feat: use github app for VHD automation tasks (#5379) (#5429)
Co-authored-by: Cameron Meissner <[email protected]>
Co-authored-by: Cameron Meissner <[email protected]>
3 people authored Dec 16, 2024
1 parent 9ac8b81 commit 45cc0e3
Showing 9 changed files with 129 additions and 63 deletions.
6 changes: 4 additions & 2 deletions .pipelines/.vsts-vhd-automation.yaml
@@ -36,6 +36,7 @@ stages:
- template: ./templates/.configure-azdevops-template.yaml
parameters:
ADO_PAT: $(PAT-aksdevassistant)
- template: ./templates/.generate-github-token.yaml
- template: ./templates/.set-image-version-template.yaml
parameters:
VHD_BUILD_ID: ${{ parameters.VHD_BUILD_ID }}
@@ -44,7 +45,7 @@ stages:
echo "PR for Image Bumping, Official Branch Cutting"
/bin/bash vhdbuilder/scripts/automate_version_bump.sh
env:
GITHUB_PAT: $(PAT-aks-node-assistant)
GITHUB_TOKEN: $(GITHUB_TOKEN)
IMAGE_VERSION: $(IMAGE_VERSION)
VHD_BUILD_ID: ${{ parameters.VHD_BUILD_ID }}
PR_TARGET_BRANCH: ${{ parameters.PRTargetBranch }}
@@ -59,6 +60,7 @@ stages:
- template: ./templates/.configure-azdevops-template.yaml
parameters:
ADO_PAT: $(PAT-aksdevassistant)
- template: ./templates/.generate-github-token.yaml
- template: ./templates/.set-image-version-template.yaml
parameters:
VHD_BUILD_ID: ${{ parameters.VHD_BUILD_ID }}
@@ -67,7 +69,7 @@ stages:
echo "PR for Release Notes"
/bin/bash vhdbuilder/scripts/automate_release_notes.sh
env:
GITHUB_PAT: $(PAT-aks-node-assistant)
GITHUB_TOKEN: $(GITHUB_TOKEN)
IMAGE_VERSION: $(IMAGE_VERSION)
VHD_BUILD_ID: ${{ parameters.VHD_BUILD_ID }}
SKIP_LATEST: $(SKIP_LATEST_RELEASE_NOTES_UPDATE)
50 changes: 21 additions & 29 deletions .pipelines/.vsts-vhd-windows-automation.yaml
@@ -5,12 +5,9 @@ pool:

parameters:
- name: ImageBump
displayName: Image Bump + Branch Cutting
displayName: Image Bump
type: boolean
default: false
- name: GithubUserName
displayName: The user name of the owner to push changes
type: string
- name: ReleaseNotes
displayName: Release Notes
type: boolean
@@ -20,37 +17,32 @@ variables:
- group: "AKS Dev Assistant (KV)"

steps:
- template: ./templates/.configure-azdevops-template.yaml
parameters:
ADO_PAT: $(PAT-aksdevassistant)
- template: ./templates/.generate-github-token.yaml
- bash: |
az extension add -n azure-devops
echo $MAPPED_ADO_PAT | az devops login --organization=https://dev.azure.com/msazure
az devops configure --defaults organization=https://dev.azure.com/msazure project=CloudNativeCompute
echo "Bumping windows VHD base image version"
/bin/bash vhdbuilder/scripts/windows/automate_version_bump.sh "$GITHUB_TOKEN" "$CHERRY_PICK_COMMIT_ID"
env:
MAPPED_ADO_PAT: $(PAT-aksdevassistant)
displayName: 'az devops login'
- bash: |
echo "Bumping windows VHD base image version"
/bin/bash vhdbuilder/scripts/windows/automate_version_bump.sh $MAPPED_GITHUB_PAT '${{ parameters.GithubUserName }}' "$CHERRY_PICK_COMMIT_ID"
env:
MAPPED_GITHUB_PAT: $(GITHUB_PAT)
GITHUB_TOKEN: $(GITHUB_TOKEN)
CHERRY_PICK_COMMIT_ID: $(CHERRY_PICK_COMMIT_ID)
displayName: 'Image Version Bumping'
condition: eq('${{ parameters.ImageBump }}', true)
- bash: |
echo "PR for Release Notes"
az extension add -n azure-devops
echo $MAPPED_ADO_PAT | az devops login --organization=https://dev.azure.com/msazure
az devops configure --defaults organization=https://dev.azure.com/msazure project=CloudNativeCompute
cd vhdbuilder/release-notes/autonotes
VER=$(go version)
echo "Go version is $VER"
go install .
cd ../../..
echo "go run autonotes to shuffle release note files from Azure Pipelines into the AgentBaker repo structure"
go run vhdbuilder/release-notes/autonotes/main.go --build $BUILD_ID --include 2019-containerd,2022-containerd,2022-containerd-gen2,23H2,23H2-gen2
echo "run bash to create pull request for the shuffled release note files"
/bin/bash vhdbuilder/scripts/windows/automate_release_notes.sh $BUILD_ID $MAPPED_GITHUB_PAT '${{ parameters.GithubUserName }}'
echo "PR for Release Notes"
cd vhdbuilder/release-notes/autonotes
VER=$(go version)
echo "Go version is $VER"
go install .
cd ../../..
echo "go run autonotes to shuffle release note files from Azure Pipelines into the AgentBaker repo structure"
go run vhdbuilder/release-notes/autonotes/main.go --build $BUILD_ID --include 2019-containerd,2022-containerd,2022-containerd-gen2,23H2,23H2-gen2
echo "run bash to create pull request for the shuffled release note files"
/bin/bash vhdbuilder/scripts/windows/automate_release_notes.sh "$GITHUB_TOKEN" "$BUILD_ID"
env:
MAPPED_GITHUB_PAT: $(GITHUB_PAT)
MAPPED_ADO_PAT: $(PAT-aksdevassistant)
GITHUB_TOKEN: $(GITHUB_TOKEN)
BUILD_ID: $(BUILD_ID)
displayName: 'Release Notes'
condition: eq('${{ parameters.ReleaseNotes }}', true)
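Review bot: The installation token is handed to both Windows scripts as a positional argument (`automate_version_bump.sh "$GITHUB_TOKEN" "$CHERRY_PICK_COMMIT_ID"` and `automate_release_notes.sh "$GITHUB_TOKEN" "$BUILD_ID"`), so it sits in the command line of the bash process and is readable by anything on the agent that can list processes. Both steps already export `GITHUB_TOKEN` through `env:`, which is how the Linux pipeline passes it; the scripts could read it from there, e.g. `github_access_token="${GITHUB_TOKEN:?GITHUB_TOKEN must be set}"`, and the argument can be dropped from both calls. That would also give the Windows path a fail-fast check on an empty token, like the one the Linux version-bump script has.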

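--- a/.pipelines/templates/.generate-github-token.yaml
+++ b/.pipelines/templates/.generate-github-token.yaml
@@ -0,0 +1,64 @@
+steps:
+- bash: |
+set -euo pipefail
+if [ -z "$PRIVATE_KEY" ]; then
+echo "PRIVATE_KEY must be supplied to generate installation token for aks-node-sig-release-assistant"
+exit 1
+fi
+if [ -z "$CLIENT_ID" ]; then
+echo "CLIENT_ID must be supplied to generate installation token for aks-node-sig-release-assistant"
+exit 1
+fi
+now=$(date +%s)
+iat=$((${now} - 60)) # issues 60 seconds in the past
+exp=$((${now} + 600)) # expires 10 minutes in the future
+b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+header_json='{
+"typ":"JWT",
+"alg":"RS256"
+}'
+# encode the JWT header
+header=$(echo -n "${header_json}" | b64enc)
+payload_json="{
+\"iat\":${iat},
+\"exp\":${exp},
+\"iss\":\"${CLIENT_ID}\"
+}"
+# encode the JWT payload
+payload=$(echo -n "${payload_json}" | b64enc)
+# create the JWT signature
+header_payload="${header}"."${payload}"
+signature=$(
+openssl dgst -sha256 -sign <(echo -n "${PRIVATE_KEY}") \
+<(echo -n "${header_payload}") | b64enc
+)
+# create the JWT
+jwt="${header_payload}"."${signature}"
+# get the installation token request URL
+installation_token_url=$(curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $jwt" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/app/installations | jq -r '.[0].access_tokens_url')
+if [ -z "$installation_token_url" ] || [ "$installation_token_url" == "null" ]; then
+echo "unable to get installation token URL"
+exit 1
+fi
+# get the installation token
+token=$(curl -X POST -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $jwt" -H "X-GitHub-Api-Version: 2022-11-28" "$installation_token_url" | jq -r '.token')
+if [ -z "$token" ] || [ "$token" == "null" ]; then
+echo "unable to get installation token"
+exit 1
+fi
+echo "generated installation token for aks-node-sig-release-assistant"
+echo "##vso[task.setvariable variable=GITHUB_TOKEN;issecret=true]$token"
+env:
+PRIVATE_KEY: $(aks-node-sig-release-assistant-private-key)
+CLIENT_ID: $(aks-node-sig-release-assistant-client-id)
+displayName: Generate GitHub token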
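Review bot: The token request is sent without a body and the installation is picked with `jq -r '.[0].access_tokens_url'`, so the minted token carries every permission and repository of whichever installation GitHub happens to list first. If the app is ever installed on a second account the pipeline may silently get a token for the wrong one, and in any case the token is broader than the push-and-open-PR work these scripts do. Looking the installation up by repository (`https://api.github.com/repos/Azure/AgentBaker/installation | jq -r '.access_tokens_url'`) and narrowing the request with `-d '{"repositories":["AgentBaker"],"permissions":{"contents":"write","pull_requests":"write"}}'` would pin both; the permission set is inferred from the scripts in this commit and should be checked against what the app is actually granted. Adding `-fsS` to both curl calls would also surface HTTP errors instead of leaving only the `null` check.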
20 changes: 13 additions & 7 deletions vhdbuilder/scripts/automate_helpers.sh
@@ -1,6 +1,9 @@
#!/bin/bash
set -x

RELEASE_ASSISTANT_APP_NAME="aks-node-sig-release-assistant[bot]"
RELEASE_ASSISTANT_APP_UID="190555641"

retrycmd_if_failure() {
retries=$1; wait_sleep=$2; shift && shift
for i in $(seq 1 $retries); do
@@ -18,9 +21,10 @@ retrycmd_if_failure() {
}

set_git_config() {
# git config needs to be set in the agent
git config --global user.email "[email protected]"
git config --global user.name "aks-node-assistant"
# git config needs to be set in the agent as the corresponding GitHub app
# https://github.com/orgs/community/discussions/24664#discussioncomment-3244950
git config --global user.email "${RELEASE_ASSISTANT_APP_UID}+${RELEASE_ASSISTANT_APP_NAME}@users.noreply.github.com"
git config --global user.name "$RELEASE_ASSISTANT_APP_NAME"
git config --list
}

@@ -41,7 +45,7 @@ create_branch() {

create_pull_request() {
local image_version=$1
local github_pat=$2
local github_token=$2
local branch_name=$3
local base_branch=$4
local target=$5
@@ -55,8 +59,10 @@ create_pull_request() {
echo "Branch Name is $branch_name"
echo "PR is for $target"

set +x # to avoid logging PAT
git remote set-url origin https://${github_pat}@github.com/Azure/AgentBaker.git # Set remote URL with PAT
set +x # to avoid logging token
# use the installation token to authenticate for HTTP-based git access
# https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation#about-authentication-as-a-github-app-installation
git remote set-url origin https://x-access-token:${github_token}@github.com/Azure/AgentBaker.git
git add .

if [[ "$target" == "ReleaseNotes" ]]; then
@@ -69,7 +75,7 @@ create_pull_request() {

curl \
-X POST \
-H "Authorization: Bearer $github_pat" \
-H "Authorization: Bearer $github_token" \
https://api.github.com/repos/Azure/AgentBaker/pulls \
-d '{
"head" : "'$branch_name'",
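Review bot: `git remote set-url origin https://x-access-token:${github_token}@github.com/Azure/AgentBaker.git` writes the installation token into `.git/config` of the checkout, where it stays after the push for as long as the workspace exists; the same line is added in `vhdbuilder/scripts/windows/automate_helpers.sh`. The token is short-lived, but on an agent whose workspace is reused or archived it is still a readable credential for that window. Consider supplying it only for the push, or restoring the plain URL once the push is done with `git remote set-url origin https://github.com/Azure/AgentBaker.git`. The push itself is outside this hunk, so the placement has to be checked against the rest of `create_pull_request`.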
8 changes: 4 additions & 4 deletions vhdbuilder/scripts/automate_release_notes.sh
@@ -3,7 +3,7 @@ set -euo pipefail
source vhdbuilder/scripts/automate_helpers.sh

set +x
GITHUB_PAT="${GITHUB_PAT:-""}"
GITHUB_TOKEN="${GITHUB_TOKEN:-""}"
set -x

IMAGE_VERSION="${IMAGE_VERSION:-""}"
@@ -42,8 +42,8 @@ if [ -z "$VHD_BUILD_ID" ]; then
fi

set +x
if [ -z "$GITHUB_PAT" ]; then
echo "GITHUB_PAT must be set to generate release notes"
if [ -z "$GITHUB_TOKEN" ]; then
echo "GITHUB_TOKEN must be set to generate release notes"
fi
set -x

@@ -65,4 +65,4 @@ fi
retrycmd_if_failure 5 10 generate_release_notes || exit $?
git status
set +x
create_pull_request $IMAGE_VERSION $GITHUB_PAT $BRANCH_NAME $PR_TARGET_BRANCH $PR_TITLE
create_pull_request $IMAGE_VERSION $GITHUB_TOKEN $BRANCH_NAME $PR_TARGET_BRANCH $PR_TITLE
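Review bot: The empty-token guard after the rename still only prints `GITHUB_TOKEN must be set to generate release notes` and falls through, unlike the same guard in `automate_version_bump.sh`, which exits; add `exit 1` before the `fi`. Because the last line calls `create_pull_request $IMAGE_VERSION $GITHUB_TOKEN $BRANCH_NAME ...` unquoted, an empty token also disappears from the argument list and `$BRANCH_NAME` is bound as the token. Quoting each argument (`create_pull_request "$IMAGE_VERSION" "$GITHUB_TOKEN" "$BRANCH_NAME" "$PR_TARGET_BRANCH" "$PR_TITLE"`) keeps the positions stable; the call in `automate_version_bump.sh` has the same shape.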
8 changes: 4 additions & 4 deletions vhdbuilder/scripts/automate_version_bump.sh
@@ -3,7 +3,7 @@ set -euxo pipefail
source vhdbuilder/scripts/automate_helpers.sh

set +x
GITHUB_PAT="${GITHUB_PAT:-""}"
GITHUB_TOKEN="${GITHUB_TOKEN:-""}"
set -x

NEW_IMAGE_VERSION="${IMAGE_VERSION:-""}"
@@ -62,7 +62,7 @@ create_image_bump_pr() {
update_image_version

set +x
create_pull_request $NEW_IMAGE_VERSION $GITHUB_PAT $BRANCH_NAME $PR_TARGET_BRANCH $PR_TITLE
create_pull_request $NEW_IMAGE_VERSION $GITHUB_TOKEN $BRANCH_NAME $PR_TARGET_BRANCH $PR_TITLE
set -x
}

@@ -109,8 +109,8 @@ cut_official_branch() {
}

set +x
if [ -z "$GITHUB_PAT" ]; then
echo "GITHUB_PAT must be set in order to bump the image version and create the official branch"
if [ -z "$GITHUB_TOKEN" ]; then
echo "GITHUB_TOKEN must be set in order to bump the image version and create the official branch"
exit 1
fi
set -x
15 changes: 10 additions & 5 deletions vhdbuilder/scripts/windows/automate_helpers.sh
@@ -1,11 +1,14 @@
#!/bin/bash
set -euxo pipefail

RELEASE_ASSISTANT_APP_NAME="aks-node-sig-release-assistant[bot]"
RELEASE_ASSISTANT_APP_UID="190555641"

set_git_config() {
# git config needs to be set in the agent
github_user_name=$1
git config --global user.email "$github_user_name@microsoft.com"
git config --global user.name "$github_user_name"
# git config needs to be set in the agent as the corresponding GitHub app
# https://github.com/orgs/community/discussions/24664#discussioncomment-3244950
git config --global user.email "${RELEASE_ASSISTANT_APP_UID}+${RELEASE_ASSISTANT_APP_NAME}@users.noreply.github.com"
git config --global user.name "$RELEASE_ASSISTANT_APP_NAME"
git config --list
}

@@ -91,7 +94,9 @@ create_pull_request() {
echo "Branch Name is $branch_name"
echo "PR is for $pr_purpose"

git remote set-url origin https://$github_user_name:$github_access_token@github.com/Azure/AgentBaker.git # Set remote URL with PAT
# use the installation token to authenticate for HTTP-based git access
# https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation#about-authentication-as-a-github-app-installation
git remote set-url origin https://x-access-token:${github_access_token}@github.com/Azure/AgentBaker.git
git add .

if [[ $pr_purpose == "ReleaseNotes" ]]; then
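Review bot: No `set +x` is visible around the new `git remote set-url origin https://x-access-token:${github_access_token}@...` line, while this file enables tracing with `set -euxo pipefail` and the Linux helper turns it off at the same spot with `set +x # to avoid logging token`. Whether tracing is off here depends on the caller: `windows/automate_version_bump.sh` appears to disable it around the call, but nothing in this commit shows `windows/automate_release_notes.sh` doing so. Pipeline secret masking may hide the value in the log, but it is safer not to rely on it; add `set +x` before the `git remote set-url` line inside `create_pull_request`. The function starts and ends outside this hunk.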
14 changes: 6 additions & 8 deletions vhdbuilder/scripts/windows/automate_release_notes.sh
@@ -3,22 +3,20 @@ set -euxo pipefail

source vhdbuilder/scripts/windows/automate_helpers.sh

echo "Build Id is $1"

build_id=$1

set +x
github_access_token=$2
github_access_token=$1
set -x

github_user_name=$3
build_id=$2
echo "Build Id is $build_id"


image_version=$(date +"%Y-%m")
branch_name=$github_user_name/win-${image_version}b-release-notes
branch_name=releaseNotes/win-${image_version}b-release-notes

pr_purpose="ReleaseNotes"

set_git_config $github_user_name
set_git_config
if [ `git branch --list $branch_name` ]; then
git checkout $branch_name
git pull origin
7 changes: 3 additions & 4 deletions vhdbuilder/scripts/windows/automate_version_bump.sh
@@ -1,7 +1,6 @@
#!/bin/bash
set -euxo pipefail

github_user_name=$2
source vhdbuilder/scripts/windows/automate_helpers.sh

az login --identity
@@ -14,7 +13,7 @@ set +x
github_access_token=$1
set -x

cherry_pick_commit_id=$3
cherry_pick_commit_id=$2

# This function finds the latest windows VHD base Image version from the command az vm image show
find_latest_image_version() {
@@ -29,7 +28,7 @@ find_latest_image_version() {
echo "Latest windows 23H2 base image version is ${latest_image_version_23H2}"
echo "Latest windows 23H2 Gen 2 base image version is: ${latest_image_version_23H2_g2}"
new_image_version=$(date +"%Y-%m")
branch_name=$github_user_name/win-${new_image_version}b
branch_name=imageBump/win-${new_image_version}b
}

# This function replaces the old Windows 2019 & Windows 2022 (gen1/gen2) base image version with the latest version found by az vm image show in windows-image.env
@@ -75,6 +74,6 @@ create_image_bump_pr() {
set -x
}

set_git_config $github_user_name
set_git_config
find_latest_image_version
create_image_bump_pr
