Compare commits
5 Commits
main
...
test-dry-r
| Author | SHA1 | Date | |
|---|---|---|---|
|
6ff1212f21 | ||
|
|
034de8fea1 | ||
|
|
c6f4ae9614 | ||
|
|
f1be3874bb | ||
|
|
fb2a1eddf1 |
@ -6,101 +6,114 @@ on:
|
||||
- "state/*.json"
|
||||
|
||||
jobs:
|
||||
detect:
|
||||
dry-run:
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
envs: ${{ steps.changed.outputs.envs }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Detect changed environments
|
||||
id: changed
|
||||
run: |
|
||||
FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} -- 'state/*.json')
|
||||
ENVS="[]"
|
||||
for f in $FILES; do
|
||||
ENV=$(basename "$f" .json)
|
||||
ENVS=$(echo "$ENVS" | jq -c ". + [\"$ENV\"]")
|
||||
done
|
||||
echo "envs=$ENVS" >> "$GITHUB_OUTPUT"
|
||||
echo "Changed environments: $ENVS"
|
||||
|
||||
dry-run:
|
||||
needs: detect
|
||||
runs-on: ubuntu-latest
|
||||
if: needs.detect.outputs.envs != '[]'
|
||||
strategy:
|
||||
matrix:
|
||||
env: ${{ fromJson(needs.detect.outputs.envs) }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Resolve environment secrets
|
||||
id: env
|
||||
run: |
|
||||
ENV_UPPER=$(echo "${{ matrix.env }}" | tr '[:lower:]-' '[:upper:]_')
|
||||
echo "token_key=${ENV_UPPER}_RECONCILER_TOKEN" >> "$GITHUB_OUTPUT"
|
||||
echo "url_key=${ENV_UPPER}_RECONCILER_URL" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Run dry-run reconcile
|
||||
id: plan
|
||||
- name: Dry-run reconcile for changed environments
|
||||
env:
|
||||
RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }}
|
||||
RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }}
|
||||
BASE_SHA: ${{ github.event.pull_request.base.sha }}
|
||||
HEAD_SHA: ${{ github.sha }}
|
||||
TEST_RECONCILER_TOKEN: ${{ secrets.TEST_RECONCILER_TOKEN }}
|
||||
TEST_RECONCILER_URL: ${{ secrets.TEST_RECONCILER_URL }}
|
||||
DEV_RECONCILER_TOKEN: ${{ secrets.DEV_RECONCILER_TOKEN }}
|
||||
DEV_RECONCILER_URL: ${{ secrets.DEV_RECONCILER_URL }}
|
||||
PROD_RECONCILER_TOKEN: ${{ secrets.PROD_RECONCILER_TOKEN }}
|
||||
PROD_RECONCILER_URL: ${{ secrets.PROD_RECONCILER_URL }}
|
||||
GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
|
||||
GIT_URL: ${{ secrets.GIT_URL }}
|
||||
REPO: ${{ github.repository }}
|
||||
PR_NUMBER: ${{ github.event.pull_request.number }}
|
||||
run: |
|
||||
if [ -z "$RECONCILER_URL" ] || [ -z "$RECONCILER_TOKEN" ]; then
|
||||
echo "No secrets configured for environment '${{ matrix.env }}' — skipping"
|
||||
echo "response={}" >> "$GITHUB_OUTPUT"
|
||||
exit 0
|
||||
fi
|
||||
RESPONSE=$(curl -sf \
|
||||
-X POST \
|
||||
-H "Authorization: Bearer ${RECONCILER_TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d @state/${{ matrix.env }}.json \
|
||||
"${RECONCILER_URL}/reconcile?dry_run=true")
|
||||
echo "response<<EOF" >> "$GITHUB_OUTPUT"
|
||||
echo "$RESPONSE" >> "$GITHUB_OUTPUT"
|
||||
echo "EOF" >> "$GITHUB_OUTPUT"
|
||||
python3 <<'SCRIPT'
|
||||
import json, os, subprocess, urllib.request
|
||||
|
||||
- name: Format plan as markdown
|
||||
id: format
|
||||
if: steps.plan.outputs.response != '{}'
|
||||
run: |
|
||||
cat <<'SCRIPT' > format.py
|
||||
import json, sys
|
||||
data = json.loads(sys.stdin.read())
|
||||
# Detect changed state files
|
||||
diff = subprocess.run(
|
||||
["git", "diff", "--name-only", os.environ["BASE_SHA"], os.environ["HEAD_SHA"], "--", "state/*.json"],
|
||||
capture_output=True, text=True, check=True,
|
||||
)
|
||||
envs = [os.path.basename(f).replace(".json", "") for f in diff.stdout.strip().split("\n") if f.strip()]
|
||||
|
||||
if not envs:
|
||||
print("No state files changed")
|
||||
exit(0)
|
||||
|
||||
print(f"Changed environments: {envs}")
|
||||
|
||||
for env in envs:
|
||||
key = env.upper().replace("-", "_")
|
||||
token = os.environ.get(f"{key}_RECONCILER_TOKEN", "")
|
||||
url = os.environ.get(f"{key}_RECONCILER_URL", "")
|
||||
|
||||
if not token or not url:
|
||||
print(f"[{env}] No secrets configured — skipping")
|
||||
continue
|
||||
|
||||
# Call reconciler dry-run
|
||||
with open(f"state/{env}.json", "rb") as f:
|
||||
state_data = f.read()
|
||||
|
||||
req = urllib.request.Request(
|
||||
f"{url}/reconcile?dry_run=true",
|
||||
data=state_data,
|
||||
method="POST",
|
||||
headers={
|
||||
"Authorization": f"Bearer {token}",
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
)
|
||||
try:
|
||||
resp = urllib.request.urlopen(req)
|
||||
data = json.loads(resp.read())
|
||||
except Exception as e:
|
||||
print(f"[{env}] Reconciler call failed: {e}")
|
||||
continue
|
||||
|
||||
# Format as markdown grouped by action
|
||||
ops = data.get("operations", [])
|
||||
summary = data.get("summary", {})
|
||||
env = sys.argv[1]
|
||||
lines = [f"## Reconciliation Plan: `{env}`\n"]
|
||||
if not ops:
|
||||
lines.append("No changes detected.\n")
|
||||
else:
|
||||
lines.append("| Operation | Name |")
|
||||
lines.append("|-----------|------|")
|
||||
groups = {"Create": [], "Update": [], "Delete": []}
|
||||
for op in ops:
|
||||
lines.append(f"| `{op['type']}` | {op['name']} |")
|
||||
lines.append("")
|
||||
s = summary
|
||||
lines.append(f"**Summary:** {s.get('created',0)} create, {s.get('updated',0)} update, {s.get('deleted',0)} delete")
|
||||
print("\n".join(lines))
|
||||
SCRIPT
|
||||
COMMENT=$(echo '${{ steps.plan.outputs.response }}' | python3 format.py "${{ matrix.env }}")
|
||||
echo "comment<<EOF" >> "$GITHUB_OUTPUT"
|
||||
echo "$COMMENT" >> "$GITHUB_OUTPUT"
|
||||
echo "EOF" >> "$GITHUB_OUTPUT"
|
||||
t = op["type"]
|
||||
if t.startswith("create"): groups["Create"].append(op)
|
||||
elif t.startswith("delete"): groups["Delete"].append(op)
|
||||
else: groups["Update"].append(op)
|
||||
|
||||
- name: Post PR comment
|
||||
if: steps.plan.outputs.response != '{}'
|
||||
env:
|
||||
GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
|
||||
run: |
|
||||
curl -sf \
|
||||
-X POST \
|
||||
-H "Authorization: token ${GIT_TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{\"body\": $(echo '${{ steps.format.outputs.comment }}' | jq -Rs .)}" \
|
||||
"${{ secrets.GIT_URL }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments"
|
||||
for action, items in groups.items():
|
||||
if not items:
|
||||
continue
|
||||
emoji = {"Create": "+", "Update": "~", "Delete": "-"}[action]
|
||||
lines.append(f"### {action} ({len(items)})\n")
|
||||
lines.append("| Resource | Name |")
|
||||
lines.append("|----------|------|")
|
||||
for op in items:
|
||||
resource = op["type"].split("_", 1)[1] if "_" in op["type"] else op["type"]
|
||||
lines.append(f"| {resource} | {op['name']} |")
|
||||
lines.append("")
|
||||
|
||||
c, u, d = summary.get("created", 0), summary.get("updated", 0), summary.get("deleted", 0)
|
||||
lines.append(f"**Total: {c} create, {u} update, {d} delete**")
|
||||
comment = "\n".join(lines)
|
||||
print(comment)
|
||||
|
||||
# Post PR comment
|
||||
git_token = os.environ.get("GIT_TOKEN", "")
|
||||
git_url = os.environ.get("GIT_URL", "")
|
||||
if git_token and git_url:
|
||||
api_url = f"{git_url}/api/v1/repos/{os.environ['REPO']}/issues/{os.environ['PR_NUMBER']}/comments"
|
||||
body = json.dumps({"body": comment}).encode()
|
||||
req = urllib.request.Request(api_url, data=body, method="POST", headers={
|
||||
"Authorization": f"token {git_token}",
|
||||
"Content-Type": "application/json",
|
||||
})
|
||||
urllib.request.urlopen(req)
|
||||
print(f"Posted comment to PR #{os.environ['PR_NUMBER']}")
|
||||
SCRIPT
|
||||
|
||||
@ -8,103 +8,98 @@ on:
|
||||
- "state/*.json"
|
||||
|
||||
jobs:
|
||||
detect:
|
||||
reconcile:
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
envs: ${{ steps.changed.outputs.envs }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 2
|
||||
|
||||
- name: Detect changed environments
|
||||
id: changed
|
||||
run: |
|
||||
FILES=$(git diff --name-only HEAD~1 HEAD -- 'state/*.json')
|
||||
ENVS="[]"
|
||||
for f in $FILES; do
|
||||
ENV=$(basename "$f" .json)
|
||||
ENVS=$(echo "$ENVS" | jq -c ". + [\"$ENV\"]")
|
||||
done
|
||||
echo "envs=$ENVS" >> "$GITHUB_OUTPUT"
|
||||
echo "Changed environments: $ENVS"
|
||||
|
||||
reconcile:
|
||||
needs: detect
|
||||
runs-on: ubuntu-latest
|
||||
if: needs.detect.outputs.envs != '[]'
|
||||
strategy:
|
||||
matrix:
|
||||
env: ${{ fromJson(needs.detect.outputs.envs) }}
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Resolve environment secrets
|
||||
id: env
|
||||
run: |
|
||||
ENV_UPPER=$(echo "${{ matrix.env }}" | tr '[:lower:]-' '[:upper:]_')
|
||||
echo "token_key=${ENV_UPPER}_RECONCILER_TOKEN" >> "$GITHUB_OUTPUT"
|
||||
echo "url_key=${ENV_UPPER}_RECONCILER_URL" >> "$GITHUB_OUTPUT"
|
||||
echo "age_key=${ENV_UPPER}_AGE_PUBLIC_KEY" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Sync events
|
||||
- name: Reconcile changed environments
|
||||
env:
|
||||
RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }}
|
||||
RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }}
|
||||
TEST_RECONCILER_TOKEN: ${{ secrets.TEST_RECONCILER_TOKEN }}
|
||||
TEST_RECONCILER_URL: ${{ secrets.TEST_RECONCILER_URL }}
|
||||
DEV_RECONCILER_TOKEN: ${{ secrets.DEV_RECONCILER_TOKEN }}
|
||||
DEV_RECONCILER_URL: ${{ secrets.DEV_RECONCILER_URL }}
|
||||
PROD_RECONCILER_TOKEN: ${{ secrets.PROD_RECONCILER_TOKEN }}
|
||||
PROD_RECONCILER_URL: ${{ secrets.PROD_RECONCILER_URL }}
|
||||
run: |
|
||||
if [ -z "$RECONCILER_URL" ] || [ -z "$RECONCILER_TOKEN" ]; then
|
||||
echo "No secrets configured for environment '${{ matrix.env }}' — skipping"
|
||||
exit 0
|
||||
fi
|
||||
curl -sf \
|
||||
-X POST \
|
||||
-H "Authorization: Bearer ${RECONCILER_TOKEN}" \
|
||||
"${RECONCILER_URL}/sync-events"
|
||||
python3 <<'SCRIPT'
|
||||
import json, os, subprocess, urllib.request, sys
|
||||
|
||||
- name: Pull latest (poller may have committed)
|
||||
run: git pull --rebase
|
||||
# Detect changed state files
|
||||
diff = subprocess.run(
|
||||
["git", "diff", "--name-only", "HEAD~1", "HEAD", "--", "state/*.json"],
|
||||
capture_output=True, text=True, check=True,
|
||||
)
|
||||
envs = [os.path.basename(f).replace(".json", "") for f in diff.stdout.strip().split("\n") if f.strip()]
|
||||
|
||||
- name: Apply reconcile
|
||||
id: reconcile
|
||||
env:
|
||||
RECONCILER_TOKEN: ${{ secrets[steps.env.outputs.token_key] }}
|
||||
RECONCILER_URL: ${{ secrets[steps.env.outputs.url_key] }}
|
||||
run: |
|
||||
RESPONSE=$(curl -sf \
|
||||
-X POST \
|
||||
-H "Authorization: Bearer ${RECONCILER_TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d @state/${{ matrix.env }}.json \
|
||||
"${RECONCILER_URL}/reconcile")
|
||||
echo "response<<EOF" >> "$GITHUB_OUTPUT"
|
||||
echo "$RESPONSE" >> "$GITHUB_OUTPUT"
|
||||
echo "EOF" >> "$GITHUB_OUTPUT"
|
||||
if not envs:
|
||||
print("No state files changed")
|
||||
exit(0)
|
||||
|
||||
STATUS=$(echo "$RESPONSE" | jq -r '.status')
|
||||
if [ "$STATUS" = "error" ]; then
|
||||
echo "Reconcile failed for ${{ matrix.env }}"
|
||||
echo "$RESPONSE" | jq .
|
||||
exit 1
|
||||
fi
|
||||
print(f"Changed environments: {envs}")
|
||||
failed = []
|
||||
|
||||
- name: Encrypt and upload setup keys
|
||||
if: success()
|
||||
env:
|
||||
AGE_PUBLIC_KEY: ${{ secrets[steps.env.outputs.age_key] }}
|
||||
run: |
|
||||
KEYS=$(echo '${{ steps.reconcile.outputs.response }}' | jq -r '.created_keys // empty')
|
||||
if [ -n "$KEYS" ] && [ "$KEYS" != "{}" ] && [ "$KEYS" != "null" ] && [ -n "$AGE_PUBLIC_KEY" ]; then
|
||||
echo "$KEYS" | age -r "$AGE_PUBLIC_KEY" -o setup-keys-${{ matrix.env }}.age
|
||||
echo "Setup keys for ${{ matrix.env }} encrypted"
|
||||
else
|
||||
echo "No new keys created for ${{ matrix.env }}"
|
||||
exit 0
|
||||
fi
|
||||
for env in envs:
|
||||
key = env.upper().replace("-", "_")
|
||||
token = os.environ.get(f"{key}_RECONCILER_TOKEN", "")
|
||||
url = os.environ.get(f"{key}_RECONCILER_URL", "")
|
||||
|
||||
- name: Upload artifact
|
||||
if: success()
|
||||
uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: setup-keys-${{ matrix.env }}
|
||||
path: setup-keys-${{ matrix.env }}.age
|
||||
if-no-files-found: ignore
|
||||
if not token or not url:
|
||||
print(f"[{env}] No secrets configured — skipping")
|
||||
continue
|
||||
|
||||
# Sync events first
|
||||
try:
|
||||
req = urllib.request.Request(
|
||||
f"{url}/sync-events", method="POST",
|
||||
headers={"Authorization": f"Bearer {token}"},
|
||||
)
|
||||
urllib.request.urlopen(req)
|
||||
print(f"[{env}] Synced events")
|
||||
except Exception as e:
|
||||
print(f"[{env}] Sync events failed (non-fatal): {e}")
|
||||
|
||||
# Apply reconcile
|
||||
with open(f"state/{env}.json", "rb") as f:
|
||||
state_data = f.read()
|
||||
|
||||
req = urllib.request.Request(
|
||||
f"{url}/reconcile",
|
||||
data=state_data,
|
||||
method="POST",
|
||||
headers={
|
||||
"Authorization": f"Bearer {token}",
|
||||
"Content-Type": "application/json",
|
||||
},
|
||||
)
|
||||
try:
|
||||
resp = urllib.request.urlopen(req)
|
||||
data = json.loads(resp.read())
|
||||
except Exception as e:
|
||||
print(f"[{env}] Reconcile FAILED: {e}")
|
||||
failed.append(env)
|
||||
continue
|
||||
|
||||
status = data.get("status", "ok")
|
||||
if status == "error":
|
||||
print(f"[{env}] Reconcile returned error:")
|
||||
print(json.dumps(data, indent=2))
|
||||
failed.append(env)
|
||||
continue
|
||||
|
||||
summary = data.get("summary", {})
|
||||
print(f"[{env}] Reconcile OK: "
|
||||
f"{summary.get('created',0)} created, "
|
||||
f"{summary.get('updated',0)} updated, "
|
||||
f"{summary.get('deleted',0)} deleted")
|
||||
|
||||
keys = data.get("created_keys", {})
|
||||
if keys:
|
||||
print(f"[{env}] Created setup keys: {list(keys.keys())}")
|
||||
|
||||
if failed:
|
||||
print(f"\nFailed environments: {failed}")
|
||||
sys.exit(1)
|
||||
SCRIPT
|
||||
|
||||
@ -12,18 +12,21 @@
|
||||
"type": "one-off",
|
||||
"expires_in": 604800,
|
||||
"usage_limit": 1,
|
||||
"auto_groups": [
|
||||
"ground-stations"
|
||||
],
|
||||
"auto_groups": ["ground-stations"],
|
||||
"enrolled": false
|
||||
},
|
||||
"Pilot-TestHawk-1": {
|
||||
"type": "one-off",
|
||||
"expires_in": 604800,
|
||||
"usage_limit": 1,
|
||||
"auto_groups": [
|
||||
"pilots"
|
||||
],
|
||||
"auto_groups": ["pilots"],
|
||||
"enrolled": false
|
||||
},
|
||||
"Pilot-Vlad-2": {
|
||||
"type": "one-off",
|
||||
"expires_in": 604800,
|
||||
"usage_limit": 1,
|
||||
"auto_groups": ["pilots"],
|
||||
"enrolled": false
|
||||
}
|
||||
},
|
||||
@ -31,12 +34,8 @@
|
||||
"pilots-to-gs": {
|
||||
"description": "",
|
||||
"enabled": true,
|
||||
"sources": [
|
||||
"pilots"
|
||||
],
|
||||
"destinations": [
|
||||
"ground-stations"
|
||||
],
|
||||
"sources": ["pilots"],
|
||||
"destinations": ["ground-stations"],
|
||||
"bidirectional": true,
|
||||
"protocol": "all",
|
||||
"action": "accept",
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user