chore: Update & cleanup workflows. Also introduce make to manage de…

…pendencies and testing (#392) * workflow rework, mise, precommit, linting * add a makefile * update readme to include make * remove github token where not needed * comments * restrict permissions on release workflows * verify updatecli * remove test comment * githubcli --------- Co-authored-by: jamie zieziula <[email protected]>
PrefectHQ · Oct 2, 2024 · 16957fc · 16957fc
1 parent 16d85c9
commit 16957fc
Show file tree

Hide file tree

Showing 20 changed files with 259 additions and 139 deletions.
diff --git a/.github/linters/prometheus-prefect-exporter-ct.yaml b/.github/linters/prometheus-prefect-exporter-ct.yaml
@@ -4,5 +4,5 @@ charts:
 chart-repos:
   - bitnami=https://charts.bitnami.com/bitnami
 helm-extra-args: --timeout 600s
-namespace: default
+namespace: prefect
 release-label: prefect
diff --git a/.github/linters/server-ct.yaml b/.github/linters/server-ct.yaml
@@ -4,3 +4,5 @@ charts:
 chart-repos:
   - bitnami=https://charts.bitnami.com/bitnami
 helm-extra-args: --timeout 90s
+namespace: prefect
+release-label: prefect
diff --git a/.github/workflows/deploy-latest-helm-version.yaml b/.github/workflows/deploy-latest-helm-version.yaml
@@ -1,10 +1,14 @@
-name: Deploy latest helm releases to internal cluster
+---
+name: Deploy Latest Helm Releases to Internal Cluster
 
 "on":
   workflow_dispatch:
     inputs:
       release_version:
-        description: Release tag
+        description: The latest release tag
+        required: true
+
+permissions: {}
 
 jobs:
   update_helm_releases:
@@ -21,4 +25,4 @@ jobs:
             --ref main \
             -f release_version=${{ github.event.inputs.release_version }}
         env:
-          GITHUB_TOKEN: ${{ secrets.OPS_CLUSTER_DEPLOYMENT_ACTIONS_RW }}
+          GH_TOKEN: ${{ secrets.OPS_CLUSTER_DEPLOYMENT_ACTIONS_RW }}
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
@@ -1,11 +1,17 @@
-name: Release Helm Chart
+---
+name: Release Prefect Server and Worker Helm Charts
 
 "on":
-  workflow_dispatch:
+  workflow_dispatch: {}
+
+permissions: {}
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      # GitHub considers creating releases and uploading assets as writing contents.
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/helm-unittest.yaml b/.github/workflows/helm-unittest.yaml
@@ -1,10 +1,9 @@
-# https://github.com/marketplace/actions/helm-unit-tests
+---
+name: Run Helm Unit Tests
 
-name: Run Helm unit tests
+"on":
+  pull_request: {}
 
-on: pull_request
-
-# Do not grant jobs any permissions by default
 permissions: {}
 
 jobs:
@@ -15,6 +14,7 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@v4
+
       - uses: d3adb5/helm-unittest-action@v2
         with:
           helm-version: v3.15.3
diff --git a/.github/workflows/notify-on-failure.yaml b/.github/workflows/notify-on-failure.yaml
@@ -0,0 +1,49 @@
+---
+name: Notify on Failure
+
+"on":
+  workflow_run:
+    workflows:
+      - Deploy Latest Helm Releases to Internal Cluster
+      - Release Prefect Server and Worker Helm Charts
+      - Release Prometheus Prefect Exporter Helm Chart
+      - Updatecli Major Dependency Updates
+      - Updatecli Minor Dependency Updates
+    types: [completed]
+
+permissions: {}
+
+jobs:
+  notify:
+    name: Notify on Failure
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'failure' }}
+    permissions:
+      # required to introspect the workflow run
+      actions: read
+      # required to read from the repo
+      contents: read
+    steps:
+      - name: Format date
+        run: |
+          formatted_date=$(date -d "${{ github.event.workflow_run.run_started_at }}" "+%b %d at %I:%M %p")
+          echo "FORMATTED_DATE=$formatted_date" >> $GITHUB_ENV
+
+      - name: Send Slack notification
+        uses: 8398a7/action-slack@v3
+        with:
+          status: custom
+          # https://api.slack.com/reference/messaging/attachments
+          custom_payload: |
+            {
+              attachments: [{
+                pretext: ':x: Workflow triggered by ${{ github.actor }} failed',
+                title: '${{ github.event.workflow_run.display_title }} #${{github.event.workflow_run.run_number}}',
+                title_link: '${{ github.event.workflow_run.html_url }}',
+                footer: '${{ github.repository }} | ${{ env.FORMATTED_DATE }} UTC',
+                footer_icon: 'https://slack-imgs.com/?c=1&o1=wi32.he32.si&url=https%3A%2F%2Fslack.github.com%2Fstatic%2Fimg%2Ffavicon-neutral.png',
+                color: 'danger',
+              }]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_GHA_JOB_STATUS }}
diff --git a/.github/workflows/prometheus-exporter-helm-release.yaml b/.github/workflows/prometheus-exporter-helm-release.yaml
@@ -1,11 +1,17 @@
+---
 name: Release Prometheus Prefect Exporter Helm Chart
 
 "on":
-  workflow_dispatch:
+  workflow_dispatch: {}
+
+permissions: {}
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      # GitHub considers creating releases and uploading assets as writing contents.
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/prometheus-prefect-exporter-lint-and-test.yaml b/.github/workflows/prometheus-prefect-exporter-lint-and-test.yaml
@@ -1,14 +1,20 @@
+---
 name: Lint and Test Prometheus Prefect Exporter Chart
 
 "on":
   pull_request_target:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   lint_test:
     name: "lint-test (${{ matrix.kubernetes }})"
     runs-on: ubuntu-latest
+    permissions:
+      # required to read from the repo
+      contents: read
     strategy:
       matrix:
         kubernetes:

diff --git a/.github/workflows/server-lint-and-test.yaml b/.github/workflows/server-lint-and-test.yaml
@@ -1,11 +1,11 @@
+---
 name: Lint and Test Prefect Server Chart
 
 "on":
   pull_request_target:
     branches:
       - main
 
-# Do not grant jobs any permissions by default
 permissions: {}
 
 jobs:

diff --git a/.github/workflows/update-helm-major-versions.yaml b/.github/workflows/update-helm-major-versions.yaml
diff --git a/.github/workflows/update-helm-minor-versions.yaml b/.github/workflows/update-helm-minor-versions.yaml
diff --git a/.github/workflows/updatecli-major-versions.yaml b/.github/workflows/updatecli-major-versions.yaml
@@ -0,0 +1,27 @@
+---
+name: Updatecli Major Dependency Updates
+
+"on":
+  schedule:
+    - cron: 0 15 1 * *  # First of the month @ 3pm UTC
+  workflow_dispatch: {}
+
+permissions: {}
+
+jobs:
+  updatecli_major:
+    runs-on: ubuntu-latest
+    permissions:
+      # required to write to the repo
+      contents: write
+      # required to open a pr with updatecli changes
+      pull-requests: write
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: updatecli-major-apply
+        uses: prefecthq/actions-updatecli-apply@main
+        with:
+          manifest-path: .github/updatecli/manifest-major.yaml
+          run-type: major
diff --git a/.github/workflows/updatecli-minor-versions.yaml b/.github/workflows/updatecli-minor-versions.yaml
@@ -0,0 +1,27 @@
+---
+name: Updatecli Minor Dependency Updates
+
+"on":
+  schedule:
+    - cron: 0 15 * * 1  # Monday @ 3pm UTC
+  workflow_dispatch: {}
+
+permissions: {}
+
+jobs:
+  updatecli_minor:
+    runs-on: ubuntu-latest
+    permissions:
+      # required to write to the repo
+      contents: write
+      # required to open a pr with updatecli changes
+      pull-requests: write
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+
+      - name: updatecli-minor-apply
+        uses: prefecthq/actions-updatecli-apply@main
+        with:
+          manifest-path: .github/updatecli/manifest-minor.yaml
+          run-type: minor
diff --git a/.github/workflows/validate-updatecli-config.yaml b/.github/workflows/validate-updatecli-config.yaml
@@ -1,33 +1,30 @@
 ---
-name: Validate updatecli config
+name: Validate Updatecli Config
 
-on:
+"on":
   pull_request:
     branches:
       - main
     paths:
       - .github/updatecli/**
 
-# Do not grant jobs any permissions by default
 permissions: {}
 
 jobs:
-  validate_updatecli_config:
+  validate_updatecli_configs:
     runs-on: ubuntu-latest
     permissions:
       # required to read from the repo
       contents: read
-
     steps:
       - name: checkout
         uses: actions/checkout@v4
 
       - name: install updatecli
         uses: updatecli/updatecli-action@v2
 
-      - name: run updatecli diff to validate config
-        run: |
-          updatecli diff --config .github/updatecli/manifest-minor.yaml
-          updatecli diff --config .github/updatecli/manifest-major.yaml
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
+      - name: validate manifest-minor
+        run: updatecli diff --config .github/updatecli/manifest-minor.yaml
+
+      - name: validate manifest-major
+        run: updatecli diff --config .github/updatecli/manifest-major.yaml
diff --git a/.github/workflows/worker-lint-and-test.yaml b/.github/workflows/worker-lint-and-test.yaml
@@ -1,11 +1,11 @@
+---
 name: Lint and Test Prefect Worker Chart
 
 "on":
   pull_request_target:
     branches:
       - main
 
-# Do not grant jobs any permissions by default
 permissions: {}
 
 jobs: