping and startup.' | |
}) | |
- name: Comment (failure) | |
if: ${{ failure() }} | |
uses: actions/github-script@v3 | |
with: | |
github-token: ${{github.token}} | |
script: | | |
github.issues.createComment({ | |
issue_number: ${{ github.event.issue.number }}, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: '@${{ github.event.comment.user.login }} Ephemeral environment creation failed. Please check the Actions logs for details.' | |
}) |