Added a CI job for WPCloud testing of wpcomsh. #39258

Open
wants to merge 22 commits into
base: trunk
Changes from 2 commits
Commits
3a57a51
Added a CI job for WPCloud testing of wpcomsh.
zinigor Sep 5, 2024
2ab2c4a
Add pnpm and install.
zinigor Sep 5, 2024
0d40db9
Testing WPCloud on a new test site for jetpackisbestpack.
zinigor Oct 7, 2024
a8da4b4
Merge branch 'trunk' into add/wpcomsh-wpcloud-testing
zinigor Oct 7, 2024
a3a5533
Temporarily marking wpcomsh as always changed.
zinigor Oct 7, 2024
8b74cdf
Merge branch 'trunk' into add/wpcomsh-wpcloud-testing
zinigor Oct 23, 2024
4df8ed7
Added transferring of tests.
zinigor Oct 23, 2024
b102738
Added DB password slash escaping.
zinigor Oct 23, 2024
27bbd07
changelog
zinigor Oct 23, 2024
aad27e3
Added a mock for get_option_and_ensure_autoload.
zinigor Oct 23, 2024
9e892e4
Added a missing cache expulsion function.
zinigor Oct 24, 2024
dfb7439
Removed set -x from test installer.
zinigor Oct 24, 2024
bf302d5
Using pnpm to not bother with linking binaries.
zinigor Oct 24, 2024
8f1f194
Added a build step.
zinigor Oct 24, 2024
df0ed81
Merge branch 'trunk' into add/wpcomsh-wpcloud-testing
zinigor Oct 25, 2024
3618211
Created a separate job to avoid re-building on a re-run, h/t @anomiex.
zinigor Oct 25, 2024
510482f
Added cache saving and restoring, moved if to parent job.
zinigor Oct 25, 2024
747555d
Added the before file.
zinigor Oct 25, 2024
cdff320
Trying with instead of .
zinigor Oct 25, 2024
a60df09
Fixing var schema.
zinigor Oct 25, 2024
4f4f451
Merge branch 'trunk' into add/wpcomsh-wpcloud-testing
zinigor Nov 21, 2024
f2ff12f
Merge branch 'trunk' into add/wpcomsh-wpcloud-testing
zinigor Dec 2, 2024
105 changes: 105 additions & 0 deletions .github/workflows/wpcloud.yml
@@ -0,0 +1,105 @@
name: WPCloud Unit Testing for WPCOMSH

on:
pull_request:
push:
branches: ['trunk', '*/branch-*']
concurrency:
group: wpcloud-${{ github.event_name }}-${{ github.ref }}
cancel-in-progress: true

jobs:
deploy:
name: Run phpunit on WPCloud site
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# codecov.io requires a fetch depth > 1.
fetch-depth: 2

# For pull requests, list-changed-projects.sh needs the merge base.
# But it doesn't have to be checked out.
- name: Deepen to merge base
if: github.event_name == 'pull_request'
uses: ./.github/actions/deepen-to-merge-base
with:
checkout: false

- name: Setup tools
uses: ./.github/actions/tool-setup
with:
php: ${{ matrix.php }}
node: ${{ matrix.node }}
- name: Monorepo install
run: |
echo "::group::Pnpm"
pnpm install
echo "::endgroup::"
- name: Detect if wpcomsh has changed
id: changed
run: |
CHANGED="$(EXTRA=test .github/files/list-changed-projects.sh)"

WPCOMSH_CHANGED="$(jq --argjson changed "$CHANGED" -n '$changed | has( "plugins/wpcomsh" ) ')"
echo "wpcomsh=${WPCOMSH_CHANGED}" >> "$GITHUB_OUTPUT"

- name: Configure Github to be able to SSH to the Atomic site
if: steps.changed.outputs.wpcomsh == 'true'
run: |
echo "Intializing"
echo "::group::setup"

mkdir -vp ~/.ssh/
chmod -v 700 ~/.ssh

touch ~/.ssh/id_site
chmod 600 ~/.ssh/id_site
echo "$WPCLOUD_SSH_KEY" > ~/.ssh/id_site
echo "wrote ~/.ssh/id_site"

touch ~/.ssh/askpass
chmod -v 700 ~/.ssh/askpass
cat >>~/.ssh/askpass <<END
#!/bin/bash
echo "\$WPCLOUD_SSH_KEY_PASSPHRASE"
END
echo "wrote ~/.ssh/askpass"
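
Review bot: the `if:` on the "Configure Github to be able to SSH to the Atomic site" step only checks `steps.changed.outputs.wpcomsh == 'true'`, but the workflow also triggers on `pull_request`, and repository secrets are not passed to `pull_request` runs that come from forks. On a fork PR `WPCLOUD_SSH_KEY` would be empty and the step would fail at the SSH call instead of being skipped; for pull_request events, also require `github.event.pull_request.head.repo.full_name == github.repository`, or skip with a clear message when the key is empty. Separately, the "Setup tools" step reads `matrix.php` and `matrix.node`, yet no `strategy.matrix` is defined in the visible job, so both inputs evaluate to empty.
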
Contributor

I wonder if we could switch to a key with no password, so we could skip this. Is there an attack scenario where someone could steal the key but not also steal this file with the password?


cat >>~/.ssh/config <<END
Host *
StrictHostKeyChecking no
END
echo "wrote ~/.ssh/config"

touch ~/.ssh/stdin
chmod -v 600 ~/.ssh/stdin
cat >>~/.ssh/stdin <<END
$WPCLOUD_STDIN
END
echo "wrote ~/.ssh/stdin"

export SSH_ASKPASS="$HOME/.ssh/askpass"
echo "exported SSH_ASKPASS"
export SSH_ASKPASS_REQUIRE="force"
echo "exported SSH_ASKPASS_REQUIRE"
export DISPLAY=":"
echo "exported DISPLAY"
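
Review bot: `StrictHostKeyChecking no` under `Host *` in the `~/.ssh/config` heredoc turns off host key verification for every connection made in this job, so the `ssh` call to ssh.atomicsites.net sends the command and the contents of `~/.ssh/stdin` to whichever server answers. Pin the expected host key instead: write it to `~/.ssh/known_hosts` from a repository variable or secret, scope the config block to `Host ssh.atomicsites.net`, and leave strict checking enabled.
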
Contributor

(this along with the comment on lines 61–67 above)


echo "::endgroup::"

echo "::group::execution"
cat ~/.ssh/stdin | setsid ssh -i ~/.ssh/id_site -l "$WPCLOUD_SSH_USER" ssh.atomicsites.net "$WPCLOUD_SSH_COMMAND" || CODE=$?
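
Review bot: `CODE` is assigned only on the failure path of the `ssh` line (`|| CODE=$?`), so on success the later `exit $CODE` runs with an empty argument and returns the status of the preceding `echo`. Set `CODE=0` before the `ssh` call and use `exit "$CODE"` so the step's exit status is explicit rather than incidental.
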
Contributor

I'm left wondering what's in WPCLOUD_SSH_COMMAND that we can't just put it in here.

Is whatever this runs going to work if multiple PRs run this at the same time?

echo "::endgroup::"

echo "::group::teardown"
rm -rvf ~/.ssh/
echo "::endgroup::"
echo "Exiting with exit code $CODE"
exit $CODE
env:
WPCLOUD_SSH_KEY: ${{ secrets.WPCLOUD_SSH_KEY }}
WPCLOUD_SSH_KEY_PASSPHRASE: ${{ secrets.WPCLOUD_SSH_KEY_PASSPHRASE }}
WPCLOUD_SSH_USER: ${{ secrets.WPCLOUD_SSH_USER }}
WPCLOUD_SSH_COMMAND: ${{ secrets.WPCLOUD_SSH_COMMAND }}
WPCLOUD_STDIN: ${{ toJSON(github) }}
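
Review bot: `WPCLOUD_STDIN: ${{ toJSON(github) }}` in the `env:` block serialises the whole `github` context, which includes `github.token`, and the step then writes it to `~/.ssh/stdin` and pipes it to the remote host. Pass only the fields the remote test run needs (for example the commit SHA, ref and repository) as individual env values. The teardown `rm -rvf ~/.ssh/` is also reached only if no earlier command in the script aborts under the default `bash -e`; a `trap` on EXIT, set right after `mkdir -vp ~/.ssh/`, would make the key cleanup unconditional.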