fix: ensure nested frontend builds get secret translation (#7595) #1

Workflow file for this run

.github/workflows/publish.yml at 058730d

	name: Publish CLI & Engine
	on:
	push:
	branches: ["main"]
	tags: ["v**"]

	# Run tests in a PR when an SDK has a default CLI version bump
	pull_request:
	types:
	- opened
	- synchronize
	- reopened
	- ready_for_review
	paths:
	- sdk/go/internal/engineconn/version.gen.go
	- sdk/python/src/dagger/_engine/_version.py
	- sdk/typescript/provisioning/default.ts

	jobs:
	publish:
	if: ${{ github.repository == 'dagger/dagger' && github.event_name == 'push' }}
	# Use our own Dagger runner when running in the dagger/dagger repo (including PRs)
	runs-on: dagger-v0-11-6-16c-nvme
	steps:
	- uses: actions/checkout@v4
	- uses: actions/setup-go@v5
	with:
	go-version: "1.22"
	cache-dependency-path: "ci/go.sum"
	- name: "Publish Engine & CLI"
	run: \|
	cd ci/mage
	if [ $GITHUB_REF_NAME == 'main' ]; then
	# this is a push to the main branch, publish to the commit we're at
	go run main.go -w ../.. dagger:publish ${{ github.sha }}
	else
	# this is a tag push, publish to that tag
	go run main.go -w ../.. dagger:publish ${{ github.ref_name }}
	fi
	env:
	GH_ORG_NAME: ${{ vars.GH_ORG_NAME }}
	GITHUB_TOKEN: ${{ secrets.RELEASE_DAGGER_CI_TOKEN }}
	DAGGER_ENGINE_IMAGE: ${{ secrets.RELEASE_DAGGER_ENGINE_IMAGE }}
	AWS_ACCESS_KEY_ID: ${{ secrets.RELEASE_AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.RELEASE_AWS_SECRET_ACCESS_KEY }}
	AWS_REGION: ${{ secrets.RELEASE_AWS_REGION }}
	AWS_BUCKET: ${{ secrets.RELEASE_AWS_BUCKET }}
	ARTEFACTS_FQDN: ${{ secrets.RELEASE_FQDN }}
	GORELEASER_KEY: ${{ secrets.GORELEASER_PRO_LICENSE_KEY }}
	DAGGER_ENGINE_IMAGE_REGISTRY: ghcr.io
	DAGGER_ENGINE_IMAGE_USERNAME: ${{ github.actor }}
	DAGGER_ENGINE_IMAGE_PASSWORD: ${{ secrets.RELEASE_DAGGER_CI_TOKEN }}
	_EXPERIMENTAL_DAGGER_RUNNER_HOST: "unix:///var/run/buildkit/buildkitd.sock"
	- name: "Bump SDK Engine Dependencies"
	uses: peter-evans/create-pull-request@v3
	if: github.ref_name != 'main'
	with:
	add-paths: ./sdk/
	committer: Dagger CI <[email protected]>
	author: Dagger CI <[email protected]>
	commit-message: "sdk: Bump engine dependency to ${{ github.ref_name }}"
	signoff: true
	base: main
	title: "sdk: Bump engine dependency to ${{ github.ref_name }}"
	body: \|
	This PR was auto-generated.
	delete-branch: true
	branch: bump-engine
	draft: true

	notify:
	if: github.ref_type == 'tag'
	needs: publish
	uses: ./.github/workflows/_new_release_notification.yml
	secrets: inherit
	with:
	message: "🚙 Engine + 🚗 CLI: https://github.com/${{ github.repository }}/releases/tag/${{ github.ref_name }}"

	scan-engine:
	name: "Scan Engine Image for Vulnerabilities"
	needs: publish
	# only run this on push events, not in PRs (since we only publish images during pushes)
	if: github.event_name == 'push' && github.repository == 'dagger/dagger'
	uses: ./.github/workflows/_dagger_call.yml
	secrets: inherit
	with:
	function: engine scan

	test-provision-macos:
	name: "Test SDK Provision / macos"
	# We want to test the SDKs in a CLI dependency bump PR, in which case publish
	# has to be skipped, AND after every push to main/tags, in which case publish
	# must run first. This is unfortunately quite annoying to express in yaml...
	# https://github.com/actions/runner/issues/491#issuecomment-850884422
	needs: publish
	if: \|
	always() &&
	github.repository == 'dagger/dagger' &&
	(needs.publish.result == 'success' \|\| needs.publish.result == 'skipped')
	runs-on: macos-12
	steps:
	- name: "Set CLI Test URL"
	run: \|
	if [ ${{ github.event_name }} == 'push' ]; then
	BASE_URL="https://${{ secrets.RELEASE_FQDN }}/dagger"
	if [ $GITHUB_REF_NAME == 'main' ]; then
	# this is a push to the main branch
	ARCHIVE_URL="${BASE_URL}/main/${GITHUB_SHA}/dagger_${GITHUB_SHA}_darwin_amd64.tar.gz"
	CHECKSUMS_URL="${BASE_URL}/main/${GITHUB_SHA}/checksums.txt"
	RUNNER_HOST="docker-image://${{ secrets.RELEASE_DAGGER_ENGINE_IMAGE }}:${GITHUB_SHA}"
	else
	# this is a tag push
	ARCHIVE_URL="${BASE_URL}/releases/${GITHUB_REF_NAME:1}/dagger_${GITHUB_REF_NAME}_darwin_amd64.tar.gz"
	CHECKSUMS_URL="${BASE_URL}/releases/${GITHUB_REF_NAME:1}/checksums.txt"
	RUNNER_HOST="docker-image://${{ secrets.RELEASE_DAGGER_ENGINE_IMAGE }}:${GITHUB_REF_NAME}"
	fi
	echo "_INTERNAL_DAGGER_TEST_CLI_URL=${ARCHIVE_URL}" >> $GITHUB_ENV
	echo "_INTERNAL_DAGGER_TEST_CLI_CHECKSUMS_URL=${CHECKSUMS_URL}" >> $GITHUB_ENV
	echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=${RUNNER_HOST}" >> $GITHUB_ENV
	fi
	shell: bash
	- name: "Install Docker"
	run: \|
	echo "Install docker CLI..."
	brew install docker
	echo "Start Docker daemon via Colima..."
	echo "⚠️ Use mount-type 9p so that launched containers can chown: https://github.com/abiosoft/colima/issues/54#issuecomment-1250217077"
	colima start --mount-type 9p

	- uses: actions/checkout@v4

	- uses: actions/setup-go@v5
	with:
	go-version: "1.22"
	- name: "Test Go SDK"
	run: \|
	cd sdk/go
	go test -v -run TestProvision ./...

	- uses: actions/setup-python@v4
	with:
	python-version: "3.11"
	cache: "pip"
	cache-dependency-path: "sdk/python/requirements.txt"
	- name: "Test Python SDK"
	run: \|
	cd sdk/python
	pip install -r requirements.txt .
	pytest -xm provision

	- uses: actions/setup-node@v2
	with:
	node-version: 18
	- uses: oven-sh/setup-bun@v1
	with:
	bun-version: 1.0.x
	- name: "Test TypeScript SDK (Node)"
	run: \|
	cd sdk/typescript
	yarn install
	yarn test:node -g 'Automatic Provisioned CLI Binary'
	- name: "Test TypeScript SDK (Bun)"
	run: \|
	cd sdk/typescript
	yarn install
	yarn test:bun -g 'Automatic Provisioned CLI Binary'

	- name: "ALWAYS print engine logs - especially useful on failure"
	if: always()
	run: docker logs $(docker ps -q --filter name=dagger-engine)

	test-provision-go-linux:
	name: "Test SDK Provision / go / linux"
	needs: publish
	if: \|
	always() &&
	github.repository == 'dagger/dagger' &&
	(needs.publish.result == 'success' \|\| needs.publish.result == 'skipped')
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: "Set CLI Test URL"
	run: \|
	if [ ${{ github.event_name }} == 'push' ]; then
	BASE_URL="https://${{ secrets.RELEASE_FQDN }}/dagger"
	if [ $GITHUB_REF_NAME == 'main' ]; then
	# this is a push to the main branch
	ARCHIVE_URL="${BASE_URL}/main/${GITHUB_SHA}/dagger_${GITHUB_SHA}_linux_amd64.tar.gz"
	CHECKSUMS_URL="${BASE_URL}/main/${GITHUB_SHA}/checksums.txt"
	RUNNER_HOST="docker-image://${{ secrets.RELEASE_DAGGER_ENGINE_IMAGE }}:${GITHUB_SHA}"
	else
	# this is a tag push
	ARCHIVE_URL="${BASE_URL}/releases/${GITHUB_REF_NAME:1}/dagger_${GITHUB_REF_NAME}_linux_amd64.tar.gz"
	CHECKSUMS_URL="${BASE_URL}/releases/${GITHUB_REF_NAME:1}/checksums.txt"
	RUNNER_HOST="docker-image://${{ secrets.RELEASE_DAGGER_ENGINE_IMAGE }}:${GITHUB_REF_NAME}"
	fi
	echo "_INTERNAL_DAGGER_TEST_CLI_URL=${ARCHIVE_URL}" >> $GITHUB_ENV
	echo "_INTERNAL_DAGGER_TEST_CLI_CHECKSUMS_URL=${CHECKSUMS_URL}" >> $GITHUB_ENV
	echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=${RUNNER_HOST}" >> $GITHUB_ENV
	fi
	shell: bash
	- uses: actions/setup-go@v5
	with:
	go-version: "1.22"
	- name: "Test Go SDK"
	run: \|
	cd sdk/go
	go test -v -run TestProvision ./...
	- name: "ALWAYS print engine logs - especially useful on failure"
	if: always()
	run: docker logs $(docker ps -q --filter name=dagger-engine)

	test-provision-python-linux:
	name: "Test SDK Provision / python / linux"
	needs: publish
	if: \|
	always() &&
	github.repository == 'dagger/dagger' &&
	(needs.publish.result == 'success' \|\| needs.publish.result == 'skipped')
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: "Set CLI Test URL"
	run: \|
	if [ ${{ github.event_name }} == 'push' ]; then
	BASE_URL="https://${{ secrets.RELEASE_FQDN }}/dagger"
	if [ $GITHUB_REF_NAME == 'main' ]; then
	# this is a push to the main branch
	ARCHIVE_URL="${BASE_URL}/main/${GITHUB_SHA}/dagger_${GITHUB_SHA}_linux_amd64.tar.gz"
	CHECKSUMS_URL="${BASE_URL}/main/${GITHUB_SHA}/checksums.txt"
	RUNNER_HOST="docker-image://${{ secrets.RELEASE_DAGGER_ENGINE_IMAGE }}:${GITHUB_SHA}"
	else
	# this is a tag push
	ARCHIVE_URL="${BASE_URL}/releases/${GITHUB_REF_NAME:1}/dagger_${GITHUB_REF_NAME}_linux_amd64.tar.gz"
	CHECKSUMS_URL="${BASE_URL}/releases/${GITHUB_REF_NAME:1}/checksums.txt"
	RUNNER_HOST="docker-image://${{ secrets.RELEASE_DAGGER_ENGINE_IMAGE }}:${GITHUB_REF_NAME}"
	fi
	echo "_INTERNAL_DAGGER_TEST_CLI_URL=${ARCHIVE_URL}" >> $GITHUB_ENV
	echo "_INTERNAL_DAGGER_TEST_CLI_CHECKSUMS_URL=${CHECKSUMS_URL}" >> $GITHUB_ENV
	echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=${RUNNER_HOST}" >> $GITHUB_ENV
	fi
	shell: bash
	- uses: actions/setup-python@v4
	with:
	python-version: "3.11"
	cache: "pip"
	cache-dependency-path: "sdk/python/requirements.txt"
	- name: "Test Python SDK"
	run: \|
	cd sdk/python
	pip install -r requirements.txt .
	pytest -xm provision
	- name: "ALWAYS print engine logs - especially useful on failure"
	if: always()
	run: docker logs $(docker ps -q --filter name=dagger-engine)

	test-provision-typescript-linux:
	name: "Test SDK Provision / TypeScript / linux"
	needs: publish
	if: \|
	always() &&
	github.repository == 'dagger/dagger' &&
	(needs.publish.result == 'success' \|\| needs.publish.result == 'skipped')
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: "Set CLI Test URL"
	run: \|
	if [ ${{ github.event_name }} == 'push' ]; then
	BASE_URL="https://${{ secrets.RELEASE_FQDN }}/dagger"
	if [ $GITHUB_REF_NAME == 'main' ]; then
	# this is a push to the main branch
	ARCHIVE_URL="${BASE_URL}/main/${GITHUB_SHA}/dagger_${GITHUB_SHA}_linux_amd64.tar.gz"
	CHECKSUMS_URL="${BASE_URL}/main/${GITHUB_SHA}/checksums.txt"
	RUNNER_HOST="docker-image://${{ secrets.RELEASE_DAGGER_ENGINE_IMAGE }}:${GITHUB_SHA}"
	else
	# this is a tag push
	ARCHIVE_URL="${BASE_URL}/releases/${GITHUB_REF_NAME:1}/dagger_${GITHUB_REF_NAME}_linux_amd64.tar.gz"
	CHECKSUMS_URL="${BASE_URL}/releases/${GITHUB_REF_NAME:1}/checksums.txt"
	RUNNER_HOST="docker-image://${{ secrets.RELEASE_DAGGER_ENGINE_IMAGE }}:${GITHUB_REF_NAME}"
	fi
	echo "_INTERNAL_DAGGER_TEST_CLI_URL=${ARCHIVE_URL}" >> $GITHUB_ENV
	echo "_INTERNAL_DAGGER_TEST_CLI_CHECKSUMS_URL=${CHECKSUMS_URL}" >> $GITHUB_ENV
	echo "_EXPERIMENTAL_DAGGER_RUNNER_HOST=${RUNNER_HOST}" >> $GITHUB_ENV
	fi
	shell: bash
	- uses: actions/setup-node@v2
	with:
	node-version: 18
	- uses: oven-sh/setup-bun@v1
	with:
	bun-version: 1.0.x
	- name: "Test TypeScript SDK (Node)"
	run: \|
	cd sdk/typescript
	yarn install
	yarn test:node -g 'Automatic Provisioned CLI Binary'
	- name: "Test TypeScript SDK (Bun)"
	run: \|
	cd sdk/typescript
	yarn install
	yarn test:bun -g 'Automatic Provisioned CLI Binary'
	- name: "ALWAYS print engine logs - especially useful on failure"
	if: always()
	run: docker logs $(docker ps -q --filter name=dagger-engine)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: ensure nested frontend builds get secret translation (#7595) #1

Workflow file

fix: ensure nested frontend builds get secret translation (#7595) #1

Jobs

Run details

Workflow file for this run