From 97f616dc316486a1161223e1622f38735b7c751e Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Wed, 6 Nov 2024 22:57:01 +0500
Subject: [PATCH 01/11] Update pr-deploy.yaml

---
 .github/workflows/pr-deploy.yaml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index 2ef388f7f9221..c55935d04582d 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -437,10 +437,9 @@ jobs:
           echo "password=$password" >> $GITHUB_OUTPUT
 
           coder login \
-            --first-user-username coder \
+            --first-user-username pr${{ env.PR_NUMBER }}-admin \
             --first-user-email pr${{ env.PR_NUMBER }}@coder.com \
             --first-user-password $password \
-            --first-user-trial=false \
             --use-token-as-session \
             https://${{ env.PR_HOSTNAME }}
 
@@ -452,6 +451,15 @@ jobs:
           coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
           coder stop kube -y
 
+          # Create a user for the github.actor
+          coder users create \
+            --user ${{ github.actor }}
+            --password $password
+            --email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+            --login-type github
+
+          # TODO promote the user to admin role
+
       - name: Send Slack notification
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
         run: |
@@ -462,7 +470,7 @@ jobs:
               "pr_url": "'"${{ env.PR_URL }}"'",
               "pr_title": "'"${{ env.PR_TITLE }}"'",
               "pr_access_url": "'"https://${{ env.PR_HOSTNAME }}"'",
-              "pr_username": "'"test"'",
+              "pr_username": "'"pr${{ env.PR_NUMBER }}-admin"'",
               "pr_email": "'"pr${{ env.PR_NUMBER }}@coder.com"'",
               "pr_password": "'"${{ steps.setup_deployment.outputs.password }}"'",
               "pr_actor": "'"${{ github.actor }}"'"

From 4b2e915cfcdd21ed00361db148fa486114633232 Mon Sep 17 00:00:00 2001
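Review bot: `${{ github.actor }}` and `${{ github.actor_id }}` in the new `coder users create` block are substituted into the script text before bash runs it, so the command is assembled by template expansion rather than from shell variables; the established pattern is to pass them through the step's `env:` (`ACTOR: ${{ github.actor }}`) and reference `"$ACTOR"` quoted, which also stops the value being re-parsed by the shell. The same inline expansion recurs in the `coder org members edit-role ${{ github.actor }}` line added in patches 05 and 07 and in the `gh api` call in patch 09. Separately, the `--user`, `--password` and `--email` lines carry no trailing `\`, so under `set -euo pipefail` each is executed as its own command and the step fails; patch 02 adds the continuations. The actor account is also given the same `$password` as the first (admin) user, a value the Slack notification in the next hunk distributes; a separate random value, or none at all for a `--login-type github` account, would avoid sharing it. The `run:` script this belongs to starts before the hunk.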
From: Muhammad Atif Ali
Date: Thu, 7 Nov 2024 15:21:50 +0000
Subject: [PATCH 02/11] chore: improve PR deployments

- Correct user creation command with proper formatting.
- Update Slack notification condition for deployment actions.

---
 .github/workflows/pr-deploy.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index c55935d04582d..5a91ea24ee032 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -453,12 +453,12 @@ jobs:
 
           # Create a user for the github.actor
           coder users create \
-            --user ${{ github.actor }}
-            --password $password
-            --email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+            --user ${{ github.actor }} \
+            --password $password \
+            --email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" \ # this will be overwritten by the user's email when they login via github
             --login-type github
 
-          # TODO promote the user to admin role
+          # promote the user to admin role
 
       - name: Send Slack notification
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'

From 9eaf130e0d9d905f1810576a492114faebd2bc38 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Thu, 7 Nov 2024 15:23:43 +0000
Subject: [PATCH 03/11] chore: improve PR deployments

- Correct user creation command with proper formatting.
- Update Slack notification condition for deployment actions.

---
 .github/workflows/pr-deploy.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index 5a91ea24ee032..106dcf3fbc294 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -459,6 +459,7 @@ jobs:
             --login-type github
 
           # promote the user to admin role
+          # coder org members edit-role ${{ github.actor }} owner
 
       - name: Send Slack notification
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
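Review bot: The inline comment appended to the new `--email` line breaks the command: in bash a backslash followed by a space escapes the space, not the newline, so `coder users create` ends on that line and the following `--login-type github` is run as a separate command, which fails under `set -euo pipefail`. Move the explanation above the command, e.g. `# the noreply address is replaced by the user's GitHub email on first GitHub login`, and end the `--email` line with a bare `\`. The `run:` script this belongs to starts before the hunk.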
From 1a6ec33ebbdcf653ee0571f5f1554cda37da2131 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Thu, 7 Nov 2024 15:30:00 +0000
Subject: [PATCH 04/11] chore: update actionlint version in CI workflow

---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 55e14f0e6e1f7..dbd4bf43b9c33 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -211,7 +211,7 @@ jobs:
 
       - name: Check workflow files
         run: |
-          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.6.22
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.4
           ./actionlint -color -shellcheck= -ignore "set-output"
         shell: bash
 

From 93c830353c18440066552388dc9bf9ea4a624a1c Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Thu, 7 Nov 2024 15:52:59 +0000
Subject: [PATCH 05/11] fix(workflow): correct kube config permissions and reorder steps

Change kube config file permission to 600 for better security and reorder the template and workspace creation steps to after user promotion.

---
 .github/workflows/pr-deploy.yaml | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index 106dcf3fbc294..6106e65c06f94 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -110,7 +110,7 @@ jobs:
           set -euo pipefail
           mkdir -p ~/.kube
           echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
-          chmod 644 ~/.kube/config
+          chmod 600 ~/.kube/config
           export KUBECONFIG=~/.kube/config
 
       - name: Check if the helm deployment already exists
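Review bot: `chmod 600` only runs after the redirection has already created `~/.kube/config` under the runner's default umask, so the decoded kubeconfig briefly exists with wider permissions than intended; creating it restrictively closes that window, e.g. `(umask 077; echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config)`, after which the `chmod` line is redundant. The identical sequence in the next hunk (`@@ -284,7`) would take the same change. The `run:` script continues outside the hunk on both sides.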
@@ -284,7 +284,7 @@ jobs:
           set -euo pipefail
           mkdir -p ~/.kube
           echo "${{ secrets.PR_DEPLOYMENTS_KUBECONFIG_BASE64 }}" | base64 --decode > ~/.kube/config
-          chmod 644 ~/.kube/config
+          chmod 600 ~/.kube/config
           export KUBECONFIG=~/.kube/config
 
       - name: Check if image exists
@@ -443,14 +443,6 @@ jobs:
             --use-token-as-session \
             https://${{ env.PR_HOSTNAME }}
 
-          # Create template
-          cd ./.github/pr-deployments/template
-          coder templates push -y --variable namespace=pr${{ env.PR_NUMBER }} kubernetes
-
-          # Create workspace
-          coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
-          coder stop kube -y
-
           # Create a user for the github.actor
           coder users create \
             --user ${{ github.actor }} \
@@ -459,7 +451,15 @@ jobs:
             --login-type github
 
           # promote the user to admin role
-          # coder org members edit-role ${{ github.actor }} owner
+          coder org members edit-role ${{ github.actor }} owner
+
+          # Create template
+          cd ./.github/pr-deployments/template
+          coder templates push -y --variable namespace=pr${{ env.PR_NUMBER }} kubernetes
+
+          # Create workspace
+          coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
+          coder stop kube -y
 
       - name: Send Slack notification
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'

From 8a146ca63d2b65299f8d66804d48d017a553ee21 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Thu, 7 Nov 2024 16:02:01 +0000
Subject: [PATCH 06/11] Separate user creation from deployments

---
 .github/workflows/pr-deploy.yaml | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index 6106e65c06f94..2ecf105868fdd 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -421,7 +421,7 @@ jobs:
           "${DEST}" version
           mv "${DEST}" /usr/local/bin/coder
 
-      - name: Create first user, template and workspace
+      - name: Create first user
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
         id: setup_deployment
         run: |
@@ -453,14 +453,6 @@ jobs:
           # promote the user to admin role
           coder org members edit-role ${{ github.actor }} owner
 
-          # Create template
-          cd ./.github/pr-deployments/template
-          coder templates push -y --variable namespace=pr${{ env.PR_NUMBER }} kubernetes
-
-          # Create workspace
-          coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
-          coder stop kube -y
-
       - name: Send Slack notification
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
         run: |
@@ -504,3 +496,14 @@ jobs:
           cc: @${{ github.actor }}
           reactions: rocket
           reactions-edit-mode: replace
+
+      - name: Create template and workspace
+        if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
+        run: |
+          set -euo pipefail
+          cd .github/pr-deployments/template
+          coder templates push -y --variable namespace=pr${{ env.PR_NUMBER }} kubernetes
+
+          # Create workspace
+          coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
+          coder stop kube -y

From 92c06b2fc02d8644bc065acf90be6f74c94a2556 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Thu, 7 Nov 2024 17:33:19 +0000
Subject: [PATCH 07/11] Fix pr-deploy user creation and role setup

- Correct user creation command with proper formatting.
- Update user role promotion to use `organization-admin`.

---
 .github/workflows/pr-deploy.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index 2ecf105868fdd..717e8ca2faae4 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
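Review bot: The new `Create template and workspace` step is placed after `Send Slack notification` and the PR-comment step, so the deployment is announced before the template is pushed and the workspace exists, and a failure in this step leaves a notification pointing at a deployment that is not usable. Moving the step up to directly after `Create first user` (it already shares that step's `if:` condition and presumably relies on the `coder login` session established there) or making the notification conditional on this step's outcome keeps the announcement truthful. The step also carries no `id:`, which later steps would need to check its result.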
@@ -440,18 +440,18 @@ jobs:
             --first-user-username pr${{ env.PR_NUMBER }}-admin \
             --first-user-email pr${{ env.PR_NUMBER }}@coder.com \
             --first-user-password $password \
+            --first-user-trial=false \
             --use-token-as-session \
             https://${{ env.PR_HOSTNAME }}
 
           # Create a user for the github.actor
           coder users create \
-            --user ${{ github.actor }} \
-            --password $password \
-            --email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" \ # this will be overwritten by the user's email when they login via github
+            --username ${{ github.actor }} \
+            --email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" \
             --login-type github
 
           # promote the user to admin role
-          coder org members edit-role ${{ github.actor }} owner
+          coder org members edit-role ${{ github.actor }} organization-admin
 
       - name: Send Slack notification
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'

From dd00be01351ad66b180198823306820515489c68 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Mon, 11 Nov 2024 14:10:03 +0500
Subject: [PATCH 08/11] debug

---
 .github/workflows/pr-deploy.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index 717e8ca2faae4..ec624b7b6db09 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -497,6 +497,10 @@ jobs:
           reactions: rocket
           reactions-edit-mode: replace
 
+      # debug with tmate session
+      - name: Debug with tmate session
+        uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # v3.19
+
       - name: Create template and workspace
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
         run: |

From c127969f04279cab1773ae209bbe9846a36e7c76 Mon Sep 17 00:00:00 2001
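Review bot: The `Debug with tmate session` step added in the `@@ -497,6` hunk has no `if:` condition, so every run of this job stops at it and opens an interactive shell on a runner that at this point holds the decoded kubeconfig in `~/.kube/config`, the `coder` session from `Create first user`, and whatever secrets the job exposes. If the step is meant to stay, gate it on a failure (`if: failure()`, as patch 09 then does) and restrict attachment to the triggering user with `with: limit-access-to-actor: true`, so the session is not open to anyone who reads the connection string from the job log. Pinning the action to a commit SHA with the version in a trailing comment is the right form and should be kept.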
From: Muhammad Atif Ali
Date: Mon, 11 Nov 2024 15:30:23 +0500
Subject: [PATCH 09/11] Improve PR deployment user and debug setup

- Use public email if available for user creation, else default.
- Ensure `GH_TOKEN` is set for the workflow.
- Move tmate debug session to trigger only on failure.

---
 .github/workflows/pr-deploy.yaml | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index ec624b7b6db09..2195d79d98ab7 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -424,6 +424,8 @@ jobs:
       - name: Create first user
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
         id: setup_deployment
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -euo pipefail
 
@@ -445,9 +447,14 @@ jobs:
             https://${{ env.PR_HOSTNAME }}
 
           # Create a user for the github.actor
+          # Try to fetch the public email if it is set otherwise fallback to a default one
+          EMAIL=$(gh api /user/${{ github.actor }} | jq -r '.email')
+          if [ -z "$EMAIL" ]; then
+            EMAIL="${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+          fi
           coder users create \
             --username ${{ github.actor }} \
-            --email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" \
+            --email "$EMAIL" \
             --login-type github
 
           # promote the user to admin role
@@ -497,10 +504,6 @@ jobs:
           reactions: rocket
           reactions-edit-mode: replace
 
-      # debug with tmate session
-      - name: Debug with tmate session
-        uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # v3.19
-
       - name: Create template and workspace
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
         run: |
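Review bot: In the `@@ -445,9` hunk, `jq -r '.email'` prints the literal string `null` when the profile has no public email, so `[ -z "$EMAIL" ]` never matches and the account is created with the email `null`; `jq -r '.email // empty'` makes the fallback branch reachable. The request path `/user/${{ github.actor }}` also looks wrong: the public-profile endpoint is `/users/{username}`, and with `set -euo pipefail` a non-2xx response from `gh api` aborts the step before the fallback runs, so this is worth checking against the API. As in the earlier hunks, `${{ github.actor }}` is spliced into the script text; passing it through `env:` and quoting `"$ACTOR"` is the safer form. The `run:` script continues outside the hunk on both sides.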
@@ -511,3 +514,8 @@ jobs:
           # Create workspace
           coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
           coder stop kube -y
+
+      # debug with tmate session
+      - name: Debug with tmate session
+        if: failure()
+        uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # v3.19

From d454ebde6985cfe69b130dd74aaa52409026acb4 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Mon, 11 Nov 2024 15:56:24 +0500
Subject: [PATCH 10/11] Remove tmate session from PR deploy workflow

---
 .github/workflows/pr-deploy.yaml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index 2195d79d98ab7..9f34ba77dc8ca 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -514,8 +514,3 @@ jobs:
           # Create workspace
           coder create --template="kubernetes" kube --parameter cpu=2 --parameter memory=4 --parameter home_disk_size=2 -y
           coder stop kube -y
-
-      # debug with tmate session
-      - name: Debug with tmate session
-        if: failure()
-        uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # v3.19

From 350e76c8efc0f3978ebfcd50ffdd6cec40d271f6 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Mon, 11 Nov 2024 17:30:26 +0500
Subject: [PATCH 11/11] comment github user creation

---
 .github/workflows/pr-deploy.yaml | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index 9f34ba77dc8ca..6f3a95f681fb8 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -429,8 +429,6 @@ jobs:
         run: |
           set -euo pipefail
 
-          # Create first user
-
           # create a masked random password 12 characters long
           password=$(openssl rand -base64 16 | tr -d "=+/" | cut -c1-12)
 
@@ -447,18 +445,14 @@ jobs:
             https://${{ env.PR_HOSTNAME }}
 
           # Create a user for the github.actor
-          # Try to fetch the public email if it is set otherwise fallback to a default one
-          EMAIL=$(gh api /user/${{ github.actor }} | jq -r '.email')
-          if [ -z "$EMAIL" ]; then
-            EMAIL="${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-          fi
-          coder users create \
-            --username ${{ github.actor }} \
-            --email "$EMAIL" \
-            --login-type github
+          # TODO: update once https://github.com/coder/coder/issues/15466 is resolved
+          # coder users create \
+          #   --username ${{ github.actor }} \
+          #   --login-type github
 
           # promote the user to admin role
-          coder org members edit-role ${{ github.actor }} organization-admin
+          # coder org members edit-role ${{ github.actor }} organization-admin
+          # TODO: update once https://github.com/coder/internal/issues/207 is resolved
 
       - name: Send Slack notification
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
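Review bot: The two `TODO` markers sit on opposite sides of the commands they refer to (above the commented-out `coder users create`, below the commented-out `edit-role`), and the heading `# Create a user for the github.actor` now introduces code that does nothing; placing each TODO directly above its command and saying that the actor account is intentionally not created reads more clearly, e.g. `# Actor account creation is disabled until https://github.com/coder/coder/issues/15466 is resolved`. Note that `${{ github.actor }}` inside these shell comment lines is still expanded by the workflow templater before the script runs; that is harmless here but worth keeping in mind if the block is revived. The `run:` script continues outside the hunk on both sides.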