The contents of this repository handle the setup for GitHub Actions, including both the runners and the templates for basic pipeline scripts.
If there's an outdated Personal Access Token (PAT), it must first be removed.
You can check existing secrets with oc get secrets. If runner-secrets is
present, it should only contain one data entry (this can be confirmed by
checking oc get secret runner-secrets -o json) and it can be removed with
oc delete secret runner-secrets. This removal only affects newly created pods:
pre-existing ones will still attempt to use the old token, so they must be
removed and new ones created for the removal/update to be effective.
To fetch the authorization token for creating new runners, we need a Personal
Access Token (PAT). One can be generated by navigating to GitHub and then
settings > developer settings > personal access tokens > generate new token.
The token only needs to have the public_repo scope, which means that it will
not expose anything about private repositories etc., but it does grant read and
write access to "code, commit statuses, repository projects, collaborators, and
deployment statuses for public repositories and organizations" (see
docs).
There must be a valid PAT in runner-secrets. To save the token there, write
the token into a file called gh_runner_pat and add it to the OC secrets
with the following command:
oc create secret generic runner-secrets --from-file=gh_runner_pat
NB: do NOT check the file into version control: after the secret has been created, the file can be deleted.
You need to change the variables ACTIONS_RUNNER_VERSION and
ACTIONS_RUNNER_CHECKSUM in the Dockerfile to match the version and linux-x64
tar.gz checksum of the newest (or other desired) version from
https://github.com/actions/runner/releases. After that you can proceed to
building, uploading and deploying the pod.
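Before building, it is worth confirming that the checksum pinned in the Dockerfile really matches the tarball published for that version. The script below is an added example, not part of this repository: it assumes the Dockerfile sets the two variables on ARG or ENV lines of the form NAME=value, that the tarball has already been downloaded locally, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: check a downloaded runner tarball against the checksum
# pinned in a runner Dockerfile before building the image.
# Assumption: the Dockerfile uses lines such as
#   ARG ACTIONS_RUNNER_CHECKSUM=<64 hex characters>

# Print the value assigned to variable $2 in Dockerfile $1 (ARG/ENV NAME=value).
dockerfile_var() {
    sed -n -E "s/^[[:space:]]*(ARG|ENV)[[:space:]]+$2=\"?([^\"[:space:]]+)\"?.*/\2/p" "$1" | tail -n 1
}

# Return 0 only if file $1 hashes to the SHA-256 given in $2.
# Return 2 for a malformed checksum, 3 for an unreadable file, 1 for a mismatch.
sha256_matches() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Fail closed on anything that is not exactly 64 hex characters
    # (empty value, truncated paste, wrong algorithm).
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 3
    actual=$(sha256sum "$file" | cut -d ' ' -f 1) || return 3
    [ "$actual" = "$expected" ]
}

# Check tarball $2 against the checksum pinned in Dockerfile $1.
verify_runner_tarball() {
    local dockerfile=$1 tarball=$2 version checksum
    version=$(dockerfile_var "$dockerfile" ACTIONS_RUNNER_VERSION)
    checksum=$(dockerfile_var "$dockerfile" ACTIONS_RUNNER_CHECKSUM)
    if sha256_matches "$tarball" "$checksum"; then
        echo "OK: $tarball matches the checksum pinned for runner $version"
    else
        echo "MISMATCH: $tarball does not match the checksum pinned for runner $version" >&2
        return 1
    fi
}

# Usage: script <Dockerfile> <downloaded tar.gz>
if [ "$#" -eq 2 ]; then
    verify_runner_tarball "$1" "$2"
fi
```

A mismatch means either the wrong checksum was copied into the Dockerfile or the download is not the published artifact; in both cases the image should not be built until the two agree.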
To build a specific runner, you need to provide the path to the directory containing the Dockerfile and the tag for the runner. For the basic python runner, this would be
docker build runners/python-runner -t python-runner
Before uploading, you need to authenticate. The authentication command and token are shown in the web UI. After authenticating, you can log in to the container registry using
docker login -p $(oc whoami -t) -u unused image-registry.apps.2.rahti.csc.fi
You can tag the container and push it to the registry, e.g. for the basic python runner:
docker tag python-runner image-registry.apps.2.rahti.csc.fi/kp-gh-actions-runners/python-runner:[VERSION]
docker push image-registry.apps.2.rahti.csc.fi/kp-gh-actions-runners/python-runner:[VERSION]
You can check the previous version from the container registry: increment the major/minor/patch version depending on the changes made.
To use the newest version of the container in the soon-to-be-deployed pod, you need to set the image version in the pod specification file.
First you must authenticate to OpenShift. The command and token for authentication can be copied from the OpenShift console UI by clicking your name in the upper right corner and choosing "copy login command".
If there are old, outdated pods (e.g. with old secrets), you can list them with
oc get pods
and remove them using oc delete pod [pod name]. Remember to delete the runner in the GitHub UI too.
After that you can deploy a new pod for a specific repository with oc process and oc create, e.g.
oc process -f services/python-runner-pod.yaml -p REPO_NAME=kielipankki-metax-bridge -p REPO_OWNER=cscfi | oc create -f -
and you should now see a new runner in GitHub.
NB: REPO_NAME needs to be provided in all lower case.