Convert gocardless/stolon-pgbouncer to Github Actions #150
base: master
Conversation
env: | ||
DOCKER_PASS: xxxx9e14 | ||
DOCKER_USER: xxxxdmin | ||
GITHUB_TOKEN: xxxx6d08 |
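Review bot: the job-level `env:` block carries `DOCKER_PASS`, `DOCKER_USER` and `GITHUB_TOKEN` as literal values (masked here as `xxxx…`) rather than as references to repository secrets; in the workflow file these should read e.g. `DOCKER_PASS: ${{ secrets.DOCKER_PASS }}`, and `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` for the per-run token GitHub injects. Scoping the `env:` to the single step that performs the registry login, instead of the whole job, keeps the credentials out of every other step's environment, and a top-level `permissions:` block (e.g. `contents: read`) limits what that token can do if a step is compromised.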
Not sure what this was set to before. We might be able to get away with the usual GITHUB_TOKEN injected by GHA.
Hey Sam 👋
A note of warning: this is a public repo that anyone can open PRs to, so you’ll want to double check you don’t respond to those changes by running builds on any private GitHub agents you may have had around.
Especially if you’re relying on ambient creds on those machines, which might mean people outside of GC could exfiltrate GitHub resources under the GC org by misusing the creds.
I’ve not checked this super closely, but wanted to warn you in case you hadn’t considered it. It may make more sense to leave this and other open source repos on Circle, to avoid exposing the private infra.
Hey Lawrence,
Thanks for the heads up!
We don't have self-hosted runners set up just yet, but when we do we'll restrict them to run solely on private repositories, and leave public repos to use Github's runners.
Great, wanted to nudge you in case it had gone under the radar, but sounds like you’re on it :)
- uses: actions/upload-artifact@v2 | ||
with: | ||
path: |- | ||
/go/src/github.com/gocardless/stolon-pgbouncer/bin/stolon-pgbouncer.linux_amd64 | ||
/go/src/github.com/gocardless/stolon-pgbouncer/bin/stolon-pgbouncer-acceptance.linux_amd64 |
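Review bot: `actions/upload-artifact@v2` is referenced by a mutable tag; for a public repo whose workflow runs on every pull request, pinning third-party actions to a full commit SHA (with the tag kept in a trailing comment) closes the path where a moved tag silently swaps in different code. Separately, if the build and acceptance steps end up in one job as suggested in this thread, the upload here and the matching download below can be dropped altogether.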
I think uploading and downloading the artifact here and below is unnecessary. We could probably just bundle the build & acceptance into one job?
working-directory: "/go/src/github.com/gocardless/stolon-pgbouncer" | ||
runs-on: ubuntu-latest | ||
container: | ||
image: gocardless/stolon-pgbouncer-circleci:2020050701 |
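Review bot: the container image is pinned by the date tag `2020050701`, but tags are mutable; pinning by digest (`image: gocardless/stolon-pgbouncer-circleci@sha256:<digest>`, digest to be filled in from the registry) makes the build environment reproducible and immune to a re-pushed tag. The `working-directory` default of `/go/src/github.com/gocardless/stolon-pgbouncer` assumes the checkout lands in that GOPATH location; `actions/checkout` defaults to `$GITHUB_WORKSPACE`, so confirm it is given a matching `path` or the Go build will not find the source.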
image: gocardless/stolon-pgbouncer-circleci:2020050701 | |
image: gocardless/stolon-pgbouncer-ci:2020050701 |
We should remove references to circle throughout the repo.
- unit-integration | ||
steps: | ||
# # 'setup_remote_docker' was not transformed because there is no suitable equivalent in GitHub Actions | ||
- run: docker login -u "$DOCKER_USER" -p "$DOCKER_PASS" |
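Review bot: `docker login -u "$DOCKER_USER" -p "$DOCKER_PASS"` passes the password as a command-line argument, which the docker CLI itself warns against because it can show up in process listings and shell history; prefer `echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin`, or `docker/login-action`, which reads the secret from its input. Because this is a public repo, this step and any push that follows should also be gated to trusted refs, e.g. `if: github.event_name == 'push'`, so a fork pull request never reaches a credentialed step (GitHub withholds secrets from fork PRs anyway, which would otherwise just make this login fail noisily). The leftover `# # 'setup_remote_docker' was not transformed …` comment from the migration tool should be removed, since the thread notes the image already installs docker.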
Looks like our image installs docker so we can get away without adding much here. What registry are we wanting to login to? If it is GCR then we might want to make use of workload identity federation so we can bin some long lived credentials https://github.com/docker/login-action#google-container-registry-gcr
Also see our docs https://backstage.gocardless.io/docs/default/component/github-actions/CI/03-authentication/#authenticating-with-workload-identity-federation for how we can set this up
We're using docker hub, as this is a public project.
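The three concerns raised in this review (relying on the GHA-injected GITHUB_TOKEN, keeping a public repo off self-hosted runners with ambient credentials, and logging in to Docker Hub without long-lived credentials sitting in the workflow file) put together in one hardened workflow. This is an added illustration, not the PR's workflow file or GoCardless's own code. It assumes repository secrets named DOCKER_USER and DOCKER_PASS (the names shown on this page), a Makefile with `build` and `test` targets (assumed; the page only shows the produced binaries), and a placeholder Docker Hub repository `example/stolon-pgbouncer` that would have to be replaced with the real one.

```yaml
name: ci

on:
  push:
    branches: [master]
  pull_request:

# Least privilege for the GITHUB_TOKEN that GitHub injects into every run:
# nothing in this workflow needs more than read access to the repository.
permissions:
  contents: read

env:
  # Placeholder Docker Hub repository: the PR does not name the real one.
  IMAGE: example/stolon-pgbouncer

jobs:
  build-integration:
    # GitHub-hosted runner only: a public repo must never schedule fork PRs
    # onto self-hosted agents that carry ambient credentials.
    runs-on: ubuntu-latest
    container:
      # Date tag taken from the PR; pin by digest (image@sha256:<digest>)
      # in practice so a re-pushed tag cannot change the build environment.
      image: gocardless/stolon-pgbouncer-ci:2020050701
    steps:
      - uses: actions/checkout@v3   # pin to a full commit SHA in practice
      # Assumed Makefile targets; the page only shows the resulting binaries.
      - run: make build
      - run: make test

  release-image:
    needs: build-integration
    # Runs only for pushes to master, never for pull_request events, so a
    # fork PR can never reach a step that holds registry credentials.
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Credentials come from repository secrets and are scoped to this one
      # step; the action feeds the password to docker login over stdin
      # rather than as a command-line argument. With no `registry` input,
      # docker/login-action targets Docker Hub.
      - uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASS }}
      - uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}
```

If a plain `run:` step is preferred over the action, the equivalent login is `echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin` with the two variables set in that step's own `env:`. The split into a read-only build job that runs for everyone and a push job that runs only on `push` to `master` is what keeps the public-repo concern from the thread contained: contributors' PRs still get a full build, but no credentialed step ever executes on their behalf.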
Pipeline migrated from Circle CI 🎉
Manual steps
Perform the following steps to complete the migration:
gocardless/stolon-pgbouncer/build-integration
DOCKER_PASS
DOCKER_USER
GITHUB_TOKEN