build(deps): bump actions/checkout from 4.1.7 to 5.0.0 #21234
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - release/** | |
| - release-library/** | |
| pull_request: | |
| types: [opened, synchronize, reopened, labeled] | |
| merge_group: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| env: | |
| CARGO_TERM_COLOR: always | |
| RELAY_CARGO_ARGS: "--locked" | |
| IS_MASTER: "${{ github.event_name == 'merge_group' }}" | |
| jobs: | |
| lint: | |
| needs: build-setup | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| env: | |
| RUSTFLAGS: ${{ needs.build-setup.outputs.rustflags }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| steps: | |
| - name: Install libcurl-dev | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libcurl4-openssl-dev | |
| - uses: actions/[email protected] | |
| with: | |
| submodules: recursive | |
| - name: Get changed files | |
| id: changes | |
| uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0 | |
| with: | |
| list-files: json | |
| filters: | | |
| all: | |
| - added|modified: '**/*' | |
| - name: Setup SSH agent | |
| if: env.SSH_PRIVATE_KEY != '' | |
| uses: webfactory/[email protected] | |
| with: | |
| ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} | |
| - name: Install Rust Toolchain | |
| run: | | |
| rustup toolchain install stable --profile minimal --no-self-update | |
| rustup component add clippy rustfmt rust-docs --toolchain stable | |
| - uses: swatinem/rust-cache@v2 | |
| with: | |
| key: ${{ github.job }} | |
| - uses: astral-sh/setup-uv@884ad927a57e558e7a70b92f2bccf9198a4be546 # v6 | |
| with: | |
| version: '0.8.2' | |
| # we just cache the venv-dir directly in action-setup-venv | |
| enable-cache: false | |
| - uses: getsentry/action-setup-venv@3a832a9604b3e1a4202ae559248f26867b467cc7 # v2.1.1 | |
| with: | |
| python-version: 3.11.9 | |
| cache-dependency-path: uv.lock | |
| install-cmd: uv sync --frozen --only-dev --active | |
| - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
| with: | |
| path: ~/.cache/pre-commit | |
| key: cache-epoch-1|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml', 'uv.lock') }} | |
| - name: Setup pre-commit | |
| run: pre-commit install-hooks | |
| - name: Run pre-commit | |
| run: | | |
| jq '.[]' --raw-output <<< '${{steps.changes.outputs.all_files}}' | | |
| # Run pre-commit to lint and format check files that were changed (but not deleted) | |
| xargs pre-commit run --files | |
| # running lint-python will unnecessarily go through setup-venv via devenv | |
| # we want to take advantage of cached action-setup-venv | |
| - run: make style-rust lint-rust | |
| - name: Check Docs | |
| run: cargo doc --workspace --all-features --no-deps --document-private-items | |
| env: | |
| RUSTDOCFLAGS: -Dwarnings | |
| lint_default: | |
| name: Lint Rust Default Features | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install libcurl-dev | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libcurl4-openssl-dev | |
| - uses: actions/[email protected] | |
| with: | |
| submodules: recursive | |
| - name: Install Rust Toolchain | |
| run: rustup toolchain install stable --profile minimal --component clippy --no-self-update | |
| - uses: swatinem/rust-cache@v2 | |
| with: | |
| key: ${{ github.job }} | |
| - name: Run Clippy | |
| run: cargo clippy --workspace --all-targets --no-deps -- -D warnings | |
| devservices-files-changed: | |
| name: detect what files changed | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 3 | |
| outputs: | |
| devservices-files-changed: ${{ steps.changes.outputs.devservices-files-changed }} | |
| steps: | |
| - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v4.1.7 | |
| - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 | |
| name: Check for file changes | |
| id: changes | |
| with: | |
| token: ${{ github.token }} | |
| filters: | | |
| devservices-files-changed: | |
| - 'devservices/**' | |
| - '.github/workflows/ci.yml' | |
| test: | |
| needs: build-setup | |
| timeout-minutes: 20 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [macos-latest, windows-latest] | |
| name: Test (${{ matrix.os }}) | |
| runs-on: ${{ matrix.os }} | |
| env: | |
| RUSTFLAGS: ${{ needs.build-setup.outputs.rustflags }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| # Skip redundant checks for library releases | |
| if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
| steps: | |
| - uses: actions/[email protected] | |
| with: | |
| submodules: recursive | |
| - name: Setup SSH agent | |
| if: env.SSH_PRIVATE_KEY != '' | |
| # Windows needs an older versino of the ssh agent: https://github.com/webfactory/ssh-agent/pull/17 | |
| uses: webfactory/[email protected] | |
| with: | |
| ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} | |
| - name: Install Rust Toolchain | |
| run: rustup toolchain install stable --profile minimal --no-self-update | |
| - uses: swatinem/rust-cache@v2 | |
| with: | |
| key: ${{ github.job }} | |
| - name: Run Cargo Tests | |
| run: cargo test --workspace | |
| test_all: | |
| needs: build-setup | |
| timeout-minutes: 15 | |
| name: Test All Features (ubuntu-latest) | |
| runs-on: ubuntu-latest | |
| env: | |
| RUSTFLAGS: ${{ needs.build-setup.outputs.rustflags }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| # Skip redundant checks for library releases | |
| if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
| # Testing all features requires Docker container operations that are only available on | |
| # `ubuntu-latest`. This `test-all` job is to be seen as complementary to the `test` job. If | |
| # services become available on other platforms, the jobs should be consolidated. See | |
| # https://docs.github.com/en/actions/guides/about-service-containers | |
| services: | |
| redis: # https://docs.github.com/en/actions/guides/creating-redis-service-containers | |
| image: ghcr.io/getsentry/image-mirror-library-redis:5.0-alpine | |
| ports: | |
| - 6379:6379 | |
| redis_secondary: | |
| image: ghcr.io/getsentry/image-mirror-library-redis:5.0-alpine | |
| ports: | |
| - 6380:6379 | |
| steps: | |
| - name: Install libcurl-dev | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libcurl4-openssl-dev | |
| - uses: actions/[email protected] | |
| with: | |
| submodules: recursive | |
| - name: Setup SSH agent | |
| if: env.SSH_PRIVATE_KEY != '' | |
| uses: webfactory/[email protected] | |
| with: | |
| ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} | |
| - name: Install Rust Toolchain | |
| run: rustup toolchain install stable --profile minimal --no-self-update | |
| - uses: swatinem/rust-cache@v2 | |
| with: | |
| key: ${{ github.job }} | |
| - name: Run Cargo Tests | |
| run: cargo test --workspace --all-features | |
| test_py: | |
| # Skip redundant checks for binary releases | |
| if: "!startsWith(github.ref, 'refs/heads/release/')" | |
| name: Test Python | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| with: | |
| submodules: recursive | |
| - name: Install Rust Toolchain | |
| run: rustup toolchain install stable --profile minimal --no-self-update | |
| - uses: swatinem/rust-cache@v2 | |
| with: | |
| key: ${{ github.job }} | |
| - uses: astral-sh/setup-uv@884ad927a57e558e7a70b92f2bccf9198a4be546 # v6 | |
| with: | |
| version: '0.8.2' | |
| # we just cache the venv-dir directly in action-setup-venv | |
| enable-cache: false | |
| - uses: getsentry/action-setup-venv@3a832a9604b3e1a4202ae559248f26867b467cc7 # v2.1.1 | |
| with: | |
| python-version: 3.11.9 | |
| cache-dependency-path: uv.lock | |
| install-cmd: uv sync --frozen --only-dev --active | |
| - name: Build and Install Library | |
| run: uv sync --frozen --verbose --active | |
| env: | |
| RELAY_DEBUG: 1 | |
| - name: Run Python Tests | |
| run: pytest -v py | |
| build-setup: | |
| name: Setup build metadata | |
| runs-on: ubuntu-latest | |
| if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
| env: | |
| FULL_CI: "${{ | |
| github.ref == 'refs/heads/master' | |
| || github.event_name == 'merge_group' | |
| || startsWith(github.ref, 'refs/heads/release/') | |
| || contains(github.event.pull_request.labels.*.name, 'Trigger: Full-CI') | |
| }}" | |
| steps: | |
| - id: set-outputs | |
| run: | | |
| echo "full_ci=$FULL_CI" >> $GITHUB_OUTPUT | |
| if [[ "$FULL_CI" == "true" ]]; then | |
| echo "Running full CI" | |
| echo 'image_names=["relay", "relay-pop"]' >> $GITHUB_OUTPUT | |
| echo 'targets=["x86_64-unknown-linux-gnu", "aarch64-unknown-linux-gnu"]' >> $GITHUB_OUTPUT | |
| echo 'platforms=["linux/amd64","linux/arm64"]' >> $GITHUB_OUTPUT | |
| else | |
| echo "Skipping some CI steps" | |
| echo 'image_names=["relay"]' >> $GITHUB_OUTPUT | |
| echo 'targets=["x86_64-unknown-linux-gnu"]' >> $GITHUB_OUTPUT | |
| echo 'platforms=["linux/amd64"]' >> $GITHUB_OUTPUT | |
| fi | |
| if [[ ("${{ github.event.pull_request.head.repo.fork }}" != "true" && "${{ github.actor }}" != "dependabot[bot]") || "${{ needs.build-setup.outputs.full_ci }}" == "true" ]]; then | |
| echo "rustflags=--cfg sentry --cfg tokio_unstable" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "rustflags=--cfg tokio_unstable" >> "$GITHUB_OUTPUT" | |
| fi | |
| outputs: | |
| image_names: "${{ steps.set-outputs.outputs.image_names }}" | |
| targets: "${{ steps.set-outputs.outputs.targets }}" | |
| platforms: "${{ steps.set-outputs.outputs.platforms }}" | |
| full_ci: "${{ steps.set-outputs.outputs.full_ci }}" | |
| rustflags: "${{ steps.set-outputs.outputs.rustflags }}" | |
| build: | |
| needs: build-setup | |
| timeout-minutes: 30 | |
| strategy: | |
| matrix: | |
| image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }} | |
| target: ${{ fromJson(needs.build-setup.outputs.targets) }} | |
| name: Build Relay Binary | |
| runs-on: |- | |
| ${{fromJson('{ | |
| "x86_64-unknown-linux-gnu": "ubuntu-22.04", | |
| "aarch64-unknown-linux-gnu": "ubuntu-22.04-arm" | |
| }')[matrix.target] }} | |
| if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
| env: | |
| RELAY_BIN: "target/${{ matrix.target }}/release/relay" | |
| FEATURES: |- | |
| ${{fromJson('{ | |
| "relay": "processing,crash-handler", | |
| "relay-pop": "crash-handler" | |
| }')[matrix.image_name] }} | |
| DOCKER_PLATFORM: |- | |
| ${{fromJson('{ | |
| "x86_64-unknown-linux-gnu": "linux/amd64", | |
| "aarch64-unknown-linux-gnu": "linux/arm64" | |
| }')[matrix.target] }} | |
| steps: | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y llvm curl | |
| - name: Install sentry-cli | |
| run: | | |
| curl -sL https://sentry.io/get-cli/ | bash | |
| - uses: actions/[email protected] | |
| with: | |
| submodules: recursive | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: swatinem/rust-cache@v2 | |
| with: | |
| key: "${{ github.job }}-${{ matrix.target }}-${{ matrix.image_name }}" | |
| - name: Compile | |
| run: | | |
| cargo build --release --locked --features "${FEATURES}" --target "${{ matrix.target }}" | |
| - name: Split debug info | |
| run: | | |
| llvm-objcopy --only-keep-debug "${RELAY_BIN}"{,.debug} | |
| llvm-objcopy --strip-debug --strip-unneeded "${RELAY_BIN}" | |
| llvm-objcopy --add-gnu-debuglink "${RELAY_BIN}"{.debug,} | |
| sentry-cli difutil bundle-sources "${RELAY_BIN}.debug" | |
| zip "${RELAY_BIN}-debug.zip" "${RELAY_BIN}.debug" | |
| - name: Prepare Artifacts | |
| run: | | |
| mkdir -p "artifacts/${DOCKER_PLATFORM}" | |
| cp "${RELAY_BIN}"{,-debug.zip,.src.zip} "artifacts/${DOCKER_PLATFORM}" | |
| - name: Upload Artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| retention-days: 1 | |
| name: ${{ matrix.image_name }}@${{ matrix.target }} | |
| path: "./artifacts/*" | |
| build-internal: | |
| needs: build-setup | |
| timeout-minutes: 30 | |
| strategy: | |
| matrix: | |
| image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }} | |
| target: ${{ fromJson(needs.build-setup.outputs.targets) }} | |
| name: Build Internal Relay Binary | |
| runs-on: |- | |
| ${{fromJson('{ | |
| "x86_64-unknown-linux-gnu": "ubuntu-22.04", | |
| "aarch64-unknown-linux-gnu": "ubuntu-22.04-arm" | |
| }')[matrix.target] }} | |
| if: "(!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]') || needs.build-setup.outputs.full_ci == 'true'" | |
| env: | |
| RUSTFLAGS: ${{ needs.build-setup.outputs.rustflags }} | |
| RELAY_BIN: "target/${{ matrix.target }}/release/relay" | |
| FEATURES: |- | |
| ${{fromJson('{ | |
| "relay": "processing,crash-handler", | |
| "relay-pop": "crash-handler" | |
| }')[matrix.image_name] }} | |
| DOCKER_PLATFORM: |- | |
| ${{fromJson('{ | |
| "x86_64-unknown-linux-gnu": "linux/amd64", | |
| "aarch64-unknown-linux-gnu": "linux/arm64" | |
| }')[matrix.target] }} | |
| steps: | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y llvm curl | |
| - name: Install sentry-cli | |
| run: | | |
| curl -sL https://sentry.io/get-cli/ | bash | |
| - uses: actions/[email protected] | |
| with: | |
| submodules: recursive | |
| - uses: dtolnay/rust-toolchain@stable | |
| - uses: swatinem/rust-cache@v2 | |
| with: | |
| key: "${{ github.job }}-${{ matrix.target }}-${{ matrix.image_name }}" | |
| - uses: webfactory/[email protected] | |
| with: | |
| ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} | |
| - name: Compile | |
| run: | | |
| cargo build --release --locked --features "${FEATURES}" --target "${{ matrix.target }}" | |
| - name: Split debug info | |
| run: | | |
| llvm-objcopy --only-keep-debug "${RELAY_BIN}"{,.debug} | |
| llvm-objcopy --strip-debug --strip-unneeded "${RELAY_BIN}" | |
| llvm-objcopy --add-gnu-debuglink "${RELAY_BIN}"{.debug,} | |
| sentry-cli difutil bundle-sources "${RELAY_BIN}.debug" | |
| zip "${RELAY_BIN}-debug.zip" "${RELAY_BIN}.debug" | |
| - name: Prepare and Encrypt Artifacts | |
| run: | | |
| mkdir -p "artifacts/${DOCKER_PLATFORM}" | |
| for file in "${RELAY_BIN}" "${RELAY_BIN}-debug.zip" "${RELAY_BIN}.src.zip"; do | |
| gpg --quiet --batch --yes --symmetric --cipher-algo AES256 \ | |
| --passphrase "${{ secrets.ENCRYPTION_KEY }}" \ | |
| --output "artifacts/${DOCKER_PLATFORM}/$(basename $file).gpg" "$file" | |
| done | |
| - name: Upload Artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| retention-days: 1 | |
| name: internal-${{ matrix.image_name }}@${{ matrix.target }} | |
| path: "./artifacts/*" | |
| build-docker: | |
| timeout-minutes: 5 | |
| needs: [build-setup, build] | |
| name: Build Docker Image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| strategy: | |
| matrix: | |
| image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }} | |
| env: | |
| PLATFORMS: "${{ join(fromJson(needs.build-setup.outputs.platforms), ',') }}" | |
| DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}" | |
| REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" | |
| steps: | |
| - uses: actions/[email protected] | |
| - uses: docker/setup-qemu-action@v3 | |
| - uses: docker/setup-buildx-action@v3 | |
| - uses: actions/download-artifact@v5 | |
| with: | |
| pattern: "${{ matrix.image_name }}@*" | |
| merge-multiple: true | |
| - name: Build and push to ghcr.io | |
| if: "!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'" | |
| uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01 | |
| with: | |
| image_name: ${{ matrix.image_name }} | |
| platforms: ${{ env.PLATFORMS }} | |
| dockerfile_path: "./Dockerfile.release" | |
| ghcr: true | |
| tag_nightly: true | |
| tag_latest: true | |
| google_ar: false | |
| publish_on_pr: true | |
| - name: Build and publish docker artifact | |
| if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" | |
| uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01 | |
| with: | |
| image_name: ${{ matrix.image_name }} | |
| platforms: ${{ env.PLATFORMS }} | |
| dockerfile_path: "./Dockerfile.release" | |
| ghcr: false | |
| google_ar: false | |
| outputs: "type=docker,dest=${{ matrix.image_name }}-docker-image" | |
| tags: "ghcr.io/getsentry/${{ matrix.image_name }}:${{ github.event.pull_request.head.sha || github.sha }}" | |
| - name: Upload docker image | |
| if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| retention-days: 1 | |
| name: ${{ matrix.image_name }}-docker-image | |
| path: "${{ matrix.image_name }}-docker-image" | |
| publish-to-ar-internal: | |
| timeout-minutes: 5 | |
| needs: [build-setup, build-internal] | |
| name: Publish Relay to Internal AR | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }} | |
| permissions: | |
| contents: "read" | |
| id-token: "write" | |
| env: | |
| PLATFORMS: "${{ join(fromJson(needs.build-setup.outputs.platforms), ',') }}" | |
| AR_DOCKER_IMAGE: "us-central1-docker.pkg.dev/internal-sentry/relay/${{ matrix.image_name }}" | |
| REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" | |
| if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" | |
| steps: | |
| - uses: actions/[email protected] | |
| - uses: docker/setup-qemu-action@v3 | |
| - uses: docker/setup-buildx-action@v3 | |
| # Logic taken from: publish-to-gcr | |
| - name: Google Auth | |
| id: auth | |
| uses: google-github-actions/auth@v3 | |
| with: | |
| workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool | |
| service_account: [email protected] | |
| - name: Configure docker | |
| run: | | |
| gcloud auth configure-docker us-central1-docker.pkg.dev | |
| # Logic taken from: build-docker | |
| - uses: actions/download-artifact@v5 | |
| with: | |
| pattern: "internal-${{ matrix.image_name }}@*" | |
| merge-multiple: true | |
| - name: Decrypt Artifacts | |
| run: | | |
| find . -name "*.gpg" | while read file; do | |
| output_file="${file%.gpg}" | |
| gpg --quiet --batch --yes --decrypt \ | |
| --passphrase "${{ secrets.ENCRYPTION_KEY }}" \ | |
| --output "$output_file" "$file" | |
| rm "$file" | |
| done | |
| - name: Build and push to Internal AR | |
| uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01 | |
| with: | |
| image_name: ${{ matrix.image_name }} | |
| platforms: ${{ env.PLATFORMS }} | |
| dockerfile_path: "./Dockerfile.release" | |
| ghcr: false | |
| publish_on_pr: true | |
| tag_latest: true | |
| google_ar: true | |
| google_ar_image_name: ${{ env.AR_DOCKER_IMAGE }} | |
| google_workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool | |
| google_service_account: [email protected] | |
| publish-to-gcr: | |
| timeout-minutes: 5 | |
| needs: [build-setup, build-docker] | |
| name: Publish Relay to GCR | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }} | |
| # required for google auth | |
| permissions: | |
| contents: "read" | |
| id-token: "write" | |
| env: | |
| GHCR_DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}" | |
| AR_DOCKER_IMAGE: "us-central1-docker.pkg.dev/sentryio/relay/${{ matrix.image_name }}" | |
| REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" | |
| # Skip redundant checks for library releases | |
| # Skip for dependabot and if run on a fork | |
| if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" | |
| steps: | |
| - name: Google Auth | |
| id: auth | |
| uses: google-github-actions/auth@v3 | |
| with: | |
| workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool | |
| service_account: [email protected] | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@v3" | |
| with: | |
| # https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation | |
| # You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools. | |
| version: ">= 390.0.0" | |
| - name: Configure docker | |
| run: | | |
| gcloud auth configure-docker us-central1-docker.pkg.dev | |
| - name: Copy Image from GHCR to AR | |
| run: docker buildx imagetools create --tag "${AR_DOCKER_IMAGE}:${REVISION}" "${GHCR_DOCKER_IMAGE}:${REVISION}" | |
| - name: Copy Nightly from GHCR to AR | |
| if: env.IS_MASTER == 'true' | |
| run: docker buildx imagetools create --tag "${AR_DOCKER_IMAGE}:nightly" "${GHCR_DOCKER_IMAGE}:nightly" | |
| gocd-artifacts: | |
| timeout-minutes: 10 | |
| needs: [build-setup, build-internal, publish-to-ar-internal] | |
| name: Upload build artifacts to gocd | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }} | |
| # required for google auth | |
| permissions: | |
| contents: "read" | |
| id-token: "write" | |
| env: | |
| REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" | |
| if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" | |
| steps: | |
| - name: Google Auth | |
| id: auth | |
| uses: google-github-actions/auth@v3 | |
| with: | |
| workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool | |
| service_account: [email protected] | |
| - name: Configure docker | |
| run: | | |
| gcloud auth configure-docker us-central1-docker.pkg.dev | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@v3" | |
| with: | |
| # https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation | |
| # You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools. | |
| version: ">= 390.0.0" | |
| - uses: actions/download-artifact@v5 | |
| with: | |
| pattern: "internal-${{ matrix.image_name }}@*" | |
| merge-multiple: true | |
| - name: Decrypt Artifacts | |
| run: | | |
| find . -name "*.gpg" | while read file; do | |
| output_file="${file%.gpg}" | |
| gpg --quiet --batch --yes --decrypt \ | |
| --passphrase "${{ secrets.ENCRYPTION_KEY }}" \ | |
| --output "$output_file" "$file" | |
| rm "$file" | |
| done | |
| - name: Upload gocd deployment assets | |
| run: | | |
| set -euxo pipefail | |
| VERSION="$(docker run --rm "us-central1-docker.pkg.dev/internal-sentry/relay/${{ matrix.image_name }}:${REVISION}" --version | cut -d" " -f2)" | |
| echo "${{ matrix.image_name }}@${VERSION}+${REVISION}" > release-name | |
| for PLATFORM in "linux/amd64" "linux/arm64"; do | |
| gsutil -m cp $PLATFORM/relay-debug.zip $PLATFORM/relay.src.zip ./release-name \ | |
| "gs://dicd-team-devinfra-cd--relay/deployment-assets/${REVISION}/${{ matrix.image_name }}/${PLATFORM}/" | |
| done | |
| test_integration: | |
| needs: build-setup | |
| name: Integration Tests | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| env: | |
| RUSTFLAGS: ${{ needs.build-setup.outputs.rustflags }} | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| # Skip redundant checks for library releases | |
| if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
| services: | |
| redis: # https://docs.github.com/en/actions/guides/creating-redis-service-containers | |
| image: ghcr.io/getsentry/image-mirror-library-redis:5.0-alpine | |
| ports: | |
| - 6379:6379 | |
| redis_secondary: | |
| image: ghcr.io/getsentry/image-mirror-library-redis:5.0-alpine | |
| ports: | |
| - 6380:6379 | |
| zookeeper: | |
| image: ghcr.io/getsentry/image-mirror-confluentinc-cp-zookeeper:6.2.0 | |
| env: | |
| ZOOKEEPER_CLIENT_PORT: 2181 | |
| kafka: | |
| image: ghcr.io/getsentry/image-mirror-confluentinc-cp-kafka:6.2.0 | |
| env: | |
| KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181 | |
| KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://127.0.0.1:9092 | |
| KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1 | |
| KAFKA_OFFSETS_TOPIC_NUM_PARTITIONS: 1 | |
| ports: | |
| - 9092:9092 | |
| steps: | |
| - name: Install libcurl-dev | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libcurl4-openssl-dev | |
| - uses: actions/[email protected] | |
| with: | |
| submodules: recursive | |
| - name: Install Rust Toolchain | |
| run: rustup toolchain install stable --profile minimal --no-self-update | |
| - uses: swatinem/rust-cache@v2 | |
| with: | |
| key: ${{ github.job }} | |
| - name: Setup SSH agent | |
| if: env.SSH_PRIVATE_KEY != '' | |
| uses: webfactory/[email protected] | |
| with: | |
| ssh-private-key: ${{ env.SSH_PRIVATE_KEY }} | |
| - uses: astral-sh/setup-uv@884ad927a57e558e7a70b92f2bccf9198a4be546 # v6 | |
| with: | |
| version: '0.8.2' | |
| # we just cache the venv-dir directly in action-setup-venv | |
| enable-cache: false | |
| - uses: getsentry/action-setup-venv@3a832a9604b3e1a4202ae559248f26867b467cc7 # v2.1.1 | |
| with: | |
| python-version: 3.11.9 | |
| cache-dependency-path: uv.lock | |
| install-cmd: uv sync --frozen --only-dev --active | |
| - run: make test-integration | |
| env: | |
| PYTEST_N: 6 | |
| RELAY_VERSION_CHAIN: "23.12.0,latest" | |
| sentry-relay-integration-tests: | |
| name: Sentry-Relay Integration Tests | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| needs: build-docker | |
| env: | |
| USE_NEW_DEVSERVICES: 1 | |
| RELAY_TEST_KEEP_CONTAINER: true | |
| # Skip redundant checks for library releases | |
| if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
| steps: | |
| # Checkout Sentry and run integration tests against latest Relay | |
| - name: Checkout Sentry | |
| uses: actions/[email protected] | |
| with: | |
| repository: getsentry/sentry | |
| path: sentry | |
| - name: Setup steps | |
| id: setup | |
| run: | | |
| # GITHUB_SHA in pull requests points to the merge commit | |
| RELAY_TEST_IMAGE=ghcr.io/getsentry/relay:${{ github.event.pull_request.head.sha || github.sha }} | |
| echo "We expected GCB to push this image $RELAY_TEST_IMAGE" | |
| echo "relay-test-image=$RELAY_TEST_IMAGE" >> "$GITHUB_OUTPUT" | |
| # We cannot execute actions that are not placed under .github of the main repo | |
| mkdir -p .github/actions | |
| cp -r sentry/.github/actions/setup-sentry .github/actions/ | |
| - name: Setup Sentry | |
| uses: ./.github/actions/setup-sentry | |
| with: | |
| workdir: sentry | |
| mode: symbolicator | |
| - name: Download Docker Image | |
| if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" | |
| uses: actions/download-artifact@v5 | |
| with: | |
| name: relay-docker-image | |
| - name: Import Docker Image | |
| if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" | |
| run: docker load -i relay-docker-image | |
| - name: Run Sentry integration tests | |
| working-directory: sentry | |
| env: | |
| RELAY_TEST_IMAGE: ${{ steps.setup.outputs.relay-test-image }} | |
| run: | | |
| echo "Testing against ${RELAY_TEST_IMAGE}" | |
| make test-relay-integration | |
| self-hosted-end-to-end: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 25 | |
| needs: build-docker | |
| # - Skip redundant checks for library releases | |
| # - Skip for dependabot or if it's a fork as the image cannot be uploaded to ghcr since this test attempts to pull | |
| # the image from ghcr | |
| if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'" | |
| steps: | |
| - name: Run Sentry self-hosted e2e CI | |
| uses: getsentry/self-hosted@master | |
| with: | |
| project_name: relay | |
| image_url: ghcr.io/getsentry/relay:${{ github.event.pull_request.head.sha || github.sha }} | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| - name: Inspect failure | |
| if: failure() | |
| run: | | |
| cd /home/runner/work/_actions/getsentry/self-hosted/master | |
| docker compose ps | |
| docker compose logs | |
| validate-devservices-config: | |
| runs-on: ubuntu-24.04 | |
| needs: devservices-files-changed | |
| if: needs.devservices-files-changed.outputs.devservices-files-changed == 'true' | |
| steps: | |
| - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v4.1.7 | |
| name: Checkout repository | |
| - name: Get devservices version | |
| id: get-devservices-version | |
| run: | | |
| awk -F'"' ' | |
| /name/ { pkg = $2 } | |
| /version/ { if (pkg == "devservices") print "version="$2 } | |
| ' uv.lock >> $GITHUB_OUTPUT | |
| - uses: getsentry/action-validate-devservices-config@711ae7221998ddf81211f25f5e3873ecffd22387 | |
| name: Validate devservices config | |
| with: | |
| devservices-version: ${{ steps.get-devservices-version.outputs.version }} |