Merge pull request #1 from FDSoftware/main

Updates on runner dockerfile & new setup script

.github/workflows/docker-publish.yml

@@ -0,0 +1,94 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  push:
+    branches: [ "main" ]
+    # Publish semver tags as releases.
+    tags: [ 'v*.*.*' ]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+        with:
+          cosign-release: 'v2.2.4'
+
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

.github/workflows/test-build.yml

@@ -0,0 +1,16 @@
+name: Docker Image CI
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Build the Docker image
+      run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)

Dockerfile

@@ -1,6 +1,6 @@
 FROM ubuntu:22.04 AS builder
 
-ARG RUNNER_VERSION="2.312.0"
+ARG RUNNER_VERSION="2.314.1"
 
 WORKDIR /build
 
@@ -54,6 +54,7 @@ RUN groupadd docker -g $GID &&\
     xxd \
     usbutils \
     openocd \
+    gdb-multiarch \
     sudo \
     ruby-rubygems \
     time \
@@ -87,23 +88,18 @@ RUN groupadd docker -g $GID &&\
     update-alternatives --set java /usr/lib/jvm/temurin-11-jdk-amd64/bin/java
 
 # Install Docker CLI
-RUN curl -fsSL https://get.docker.com -o- | sh && \
+RUN curl -fsSL https://get.docker.com -o- | sh -s -- --version 24 && \
     rm -rf /var/lib/apt/lists/* && \
     apt-get clean
 
-# Install Docker-Compose
-RUN curl -L -o /usr/local/bin/docker-compose \
-    "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" && \
-    chmod +x /usr/local/bin/docker-compose
-
 COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 RUN chmod 644 /etc/supervisor/conf.d/supervisord.conf
 
 WORKDIR /opt
 
 USER docker
 
-RUN dockerd-rootless-setuptool.sh install
+RUN dockerd-rootless-setuptool.sh install --skip-iptables
 
 VOLUME /opt/actions-runner
 

README.md

@@ -1,94 +1,16 @@
 # rusefi-ci
-
 As of October 2024 it's still https://github.com/rusefi/rusefi/wiki/Dev-Quality-Control#hardware-continuous-integration
 
-Current status: abandoned?
-
-This dockerfile will automatically download and configure the github actions self-hosted runner
-
-To run, first build the image with:
-
-`docker build --build-arg GID=$(getent group docker | cut -d ':' -f 3) -t rusefi-ci .`
-
-Then run the newly built image.
-
-```bash
-docker run --detach --privileged \
-    -e RUNNER_NAME=test-runner2 \
-    -e RUNNER_LABELS=ubuntu-latest \
-    -e GITHUB_ACCESS_TOKEN=<Personal Access Token> \
-    -e RUNNER_REPOSITORY_URL=https://github.com/<github user>/rusefi \
-    rusefi-ci
-```
-Replace `<github user>` with your own username if you are running on your own fork.
-If you are running an organization-level runner, you will need to replace `RUNNER_REPOSITORY_URL` with `RUNNER_ORGANIZATION_URL`.
-
-
-Add `--restart=unless-stopped` in order to have the container survive reboots
-
-The container uses a persistent volume mounted at /opt/actions-runner. After initial startup, the container will skip registration unless the peristent volume is erased.
-
-## Environment variables
-
-The following environment variables allows you to control the configuration parameters.
-
-| Name | Description | Required/Default value |
-|------|---------------|-------------|
-| RUNNER_REPOSITORY_URL | The runner will be linked to this repository URL | Required if `RUNNER_ORGANIZATION_URL` is not provided |
-| RUNNER_ORGANIZATION_URL | The runner will be linked to this organization URL. *(Self-hosted runners API for organizations is currently in public beta and subject to changes)* | Required if `RUNNER_REPOSITORY_URL` is not provided |
-| GITHUB_ACCESS_TOKEN | Personal Access Token. Used to dynamically fetch a new runner token (recommended, see below). | Required if `RUNNER_TOKEN` is not provided.
-| RUNNER_TOKEN | Runner token provided by GitHub in the Actions page. These tokens are valid for a short period. | Required if `GITHUB_ACCESS_TOKEN` is not provided
-| RUNNER_WORK_DIRECTORY | Runner's work directory | `"_work"`
-| RUNNER_NAME | Name of the runner displayed in the GitHub UI | Hostname of the container
-| RUNNER_LABELS | Extra labels in addition to the default: 'self-hosted,Linux,X64' (based on your OS and architecture) | `""`
-| RUNNER_REPLACE_EXISTING | `"true"` will replace existing runner with the same name, `"false"` will use a random name if there is conflict | `"true"`
-
-## Runner Token
-
-In order to link your runner to your repository/organization, you need to provide a token. There is two way of passing the token :
-
-* via `GITHUB_ACCESS_TOKEN` (recommended), containing a [fine-grained Personnal Access Token](https://github.com/settings/tokens). This token will be used to dynamically fetch a new runner token, as runner tokens are valid for a short period of time.
-  * For a single-repository runner, select the repository under "Only select repositories", then under "Repository Permissions" set "Administration" to read-write.
-  * For an organization runner, select the repository and set "Organization self hosted runners"to read-write.
-* via `RUNNER_TOKEN`. This token is displayed in the Actions settings page of your organization/repository, when opening the "Add Runner" page.
-
-## Helper Functions
-
-If you stop and start workes often, you may find it useful to have a function for starting workers. I have added the below functions to my .bashrc:
-
-```bash
-ghatoken ()
-{
- echo -n "Paste token:"
- read TOKEN
- KEY=$(echo "$TOKEN" | openssl enc -aes-256-cbc -a -pbkdf2 | tr -d '\n')
- perl -pi -e 's#(?<=TOKEN=\$\(echo\s").*?(?="\s\|)#'"$KEY"'#' $(realpath ~/.bashrc)
- bash
-}
-
-gha ()
-{
-  if ! TOKEN=$(echo "" | openssl enc -aes-256-cbc -a -d -pbkdf2 ); then echo "Error encoding token"; return 1; fi
-  NAME="runner-$1"
-  IMAGE_HASH=$(docker image inspect rusefi-ci --format "{{.Id}}" 2>/dev/null)
-  if CONTAINER_HASH=$(docker container inspect $NAME --format "{{.Image}}" 2>/dev/null) && [ "$IMAGE_HASH" = "$CONTAINER_HASH" ]; then
-    docker start -i "$NAME"
-  else
-    if docker container inspect "$NAME" >/dev/null 2>/dev/null; then
-      docker rm "$NAME"
-    fi
-    docker run -it --privileged -e RUNNER_NAME="$NAME" -e RUNNER_LABELS=ubuntu-latest -e GITHUB_ACCESS_TOKEN="$TOKEN" -e RUNNER_REPOSITORY_URL=https://github.com/<github user>/rusefi --name $NAME rusefi-ci
-  fi
-}
-```
+Current status: WIP
 
-Replace `<github user>` with your own username if you are running on your own fork.
-If you are running an organization-level runner, you will need to replace `RUNNER_REPOSITORY_URL` with `RUNNER_ORGANIZATION_URL`.
+This repository is used to create self-hosted GitHub runners, from a base image, created by a workflow in the same repository, to resolve the issue: https://github.com/rusefi/rusefi/issues/7012
 
-Once the functions are in your .bashrc, and you have sourced your .bashrc, by opening a new shell or by running `. ~/.bashrc`,
-run `ghatoken`, paste in your PAT, and enter a password. This password will be used every time you start a runner.
+Host requirements for the runners host:
+* Ubuntu LTS
+* any STLink or rusEFI board connected to the host will be redirected to the docker
 
-After you have run `ghatoken`, you can now start runners with `gha <id>`. I use sequential ids, e.g. `gha 1`, `gha 2`, etc,
-but you may name them however you like.
+To start, run the `start.sh` script that is responsible for installing all the dependencies for the runner. After the initial setup, you can re-create or add new runners with the same script.
+Some steps, such as the selection of STLink/rusEFI board, were removed from the CI and moved to the creation of the runner as they are more static tasks.
 
-Note that these helper functions start the runner in interactive mode. If you prefer, you can remove the `-i` in `docker start -i` and replace the `-it` in `docker run -it` with `--detach`.
+For details on how to obtain STLink IDs refer to:
+[Gethla](https://github.com/a-v-s/gethla) can automatically find your device and give you the fully escaped serial.

configure_ci.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+echo "--------------------------------------------------------------"
+echo "Step 1/5, OS setup"
+source scripts/01_setup_OS.sh || { exit 1; }
+
+echo "--------------------------------------------------------------"
+echo "Step 2/5, pulling/creating base runner container"
+source scripts/02_setup_runner_container.sh || { exit 1; }
+
+echo "--------------------------------------------------------------"
+echo "Step 3/5, updating udev rules"
+source scripts/03_setup_udev_rules.sh || { exit 1; }
+
+echo "--------------------------------------------------------------"
+echo "Step 4/5, select rusefi board for the runner"
+source scripts/04_clone_rusefi_board_definitions.sh || { exit 1; }
+
+echo "--------------------------------------------------------------"
+echo "Step 5/5, create the runner"
+source scripts/05_create_new_runner.sh || { exit 1; }