Skip to content

[feature] Multi-repo workflow #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Ranger-X wants to merge 85 commits into
base: main
Choose a base branch
from
Open

[feature] Multi-repo workflow #13

Ranger-X wants to merge 85 commits into from

Conversation

@Ranger-X
Copy link

@Ranger-X Ranger-X commented Mar 31, 2025

multi-repo CI workflow differs from basic CI (which in templates) in the following key aspects:

  • In multi-repo workflow we can push to dev and prod registries separately with their own rules (see jobs/multi-repo and/or examples/multi-repo-module.gitlab-ci.yml for example jobs).
  • All werf's caches and other artifacts (from build stage) are stored in Gitlab's module's registry by default. And only final images are pushed to the dev/prod registries. So, even in dev-registry there should be no "build-time garbage" and/or some "extra" images/layers for each module.

Ranger-X added 12 commits March 25, 2025 17:21
@Ranger-X
* default's before_script block in Setup moved to .setup, so it's…
8fb624e 
… will execute only when requested by some job

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* add .lint job to lint stage
d76af77 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* add workflow D8.Module
40fdc7e 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* revert back to dedicated files instead of workflow, because workflo…
179c7b0 
…w does not work when included via `remote` keyword :-(

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* add .publish job to deploy stage
c9d8ddb 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
fix: remove dependencies: .build from .publish
8d9fccb 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* add Deploy_DEV job
7a12eb9 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* fix .default_rules
f23c336 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* fix .default_rules
e888650 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* add jobs/Deploy_PROD
44afc49 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
refactor: move my multi-repo version to templates/multi-repo
d40fc2e 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* multi-repo readme and example
34cad56 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X Ranger-X self-assigned this Mar 31, 2025
KraMorK
KraMorK reviewed Mar 31, 2025
View reviewed changes
jobs/multi-repo/Deploy_DEV.gitlab-ci.yml
MODULES_MODULE_TAG: pr${CI_MERGE_REQUEST_IID}
rules:
# do not run if some required variables is empty
- if: '$DEV_MODULES_REGISTRY == null || $DEV_MODULES_REGISTRY == "" || $DEV_MODULES_REGISTRY_PATH == null || $DEV_MODULES_REGISTRY_PATH == ""'
Copy link
Member

@KraMorK KraMorK Mar 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

only, when and rules don't work well together. If we implement rules, then it's better to get rid of when without rules in the job and only in these jobs.

Copy link
Author

@Ranger-X Ranger-X Apr 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In multi-repo templates (templates/multi-repo/*.yml) I use rules everywhere. Do you mean get rid of only in simple templates (templates/*.yml)?

templates/multi-repo/Setup.gitlab-ci.yml

.setup:
before_script:
# Setup trdl
Copy link
Member

@KraMorK KraMorK Mar 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#in gitlab-ci it is better to use docker-executor, separately prepare the image and call it. this will reduce the busy time of runners, add isolation between jobs, reduce the number of used dependencies (possible points of failure) and increase security. but perhaps they will not agree with me

Copy link
Author

@Ranger-X Ranger-X Apr 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree about a separate image for docker/kubernetes-executor.
But minor/patch versions of Werf/DMT come out quite often and maintaining a separate CI-image can be "more expensive" in terms of time than installing current versions of tools every time pipeline is launched. 😇

I can also be wrong with my conclusions. 😅

@Ranger-X
* fix URL to templates in multi-repo-module.gitlab-ci.yml as it alr…
13fb130 
…eady merged into `main`

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
Ranger-X added 10 commits April 1, 2025 14:45
@Ranger-X
* add Publish default branch to DEV job to Deploy_DEV
f3eb923 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* added Cleanup job
e13130d 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* add cleanup include to multi-repo example
36be3a7 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* add Auto cleanup job which randomly (if current second is divided…
d7bf265 
… by 10) runs before `build` stage

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* fix auto cleanup job rules
66f58d1 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* allow auto cleanup job to fail
ac682ef 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* refactor PROD deploy with EDITION and parallel.matrix.RELEASE_CHANNEL
f6526e5 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* do not run auto-cleanup when tag defined (release workflow)
d37be2d 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* fix .deploy_prod_rules
faeaae9 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* add deploy to PROD EE
615652d 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
Ranger-X and others added 30 commits April 25, 2025 13:39
@Ranger-X
* slightly rename deploy jobs
89dd366 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* slightly rename deploy jobs
c92fc2d 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* slightly rename deploy jobs
61fee16 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* do not download base_images.yml if BASE_IMAGES_VERSION is empty
9d381c3 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* use BASE_IMAGES_VERSION v0.5.2
1accb07 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* fix ROOT_VERSION for dmt's trdl repo
622482f 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* fix ROOT_VERSION for dmt's trdl repo
36b17a0 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* add "Login to target registry"
e82b990 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* add printenv for debug .publish stage
69cacca 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* remove debug
c4ef564 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
Merge branch 'main' into i-makeev/feature-multirepo-workflow
6070ca6 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
WIP: add Svace setup/init to templates/multi-repo/Setup.gitlab-ci.yml
dd36df0 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* remove werf managed-images ls from Scheduled cleanup task
55e33e7 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* apply private git repo patch before werf cleanup to properly chec…
a668412 
…kout submodules

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* increase Scheduled cleanup timeout to 3 hour
e15f278 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* add "Logging in to registry ..." for easy debug login issues
8b30a26 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* separate MODULES_REGISTRY and MODULES_TARGET_REGISTRY for publish/d…
e62bd77 
…eploy jobs

* add $DEBUG_CI_DRY_RUN variable for dry run production-related jobs

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* set default for MODULES_TARGET_REGISTRY_* variables from source reg…
df08fdf 
…istry variables (MODULES_REGISTRY_*)

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* set default for MODULES_TARGET_REGISTRY_* variables from source reg…
8e962ff 
…istry variables (MODULES_REGISTRY_*)

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* get templates/CVE_Scan from main branch
ec2c5e9 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
[CVE_Scan] feat: generate docker config without docker login
053c4cc 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* deploy tags also to dev-registry when tag is specified
5c9c3c9 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* fix DEV | Publish tags also to dev-registry job
282554e 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
Merge remote-tracking branch 'origin/main' into i-makeev/feature-mult…
6b81bb4 
…irepo-workflow
@Ranger-X
* add Svace integration from main branch
d56add5 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* fix DECKHOUSE_LIB_HELM_VERSION block indent in multi-repo/Setup
4f63159 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* get CVE_Scan from v8.0 branch and patch to auth without docker
30c8df3 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
Merge branch 'main' into i-makeev/feature-multirepo-workflow
ef6b324 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
Multirepo + images signing (#59)
3e1d59a 
* * add sign images code from `feat/signing_images` branch

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * bump WERF_SIGN_VERSION

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * try download werf from fox with CI_JOB_TOKEN

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * try download werf from fox with CI_JOB_TOKEN

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * try download werf from fox with WERF_SIGN_PACKAGE_TOKEN

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * fix werf install

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * debug

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * remove debug statements

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * disable ELF files signing

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * require WERF_VAULT_AUTH_ROLE_ID or WERF_VAULT_AUTH_JWT

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * require WERF_VAULT_AUTH_ROLE_ID or WERF_VAULT_AUTH_JWT

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * add some emojis

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

* * do not enable images signing (comment WERF_SIGN_VERSION var) by default

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>

---------

Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
@Ranger-X
* show WERF_REPO on cleanup
a21918e 
Signed-off-by: Ivan.Makeev <ivan.makeev@flant.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@KraMorK KraMorK KraMorK left review comments

@Taior Taior Taior approved these changes

@nabokihms nabokihms Awaiting requested review from nabokihms

@RomanenkoDenys RomanenkoDenys Awaiting requested review from RomanenkoDenys

Assignees

@Ranger-X Ranger-X

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Ranger-X @KraMorK @Taior