Merge branch 'main' into feat/inventory-remove-orka-release

nodejs · Feb 5, 2025 · 175776e · 175776e
2 parents 1343b7d + 7a568fd
commit 175776e
Show file tree

Hide file tree

Showing 80 changed files with 2,858 additions and 960 deletions.
diff --git a/.github/workflows/check_assets-tool.yml b/.github/workflows/check_assets-tool.yml
@@ -0,0 +1,43 @@
+name: Run tests for check_assets
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/check_assets-tool.yml'
+      - 'ansible/www-standalone/tools/promote/expected_assets/*'
+      - 'ansible/www-standalone/tools/promote/check_assets*'
+      - 'ansible/www-standalone/tools/promote/check_r2_assets*'
+      - 'ansible/www-standalone/tools/promote/test/**'
+  push:
+    paths:
+      - '.github/workflows/check_assets-tool.yml'
+      - 'ansible/www-standalone/tools/promote/expected_assets/*'
+      - 'ansible/www-standalone/tools/promote/check_assets*'
+      - 'ansible/www-standalone/tools/promote/check_r2_assets*'
+      - 'ansible/www-standalone/tools/promote/test/**'
+  schedule:
+    - cron: 0 0 * * *
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  # This needs to match the version of Node.js on www.
+  NODE_VERSION: 22
+
+jobs:
+  run-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout current repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Use Node.js ${{ env.NODE_VERSION }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+      - name: Run tests
+        run: node --test --experimental-test-module-mocks
+        working-directory: ansible/www-standalone/tools/promote/  
diff --git a/.github/workflows/orka-templates.yml b/.github/workflows/orka-templates.yml
@@ -0,0 +1,56 @@
+name: Check ORKA Packer Templates
+
+on:
+  push:
+    paths:
+      - 'orka/**/*.pkr.hcl'
+  pull_request:
+    paths:
+      - 'orka/**/*.pkr.hcl'
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+
+    - name: Set up Packer
+      uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 #v3.1.0
+
+    - name: Initialize Packer
+      run: |
+        for file in $(find . -name '*.pkr.hcl'); do
+          echo "Initializing $file"
+          packer init $file || exit 1
+        done
+      working-directory: orka/templates
+
+    - name: Validate Packer templates
+      env:
+        ORKA_ENDPOINT: 'https://mock-orka-endpoint'
+        ORKA_AUTH_TOKEN: 'mock-orka-auth-token'
+        SSH_DEFAULT_USERNAME: 'mock-ssh-default-username'
+        SSH_DEFAULT_PASSWORD: 'mock-ssh-default-password'
+        SSH_TEST_PASSWORD: 'mock-ssh-test-password'
+        SSH_RELEASE_PASSWORD: 'mock-ssh-release-password'
+        SSH_TEST_PUBLIC_KEY: 'mock-ssh-test-public-key'
+        SSH_RELEASE_PUBLIC_KEY: 'mock-ssh-release-public-key'
+      run: |
+        for file in $(find . -name '*.pkr.hcl'); do
+          echo "Validating $file"
+          vars="-var orka_endpoint=$ORKA_ENDPOINT -var orka_auth_token=$ORKA_AUTH_TOKEN -var ssh_default_username=$SSH_DEFAULT_USERNAME"
+          
+          if echo "$file" | grep -q "release"; then
+            vars="$vars -var ssh_release_password=$SSH_RELEASE_PASSWORD -var ssh_release_public_key=$SSH_RELEASE_PUBLIC_KEY"
+          elif echo "$file" | grep -q "test"; then
+            vars="$vars -var ssh_test_password=$SSH_TEST_PASSWORD -var ssh_test_public_key=$SSH_TEST_PUBLIC_KEY -var ssh_default_password=$SSH_DEFAULT_PASSWORD"
+          fi
+
+          packer validate $vars $file || exit 1
+        done
+      working-directory: orka/templates
diff --git a/.gitignore b/.gitignore
@@ -14,3 +14,6 @@ ansible/host_vars/*
 !ansible/host_vars/*-template
 .venv
 Pipfile.lock
+
+# Orka secrets files including naming mutations
+orka/*/.env*
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
@@ -56,7 +56,9 @@ should be aware of the bounds of their expertise and act accordingly.
   the basics of a trust relationship. The most two most straightforward paths
   to trust are:
   1. An established relationship with the Node.js project and its associated
-     working groups and activities. The longer the better.
+     working groups and activities. The longer the better. In case of doubt,
+     or if the individual is _not_ a Node.js Collaborator, contact the Node.js
+     TSC.
   2. A contractual relationship (such as employment) with a member company of
      the OpenJS Foundation. Contractual relationships carry legal weight and
      provide greater likelihood of a stable trust relationship; at a minimum

diff --git a/README.md b/README.md
@@ -142,7 +142,7 @@ accesses and team roles see [GOVERNANCE.md][].
 ### Emeriti
 
 - [@addaleax](https://github.com/addaleax) - Anna Henningsen
-* [@anonrig](https://github.com/anonrig) - Yagiz Nizipli
+- [@anonrig](https://github.com/anonrig) - Yagiz Nizipli
 - [@bnoordhuis](https://github.com/bnoordhuis) - Ben Noordhuis
 - [@gibfahn](https://github.com/gibfahn) - Gibson Fahnestock
 - [@gireeshpunathil](https://github.com/gireeshpunathil) - Gireesh Punathil

diff --git a/ansible.cfg b/ansible.cfg
@@ -29,6 +29,7 @@ ansible_python_interpreter = /opt/local/bin/python
 
 [hosts:freebsd]
 ansible_python_interpreter = /usr/local/bin/python3
+ansible_shell_allow_world_readable_temp = True
 
 [hosts:ibm]
 become_method             = sudo

diff --git a/ansible/README.md b/ansible/README.md
@@ -255,15 +255,11 @@ Unsorted stuff of things we need to do/think about
 - [ ] move all service-related stuff to handlers
 - [ ] find a nicer way of adding proxyhosts to iptables
 - [ ] add clang/clang++ symlinks for ccache
-- [ ] centos7 needs different ccache path
-- [ ] debian7 needs to update alternative gcc/g++
 - [ ] verify that /usr/local/bin works as ccache install path
 - [x] remove subversion since v8 tests uses git nowadays
 - [ ] assign 192/256mb ram to the jenkins instances that requires it:
       - aix
       - TBD
-- [ ] epel-release for centos - required for centos7 on packet.net arm64
-      before ccache can be installed
 - [x] make .ssh/config and .ssh/id_rsa for release machines, adding config
       for `node-www` and record host key for node-www
 - [ ] add explicit ARCH and DESTCPU for release machines (RV: I'm adding

diff --git a/ansible/inventory.yml b/ansible/inventory.yml
@@ -17,8 +17,8 @@ hosts:
         ubuntu2204-x64-1: {ip: 107.170.240.62, alias: ci}
 
     - ibm:
-        ubuntu1804-x64-1: {ip: 169.45.166.50, alias: ci-release}
         ubuntu2004-x64-1: {ip: 169.60.150.91, alias: ansible}
+        ubuntu2404-x64-1: {ip: 169.61.75.62, alias: ci-release}
 
     - joyent:
         debian10-x64-1: {ip: 147.28.162.110, alias: grafana}
@@ -53,8 +53,6 @@ hosts:
         ibmi73-ppc64_be-1: {ip: 65.183.160.62, user: nodejs}
 
     - joyent:
-        smartos18-x64-2: {ip: 147.28.162.101}
-        smartos20-x64-2: {ip: 147.28.162.108}
         ubuntu1804_docker-x64-1: {ip: 147.28.162.104, user: ubuntu}
 
     - macstadium:
@@ -76,7 +74,6 @@ hosts:
         aix72-ppc64_be-1:
             ip: 140.211.9.77
             server_jobs: 6
-        centos7-arm64-1: {ip: 140.211.169.7, server_jobs: 2, user: centos}
         rhel8-arm64-1:
             ip: 140.211.169.58
             server_jobs: 2
@@ -108,19 +105,19 @@ hosts:
     - digitalocean:
         debian11-x64-1: {ip: 174.138.79.159, swap_file_size_mb: 2048}
         debian12-x64-1: {ip: 159.203.105.159, swap_file_size_mb: 2048}
-        fedora39-x64-1: {ip: 159.203.117.50}
-        fedora39-x64-2: {ip: 134.209.172.40}
         fedora40-x64-1: {ip: 159.65.248.149}
         fedora40-x64-2: {ip: 162.243.187.89}
-        freebsd12-x64-1: {ip: 45.55.90.237, user: freebsd}
-        freebsd12-x64-2: {ip: 107.170.28.213, user: freebsd}
+        fedora41-x64-1: {ip: 165.227.191.35}
+        fedora41-x64-2: {ip: 159.65.246.5}
+        freebsd13-x64-1: {ip: 138.197.25.49, user: freebsd, swap_file_size_mb: 2048}
+        freebsd13-x64-2: {ip: 159.89.188.229, user: freebsd, swap_file_size_mb: 2048}
         rhel8-x64-1: {ip: 161.35.139.78, build_test_v8: yes, swap_file_size_mb: 2048}
         rhel9-x64-1: {ip: 134.122.12.240, swap_file_size_mb: 2048}
         ubuntu2204_docker-x64-1: {ip: 134.209.55.216}
         ubuntu2204_docker-x64-2: {ip: 159.89.183.200}
         ubuntu1804-x64-1: {ip: 178.128.181.213}
-        ubuntu2204-x64-1: {ip: 138.197.4.1}
-        ubuntu2204-x64-2: {ip: 167.99.124.188}
+        ubuntu2204-x64-1: {ip: 138.197.4.1, swap_file_size_mb: 2048}
+        ubuntu2204-x64-2: {ip: 167.99.124.188, swap_file_size_mb: 2048}
 
     - equinix:
         ubuntu2004_docker-arm64-1: {ip: 145.40.81.219}
@@ -152,8 +149,8 @@ hosts:
         rhel8-x64-2: {ip: 169.61.75.58, build_test_v8: yes}
         rhel8-x64-3: {ip: 52.117.26.13, build_test_v8: yes}
         rhel9-x64-1: {ip: 169.60.150.92, swap_file_size_mb: 2048}
+        rhel9-x64-2: {ip: 169.44.168.2}
         ubuntu2204-x64-1: {ip: 169.60.150.82}
-        ubuntu2204-x64-2: {ip: 169.44.168.2}
         # when adding, removing or changing the IPs for any
         # `jenkins-workspace-*` machine, remember to rerun
         # the `ansible/playbooks/create-github-bot.yml` playbook
@@ -162,10 +159,6 @@ hosts:
         ubuntu2204_docker-x64-1: {ip: 52.117.26.9}
 
     - equinix_mnx:
-        smartos18-x64-3: {ip: 147.28.162.102}
-        smartos18-x64-4: {ip: 147.28.162.103}
-        smartos20-x64-3: {ip: 147.28.162.107}
-        smartos20-x64-4: {ip: 147.28.162.109}
         ubuntu1804-x64-1: {ip: 147.28.162.99, user: ubuntu}
 
     - hetzner:
@@ -230,10 +223,23 @@ hosts:
         # to update the Jenkins worker IP allowlist in github-bot
         ubuntu2204-x64-1: {ip: 67.158.54.159, alias: jenkins-workspace-9}
         ubuntu2204-x64-2: {ip: 8.225.232.44, alias: jenkins-workspace-10}
-        smartos21-x64-1: {ip: 8.225.232.135}
-        smartos21-x64-2: {ip: 8.225.232.137}
-        smartos23-x64-1: {ip: 8.225.232.134}
-        smartos23-x64-2: {ip: 8.225.232.141}
+        smartos22-x64-1:
+          ip: 172.16.9.3
+          ansible_ssh_common_args: '-o ProxyCommand="ssh -i ~/.ssh/nodejs_build_test -W %h:%p [email protected]"'
+          ansible_user: root
+        smartos22-x64-2:
+          ip: 172.16.9.3
+          ansible_ssh_common_args: '-o ProxyCommand="ssh -i ~/.ssh/nodejs_build_test -W %h:%p [email protected]"'
+          ansible_user: root
+        smartos23-x64-4:
+          ip: 172.16.9.3
+          ansible_ssh_common_args: '-o ProxyCommand="ssh -i ~/.ssh/nodejs_build_test -W %h:%p [email protected]"'
+          ansible_user: root
+        smartos23-x64-5:
+          ip: 172.16.9.3
+          ansible_ssh_common_args: '-o ProxyCommand="ssh -i ~/.ssh/nodejs_build_test -W %h:%p [email protected]"'
+          ansible_user: root
+
 
     - osuosl:
         # secret for -1 was compromised, do not use -1 name
@@ -250,9 +256,10 @@ hosts:
         rhel8-ppc64_le-2: {ip: 140.211.168.76, user: cloud-user, build_test_v8: yes, swap_file_size_mb: 2048}
         rhel8-ppc64_le-3: {ip: 140.211.168.221, user: cloud-user, build_test_v8: yes, swap_file_size_mb: 2048}
         rhel8-ppc64_le-4: {ip: 140.211.168.194, user: cloud-user, build_test_v8: yes, swap_file_size_mb: 2048}
-        rhel9-ppc64_le-1: {ip: 140.211.10.92, user: cloud-user, swap_file_size_mb: 2048}
-        rhel9-ppc64_le-2: {ip: 140.211.10.69, user: cloud-user, swap_file_size_mb: 2048}
-        rhel9-ppc64_le-3: {ip: 140.211.10.110, user: cloud-user, swap_file_size_mb: 2048}
+        rhel9-ppc64_le-1: {ip: 140.211.10.105, user: cloud-user, swap_file_size_mb: 2048}
+        rhel9-ppc64_le-2: {ip: 140.211.10.98, user: cloud-user, swap_file_size_mb: 2048}
+        rhel9-ppc64_le-3: {ip: 140.211.10.102, user: cloud-user, swap_file_size_mb: 2048}
+        rhel9-ppc64_le-4: {ip: 140.211.10.107, user: cloud-user, swap_file_size_mb: 2048}
         ubuntu2004_docker-arm64-1: {ip: 140.211.169.11, user: ubuntu}
 
     - orka:
@@ -283,21 +290,19 @@ hosts:
             user: admin
 
     - iinthecloud:
-        ibmi73-ppc64_be-1: {ip: 65.183.160.52, user: nodejs}
-        ibmi73-ppc64_be-2: {ip: 65.183.160.59, user: nodejs}
+        ibmi74-ppc64_be-1: {ip: 65.183.160.52, user: nodejs}
+        ibmi74-ppc64_be-2: {ip: 65.183.160.59, user: nodejs}
 
     - rzkh:
-        ibmi73-ppc64_be-1:
+        ibmi74-ppc64_be-1:
             ip: 185.113.4.148
             user: nodejs
             server_jobs: 32
 
     - rackspace:
-        centos7-x64-1: {ip: 119.9.27.82}
-        debian10-x64-1: {ip: 104.239.140.184}
         debian11-x64-1: {ip: 23.253.109.216, swap_file_size_mb: 4096}
-        ubuntu1604-x64-1: {ip: 119.9.51.176}
-        ubuntu1604-x64-2: {ip: 104.130.124.194}
+        debian12-x64-1: {ip: 104.130.124.194, swap_file_size_mb: 4096}
+        ubuntu2204-x64-1: {ip: 119.9.52.75, swap_file_size_mb: 4096, user: ubuntu}
         win2016_vs2015-x64-1: {}
         win2016_vs2015-x64-2: {}
         win2019_vs2019-x64-1: {}
@@ -312,5 +317,4 @@ hosts:
         win2022_vs2022-x64-6: {}
 
     - softlayer:
-        debian10-x64-1: {ip: 169.44.16.126}
         debian12-x64-1: {ip: 169.60.150.88, swap_file_size_mb: 2048}
diff --git a/ansible/playbooks/jenkins/host/create.yml b/ansible/playbooks/jenkins/host/create.yml
@@ -6,7 +6,7 @@
 
 - hosts:
   - infra-digitalocean-ubuntu2204-x64-1 # ci.nodejs.org
-  - infra-ibm-ubuntu1804-x64-1 # ci-release.nodejs.org
+  - infra-ibm-ubuntu2404-x64-1 # ci-release.nodejs.org
 
   roles:
   - bootstrap

diff --git a/ansible/playbooks/jenkins/host/iptables.yml b/ansible/playbooks/jenkins/host/iptables.yml
@@ -9,12 +9,12 @@
 
 - hosts:
   - infra-digitalocean-ubuntu2204-x64-1 # ci.nodejs.org
-  - infra-ibm-ubuntu1804-x64-1 # ci-release.nodejs.org
+  - infra-ibm-ubuntu2404-x64-1 # ci-release.nodejs.org
 
   vars:
     hostgroups: {
       'infra-digitalocean-ubuntu2204-x64-1': 'test',
-      'infra-ibm-ubuntu1804-x64-1': 'release'
+      'infra-ibm-ubuntu2404-x64-1': 'release'
       }
 
   tasks:

diff --git a/ansible/roles/baselayout/files/debian8-ubuntu-trusty-apt-preferences b/ansible/roles/baselayout/files/debian8-ubuntu-trusty-apt-preferences
diff --git a/ansible/roles/baselayout/tasks/main.yml b/ansible/roles/baselayout/tasks/main.yml
@@ -59,7 +59,7 @@
 
 - name: install packages
   when: not os|startswith("zos") and not os|startswith("macos")
-  package: 
+  package:
     name: "{{ package }}"
     state: present
     # Package manager mapping in ansible/roles/package-upgrade/vars/main.yml.
@@ -88,19 +88,6 @@
     - "{{ packages[os|stripversion]|default('[]') }}"
     - "{{ common_packages|default('[]') }}"
 
-- name: centos7_ppc64 | update package alternatives
-  when: os == "centos7" and arch == "ppc64"
-  alternatives:
-    link: /usr/local/bin/{{ cmake }}
-    name: "{{ cmake }}"
-    path: /usr/bin/{{ cmake }}3
-  loop_control:
-    loop_var: cmake
-  with_items:
-    - cmake
-    - cpack
-    - ctest
-
 - name: ubuntu1604 | update package alternatives
   when: os == "ubuntu1604"
   alternatives: link=/usr/bin/{{ gcc }} name={{ gcc }} path=/usr/bin/{{ gcc }}-5
@@ -124,13 +111,6 @@
     name: python3
     path: "/usr/bin/python3.8"
 
-- name: freebsd | update python package alternatives
-  when: os == "freebsd12"
-  file:
-    dest: "/usr/local/bin/python"
-    state: link
-    src: "/usr/local/bin/python2"
-
 - name: remove fortune from login shells
   when: os|stripversion == 'freebsd'
   lineinfile:
@@ -187,10 +167,3 @@
         - "{{ role_path }}/tasks/partials/ntp/{{ os|stripversion }}.yml"
         - "{{ role_path }}/tasks/partials/ntp/{{ os|match_key(ntp_service, raise_error=False) }}.yml"
       skip: true
-
-- name: reset default OpenSSL security level
-  ansible.builtin.replace:
-    path: /etc/ssl/openssl.cnf
-    regexp: "SECLEVEL=2"
-    replace: "SECLEVEL=1"
-  when: "os == 'debian10'"