github actions: support PR-triggered kernelCI runs and forked repo workflows#993
github actions: support PR-triggered kernelCI runs and forked repo workflows#993roxanan1996 wants to merge 2 commits intomainfrom
Conversation
roxanan1996
requested review from
PlaidCat,
bmastbergen,
kerneltoast and
shreeya-patel98
as code owners
bmastbergen
left a comment
bmastbergen
left a comment
There was a problem hiding this comment.
LGTM except we might want some validation on ARCHITECTURES and MAYBE HEAD_REPO_FULL_NAME
|
Hi! Marking this under draft since I managed to trigger it at least for existing PRs. Having a common action for the metadata stuff and adding extra checks for all params. |
PlaidCat
left a comment
PlaidCat
left a comment
There was a problem hiding this comment.
Just s a couple of minor things
roxanan1996
force-pushed
the
{rnicolescu}_kernelCI_split
branch
from
bc55abc to
2bbf90b
Compare
roxanan1996
changed the title
roxanan1996
added
the
high priority
|
We will soon have PR for LTP created and this PR is going to create a lot of conflicts with it since we are changing quite many things there along with some kselftest changes. I suggest we should merge this after we integrate LTP changes otherwise it's going to be some extra work. |
I announced this task 2 weeks ago, I would appreciate if I can merge this before. Thanks! |
It is not about who announced it when, we need to make things work in the best way possible. We will have to do extra testing of fork PRs again if we merged this first and then LTP PRs. We also have changes related to Kselftest in the LTP PRs, which was necessary. |
…rkflows Split the monolithic workflow into a trigger/runner pair to enable kernelCI on manually opened PRs from forks, where the PR context lacks access to repository secrets. - kernel-build-and-test-multiarch-trigger.yml: lightweight trigger that validates and saves PR metadata as a signed artifact; runs safely in the PR (fork) context - kernel-build-and-test-multiarch.yml: converted from workflow_call to workflow_run so it always executes in the base repo context with full secret access; also supports workflow_dispatch for manual testing PR creation behavior: - PRs created by kernelCI are labeled "created-by-kernelci"; subsequent pushes update the PR body only when this label is present - For manually created PRs, kernelCI appends results as a comment to avoid overwriting the original PR body - PR creation is restricted to push events only All metadata passed between workflows is validated against injection before use. Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
roxanan1996
force-pushed
the
{rnicolescu}_kernelCI_split
branch
from
2bbf90b to
611594e
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
After the split, the actual kernelCI workflow will always run from the mainline branch. Hence searching for jobs that match the HEAD_BRANCH of this job is obsolete. There is no way of knowing the HEAD_BRANCH of the kernelCI workflow without publishing the HEAD_BRANCH in the artifacts. When we search for jobs that run in the past to compare kselftests against, we now check the pr_ref from the artifacts and try to match the HEAD_BRANCH. Increased the timeout to 5 minutes, since we have to download an extra artifact in this step (head_reaf). Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
roxanan1996
force-pushed
the
{rnicolescu}_kernelCI_split
branch
from
0b1215a to
542e8b4
Compare
Description
Split the monolithic workflow into a trigger/runner pair to enable
kernelCI on manually opened PRs from forks, where the PR context
lacks access to repository secrets.
validates and saves PR metadata as a signed artifact; runs safely in
the PR (fork) context
workflow_run so it always executes in the base repo context with full
secret access; also supports workflow_dispatch for manual testing
PR creation behavior:
pushes update the PR body only when this label is present
avoid overwriting the original PR body
All metadata passed between workflows is validated against injection
before use.
Important
Duplication between the validate worklow and this will be addressed in a separate PR later.
First I want to get this merged to avoid possible conflicts.
Initial Testing
Please check the jira ticket that describes the tests done.
https://ciqinc.atlassian.net/browse/KERNEL-729
I tested every kernel that we have except from rlc-10. kselftests take super long there. But rlc-9 and rlc-8 should suffice.
Split into 2:
PRs created:
manually created ones from a forked REPO
[cbr7.9] TEST fork #1039
[lts8.6] TEST fork #1040
[lts9.2] TEST fork #1041
[lts9.4] TEST fork] #1042
[lts9.6] TEST fork #1043
created by kernelCI
[ciqcbr7_9] Multiple patches tested (2 commits) #1044
[ciqlts8_6] Multiple patches tested (13 commits) #1045
[ciqlts9_2] Multiple patches tested (2 commits) [skip ci] #1052
[ciqlts9_4] Multiple patches tested (2 commits) #1049
[ciqlts9_6] Multiple patches tested (2 commits) #1047
[rlc-8/4.18.0-553.109.1.el8_10] Multiple patches tested (2 commits) #1046
[rlc-9/5.14.0-611.36.1.el9_7] Multiple patches tested (2 commits) #1058
Please check the first commit here that use the trigger workflow and allow it for pull_request as well.
This is done only for the lts kernels. For rlc, we don't need external PRs.
Final testing after addressing feedback
A. I tested skip ci functionality as well
PR that exists
NO PR, a push event from a user branch
same as above, github takes care of it automatically, I cannot see the workflow trigger at all in the action page
B. Forked repos no comparison result
While dealing with that, I realized the step where we downloaded older kselftests result for comparison is outdated for the current split.
I added an extra commit on top:
"After the split, the actual kernelCI workflow will always run from the
mainline branch. Hence searching for jobs that match the HEAD_BRANCH of this
job is obsolete.
There is no way of knowing the HEAD_BRANCH of the kernelCI workflow without
publishing the HEAD_BRANCH in the artifacts.
When we search for jobs that run in the past to compare kselftests against,
we now check the pr_ref from the artifacts and try to match the HEAD_BRANCH.
Increased the timeout to 5 minutes, since we have to download an extra artifact
in this step (head_reaf).
"
Unfortunately it is pretty hard to test this, because there are no official workflows (that are triggered after the split) that publish the head ref and have also been merged before.
EDIT, I looked again at the code and I discovered a bug in the way we check for the merge request in the download for previous result step. That check is useless tbh, because it does not check if that workflow was part of a PR that was merged, it just searches if a PR that has the same base was merged. That logic has to be revesited (I haven't touched it at all here).
BUT, the artifacts are in fact from a previous run that has the same HEAD_BRANCH.
See example here
#1067
The second run was compared against the previous
With everyone permission, I suggest to go ahead and merge this. First PRs won't have kselftest comparison (which is fine because they will be the ones updating the workflow anyway). Then I'll monitor the next PRs to see everything looks ok.
Notes
Tested was done from another branch
rnicolescu_test. But I wanted to keep this PR that was opened last week (kinda by mistake), so I rebased here. Sorry for the confusion.