From b65b1bc05200599606f799e311d8776ba0fd7b4f Mon Sep 17 00:00:00 2001 From: Jacinta Callahan Date: Fri, 21 Feb 2025 21:02:04 +0000 Subject: [PATCH 1/2] Temporarily bypass SHA check for clean demo deploy --- .gitlab-ci.yml | 74 ++++++++++++++++++++++++++++++--- scripts/compare-deployed-commit | 16 ++++--- 2 files changed, 79 insertions(+), 11 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 38013700a29..5ae8b38d254 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -30,16 +30,16 @@ variables: GOLANGCI_LINT_VERBOSE: "-v" # Specify the environment: loadtest, demo, exp - DP3_ENV: &dp3_env placeholder_env + DP3_ENV: &dp3_env demo # Specify the branch to deploy TODO: this might be not needed. So far useless - DP3_BRANCH: &dp3_branch placeholder_branch_name + DP3_BRANCH: &dp3_branch B-22384-Test-Sha-Check-dp3 # Ignore branches for integration tests - INTEGRATION_IGNORE_BRANCH: &integration_ignore_branch placeholder_branch_name - INTEGRATION_MTLS_IGNORE_BRANCH: &integration_mtls_ignore_branch placeholder_branch_name - CLIENT_IGNORE_BRANCH: &client_ignore_branch placeholder_branch_name - SERVER_IGNORE_BRANCH: &server_ignore_branch placeholder_branch_name + INTEGRATION_IGNORE_BRANCH: &integration_ignore_branch B-22384-Test-Sha-Check-dp3 + INTEGRATION_MTLS_IGNORE_BRANCH: &integration_mtls_ignore_branch B-22384-Test-Sha-Check-dp3 + CLIENT_IGNORE_BRANCH: &client_ignore_branch B-22384-Test-Sha-Check-dp3 + SERVER_IGNORE_BRANCH: &server_ignore_branch B-22384-Test-Sha-Check-dp3 OTEL_IMAGE_TAG: &otel_image_tag "git-$OTEL_VERSION-$CI_COMMIT_SHORT_SHA" @@ -1293,6 +1293,28 @@ integration_test_office: ############################################################### ## DP3 Env push and deploy stages all off of setting dp3 env ## ############################################################### + +check_against_dp3_sha: + stage: pre_checks # Run before deployment stages + tags: + - $RUNNER_TAG # Ensure the job runs on the correct GitLab Runner + environment: $DP3_ENV + image: $DOCKER_APP_IMAGE # Use the correct image for your pipeline + before_script: + - *setup_milmove_env # Set up environment variables if required. + script: + - echo "Skipping SHA check to force a clean deploy to demo." + - echo "success" > sha_check_status + # - echo "Checking if deployed commit is an ancestor..." + # - scripts/compare-deployed-commit my.demo.dp3.us $CI_COMMIT_SHA + artifacts: + paths: + - sha_check_status # Store the status for downstream jobs + expire_in: 1h + allow_failure: true # Ensure the job does not fail the pipeline even if the script detects a SHA mismatch + rules: + - *check_dp3 # Ensure this matches your ruleset for conditional execution + build_push_app_dp3: stage: push interruptible: true @@ -1303,6 +1325,7 @@ build_push_app_dp3: name: gcr.io/kaniko-project/executor:v1.14.0-debug entrypoint: [""] needs: + - check_against_dp3_sha - compile_app_client - compile_app_server before_script: @@ -1310,6 +1333,10 @@ build_push_app_dp3: - *setup_release_dp3 - *kaniko_before_setup script: + - | + if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then + echo "Deploy halted due to SHA check failure."; + exit 0; - echo "Building and Pushing app Docker image..." - /kaniko/executor --context "${CI_PROJECT_DIR}/" --dockerfile "${CI_PROJECT_DIR}/${APP_DOCKER_FILE}" --destination "${ECR_REPOSITORY_URI}/app:git-$CI_COMMIT_SHORT_SHA" after_script: @@ -1327,6 +1354,7 @@ build_push_migrations_dp3: name: gcr.io/kaniko-project/executor:v1.14.0-debug entrypoint: [""] needs: + - check_against_dp3_sha - compile_app_server - compile_app_client before_script: @@ -1334,6 +1362,10 @@ build_push_migrations_dp3: - *setup_release_dp3 - *kaniko_before_setup script: + - | + if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then + echo "Deploy halted due to SHA check failure."; + exit 0; - echo "Building and Pushing migrations Docker image..." - /kaniko/executor --context "${CI_PROJECT_DIR}/" --dockerfile "${CI_PROJECT_DIR}/Dockerfile.migrations" --destination "${ECR_REPOSITORY_URI}/app-migrations:git-$CI_COMMIT_SHORT_SHA" after_script: @@ -1351,6 +1383,7 @@ build_push_tasks_dp3: name: gcr.io/kaniko-project/executor:v1.14.0-debug entrypoint: [""] needs: + - check_against_dp3_sha - compile_app_server - compile_app_client before_script: @@ -1358,6 +1391,10 @@ build_push_tasks_dp3: - *setup_release_dp3 - *kaniko_before_setup script: + - | + if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then + echo "Deploy halted due to SHA check failure."; + exit 0; - echo "Building tasks Docker image..." - /kaniko/executor --context "${CI_PROJECT_DIR}/" --dockerfile "${CI_PROJECT_DIR}/${TASK_DOCKER_FILE}" --destination "${ECR_REPOSITORY_URI}/app-tasks:git-$CI_COMMIT_SHORT_SHA" after_script: @@ -1378,9 +1415,14 @@ push_otel_collector_image_dp3: name: $DOCKER_BASE_IMAGE entrypoint: [""] needs: + - check_against_dp3_sha - compile_app_server - compile_app_client script: + - | + if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then + echo "Deploy halted due to SHA check failure."; + exit 0; - echo "Logging in to DockerHub with Crane..." - echo "${DOCKERHUB_PASSWORD}" | crane auth login docker.io -u "${DOCKERHUB_USERNAME}" --password-stdin @@ -1411,6 +1453,7 @@ deploy_migrations_dp3: name: $DOCKER_APP_IMAGE entrypoint: [""] needs: + - check_against_dp3_sha - push_otel_collector_image_dp3 - build_push_migrations_dp3 - compile_app_server @@ -1419,6 +1462,10 @@ deploy_migrations_dp3: - *setup_aws_vars_dp3 - *setup_release_dp3 script: + - | + if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then + echo "Deploy halted due to SHA check failure."; + exit 0; # Step 1: Get the Digest - echo "Getting Digest from AWS" - export ECR_DIGEST=$(aws ecr describe-images --repository-name app-migrations --image-ids imageTag=git-$CI_COMMIT_SHORT_SHA --query 'imageDetails[0].imageDigest' --output text) @@ -1443,6 +1490,7 @@ deploy_tasks_dp3: name: $DOCKER_APP_IMAGE entrypoint: [""] needs: + - check_against_dp3_sha - deploy_migrations_dp3 - build_push_tasks_dp3 - compile_app_server @@ -1451,6 +1499,10 @@ deploy_tasks_dp3: - *setup_aws_vars_dp3 - *setup_release_dp3 script: + - | + if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then + echo "Deploy halted due to SHA check failure."; + exit 0; - echo "Getting Digest from AWS" - export ECR_DIGEST=$(aws ecr describe-images --repository-name app-tasks --image-ids imageTag=git-$CI_COMMIT_SHORT_SHA --query 'imageDetails[0].imageDigest' --output text) - echo "Deploying GHC fuel price data task service" @@ -1472,6 +1524,7 @@ deploy_app_client_tls_dp3: name: $DOCKER_APP_IMAGE entrypoint: [""] needs: + - check_against_dp3_sha - deploy_migrations_dp3 - push_otel_collector_image_dp3 - compile_app_server @@ -1484,6 +1537,10 @@ deploy_app_client_tls_dp3: - *setup_tls_vars_dp3 - *setup_release_dp3 script: + - | + if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then + echo "Deploy halted due to SHA check failure."; + exit 0; # - echo "Comparing against deployed commit" # - ./scripts/compare-deployed-commit "" $CI_COMMIT_SHA ${TLS_KEY} ${TLS_CERT} ${TLS_CA} - echo "Getting Digest from AWS" @@ -1514,6 +1571,7 @@ deploy_app_dp3: name: $DOCKER_APP_IMAGE entrypoint: [""] needs: + - check_against_dp3_sha - build_push_app_dp3 - deploy_migrations_dp3 - compile_app_server @@ -1526,6 +1584,10 @@ deploy_app_dp3: - *setup_aws_vars_dp3 - *setup_release_dp3 script: + - | + if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then + echo "Deploy halted due to SHA check failure."; + exit 0; - echo "Comparing against deployed commit" # - ./scripts/compare-deployed-commit "" "$CI_COMMIT_SHA" "$TLS_KEY" "$TLS_CERT" "$TLS_CA" - echo "Creating .go-version file if not already present" diff --git a/scripts/compare-deployed-commit b/scripts/compare-deployed-commit index c0f95b8da15..a488a624e52 100755 --- a/scripts/compare-deployed-commit +++ b/scripts/compare-deployed-commit @@ -34,19 +34,25 @@ fi if [[ "${deployed_commit}" == "${local_commit}" ]]; then echo "* Deployed commit ($deployed_commit) is the local commit ($local_commit)." echo "* Deploy can continue." + echo "success" > sha_check_status exit 0 # See pattern at https://git-scm.com/docs/git-merge-base elif git merge-base --is-ancestor "$deployed_commit" "$local_commit"; then echo "* Deployed commit ($deployed_commit) is an ancestor of the local commit ($local_commit)." echo "* Deploy can continue." + echo "success" > sha_check_status exit 0 else - echo "* Deployed commit ($deployed_commit) is not an ancestor of the local commit ($local_commit)." + echo "* Deployed commit ($deployed_commit) is NOT ancestor of the local commit ($local_commit)." echo "* The deployed commit is either ahead of the local commit or the commits have different histories." echo "* Deploy is blocked." - if [ -n "${CIRCLECI+x}" ]; then - circleci-agent step halt - else - exit 1 + + # Ensure a status file is always written + echo "failed" > sha_check_status + +if [ -n "${GITLAB_CI+x}" ]; then + exit 0 # Prevents the job from failing but stops deployment +else + exit 1 # Fails locally if not running in GitLab fi fi From 6ded4048496c18b877c434fa07ef19956d0a1098 Mon Sep 17 00:00:00 2001 From: Jacinta Callahan Date: Fri, 21 Feb 2025 21:38:19 +0000 Subject: [PATCH 2/2] Temporarily bypass SHA check for clean demo deploy --- .gitlab-ci.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5ae8b38d254..a88b4abd628 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1337,6 +1337,7 @@ build_push_app_dp3: if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then echo "Deploy halted due to SHA check failure."; exit 0; + fi - echo "Building and Pushing app Docker image..." - /kaniko/executor --context "${CI_PROJECT_DIR}/" --dockerfile "${CI_PROJECT_DIR}/${APP_DOCKER_FILE}" --destination "${ECR_REPOSITORY_URI}/app:git-$CI_COMMIT_SHORT_SHA" after_script: @@ -1366,6 +1367,7 @@ build_push_migrations_dp3: if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then echo "Deploy halted due to SHA check failure."; exit 0; + fi - echo "Building and Pushing migrations Docker image..." - /kaniko/executor --context "${CI_PROJECT_DIR}/" --dockerfile "${CI_PROJECT_DIR}/Dockerfile.migrations" --destination "${ECR_REPOSITORY_URI}/app-migrations:git-$CI_COMMIT_SHORT_SHA" after_script: @@ -1395,6 +1397,7 @@ build_push_tasks_dp3: if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then echo "Deploy halted due to SHA check failure."; exit 0; + fi - echo "Building tasks Docker image..." - /kaniko/executor --context "${CI_PROJECT_DIR}/" --dockerfile "${CI_PROJECT_DIR}/${TASK_DOCKER_FILE}" --destination "${ECR_REPOSITORY_URI}/app-tasks:git-$CI_COMMIT_SHORT_SHA" after_script: @@ -1423,6 +1426,7 @@ push_otel_collector_image_dp3: if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then echo "Deploy halted due to SHA check failure."; exit 0; + fi - echo "Logging in to DockerHub with Crane..." - echo "${DOCKERHUB_PASSWORD}" | crane auth login docker.io -u "${DOCKERHUB_USERNAME}" --password-stdin @@ -1466,6 +1470,7 @@ deploy_migrations_dp3: if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then echo "Deploy halted due to SHA check failure."; exit 0; + fi # Step 1: Get the Digest - echo "Getting Digest from AWS" - export ECR_DIGEST=$(aws ecr describe-images --repository-name app-migrations --image-ids imageTag=git-$CI_COMMIT_SHORT_SHA --query 'imageDetails[0].imageDigest' --output text) @@ -1503,6 +1508,7 @@ deploy_tasks_dp3: if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then echo "Deploy halted due to SHA check failure."; exit 0; + fi - echo "Getting Digest from AWS" - export ECR_DIGEST=$(aws ecr describe-images --repository-name app-tasks --image-ids imageTag=git-$CI_COMMIT_SHORT_SHA --query 'imageDetails[0].imageDigest' --output text) - echo "Deploying GHC fuel price data task service" @@ -1541,6 +1547,7 @@ deploy_app_client_tls_dp3: if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then echo "Deploy halted due to SHA check failure."; exit 0; + fi # - echo "Comparing against deployed commit" # - ./scripts/compare-deployed-commit "" $CI_COMMIT_SHA ${TLS_KEY} ${TLS_CERT} ${TLS_CA} - echo "Getting Digest from AWS" @@ -1588,6 +1595,7 @@ deploy_app_dp3: if [ -f sha_check_status ] && grep -q "failed" sha_check_status; then echo "Deploy halted due to SHA check failure."; exit 0; + fi - echo "Comparing against deployed commit" # - ./scripts/compare-deployed-commit "" "$CI_COMMIT_SHA" "$TLS_KEY" "$TLS_CERT" "$TLS_CA" - echo "Creating .go-version file if not already present"