From 8fd6f7e96d9a318a8c60644689fdbb69d735b7dd Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Sun, 28 Dec 2025 22:59:44 +0100
Subject: [PATCH 1/7] build: wpb-21356 changed the flow of offline.yml - introduced wiab-staging build and split bundle processing with default-build
---
 .github/workflows/offline.yml | 70 +++++++++++++++++++++++++++++++++--
 1 file changed, 67 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/offline.yml b/.github/workflows/offline.yml
index aa947a33b..5bb9d308b 100644
--- a/.github/workflows/offline.yml
+++ b/.github/workflows/offline.yml
@@ -9,6 +9,7 @@
 # - No label: No builds run (must add label to trigger builds)
 # - 'build-default': Builds only default profile
 # - 'build-demo': Builds only demo profile
+# - 'build-wiab-staging' - Builds only wiab-staging profile
 # - 'build-min': Builds only min profile
 # - 'build-all': Explicitly builds all profiles (useful for workflow changes)
 #
@@ -16,14 +17,14 @@
 #
 on:
 push:
- branches: [master, develop]
+ branches: [wpb-21356*]
 tags: [v*]
 paths-ignore:
 - "*.md"
 - "**/*.md"
 pull_request:
 types: [synchronize, reopened, labeled]
- branches: [master, develop]
+ branches: [mwpb-21356*]
 paths-ignore:
 - "*.md"
 - "**/*.md"
@@ -34,7 +35,8 @@ jobs:
 if: |
 github.event_name == 'push' ||
 contains(github.event.pull_request.labels.*.name, 'build-all') ||
- contains(github.event.pull_request.labels.*.name, 'build-default')
+ contains(github.event.pull_request.labels.*.name, 'build-default') ||
+ contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
 runs-on:
 group: wire-server-deploy
 outputs:
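Review bot: In the `on:` hunk, `branches: [master, develop]` becomes `[wpb-21356*]` on push and `[mwpb-21356*]` on pull_request; for `pull_request` the `branches` filter matches the base branch, so PRs into master/develop no longer trigger this workflow at all and the label gating below is unreachable for them. Patch 7 (`@@ -24,7 +24,7 @@`) fixes the `m` typo but keeps the feature-branch filter, so at the end of the series master/develop are still excluded. If this is scaffolding for testing the new jobs, restore `branches: [master, develop]` on both triggers before merge, or say in the commit message that the narrowed trigger is intended.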
@@ -72,6 +74,28 @@ jobs:
 AWS_SECRET_ACCESS_KEY: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
 AWS_REGION: "eu-west-1"
+ verify-default:
+ name: Verify default profile
+ needs: build-default
+ if: |
+ github.event_name == 'push' ||
+ contains(github.event.pull_request.labels.*.name, 'build-all') ||
+ contains(github.event.pull_request.labels.*.name, 'build-default')
+ runs-on:
+ group: wire-server-deploy
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: true
+ - uses: cachix/install-nix-action@v27
+ - uses: cachix/cachix-action@v15
+ with:
+ name: wire-server
+ signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"
+
+ - name: Install nix environment
+ run: nix-env -f default.nix -iA env
+
 - name: Install terraform
 uses: hashicorp/setup-terraform@v3
 with:
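Review bot: The new verify-default job uses `actions/checkout@v2` and pins every action to a mutable tag (`@v2`, `@v27`, `@v15`, `@v3`); checkout@v2 runs on a deprecated Node runtime, and a tag pin lets an upstream tag move under the workflow, so prefer a current major pinned to a full commit SHA with the tag in a comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # vN` (placeholder). The job also receives `signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"` although its only Nix step is `nix-env -f default.nix -iA env`; if it never needs to push to the cache, drop `signingKey` here so the signing secret is exposed only to jobs that build. The checkout/nix/cachix prelude is now copied verbatim into build-default, verify-default and verify-wiab-staging (next hunk); a local composite action would keep the three in step. The same remarks apply to verify-wiab-staging in the following hunk.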
@@ -89,6 +113,46 @@ jobs:
 env:
 HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+ # verify wiab-staging profile
+ verify-wiab-staging:
+ name: Verify wiab staging profile
+ needs: build-default
+ if: |
+ github.event_name == 'push' ||
+ contains(github.event.pull_request.labels.*.name, 'build-all') ||
+ contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
+ runs-on:
+ group: wire-server-deploy
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: true
+ - uses: cachix/install-nix-action@v27
+ - uses: cachix/cachix-action@v15
+ with:
+ name: wire-server
+ signingKey: "${{ secrets.CACHIX_SIGNING_KEY }}"
+
+ - name: Install nix environment
+ run: nix-env -f default.nix -iA env
+
+ - name: Install terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: "^1.3.7"
+ terraform_wrapper: false
+
+ - name: Deploy offline wiab-staging environment to hetzner
+ run: ./offline/cd_staging.sh
+ env:
+ HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+
+ - name: Clean up hetzner wiab-staging environment; just in case
+ if: always()
+ run: (cd terraform/examples/wiab-staging-hetzner ; terraform init && terraform destroy -auto-approve)
+ env:
+ HCLOUD_TOKEN: '${{ secrets.HCLOUD_TOKEN }}'
+
 # Build container in parallel
 build-container:
 name: Build container
From e15704b20c3673662e5cd910f28698c68a9ba06c Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Sun, 28 Dec 2025 23:00:54 +0100
Subject: [PATCH 2/7] build: wpb-21356 update pull_request_template and add new label for build-wiab-staging
---
 .github/pull_request_template.md | 1 +
 changelog.d/3-deploy-builds/wiab-staging | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 9f1314e3c..01cfb8cc6 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
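Review bot: The cleanup step's `run: (cd terraform/examples/wiab-staging-hetzner ; terraform init && terraform destroy -auto-approve)` joins the `cd` with `;`, so if that directory is missing the `terraform init && terraform destroy` pair runs in the repository root instead of being skipped; change it to `(cd terraform/examples/wiab-staging-hetzner && terraform init && terraform destroy -auto-approve)` or set `working-directory:` on the step so a failed `cd` aborts the command. Because the step is `if: always()` it also runs when cd_staging.sh aborted early, which only cleans anything up if the Terraform state lives in that directory on the runner; the hunk does not show where cd_staging.sh keeps its state, so that is worth confirming.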
@@ -25,6 +25,7 @@ Fixes ${ISSUE_URL}
 Add one or more labels to trigger offline builds:
 - `build-default` - Full production build (ansible, terraform, all packages)
 - `build-demo` - Demo/WIAB build
+- `build-wiab-staging` - WIAB-staging build
 - `build-min` - Minimal build (fastest, essential charts only)
 - `build-all` - Run all three builds
diff --git a/changelog.d/3-deploy-builds/wiab-staging b/changelog.d/3-deploy-builds/wiab-staging
index cbb040300..fd88872d7 100644
--- a/changelog.d/3-deploy-builds/wiab-staging
+++ b/changelog.d/3-deploy-builds/wiab-staging
@@ -3,3 +3,4 @@ Changed: Add ansible playbook for wiab-staging VM provisioning
 Fixed: offline-deploy.sh for SSH_AUTH_SOCK handling and remove defunct passwords for postgresql
 Added: terraform resources for wiab-staging
 Added: cd_staging script to verify the default build bundle
+Changed: changed the flow of offline.yml - introduced wiab-staging build and split bundle processing with default-build
From a13986dbc97d6145bd0949377c6648a88bcc09d3 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Sun, 28 Dec 2025 23:02:48 +0100
Subject: [PATCH 3/7] fix: wpb-21356 offline/cd.sh for demo verification process as github workflow has been updated
---
 offline/cd.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/offline/cd.sh b/offline/cd.sh
index d58bff013..6de7ea894 100755
--- a/offline/cd.sh
+++ b/offline/cd.sh
@@ -7,6 +7,9 @@ TF_DIR="${CD_DIR}/../terraform/examples/wire-server-deploy-offline-hetzner"
 ARTIFACTS_DIR="${CD_DIR}/default-build/output"
 VALUES_DIR="${CD_DIR}/../values"
+COMMIT_HASH="${GITHUB_SHA}"
+ARTIFACT="wire-server-deploy-static-${COMMIT_HASH}"
+
 # Retry configuration
 MAX_RETRIES=3
 RETRY_DELAY=30
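Review bot: `COMMIT_HASH="${GITHUB_SHA}"` in the cd.sh hunk silently expands to empty when the script is run outside Actions, which later yields the artifact name `wire-server-deploy-static-` and a download URL for an object that does not exist; fail fast instead with `COMMIT_HASH="${GITHUB_SHA:?GITHUB_SHA is required}"`. Note also that on `pull_request` events `GITHUB_SHA` is the merge commit rather than the PR head, so this name only resolves if the build job uploads the bundle under the same SHA — that upload step is not part of this series, so I cannot confirm the two agree.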
@@ -110,7 +113,11 @@ ssh-add - <<< "$ssh_private_key"
 terraform output -json static-inventory > inventory.json
 yq eval -o=yaml '.' inventory.json > inventory.yml
-ssh -oStrictHostKeyChecking=accept-new -oConnectionAttempts=10 "root@$adminhost" tar xzv < "$ARTIFACTS_DIR/assets.tgz"
+ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 \
+ "root@$adminhost" wget -q "https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/${ARTIFACT}.tgz"
+
+ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 \
+ "root@$adminhost" tar xzf "$ARTIFACT.tgz"
 # override for ingress-nginx-controller values for hetzner environment $TF_DIR/setup_nodes.yml
 scp -A "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "root@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml"
From 59e6acf2e58e15d96f7de60b88df753e9b667007 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Mon, 29 Dec 2025 09:04:20 +0100
Subject: [PATCH 4/7] fix: wpb-21356 add host key verification flags for scp commands
---
 offline/cd.sh | 4 ++--
 offline/cd_staging.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/offline/cd.sh b/offline/cd.sh
index 6de7ea894..61e1a552f 100755
--- a/offline/cd.sh
+++ b/offline/cd.sh
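Review bot: Both new `ssh` invocations replace `-oStrictHostKeyChecking=accept-new` with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, which disables host authentication entirely for sessions that run commands as root on the adminhost; `accept-new` is the weaker relaxation that still refuses a changed key, and the same pair is added to the scp lines in patch 4 (`@@ -120,9 +120,9 @@`, `@@ -124,7 +124,7 @@`, `@@ -192,7 +192,7 @@`). The bundle is now fetched on the adminhost from a public S3 URL built from `${ARTIFACT}` and unpacked with `tar xzf` without any integrity check, whereas the removed line streamed the locally built `assets.tgz`; if the build job can publish a digest next to the bundle, verify it before extraction, e.g. `sha256sum -c "$ARTIFACT.tgz.sha256"` (constructed name), so the verify job does not deploy whatever object currently sits at that key. `wget -q` also hides the HTTP error when the object has not been uploaded yet, so `wget -nv` or an explicit exit-status check would make that failure readable in the log.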
@@ -120,9 +120,9 @@ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAt
 "root@$adminhost" tar xzf "$ARTIFACT.tgz"
 # override for ingress-nginx-controller values for hetzner environment $TF_DIR/setup_nodes.yml
-scp -A "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "root@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml"
+scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "root@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml"
-scp inventory.yml "root@$adminhost":./ansible/inventory/offline/inventory.yml
+scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 inventory.yml "root@$adminhost":./ansible/inventory/offline/inventory.yml
 ssh "root@$adminhost" cat ./ansible/inventory/offline/inventory.yml || true
diff --git a/offline/cd_staging.sh b/offline/cd_staging.sh
index 680393f43..f248037dc 100755
--- a/offline/cd_staging.sh
+++ b/offline/cd_staging.sh
@@ -124,7 +124,7 @@ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAt
 "demo@$adminhost" tar xzf "$ARTIFACT.tgz"
 # override for ingress-nginx-controller values for hetzner environment $TF_DIR/setup_nodes.yml
-scp -A "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "demo@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml"
+scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "demo@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml"
 # Source and target files
 SOURCE="inventory.yml"
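Review bot: The same three-option string is now repeated on every scp line of cd.sh and cd_staging.sh (this hunk, `@@ -124,7 +124,7 @@` and `@@ -192,7 +192,7 @@`), while the trailing `ssh "root@$adminhost" cat ./ansible/inventory/offline/inventory.yml || true` in cd.sh is left with no options at all, so one script applies two different host-key policies to the same host within a single run. Define the options once near the top, `SSH_OPTS=(-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10)`, and pass `"${SSH_OPTS[@]}"` on every ssh/scp call so a policy change is made in one place. Dropping `-A` from the scp lines looks harmless because agent forwarding has no effect on a file copy, but the commit message should say it was deliberate.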
@@ -192,7 +192,7 @@ yq eval -i ".all.vars.ansible_ssh_private_key_file = \"ssh/ssh_private_key\"" "$
 echo "created secondary inventory file $TARGET successfully"
-scp "$TARGET" "demo@$adminhost":./ansible/inventory/offline/inventory.yml
+scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 "$TARGET" "demo@$adminhost":./ansible/inventory/offline/inventory.yml
 ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 "demo@$adminhost" cat ./ansible/inventory/offline/inventory.yml || true
From 9502b87a7fb9c360dd4b7ed5012aa5085239feb5 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Mon, 29 Dec 2025 10:22:52 +0100
Subject: [PATCH 5/7] fix: wpb-21356 debugging ssh banner issues
---
 offline/cd.sh | 10 ++++++----
 offline/cd_staging.sh | 6 ++++++
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/offline/cd.sh b/offline/cd.sh
index 61e1a552f..6acbf8347 100755
--- a/offline/cd.sh
+++ b/offline/cd.sh
@@ -8,6 +8,8 @@ ARTIFACTS_DIR="${CD_DIR}/default-build/output"
 VALUES_DIR="${CD_DIR}/../values"
 COMMIT_HASH="${GITHUB_SHA}"
+#remove me
+COMMIT_HASH="59e6acf2e58e15d96f7de60b88df753e9b667007"
 ARTIFACT="wire-server-deploy-static-${COMMIT_HASH}"
 # Retry configuration
@@ -113,16 +115,16 @@ ssh-add - <<< "$ssh_private_key"
 terraform output -json static-inventory > inventory.json
 yq eval -o=yaml '.' inventory.json > inventory.yml
-ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 \
+ssh -oStrictHostKeyChecking=accept-new -o ConnectionAttempts=10 \
 "root@$adminhost" wget -q "https://s3-eu-west-1.amazonaws.com/public.wire.com/artifacts/${ARTIFACT}.tgz"
-ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 \
+ssh -oStrictHostKeyChecking=accept-new -o ConnectionAttempts=10 \
 "root@$adminhost" tar xzf "$ARTIFACT.tgz"
 # override for ingress-nginx-controller values for hetzner environment $TF_DIR/setup_nodes.yml
-scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "root@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml"
+scp -oStrictHostKeyChecking=accept-new -o ConnectionAttempts=10 "$VALUES_DIR/ingress-nginx-controller/hetzner-ci.example.yaml" "root@$adminhost:./values/ingress-nginx-controller/prod-values.example.yaml"
-scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectionAttempts=10 inventory.yml "root@$adminhost":./ansible/inventory/offline/inventory.yml
+scp -oStrictHostKeyChecking=accept-new -o ConnectionAttempts=10 inventory.yml "root@$adminhost":./ansible/inventory/offline/inventory.yml
 ssh "root@$adminhost" cat ./ansible/inventory/offline/inventory.yml || true
diff --git a/offline/cd_staging.sh b/offline/cd_staging.sh
index f248037dc..d0039fd43 100755
--- a/offline/cd_staging.sh
+++ b/offline/cd_staging.sh
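Review bot: Returning cd.sh to `-oStrictHostKeyChecking=accept-new` while dropping `UserKnownHostsFile=/dev/null` means the runner's default known_hosts now persists across runs; `accept-new` only admits unknown hosts and still rejects a changed key, so on a self-hosted runner (`runs-on: group: wire-server-deploy`) a re-created Hetzner adminhost that reuses an address will fail with a host-key mismatch on a later run — plausibly the "banner" symptom this commit is chasing. A per-run file gives trust-on-first-use without stale entries: `-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile="$PWD/known_hosts"` (constructed path) on every ssh/scp call, including the `ssh "root@$adminhost" cat … || true` line that still carries no options. cd_staging.sh is not touched here and keeps `StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` from patch 4, so the two verify scripts now follow different policies.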
@@ -6,7 +6,10 @@ CD_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 TF_DIR="${CD_DIR}/../terraform/examples/wiab-staging-hetzner"
 ARTIFACTS_DIR="${CD_DIR}/default-build/output"
 VALUES_DIR="${CD_DIR}/../values"
+
 COMMIT_HASH="${GITHUB_SHA}"
+#remove me
+COMMIT_HASH="59e6acf2e58e15d96f7de60b88df753e9b667007"
 ARTIFACT="wire-server-deploy-static-${COMMIT_HASH}"
 # Retry configuration
@@ -113,6 +116,9 @@ chmod 400 ssh_private_key
 terraform output -json static-inventory > inventory.json
 yq eval -o=yaml '.' inventory.json > inventory.yml
+# remove me
+cat inventory.yml
+
 echo "Running ansible playbook setup_nodes.yml via adminhost ($adminhost)..."
 ansible-playbook -i inventory.yml setup_nodes.yml --private-key "ssh_private_key"
From a99a8329eed51674d41746b73cf1bde5eb67a149 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Mon, 29 Dec 2025 10:26:00 +0100
Subject: [PATCH 6/7] fix: wpb-21356 disable flows on push and removing the need for the default-build for verify steps
---
 .github/workflows/offline.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/offline.yml b/.github/workflows/offline.yml
index 5bb9d308b..027a5e5a0 100644
--- a/.github/workflows/offline.yml
+++ b/.github/workflows/offline.yml
@@ -33,7 +33,6 @@ jobs:
 build-default:
 name: Build default profile
 if: |
- github.event_name == 'push' ||
 contains(github.event.pull_request.labels.*.name, 'build-all') ||
 contains(github.event.pull_request.labels.*.name, 'build-default') ||
 contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
@@ -76,7 +75,8 @@ jobs:
 verify-default:
 name: Verify default profile
- needs: build-default
+ # uncomment me
+ # needs: build-default
 if: |
 github.event_name == 'push' ||
 contains(github.event.pull_request.labels.*.name, 'build-all') ||
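Review bot: `cat inventory.yml` under `# remove me` in the cd_staging.sh `@@ -113,6 +116,9 @@` hunk dumps the Terraform-generated inventory (host addresses and whatever other vars it carries) into the workflow log on every run, and unlike the hard-coded `COMMIT_HASH` it is not removed again in patch 7. Either drop it or gate it, e.g. `[ "${CD_DEBUG:-}" = 1 ] && cat inventory.yml` (constructed variable); the script already prints the adminhost copy later with `ssh … cat ./ansible/inventory/offline/inventory.yml || true`, so the unconditional dump adds little beyond noise.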
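Review bot: Removing `github.event_name == 'push' ||` from build-default here, and from build-demo and build-min in the following hunks (`@@ -182,7 +183,6 @@`, `@@ -243,7 +243,6 @@`), leaves every build gated on PR labels only, while the `push` trigger still fires for `tags: [v*]`; on a push event `github.event.pull_request.labels` is empty, so tag runs will start and skip every build. If tag-triggered bundles are still expected, keep a push condition on the build jobs, for example `github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') ||`, and if push builds are really meant to go away, drop `tags: [v*]` from the trigger as well so no empty runs are scheduled. Within this commit verify-default also keeps `github.event_name == 'push'` while its `needs: build-default` is commented out, so on a push it would run cd.sh with no bundle built for that SHA; patch 7 restores the `needs` and removes that condition, but the tag question remains open after the series.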
@@ -116,7 +116,8 @@ jobs:
 # verify wiab-staging profile
 verify-wiab-staging:
 name: Verify wiab staging profile
- needs: build-default
+ # uncomment me
+ # needs: build-default
 if: |
 github.event_name == 'push' ||
 contains(github.event.pull_request.labels.*.name, 'build-all') ||
@@ -182,7 +183,6 @@ jobs:
 build-demo:
 name: Build demo profile
 if: |
- github.event_name == 'push' ||
 contains(github.event.pull_request.labels.*.name, 'build-all') ||
 contains(github.event.pull_request.labels.*.name, 'build-demo')
 runs-on:
@@ -243,7 +243,6 @@ jobs:
 build-min:
 name: Build min profile
 if: |
- github.event_name == 'push' ||
 contains(github.event.pull_request.labels.*.name, 'build-all') ||
 contains(github.event.pull_request.labels.*.name, 'build-min')
 runs-on:
From 594b9227c4fff7ccbbea6eaf357124ce671d7b05 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Mon, 29 Dec 2025 11:55:25 +0100
Subject: [PATCH 7/7] fix: wpb-21356 remove static build hashes and enabled bundle build verification in offline.yml workflow
---
 .github/workflows/offline.yml | 10 +++-------
 offline/cd.sh | 4 +---
 offline/cd_staging.sh | 2 --
 3 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/offline.yml b/.github/workflows/offline.yml
index 027a5e5a0..ca98b600e 100644
--- a/.github/workflows/offline.yml
+++ b/.github/workflows/offline.yml
@@ -24,7 +24,7 @@ on:
 - "**/*.md"
 pull_request:
 types: [synchronize, reopened, labeled]
- branches: [mwpb-21356*]
+ branches: [wpb-21356*]
 paths-ignore:
 - "*.md"
 - "**/*.md"
@@ -75,10 +75,8 @@ jobs:
 verify-default:
 name: Verify default profile
- # uncomment me
- # needs: build-default
+ needs: build-default
 if: |
- github.event_name == 'push' ||
 contains(github.event.pull_request.labels.*.name, 'build-all') ||
 contains(github.event.pull_request.labels.*.name, 'build-default')
 runs-on:
@@ -116,10 +114,8 @@ jobs:
 # verify wiab-staging profile
 verify-wiab-staging:
 name: Verify wiab staging profile
- # uncomment me
- # needs: build-default
+ needs: build-default
 if: |
- github.event_name == 'push' ||
 contains(github.event.pull_request.labels.*.name, 'build-all') ||
 contains(github.event.pull_request.labels.*.name, 'build-wiab-staging')
 runs-on:
diff --git a/offline/cd.sh b/offline/cd.sh
index 6acbf8347..3db06c4d1 100755
--- a/offline/cd.sh
+++ b/offline/cd.sh
@@ -8,8 +8,6 @@ ARTIFACTS_DIR="${CD_DIR}/default-build/output"
 VALUES_DIR="${CD_DIR}/../values"
 COMMIT_HASH="${GITHUB_SHA}"
-#remove me
-COMMIT_HASH="59e6acf2e58e15d96f7de60b88df753e9b667007"
 ARTIFACT="wire-server-deploy-static-${COMMIT_HASH}"
 # Retry configuration
@@ -127,7 +125,7 @@ scp -oStrictHostKeyChecking=accept-new -o ConnectionAttempts=10 "$VALUES_DIR/ing
 scp -oStrictHostKeyChecking=accept-new -o ConnectionAttempts=10 inventory.yml "root@$adminhost":./ansible/inventory/offline/inventory.yml
 ssh "root@$adminhost" cat ./ansible/inventory/offline/inventory.yml || true
-
+ls -ls ssh_private_key || true
 echo "Running ansible playbook setup_nodes.yml via adminhost ($adminhost)..."
 ansible-playbook -i inventory.yml setup_nodes.yml --private-key "ssh_private_key" \
 -e "ansible_ssh_common_args='-o ProxyCommand=\"ssh -W %h:%p -q root@$adminhost -i ssh_private_key\" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"
diff --git a/offline/cd_staging.sh b/offline/cd_staging.sh
index d0039fd43..dcec2997a 100755
--- a/offline/cd_staging.sh
+++ b/offline/cd_staging.sh
@@ -8,8 +8,6 @@ ARTIFACTS_DIR="${CD_DIR}/default-build/output"
 VALUES_DIR="${CD_DIR}/../values"
 COMMIT_HASH="${GITHUB_SHA}"
-#remove me
-COMMIT_HASH="59e6acf2e58e15d96f7de60b88df753e9b667007"
 ARTIFACT="wire-server-deploy-static-${COMMIT_HASH}"
 # Retry configuration
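Review bot: `ls -ls ssh_private_key || true` in the cd.sh `@@ -127,7 +125,7 @@` hunk replaces a blank line just before the ansible-playbook call and reads as a leftover from the ssh debugging in patch 5, which this commit otherwise removes; either delete it or make it a real precondition, e.g. `test -r ssh_private_key || { echo "ssh_private_key missing" >&2; exit 1; }`, since with `|| true` the line can never change the outcome. The `# remove me` block in cd_staging.sh from patch 5 is likewise not part of this cleanup.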