BlastPilot/netbird-gitops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

improved jobs
All checks were successful
Dry Run / detect (pull_request) Successful in 5s
Details
Dry Run / dry-run (pull_request) Successful in 5s
Details

Browse Source
This commit is contained in:
Prox 2026-03-06 18:04:17 +02:00
parent f1be3874bb
commit c6f4ae9614
2 changed files with 142 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
.gitea/workflows/dry-run.yml
View File

@ -32,77 +32,87 @@ jobs:
needs: detect needs: detect
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: needs.detect.outputs.envs != '[]' if: needs.detect.outputs.envs != '[]'
strategy:
matrix:
env: ${{ fromJson(needs.detect.outputs.envs) }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Resolve environment secrets - name: Run dry-run for each changed environment
id: env
run: |
ENV_UPPER=$(echo "${{ matrix.env }}" | tr '[:lower:]-' '[:upper:]_')
echo "token_key=${ENV_UPPER}_RECONCILER_TOKEN" >> "$GITHUB_OUTPUT"
echo "url_key=${ENV_UPPER}_RECONCILER_URL" >> "$GITHUB_OUTPUT"
- name: Run dry-run reconcile
id: plan
env:
RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }}
RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }}
run: |
if [ -z "$RECONCILER_URL" ] || [ -z "$RECONCILER_TOKEN" ]; then
echo "No secrets configured for environment '${{ matrix.env }}' — skipping"
echo "response={}" >> "$GITHUB_OUTPUT"
exit 0
fi
RESPONSE=$(curl -sf \
-X POST \
-H "Authorization: Bearer ${RECONCILER_TOKEN}" \
-H "Content-Type: application/json" \
-d @state/${{ matrix.env }}.json \
"${RECONCILER_URL}/reconcile?dry_run=true")
echo "response<<EOF" >> "$GITHUB_OUTPUT"
echo "$RESPONSE" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
- name: Format and post PR comment
if: steps.plan.outputs.response != '{}'
env: env:
ENVS: ${{ needs.detect.outputs.envs }}
TEST_RECONCILER_TOKEN: ${{ secrets.TEST_RECONCILER_TOKEN }}
TEST_RECONCILER_URL: ${{ secrets.TEST_RECONCILER_URL }}
DEV_RECONCILER_TOKEN: ${{ secrets.DEV_RECONCILER_TOKEN }}
DEV_RECONCILER_URL: ${{ secrets.DEV_RECONCILER_URL }}
PROD_RECONCILER_TOKEN: ${{ secrets.PROD_RECONCILER_TOKEN }}
PROD_RECONCILER_URL: ${{ secrets.PROD_RECONCILER_URL }}
GIT_TOKEN: ${{ secrets.GIT_TOKEN }} GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
GIT_URL: ${{ secrets.GIT_URL }} GIT_URL: ${{ secrets.GIT_URL }}
RESPONSE: ${{ steps.plan.outputs.response }}
ENV_NAME: ${{ matrix.env }}
REPO: ${{ github.repository }} REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }} PR_NUMBER: ${{ github.event.pull_request.number }}
run: | run: |
python3 <<'SCRIPT' python3 <<'SCRIPT'
import json, os, urllib.request, urllib.parse import json, os, urllib.request
data = json.loads(os.environ["RESPONSE"]) envs = json.loads(os.environ["ENVS"])
ops = data.get("operations", [])
summary = data.get("summary", {})
env = os.environ["ENV_NAME"]
lines = [f"## Reconciliation Plan: `{env}`\n"] for env in envs:
if not ops: key = env.upper().replace("-", "_")
lines.append("No changes detected.\n") token = os.environ.get(f"{key}_RECONCILER_TOKEN", "")
else: url = os.environ.get(f"{key}_RECONCILER_URL", "")
lines.append("| Operation | Name |")
lines.append("|-----------|------|")
for op in ops:
lines.append(f"| `{op['type']}` | {op['name']} |")
lines.append("")
s = summary
lines.append(f"**Summary:** {s.get('created',0)} create, {s.get('updated',0)} update, {s.get('deleted',0)} delete")
comment = "\n".join(lines) if not token or not url:
url = f"{os.environ['GIT_URL']}/api/v1/repos/{os.environ['REPO']}/issues/{os.environ['PR_NUMBER']}/comments" print(f"No secrets for '{env}' — skipping")
body = json.dumps({"body": comment}).encode() continue
req = urllib.request.Request(url, data=body, method="POST", headers={
"Authorization": f"token {os.environ['GIT_TOKEN']}", # Call reconciler dry-run
"Content-Type": "application/json", with open(f"state/{env}.json", "rb") as f:
}) state_data = f.read()
urllib.request.urlopen(req)
print(f"Posted comment to PR #{os.environ['PR_NUMBER']}") req = urllib.request.Request(
f"{url}/reconcile?dry_run=true",
data=state_data,
method="POST",
headers={
"Authorization": f"Bearer {token}",
"Content-Type": "application/json",
},
)
try:
resp = urllib.request.urlopen(req)
data = json.loads(resp.read())
except Exception as e:
print(f"Reconciler call failed for '{env}': {e}")
continue
# Format as markdown
ops = data.get("operations", [])
summary = data.get("summary", {})
lines = [f"## Reconciliation Plan: `{env}`\n"]
if not ops:
lines.append("No changes detected.\n")
else:
lines.append("| Operation | Name |")
lines.append("|-----------|------|")
for op in ops:
lines.append(f"| `{op['type']}` | {op['name']} |")
lines.append("")
lines.append(
f"**Summary:** {summary.get('created',0)} create, "
f"{summary.get('updated',0)} update, "
f"{summary.get('deleted',0)} delete"
)
comment = "\n".join(lines)
print(comment)
# Post PR comment
git_token = os.environ.get("GIT_TOKEN", "")
git_url = os.environ.get("GIT_URL", "")
if git_token and git_url:
api_url = f"{git_url}/api/v1/repos/{os.environ['REPO']}/issues/{os.environ['PR_NUMBER']}/comments"
body = json.dumps({"body": comment}).encode()
req = urllib.request.Request(api_url, data=body, method="POST", headers={
"Authorization": f"token {git_token}",
"Content-Type": "application/json",
})
urllib.request.urlopen(req)
print(f"Posted comment to PR #{os.environ['PR_NUMBER']}")
SCRIPT SCRIPT

137
.gitea/workflows/reconcile.yml
View File

@ -34,78 +34,85 @@ jobs:
needs: detect needs: detect
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: needs.detect.outputs.envs != '[]' if: needs.detect.outputs.envs != '[]'
strategy:
matrix:
env: ${{ fromJson(needs.detect.outputs.envs) }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Resolve environment secrets - name: Reconcile each changed environment
id: env
run: |
ENV_UPPER=$(echo "${{ matrix.env }}" | tr '[:lower:]-' '[:upper:]_')
echo "token_key=${ENV_UPPER}_RECONCILER_TOKEN" >> "$GITHUB_OUTPUT"
echo "url_key=${ENV_UPPER}_RECONCILER_URL" >> "$GITHUB_OUTPUT"
echo "age_key=${ENV_UPPER}_AGE_PUBLIC_KEY" >> "$GITHUB_OUTPUT"
- name: Sync events
env: env:
RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }} ENVS: ${{ needs.detect.outputs.envs }}
RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }} TEST_RECONCILER_TOKEN: ${{ secrets.TEST_RECONCILER_TOKEN }}
TEST_RECONCILER_URL: ${{ secrets.TEST_RECONCILER_URL }}
DEV_RECONCILER_TOKEN: ${{ secrets.DEV_RECONCILER_TOKEN }}
DEV_RECONCILER_URL: ${{ secrets.DEV_RECONCILER_URL }}
PROD_RECONCILER_TOKEN: ${{ secrets.PROD_RECONCILER_TOKEN }}
PROD_RECONCILER_URL: ${{ secrets.PROD_RECONCILER_URL }}
run: | run: |
if [ -z "$RECONCILER_URL" ] || [ -z "$RECONCILER_TOKEN" ]; then python3 <<'SCRIPT'
echo "No secrets configured for environment '${{ matrix.env }}' — skipping" import json, os, urllib.request, sys
exit 0
fi
curl -sf \
-X POST \
-H "Authorization: Bearer ${RECONCILER_TOKEN}" \
"${RECONCILER_URL}/sync-events"
- name: Pull latest (poller may have committed) envs = json.loads(os.environ["ENVS"])
run: git pull --rebase failed = []
- name: Apply reconcile for env in envs:
id: reconcile key = env.upper().replace("-", "_")
env: token = os.environ.get(f"{key}_RECONCILER_TOKEN", "")
RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }} url = os.environ.get(f"{key}_RECONCILER_URL", "")
RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }}
run: |
RESPONSE=$(curl -sf \
-X POST \
-H "Authorization: Bearer ${RECONCILER_TOKEN}" \
-H "Content-Type: application/json" \
-d @state/${{ matrix.env }}.json \
"${RECONCILER_URL}/reconcile")
echo "response<<EOF" >> "$GITHUB_OUTPUT"
echo "$RESPONSE" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
STATUS=$(python3 -c "import json,sys; print(json.loads(sys.stdin.read()).get('status','ok'))" <<< "$RESPONSE") if not token or not url:
if [ "$STATUS" = "error" ]; then print(f"No secrets for '{env}' — skipping")
echo "Reconcile failed for ${{ matrix.env }}" continue
python3 -m json.tool <<< "$RESPONSE"
exit 1
fi
- name: Encrypt and upload setup keys # Sync events first
if: success() try:
env: req = urllib.request.Request(
AGE_PUBLIC_KEY: ${{ secrets[steps.env.outputs.age_key] }} f"{url}/sync-events", method="POST",
RESPONSE: ${{ steps.reconcile.outputs.response }} headers={"Authorization": f"Bearer {token}"},
run: | )
KEYS=$(python3 -c "import json,os; d=json.loads(os.environ['RESPONSE']); k=d.get('created_keys'); print(json.dumps(k) if k and k != {} else '')") urllib.request.urlopen(req)
if [ -n "$KEYS" ] && [ -n "$AGE_PUBLIC_KEY" ]; then print(f"[{env}] Synced events")
echo "$KEYS" | age -r "$AGE_PUBLIC_KEY" -o setup-keys-${{ matrix.env }}.age except Exception as e:
echo "Setup keys for ${{ matrix.env }} encrypted" print(f"[{env}] Sync events failed (non-fatal): {e}")
else
echo "No new keys created for ${{ matrix.env }}"
fi
- name: Upload artifact # Apply reconcile
if: success() with open(f"state/{env}.json", "rb") as f:
uses: actions/upload-artifact@v4 state_data = f.read()
with:
name: setup-keys-${{ matrix.env }} req = urllib.request.Request(
path: setup-keys-${{ matrix.env }}.age f"{url}/reconcile",
if-no-files-found: ignore data=state_data,
method="POST",
headers={
"Authorization": f"Bearer {token}",
"Content-Type": "application/json",
},
)
try:
resp = urllib.request.urlopen(req)
data = json.loads(resp.read())
except Exception as e:
print(f"[{env}] Reconcile FAILED: {e}")
failed.append(env)
continue
status = data.get("status", "ok")
if status == "error":
print(f"[{env}] Reconcile returned error:")
print(json.dumps(data, indent=2))
failed.append(env)
continue
summary = data.get("summary", {})
print(f"[{env}] Reconcile OK: "
f"{summary.get('created',0)} created, "
f"{summary.get('updated',0)} updated, "
f"{summary.get('deleted',0)} deleted")
# Log created keys (names only, not values)
keys = data.get("created_keys", {})
if keys:
print(f"[{env}] Created setup keys: {list(keys.keys())}")
if failed:
print(f"\nFailed environments: {failed}")
sys.exit(1)
SCRIPT