Self-hosted GitHub Action Runners

This service is based on the echo template. Please view the README for details about the dev loop and how it works.

Architecture

We use the GitHub-Runner-Provisioner to serve a webhook to GitHub Actions. GitHub will send any Actions events to the GRP running in Skunkworks, which will parse those events looking for workflows that request special labels in their runs-on property.

Using the GitHub Self-Hosted Runner binaries we then spin up the custom runners in one of our supported runner providers - currently AWS and CodeMagic. Supported runners are configured in runner.go.

AWS

AWS runners are created in EC2 using the AWS SDK. See the aws_runners package for details on the implementation.

CodeMagic

CodeMagic runners are actually CodeMagic Builds (CI jobs in their service) that then pull the GitHub Self-Hosted binaries and register themselves as ephemeral (single-use) runners - picking up a single job from the calling repo and then terminating.

Testing

Integration Tests

Note: Before running tests, make sure you run the application with environment variable WEBHOOK_TOKEN=FAKE_TOKEN.

You will also need to set GITHUB_TOKEN to a PAT for the D6E Automaton. These values can all be found in the github-runner-provisioner-secrets.yaml file in Keybase; you will need to base64-decode them before use. If you are only running dry-runs, only AWS and GitHub authentication is required.

To test the application we use targets in the Makefile. The make go-unit-tests target will run the unit tests, and make test-runners will run the integration tests against the dry-run endpoints. Note that to test the AWS macOS-arm64 runner you will need to set the USE_CODEMAGIC environment variable to true in the GRP.

Testing CodeMagic M1 & AWS ubuntu-arm64:

USE_CODEMAGIC=true GITHUB_TOKEN=<pat> go run main.go --dry-run
make test-runners

Note: You can send requests to the production client using make run-<runner tag>. Be careful when sending requests to production using an HTTP client, since the dry-run request parameter defaults to true. This is necessary because we have no way to set GitHub to send this parameter.

Unit Tests

Some unit tests use mocks generated by gomock. If the interface being mocked is updated, you may have to re-generate the mocks by running:

make update-go-mocks

Env Vars

The runner provisioner requires the following variables to be configured:

  • GITHUB_TOKEN - a personal access token with admin access to the repo configuring the runners. We use the D6E-Automaton's token in production.
  • WEBHOOK_TOKEN - the secret used to configure the webhook in GitHub. We use the token stored at /Keybase/team/datawireio/infra/github-runner-provisioner-secrets
  • CODEMAGIC_TOKEN - the secret used to authenticate to the CodeMagic build API to trigger M1 runners
  • USE_CODEMAGIC - a boolean flag to indicate whether to use CodeMagic or AWS to provision M1 runners
  • AWS auth can be configured with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY or by using the AWS CLI