feat(prerelease-setup): add composite action for pre-release workflow setup#148
sowmyav27 wants to merge 5 commits into
… setup

Extracts ~100 lines of duplicated setup steps from loft-sh/loft-enterprise .github/workflows/prerelease-checks.yaml (prerelease-vcluster + prerelease-aicloud jobs) into a single composite action.

The action performs: free disk space, checkout, setup-go (cache on, go-version-file: go.mod), setup-kubectl, setup-helm, OIDC AWS Login (role-session-name is the only AWS input that differs between the two jobs), resolve+validate the standalone vCluster base/upgrade and platform base/RC versions (with curl/jq fallbacks to "latest release" / "latest pre-release"), download the vCluster CLI matching the resolved base, and verify kubectl/helm/vcluster are on PATH.

Resolved versions are written to GITHUB_OUTPUT and mirrored to GITHUB_ENV so the consumer's downstream test step (run-ginkgo) keeps reading them as env vars exactly as in the inlined version.

The action does NOT include EC2 provisioning (aws-test-infra) or test execution (run-ginkgo) — those remain inline in the consumer because only the AI Cloud job needs EC2 and both jobs run different test directories.

Mirrors the convention from PR loft-sh#139 (aws-test-infra). Refs ENGQA-1042.
…ers; drop vci-k8s inputs

Two CI fixes plus a scope tightening:
- zizmor (github-env): the previous revision mirrored resolved versions to GITHUB_ENV so the consumer's downstream test step could read them as env vars. zizmor flagged this as a code-execution risk and the repo convention (aws-test-infra) writes only to GITHUB_OUTPUT. The consumer now wires outputs to env via the run-ginkgo step's env: block (shown in README Usage).
- check-docs: README must use the AUTO-DOC-INPUT / AUTO-DOC-OUTPUT markers consumed by tj-actions/auto-doc; hand-written tables removed and the markers populated via `make generate-docs`.
- vci-k8s-version / vci-k8s-upgrade-version inputs dropped. They are not produced or validated by any setup step and are already available to the consumer at the workflow env: block; carrying them as pass-through-only inputs would be dead code. README "Notes" calls this deviation from the original ticket scope out explicitly.
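The pattern this commit message describes (validate the resolved version, then write it only to GITHUB_OUTPUT), as an added shell example that is not the action's own code. The function names and sample values are constructed, and using grep for the semver check is an assumption.

```shell
#!/bin/sh
# Added example (not the action's code): validate a resolved version, then
# publish it as a step output only. Function names are hypothetical.
set -eu

# Outside GitHub Actions, fall back to a temp file so the script runs locally.
: "${GITHUB_OUTPUT:=$(mktemp)}"

# Optional leading "v", MAJOR.MINOR.PATCH, optional pre-release suffix.
SEMVER_RE='^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'
NL='
'

is_semver() {
  # grep matches line by line, so a multi-line value whose first line is a
  # valid version would pass; reject any embedded newline before matching.
  case "$1" in
    *"$NL"*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq "$SEMVER_RE"
}

emit_version() {
  # $1 = output name, $2 = resolved version (from an input or an API fallback)
  if ! is_semver "$2"; then
    echo "::error::$1 is not a valid semver version" >&2
    return 1
  fi
  # name=value in GITHUB_OUTPUT is plain data for later steps; it never
  # changes their environment the way a line in GITHUB_ENV would.
  printf '%s=%s\n' "$1" "$2" >> "$GITHUB_OUTPUT"
}

# Constructed sample values, not taken from the PR.
emit_version platform-rc-version 'v4.5.0-rc.1'
emit_version platform-base-version "v4.4.0${NL}EXTRA=1" \
  || echo "rejected multi-line value" >&2
```

The caller then maps each output it needs into the test step's `env:` block, so nothing the resolver fetched from an API response reaches the environment of later steps implicitly.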
…zmor unpinned-uses)
…anup
- Add required github-token input. The platform release resolvers call the
GitHub API for loft-sh/loft-enterprise, which is private — unauthenticated
calls return 404. Pass ${{ github.token }} from a caller whose job
permissions include contents:read.
- Authenticate the vcluster (public) /releases/latest call too. The GH API
rate-limits unauthenticated calls to 60/hr per runner IP; auth bumps it to
1000/hr per token and removes the intermittent 403 mode on shared runners.
- Drop output-credentials: true. configure-aws-credentials exports AWS_*
env vars by default; the flag only adds step outputs, which no downstream
step reads.
- Bump major versions on third-party actions:
actions/setup-go v5 -> v6.4.0
azure/setup-kubectl v4 -> v5.1.0
azure/setup-helm v4 -> v5.0.0
aws-actions/configure-aws-credentials v5.1.1 -> v6.1.3
All four bumps share the same breaking change (node24 runtime, requires
runner v2.327.1+) which GitHub-hosted ubuntu-latest already satisfies.
- Regenerate README via make generate-docs.
Thanks for the review @sydorovdmytro — pushed
Line 104 (private-repo auth) + Line 90 (rate limit) — fixed. Added a required
Line 72 (
Line 55 (outdated action versions) — bumped:
All four share the same breaking change (node24 runtime, requires runner ≥v2.327.1) which GitHub-hosted
Line 83 (Bats extraction) and Line 42 (free-disk-space → caller) — deferring. Bats refactor is scope creep for this PR; happy to follow up in a separate one if you'd like. Leaving free-disk-space in the action for now since both current consumers need it and pulling it out duplicates 5 lines per caller — open to revisiting if more callers appear that don't need it.
Summary
Adds .github/actions/prerelease-setup/ — a composite action that consolidates the duplicated setup block at the top of the two jobs in loft-sh/loft-enterprise .github/workflows/prerelease-checks.yaml (prerelease-vcluster and prerelease-aicloud). The two jobs share ~100 lines of identical setup that only differ in role-session-name.
The action performs:
- jlumbroso/free-disk-space@v1.3.1)
- actions/checkout@v6)
- actions/setup-go@v5, go-version-file: go.mod, cache on)
- azure/setup-kubectl@v4)
- azure/setup-helm@v4)
- aws-actions/configure-aws-credentials@v5.1.1 against arn:aws:iam::084374023943:role/e2e-test-executor, us-west-2, 6300s)
- set -euo pipefail + semver regex + curl/jq "latest release" / "latest pre-release" fallbacks, identical to the inlined version)
- vcluster CLI matching the resolved base standalone version
- kubectl, helm, vcluster on $PATH
Resolved versions are written to $GITHUB_OUTPUT and mirrored to $GITHUB_ENV so the consumer's downstream run-ginkgo step keeps reading them as env vars exactly as in the inlined version — this preserves the acceptance criterion that PR 6937's two jobs run identically before and after extraction.
Mirrors the convention from #139 (aws-test-infra).
Inputs / outputs
Documented in README.md. Summary:
- role-session-name (req), standalone-vcluster-version, standalone-vcluster-upgrade-version (req), platform-base-version, platform-rc-version, vci-k8s-version, vci-k8s-upgrade-version.
- v): standalone-vcluster-version, standalone-vcluster-upgrade-version, platform-base-version, platform-rc-version.
Out of scope
- aws-test-infra@aws-test-infra/v1, AI Cloud–only)
- run-ginkgo@run-ginkgo/v1, different test dirs per job)
- loft-enterprise consumer PR — tracked separately under ENGQA-1042 Step 2; it will reference this action via the prerelease-setup/v1 tag after merge.
Test plan
- prerelease-setup/v1 after merge
- loft-enterprise consumer PR (Step 2) referencing @prerelease-setup/v1; verify both prerelease-vcluster and prerelease-aicloud jobs run identically before/after (CI run time and artifact contents unchanged)
References
- aws-test-infra)