More github actions workflows.

newrelic · May 15, 2023 · 54c31bd · 54c31bd
1 parent 4c8b792
commit 54c31bd
Show file tree

Hide file tree

Showing 13 changed files with 312 additions and 66 deletions.
diff --git a/.github/actions/build-apm-jar/action.yml b/.github/actions/build-apm-jar/action.yml
@@ -5,16 +5,31 @@ runs:
   using: composite
 
   steps:
-    - name: Build APM agent
+    - name: Build APM agent zip
       shell: bash
       run: |
         cd newrelic-java-agent 
-        ./gradlew $GRADLE_OPTIONS clean jar
+        ./gradlew $GRADLE_OPTIONS dist --parallel 
         cd ..
 
     - name: Capture custom jar
       uses: actions/upload-artifact@v3
       with:
-        name: custom-newrelic-jar
+        name: newrelic-artifact
         path: |
-          newrelic-java-agent/newrelic-agent/build/newrelicJar/newrelic.jar
+          newrelic-java-agent/newrelic-java/build/zips/newrelic.zip
+
+    - name: configure aws credentials
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: arn:aws:iam::280901927509:role/github-actions/repo
+        aws-region: us-east-2
+
+    - name: Copy final integrated agent artifact to S3
+      shell: bash
+      run: |
+        aws s3 cp newrelic-java-agent/newrelic-java/build/zips/newrelic.zip s3://nr-java-sec-agent/integrated-builds/${{ github.run_id }}-${{ github.run_number }}/newrelic.zip
+        if [ $? -ne 0 ]; then
+          echo "Agent zip upload failed." >> $GITHUB_STEP_SUMMARY
+          #exit 1
+        fi
diff --git a/.github/actions/publish-csec-local/action.yml b/.github/actions/publish-csec-local/action.yml
@@ -5,14 +5,11 @@ runs:
   using: composite
 
   steps:
-    - name: Run instrumentation unit tests
-      shell: bash
-      run: ./gradlew $GRADLE_OPTIONS test
-
     - name: Publish CSEC agent API locally
       shell: bash
-      run: ./gradlew $GRADLE_OPTIONS :newrelic-security-api:publishToMavenLocal
+      run: ./gradlew $GRADLE_OPTIONS :newrelic-security-api:publishToMavenLocal -PbuildNumber=${{ github.run_id }} -PcommitId=${{ github.sha }} --parallel
 
     - name: Publish CSEC agent locally
       shell: bash
-      run: ./gradlew $GRADLE_OPTIONS publishToMavenLocal
+      run: |
+        ./gradlew $GRADLE_OPTIONS publishToMavenLocal -PbuildNumber=${{ github.run_id }} -PcommitId=${{ github.sha }} --parallel
diff --git a/.github/actions/publish-csec/action.yml b/.github/actions/publish-csec/action.yml
@@ -1,14 +1,35 @@
 name: Publish CSEC Agent to central
 description:  Builds the CSEC Agent and the Agent API. Publish to central maven repo via sonatype.
+inputs:
+  sonatype-username:
+    description: 'Sonatype repo access username'
+    required: true
+    default: ''
+  sonatype-password:
+    description: 'Sonatype repo access password'
+    required: true
+    default: ''
 
 runs:
   using: composite
 
   steps:
     - name: Publish CSEC agent API locally
       shell: bash
-      run: ./gradlew $GRADLE_OPTIONS :newrelic-security-api:publish
+      run: ./gradlew $GRADLE_OPTIONS :newrelic-security-api:publish -PbuildNumber=${{ github.run_id }} -PcommitId=${{ github.sha }} --parallel
+      env:
+        SONATYPE_USERNAME: ${{ inputs.sonatype-username }}
+        SONATYPE_PASSWORD: ${{ inputs.sonatype-password }}
+#        ORG_GRADLE_PROJECT_signingKey: ${{ inputs.SIGNING_KEY }}
+#        ORG_GRADLE_PROJECT_signingKeyId: ${{ inputs.SIGNING_KEY_ID }}
+#        ORG_GRADLE_PROJECT_signingPassword: ${{ inputs.SIGNING_PASSWORD }}
 
     - name: Publish CSEC agent locally
       shell: bash
-      run: ./gradlew $GRADLE_OPTIONS publish
+      run: ./gradlew $GRADLE_OPTIONS publish -PbuildNumber=${{ github.run_id }} -PcommitId=${{ github.sha }} --parallel
+      env:
+        SONATYPE_USERNAME: ${{ inputs.sonatype-username }}
+        SONATYPE_PASSWORD: ${{ inputs.sonatype-password }}
+#        ORG_GRADLE_PROJECT_signingKey: ${{ secrets.SIGNING_KEY }}
+#        ORG_GRADLE_PROJECT_signingKeyId: ${{ secrets.SIGNING_KEY_ID }}
+#        ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.SIGNING_PASSWORD }}
diff --git a/.github/actions/send-slack-notification/action.yml b/.github/actions/send-slack-notification/action.yml
@@ -0,0 +1,13 @@
+name: Send slack notification
+description:  Send slack notification to configured webhook.
+runs:
+  using: composite
+
+  steps:
+    - name: Publish CSEC agent API locally
+      shell: bash
+      run: ./gradlew $GRADLE_OPTIONS :newrelic-security-api:publish --parallel
+
+    - name: Publish CSEC agent locally
+      shell: bash
+      run: ./gradlew $GRADLE_OPTIONS publish --parallel
diff --git a/.github/actions/setup-environment/action.yml b/.github/actions/setup-environment/action.yml
@@ -8,7 +8,13 @@ inputs:
   apm-branch:
     description: 'The branch of APM source code to use'
     required: true
-    default: 'k2-integration-build'
+    default: 'k2-integration'
+  apm-aws-access-key-id:
+    description: 'APM AWS S3 access key id'
+  apm-aws-secret-access-key:
+    description: 'APM AWS S3 access key'
+  apm-aws-region:
+    description: 'APM AWS S3 region'
 
 
 # This action expects the csec collector to be checked out at $GITHUB_WORKSPACE and NR APM at $GITHUB_WORKSPACE/newrelic-java-agent.
@@ -27,11 +33,10 @@ runs:
           20
           17
           11
-          8
-        cache: 'gradle'
+          8    
 
     # Rewrite gradle.properties
-    - name: set gradle.properties for csec
+    - name: set gradle.properties for CSEC
       shell: bash
       run: |
         sed -i -e "s|jdk8=8|jdk8=${JAVA_HOME_8_X64}|
@@ -47,26 +52,72 @@ runs:
       shell: bash
       run: echo "GRADLE_OPTIONS=-Porg.gradle.java.installations.auto-detect=false -Porg.gradle.java.installations.fromEnv=JAVA_HOME_8_X64,JAVA_HOME_11_X64,JAVA_HOME_17_X64,JAVA_HOME_19_X64,JAVA_HOME_20_X64" >> $GITHUB_ENV
 
+    # Restore the maven cache
+    - name: Cache local Maven repository
+      uses: actions/cache@v3
+      with:
+        path: ~/.m2/repository
+        key: ${{ runner.os }}-maven-${{ github.ref_name }}
+        restore-keys: |
+          ${{ runner.os }}-maven-${{ github.ref_name }}
+          ${{ runner.os }}-maven-develop
+          ${{ runner.os }}-maven-main
+          ${{ runner.os }}-maven
+
+    # Restore the gradle cache
+    - uses: actions/cache@v2
+      with:
+        path: |
+          ~/.gradle/caches
+          ~/.gradle/wrapper
+        # The docs say to use hashfiles, but gradle itself is smart enough to
+        # re-download dependencies if it couldn't resolve them.
+        # Because our gradle cache is _so big_, I think a 90% cache is far
+        # better than a 0% cache.
+        key: ${{ runner.os }}-gradle-${{ github.ref_name }}
+        restore-keys: |
+          ${{ runner.os }}-gradle-${{ github.ref_name }}
+          ${{ runner.os }}-gradle-develop
+          ${{ runner.os }}-gradle-main
+          ${{ runner.os }}-gradle
+
     - name: Checkout APM agent
       uses: actions/checkout@v3
       with:
         repository: ${{ inputs.apm-repo }}
         ref: ${{ inputs.apm-branch }}
         path: newrelic-java-agent
 
-    - name: set gradle.properties for apm
+    - name: set gradle.properties for APM
       shell: bash
       run: |
+        cd newrelic-java-agent
         sed -i -e "s|jdk8=8|jdk8=${JAVA_HOME_8_X64}|
         s|jdk11=11|jdk11=${JAVA_HOME_11_X64}|
         s|jdk17=17|jdk17=${JAVA_HOME_17_X64}|
         s|jdk20=20|jdk20=${JAVA_HOME_20_X64}|" gradle.properties.gha
         cat gradle.properties.gha >> gradle.properties
+        cd ..
+
+    - name: Setup security agent version info
+      shell: bash
+      run: |
+        echo "SECURITY_VERSION=$(./gradlew properties | grep 'version:' | awk -F': ' '{print $2}')" >> $GITHUB_ENV
+        echo "APM_VERSION=$(./gradlew -p newrelic-java-agent/ properties | grep 'version:' | awk -F': ' '{print $2}')" >> $GITHUB_ENV
+        echo "SECURITY_JSON_VERSION=$(./gradlew properties | grep 'jsonVersion:' | awk -F": " '{print $2}')" >> $GITHUB_ENV
+
+    - name: Configure AWS Credentials
+      if: ${{ inputs.apm-aws-secret-access-key != '' }}
+      uses: aws-actions/configure-aws-credentials@v1-node16
+      with:
+        aws-access-key-id: ${{ inputs.apm-aws-access-key-id }}
+        aws-secret-access-key: ${{ inputs.apm-aws-secret-access-key }}
+        aws-region: ${{ inputs.apm-aws-region }}
 
     - name: Download S3 instrumentation jar zip
       shell: bash
       run: |
-        aws s3 cp s3://nr-java-agent-s3-instrumentation/proprietary-jars-20220805.zip proprietary-jars.zip && unzip proprietary-jars.zip && unzip -d newrelic-java-agent proprietary-jars.zip
+        aws s3 cp s3://nr-java-agent-s3-instrumentation/proprietary-jars-20220805.zip proprietary-jars.zip && unzip proprietary-jars.zip && cp -rf instrumentation/** instrumentation-security/ && unzip -d newrelic-java-agent proprietary-jars.zip
         if [ $? -ne 0 ]; then
           echo "Instrumentation jar zip unavailable." >> $GITHUB_STEP_SUMMARY
         fi

diff --git a/.github/actions/verify-instrumentation-single/action.yml b/.github/actions/verify-instrumentation-single/action.yml
@@ -10,4 +10,6 @@ runs:
   steps:
     - name: Run instrumentation unit tests
       shell: bash
-      run: ./gradlew $GRADLE_OPTIONS :instrumentation:${{ inputs.apm-branch }}:verifyInstrumentation
+      run: ./gradlew $GRADLE_OPTIONS :instrumentation:${{ inputs.apm-branch }}:verifyInstrumentation --parallel
+      env:
+        JAVA_HOME: ${{ env.JAVA_HOME_17_X64 }}
diff --git a/.github/actions/verify-instrumentation/action.yml b/.github/actions/verify-instrumentation/action.yml
@@ -7,4 +7,6 @@ runs:
   steps:
     - name: Run instrumentation unit tests
       shell: bash
-      run: ./gradlew $GRADLE_OPTIONS verifyInstrumentation
+      run: ./gradlew $GRADLE_OPTIONS verifyInstrumentation --parallel
+      env:
+        JAVA_HOME: ${{ env.JAVA_HOME_17_X64 }}
diff --git a/.github/workflows/build-integrated-jar.yml b/.github/workflows/build-integrated-jar.yml
@@ -2,23 +2,39 @@ name: Create Integrated Agent jar
 on:
   workflow_dispatch:
     inputs:
-      agent-ref:
-        description: "Specify branch/tag/hash"
+      source-ref:
+        description: "Specify source-ref/tag/hash"
         required: true
         default: 'github-actions'
       apm-repo:
         description: 'The repo of APM source code to use'
         required: true
         default: 'newrelic/newrelic-java-agent'
-      apm-branch:
-        description: 'The branch of APM source code to use'
+      apm-source-ref:
+        description: 'The source-ref of APM source code to use'
         required: true
-        default: 'k2-integration-build'
+        default: 'k2-integration'
+      csec-run-unittest:
+        description: 'Whether to run CSEC instrumentation unit tests'
+        required: true
+        default: true
+      csec-run-instrumentation-verify:
+        description: 'Whether to run CSEC instrumentation verifier'
+        required: true
+        default: true
+      slack-notify:
+        description: 'Whether to notify build status on slack'
+        required: true
+        default: true
       description:
         description: "A description for the custom jar that will be generated. It will appear in the summary."
         required: true
         default: 'test'
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+
 jobs:
   create_integrated_jar:
     name: Create Integrated Agent jar
@@ -28,29 +44,48 @@ jobs:
       - name: Checkout CSEC Java agent
         uses: actions/checkout@v3
         with:
-          ref: ${{ inputs.agent-ref }}
-
-      - name: Configure AWS Credentials
-        if: ${{ env.AWS_KEY != '' }}
-        uses: aws-actions/configure-aws-credentials@v1-node16
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-2
+          ref: ${{ inputs.source-ref }}
 
       - name: Setup environment
         uses: ./.github/actions/setup-environment
         with:
           apm-repo: ${{ inputs.apm-repo }}
-          apm-branch: ${{ inputs.apm-branch }}
+          apm-branch: ${{ inputs.apm-source-ref }}
+          apm-aws-access-key-id: ${{ secrets.APM_AWS_ACCESS_KEY_ID }}
+          apm-aws-secret-access-key: ${{ secrets.APM_AWS_SECRET_ACCESS_KEY }}
+          apm-aws-region: us-east-2
 
-      - name: Run CSEC unit tests
-        uses: ./.github/actions/unit-test
+      - name: Check version compatibility
+        shell: bash
+        run: |
+          APM_CONFIGURED_CSEC_VERSION=$(./gradlew -p newrelic-java-agent/ properties ${BUILD_PROPS} | grep 'csecCollectorVersion:' | awk -F': ' '{print $2}')
+          CSEC_CONFIGURED_APM_VERSION=$(./gradlew properties ${BUILD_PROPS}| grep 'nrAPIVersion:' | awk -F': ' '{print $2}')
+          
+          if [[ "${APM_VERSION}" != "${CSEC_CONFIGURED_APM_VERSION}" ]]
+          then
+            printf "${RED}Version mismatch regarding APM: ${NONE}\n"
+            printf "${RED}Version of APM to build: ${APM_VERSION} ${NONE}\n"
+            printf "${RED}Version of APM API used by CSEC: ${CSEC_CONFIGURED_APM_VERSION} ${NONE}\n"
+            exit 1
+          fi
+          
+          if [[ "${SECURITY_VERSION}" != "${APM_CONFIGURED_CSEC_VERSION}" ]]
+          then
+            printf "${RED}Version mismatch regarding Security: ${NONE}\n"
+            printf "${RED}Version of CSEC to build: ${SECURITY_VERSION} ${NONE}\n"
+            printf "${RED}Version of CSEC API used by APM: ${APM_CONFIGURED_CSEC_VERSION} ${NONE}\n"
+            exit 2
+          fi
 
       - name: Publish CSEC to local
         uses: ./.github/actions/publish-csec-local
 
+      - name: Run CSEC unit tests
+        if: ${{ inputs.csec-run-unittest == 'true' }}
+        uses: ./.github/actions/unit-test
+
       - name: Verify CSEC instrumentation
+        if: ${{ inputs.csec-run-instrumentation-verify == 'true' }}
         uses: ./.github/actions/verify-instrumentation
 
       - name: Build Integrated Agent Jar
@@ -59,4 +94,27 @@ jobs:
       - name: Set summary
         run: |
           echo "${{ inputs.description }}" >> $GITHUB_STEP_SUMMARY
-          echo "This jar was built from the ref (branch/tag/hash): ${{ inputs.ref }}." >> $GITHUB_STEP_SUMMARY
+          echo "This jar was built from the ref (source-ref/tag/hash): ${{ inputs.source-ref }}." >> $GITHUB_STEP_SUMMARY
+
+      - name: Send slack notification
+        uses: slackapi/[email protected]
+        if: ${{ inputs.slack-notify == 'true' }}
+        with:
+          payload: |
+            { 
+              "task": "Integrated jar build",
+              "job-ref": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}",
+              "build-number": "${{ github.run_id }}-${{ github.run_number }}",
+              "apm-full-ref": "${{ github.server_url }}/${{ inputs.apm-repo }}/tree/${{ inputs.apm-source-ref }}",
+              "apm-source-ref": "${{ inputs.apm-source-ref }}",
+              "apm-version": "${{ env.APM_VERSION }}",
+              "security-full-ref": "${{ github.server_url }}/${{ github.repository }}/tree/${{ inputs.source-ref }}",
+              "security-source-ref": "${{ inputs.source-ref }}",
+              "security-version": "${{ env.SECURITY_VERSION }}",
+              "security-json-version": "${{ env.SECURITY_JSON_VERSION }}",
+              "changelog-url": "${{ github.server_url }}/${{ github.repository }}/blob/${{ inputs.source-ref }}/Changelog.md",
+              "custom-message": "${{ inputs.description }}",
+              "artifact-download-link": "https://nr-java-sec-agent.s3.us-west-2.amazonaws.com/integrated-builds/${{ github.run_id }}-${{ github.run_number }}/newrelic.zip"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}