diff --git a/.github/secrets.env.encrypted b/.github/secrets.env.encrypted
new file mode 100644
index 00000000..9599302c
--- /dev/null
+++ b/.github/secrets.env.encrypted
@@ -0,0 +1,12 @@
+{
+ "k": "ct",
+ "c": "mBbKV0G4)-8UdG=fVK^Mgf0{+={6c)WxWPnZ(Cp1Iq=%3}nK4a)CGBx1bjZ=qv8EHV9gp30vQ`13OJxFK&vBuwpyEt$JE{*iks{9CMl@IGpcvQ8gA7RNsgU>j6~vXw+Ir0WKXxrDu|PrlDk@Z@tYC11HTq*7Ufq{V_GxAc=rh+gkkDsiM%LjPyK-fvut?5Fwf*i8>YcD-HELZe^)cc$8aXF;l#4*srYmmdO$ydq-KxbwECzD%{l$#IQh90%*!8$=`lK`!aea=QOICK(5JGRkL1<_eHdY9z1_J8<51L=N29rCD=uup}QKsFs2>$S)|D9?w4r;l>ovY*rGAxmlR14{QFjmRFQP!4d#Q6k6p=#uO(tNpb(^yl7XC+h4xCXFq(gy*@DmrEK>}gF7fQx{^)m{aV4gA&KH|wO)rikb|jF_K@5|f+NpJ*%)`>xuKl=uSaMF4p!PA;EzE4?hdtPnd+5Y4Dk|UC7@wAs%G|M~f`LP3K*__-N~wag5|>u|aHGqB{mnyWcVLsKU&RUA*PLl#znp61^`!uKxq8~0fpsZi%tn;yFzj>-vHH*Zndd0d(|vjSN7XFO6f$aN3~2jD)GOi}6EHaE^o(dM0T6=5c!rBY7_9zJzpt74(wmd&;*o}70+0^HUc9)3GP7-s0il063@(-@;mcA;%pp%{`q+J}@ZQ>Y7i|Que0zv2o~nuk#%2pe^E0UN;J&qv)igfU!(!JHBVN`&s8VknlfK+YI`d6Ex(qIR)))}{j{8ZssNpWrUUpL%CGhk)6bjn`YMP@j&!4b)o5EHb&x(EwT5Re@jO4IK&ZSSQ50Gn`=uvGmBQ_N|c=l+SXHc{Mwe^hT_DK)zCcCW;$(YGqnzo9>AZz%W3Dp9wW9mjKd*NrGw;>G4_yU_>0^X1Ol6KHcL#1|MY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+ "ob": null,
+ "bf": null,
+ "hm": null,
+ "i": {
+ "t": "ci_secrets",
+ "c": "value"
+ },
+ "v": 2
+}
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 14f995fe..75fd99f1 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -24,24 +24,33 @@ jobs: steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-test + + - name: Decrypt secrets + uses: cipherstash/protectgh@main + with: + secrets-file: .github/secrets.env.encrypted + env: + CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }} + CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }} + CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }} + CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }} + - run: | mise run postgres:up --extra-args "--detach --wait" + - name: Run benchmark working-directory: tests/benchmark env: - CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }} - CS_DEFAULT_KEYSET_ID: ${{ secrets.CS_DEFAULT_KEYSET_ID }} - CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }} - CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }} - CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }} RUST_BACKTRACE: "1" run: mise run benchmark:continuous + # Download previous benchmark result from cache (if exists) - name: Download previous benchmark data uses: actions/cache@v4 with: path: ./cache key: ${{ runner.os }}-benchmark + # Run `github-action-benchmark` action - name: Store benchmark result uses: benchmark-action/github-action-benchmark@v1 @@ -62,4 +71,3 @@ jobs: with: channel: engineering webhook_url: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }} - diff --git a/.github/workflows/release-aws-marketplace.yml b/.github/workflows/release-aws-marketplace.yml index 396e99e5..5a24619e 100644 --- a/.github/workflows/release-aws-marketplace.yml +++ b/.github/workflows/release-aws-marketplace.yml @@ -35,7 +35,7 @@ env: jobs: build: - name: 🏗️ Build binaries + Docker images + name: Build binaries + Docker images permissions: contents: read packages: write 
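Review bot: The new `Decrypt secrets` step pins `cipherstash/protectgh@main`, a mutable branch ref, while handing that action the vault client key and access key and trusting it to produce every secret the later steps consume; pin it to a full commit SHA (`uses: cipherstash/protectgh@<commit-sha>  # vX.Y.Z`, with the placeholder filled from the action's release) so a change on `main` cannot silently alter what runs with those credentials. The same `@main` reference is added in release-aws-marketplace.yml, in both jobs of release.yml and in test.yml. The `Run benchmark` step also drops `CS_DEFAULT_KEYSET_ID` and the other `CS_*` entries from its `env:`, and this hunk does not show how the decrypted values reach it, so it presumably relies on the action exporting them into the job environment; a comment on the step such as `# CS_* values (including CS_DEFAULT_KEYSET_ID) are exported by the Decrypt secrets step above` would make that dependency visible. The job's steps list continues outside the hunk.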
@@ -82,6 +82,16 @@ jobs: - uses: actions/checkout@v4 + - name: Decrypt secrets + uses: cipherstash/protectgh@main + with: + secrets-file: .github/secrets.env.encrypted + env: + CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }} + CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }} + CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }} + CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }} + - uses: jdx/mise-action@v2 with: version: 2025.1.6 # [default: latest] mise version to install @@ -111,6 +121,5 @@ jobs: --fail-with-body \ --url "https://api.developer.multitudes.co/deployments" \ --header "Content-Type: application/json" \ - --header "Authorization: ${{ secrets.MULTITUDES_ACCESS_TOKEN }}" \ + --header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \ --data '{"commitSha": "${{ github.sha }}", "environmentName":"marketplace"}' - diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 60bf72ca..ef7167ee 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,7 +12,7 @@ env: jobs: build: - name: 🏗️ Build binaries + Docker images + name: Build binaries + Docker images strategy: fail-fast: false matrix: @@ -22,6 +22,17 @@ jobs: runs-on: ${{matrix.build.os}} steps: - uses: actions/checkout@v4 + + - name: Decrypt secrets + uses: cipherstash/protectgh@main + with: + secrets-file: .github/secrets.env.encrypted + env: + CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }} + CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }} + CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }} + CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }} + - name: Setup Rust cache uses: Swatinem/rust-cache@v2 if: github.event_name == 'pull_request' # only cache in pull requests 
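Review bot: Switching the curl header to `${{ env.MULTITUDES_ACCESS_TOKEN }}` takes the token out of the `secrets` context, the only context GitHub masks in logs automatically; since a `run:` script is expanded and echoed in the step log, the token would be printed in clear unless the decrypt action registers each value with `::add-mask::`, which nothing in this diff shows. Referencing the variable from the shell instead keeps it out of the logged script: `--header "Authorization: $MULTITUDES_ACCESS_TOKEN" \`. The same change to `env.MULTITUDES_ACCESS_TOKEN` is made in the deployment-notification hunk of release.yml, and the `env.DOCKER_HUB_USERNAME` / `env.DOCKER_HUB_PASSWORD` login inputs in release.yml carry the same dependency on the action masking its output. The `run:` script this header belongs to starts outside the hunk.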
@@ -55,8 +66,8 @@ jobs: - name: Login to Docker Hub uses: docker/login-action@v3 with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_PERSONAL_ACCESS_TOKEN }} + username: ${{ env.DOCKER_HUB_USERNAME }} + password: ${{ env.DOCKER_HUB_PASSWORD }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -92,6 +103,18 @@ jobs: needs: - build steps: + - uses: actions/checkout@v4 + + - name: Decrypt secrets + uses: cipherstash/protectgh@main + with: + secrets-file: .github/secrets.env.encrypted + env: + CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }} + CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }} + CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }} + CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }} + - name: Download digests uses: actions/download-artifact@v4 with: @@ -102,8 +125,8 @@ jobs: - name: Login to Docker Hub uses: docker/login-action@v3 with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_PERSONAL_ACCESS_TOKEN }} + username: ${{ env.DOCKER_HUB_USERNAME }} + password: ${{ env.DOCKER_HUB_PASSWORD }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -135,5 +158,5 @@ jobs: --fail-with-body \ --url "https://api.developer.multitudes.co/deployments" \ --header "Content-Type: application/json" \ - --header "Authorization: ${{ secrets.MULTITUDES_ACCESS_TOKEN }}" \ + --header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \ --data '{"commitSha": "${{ github.sha }}", "environmentName":"dockerhub"}' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fae0a531..d90e4ac5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -24,22 +24,22 @@ jobs: steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-test + + - name: Decrypt secrets + uses: cipherstash/protectgh@main + with: + secrets-file: .github/secrets.env.encrypted + env: + CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }} + CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }} + CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }} + CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }} + - run: | mise run postgres:up --extra-args "--detach --wait" - - env: - # REMEMBER TO ADD ENVIRONMENT VARIABLES TO tests/docker-compose.yml - # The tests/docker-compose.yml config passes the ENV vars into the container - CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }} - CS_DEFAULT_KEYSET_ID: ${{ secrets.CS_DEFAULT_KEYSET_ID }} - CS_TENANT_KEYSET_ID_1: ${{ secrets.CS_TENANT_KEYSET_ID_1 }} - CS_TENANT_KEYSET_ID_2: ${{ secrets.CS_TENANT_KEYSET_ID_2 }} - CS_TENANT_KEYSET_ID_3: ${{ secrets.CS_TENANT_KEYSET_ID_3 }} - CS_TENANT_KEYSET_NAME_1: ${{ secrets.CS_TENANT_KEYSET_NAME_1 }} - CS_TENANT_KEYSET_NAME_2: ${{ secrets.CS_TENANT_KEYSET_NAME_2 }} - CS_TENANT_KEYSET_NAME_3: ${{ secrets.CS_TENANT_KEYSET_NAME_3 }} - CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }} - CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }} - CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }} + + - name: Run tests + env: RUST_BACKTRACE: "1" run: | mise run --output prefix test @@ -48,4 +48,3 @@ jobs: with: channel: engineering webhook_url: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }} - diff --git a/.gitignore b/.gitignore index 3f7448bf..1b23d230 100644 --- a/.gitignore +++ b/.gitignore @@ -18,6 +18,9 @@ rust-toolchain.toml # credentials for local dev .env.proxy.docker +# decrypted CI secrets (encrypted file is .github/secrets.env.encrypted) +.github/secrets.env + ## benchmark result data tests/benchmark/results/*.csv tests/benchmark/benchmark-*.png
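Review bot: The reminder that `tests/docker-compose.yml` must forward each `CS_*` variable into the test container is deleted together with the explicit `env:` list, but nothing in the hunk removes that requirement, and with the values now arriving implicitly from the decrypt step the next person adding a keyset variable has less to go on. Keep the note on the new `Run tests` step, e.g. `# CS_* values are exported by the Decrypt secrets step; tests/docker-compose.yml must still pass them into the container`. If `CS_DEFAULT_KEYSET_ID` or the `CS_TENANT_KEYSET_*` variables are not part of the encrypted file, the tests would lose them silently, since an unset variable does not fail the workflow; worth confirming against the decrypted contents. The `run:` block of `Run tests` continues past the hunk.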