github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
be250f1e00d30df262fbf1d809e28dd5ecf80dfe
firezone/.github/README_CI.md
Jamil 8e326d24bb docs: add note on how to rotate client secret for windows code signing (#6900) 
Moved the code signing to our US-based Azure account
(firezoneprod.onmicrosoft.com)

---------

Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Co-authored-by: Brian Manifold <bmanifold@users.noreply.github.com>
Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
2024-10-02 17:35:40 +00:00

2.8 KiB
Raw Blame History

CI Tips and Tricks

Rotating signing secrets

Batch-deleting workflow runs

Manually disable the workflows to be cleaned up, then run this:

org=firezone
repo=firezone

# Get workflow IDs with status "disabled_manually"
workflow_ids=($(gh api repos/$org/$repo/actions/workflows --paginate | jq '.workflows[] | select(.["state"] | contains("disabled_manually")) | .id'))

for workflow_id in "${workflow_ids[@]}"
do
  echo "Listing runs for the workflow ID $workflow_id"
  run_ids=( $(gh api repos/$org/$repo/actions/workflows/$workflow_id/runs --paginate | jq '.workflow_runs[].id') )
  for run_id in "${run_ids[@]}"
  do
    echo "Deleting Run ID $run_id"
    gh api repos/$org/$repo/actions/runs/$run_id -X DELETE >/dev/null
  done
done

Adding a new repository to Google Cloud workload identity

We are using a separate Google Cloud project for GitHub Actions workload federation, if you need auth action to work from a new repo - it needs to be added to the principal set of a GitHub Actions service account:

export REPO="firezone/firezone"
gcloud iam service-accounts add-iam-policy-binding "github-actions@github-iam-387915.iam.gserviceaccount.com" \
  --project="github-iam-387915" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/397012414171/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/${REPO}"

for more details see https://github.com/google-github-actions/auth.

Larger GitHub-hosted runners

We've configured two GitHub-hosted larger runners to use in workflows:

  • ubuntu-22.04.firezone-4c
  • ubuntu-22.04-firezone-16c

Please use them wisely (especially the 16c one) as we are billed for their usage.

Before you run your jobs on these larger runners, please ensure your workload is CPU-bound or Memory-size-bound so that your workflow / job will actually benefit from the extra cores. Many workloads are IO-bound and won't see a marked difference using a larger runner.

Self-hosted runners

We maintain a baremetal testbed for running our end-to-end test suite. See the e2e directory. Please don't target those runners unless you're specifically trying to run workflows that require a baremetal runner.

Busting the GCP Docker layer cache

If you find yourself hitting strange Docker image issues like Rust binaries failing to start inside Docker images, you may need to bust the GCP layer cache.

To do so:

  • Login to GCP
  • Ensure firezone-staging project is selected
  • Navigate to the artifact registry service
  • Delete all image versions for the appropriate cache/ image repository
Reference in New Issue View Git Blame Copy Permalink