mirror of
https://github.com/ModernRelay/omnigraph.git
synced 2026-06-09 01:35:18 +02:00
7a3bf5c758
Introduces an opt-in AWS Secrets Manager backend for bearer tokens,
behind the `aws` Cargo feature. Default builds (on-prem, local dev)
don't pull in the AWS SDK and don't pay its compile cost.
- New Cargo feature `aws` gates the `aws-config` + `aws-sdk-secretsmanager`
optional deps. Default features remain empty.
- New `auth::aws::SecretsManagerTokenSource` implements `TokenSource` by
fetching a JSON `{"actor_id": "token", ...}` payload from a named
Secrets Manager secret. Credentials resolve via the AWS default chain
(env, shared config, IMDSv2 instance role, ECS task role) so no
explicit plumbing is needed under an IAM role.
- New `resolve_token_source()` dispatches based on the
`OMNIGRAPH_SERVER_BEARER_TOKENS_AWS_SECRET` env var. If the var is set
but the binary was built without `--features aws`, returns a clear
rebuild instruction rather than silently falling back.
- `serve()` now uses `resolve_token_source()` and logs which source was
selected at startup.
- `parse_json_secret_payload()` is factored out as a free function so
the payload validation (trim whitespace, reject blank actor/token,
reject non-object) is unit-testable without the AWS SDK.
- New CI job `test_aws_feature` builds + tests with `--features aws`.
Not in this PR (follow-ups):
- Background refresh loop for rotation. `SecretsManagerTokenSource`
advertises `supports_refresh: true` but the AppState-level refresh
task isn't wired yet.
- Config-YAML dispatch (today the AWS source is selected via env var
only; eventually `server.bearer_tokens.source` in `omnigraph.yaml`).
Tests:
- Default-feature build: 33 lib + 41 integration + 64 openapi.
- `--features aws` build: 32 lib (one test is cfg-gated) + 41 + 64.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
270 lines
8.5 KiB
YAML
270 lines
8.5 KiB
YAML
name: CI
|
|
|
|
on:
|
|
pull_request:
|
|
push:
|
|
branches:
|
|
- main
|
|
tags:
|
|
- "v*"
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: ci-${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
classify_changes:
|
|
name: Classify Changes
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
outputs:
|
|
run_full_ci: ${{ steps.filter.outputs.run_full_ci }}
|
|
run_rustfs_ci: ${{ steps.filter.outputs.run_rustfs_ci }}
|
|
steps:
|
|
- name: Checkout source
|
|
uses: actions/checkout@v5.0.1
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Detect text-only changes
|
|
id: filter
|
|
env:
|
|
BEFORE_SHA: ${{ github.event.before }}
|
|
EVENT_NAME: ${{ github.event_name }}
|
|
PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
|
|
PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
|
|
REF_TYPE: ${{ github.ref_type }}
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
if [[ "$EVENT_NAME" == "workflow_dispatch" || "$REF_TYPE" == "tag" ]]; then
|
|
echo "run_full_ci=true" >> "$GITHUB_OUTPUT"
|
|
echo "run_rustfs_ci=true" >> "$GITHUB_OUTPUT"
|
|
exit 0
|
|
fi
|
|
|
|
if [[ "$EVENT_NAME" == "pull_request" ]]; then
|
|
base="$PR_BASE_SHA"
|
|
head="$PR_HEAD_SHA"
|
|
else
|
|
base="$BEFORE_SHA"
|
|
head="$GITHUB_SHA"
|
|
if [[ "$base" == "0000000000000000000000000000000000000000" ]]; then
|
|
base="$(git rev-parse "${head}^" 2>/dev/null || true)"
|
|
fi
|
|
fi
|
|
|
|
if [[ -z "${base:-}" ]]; then
|
|
echo "run_full_ci=true" >> "$GITHUB_OUTPUT"
|
|
echo "run_rustfs_ci=true" >> "$GITHUB_OUTPUT"
|
|
exit 0
|
|
fi
|
|
|
|
mapfile -t changed < <(git diff --name-only "$base" "$head")
|
|
if [[ "${#changed[@]}" -eq 0 ]]; then
|
|
echo "run_full_ci=true" >> "$GITHUB_OUTPUT"
|
|
echo "run_rustfs_ci=true" >> "$GITHUB_OUTPUT"
|
|
exit 0
|
|
fi
|
|
|
|
run_full_ci=false
|
|
run_rustfs_ci=false
|
|
for path in "${changed[@]}"; do
|
|
case "$path" in
|
|
*.md|*.mdx|*.txt|*.rst|*.adoc) ;;
|
|
*)
|
|
run_full_ci=true
|
|
;;
|
|
esac
|
|
|
|
if [[ "$EVENT_NAME" != "pull_request" ]]; then
|
|
run_rustfs_ci=true
|
|
continue
|
|
fi
|
|
|
|
case "$path" in
|
|
.github/workflows/ci.yml|Cargo.toml|Cargo.lock|crates/*/Cargo.toml) run_rustfs_ci=true ;;
|
|
crates/omnigraph/src/storage.rs) run_rustfs_ci=true ;;
|
|
crates/omnigraph/src/db/manifest.rs|crates/omnigraph/src/db/manifest/*) run_rustfs_ci=true ;;
|
|
crates/omnigraph/tests/s3_storage.rs|crates/omnigraph/tests/helpers/*) run_rustfs_ci=true ;;
|
|
crates/omnigraph-server/tests/server.rs) run_rustfs_ci=true ;;
|
|
crates/omnigraph-cli/tests/system_local.rs) run_rustfs_ci=true ;;
|
|
esac
|
|
done
|
|
|
|
printf 'Changed files:\n'
|
|
printf ' %s\n' "${changed[@]}"
|
|
echo "run_full_ci=$run_full_ci" >> "$GITHUB_OUTPUT"
|
|
echo "run_rustfs_ci=$run_rustfs_ci" >> "$GITHUB_OUTPUT"
|
|
|
|
test:
|
|
name: Test Workspace
|
|
needs: classify_changes
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 45
|
|
permissions:
|
|
contents: read
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
steps:
|
|
- name: Skip heavy CI for text-only changes
|
|
if: needs.classify_changes.outputs.run_full_ci != 'true'
|
|
run: echo "Text-only change detected; skipping workspace test run."
|
|
|
|
- name: Checkout source
|
|
if: needs.classify_changes.outputs.run_full_ci == 'true'
|
|
uses: actions/checkout@v5.0.1
|
|
|
|
- name: Install system dependencies
|
|
if: needs.classify_changes.outputs.run_full_ci == 'true'
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y protobuf-compiler libprotobuf-dev
|
|
|
|
- name: Install Rust stable
|
|
if: needs.classify_changes.outputs.run_full_ci == 'true'
|
|
uses: dtolnay/rust-toolchain@stable
|
|
with:
|
|
toolchain: stable
|
|
|
|
- name: Cache Rust build data
|
|
if: needs.classify_changes.outputs.run_full_ci == 'true'
|
|
uses: Swatinem/rust-cache@v2
|
|
with:
|
|
workspaces: |
|
|
. -> target
|
|
|
|
- name: Run workspace tests
|
|
if: needs.classify_changes.outputs.run_full_ci == 'true'
|
|
run: cargo test --workspace --locked
|
|
|
|
test_aws_feature:
|
|
name: Test omnigraph-server --features aws
|
|
needs: classify_changes
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
permissions:
|
|
contents: read
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
steps:
|
|
- name: Skip for text-only changes
|
|
if: needs.classify_changes.outputs.run_full_ci != 'true'
|
|
run: echo "Text-only change detected; skipping aws feature build."
|
|
|
|
- name: Checkout source
|
|
if: needs.classify_changes.outputs.run_full_ci == 'true'
|
|
uses: actions/checkout@v5.0.1
|
|
|
|
- name: Install system dependencies
|
|
if: needs.classify_changes.outputs.run_full_ci == 'true'
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y protobuf-compiler libprotobuf-dev
|
|
|
|
- name: Install Rust stable
|
|
if: needs.classify_changes.outputs.run_full_ci == 'true'
|
|
uses: dtolnay/rust-toolchain@stable
|
|
with:
|
|
toolchain: stable
|
|
|
|
- name: Cache Rust build data
|
|
if: needs.classify_changes.outputs.run_full_ci == 'true'
|
|
uses: Swatinem/rust-cache@v2
|
|
with:
|
|
workspaces: |
|
|
. -> target
|
|
key: aws-feature
|
|
|
|
- name: Build omnigraph-server with aws feature
|
|
if: needs.classify_changes.outputs.run_full_ci == 'true'
|
|
run: cargo build --locked -p omnigraph-server --features aws
|
|
|
|
- name: Test omnigraph-server with aws feature
|
|
if: needs.classify_changes.outputs.run_full_ci == 'true'
|
|
run: cargo test --locked -p omnigraph-server --features aws
|
|
|
|
rustfs_integration:
|
|
name: RustFS S3 Integration
|
|
needs:
|
|
- classify_changes
|
|
- test
|
|
if: needs.classify_changes.outputs.run_rustfs_ci == 'true'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 75
|
|
permissions:
|
|
contents: read
|
|
env:
|
|
AWS_ACCESS_KEY_ID: rustfsadmin
|
|
AWS_SECRET_ACCESS_KEY: rustfsadmin
|
|
AWS_REGION: us-east-1
|
|
AWS_ENDPOINT_URL: http://127.0.0.1:9000
|
|
AWS_ENDPOINT_URL_S3: http://127.0.0.1:9000
|
|
AWS_ALLOW_HTTP: "true"
|
|
AWS_S3_FORCE_PATH_STYLE: "true"
|
|
OMNIGRAPH_S3_TEST_BUCKET: omnigraph-ci
|
|
OMNIGRAPH_S3_TEST_PREFIX: github-actions
|
|
CARGO_TERM_COLOR: always
|
|
steps:
|
|
- name: Checkout source
|
|
uses: actions/checkout@v5.0.1
|
|
|
|
- name: Install system dependencies
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y protobuf-compiler libprotobuf-dev python3-pip
|
|
|
|
- name: Install Rust stable
|
|
uses: dtolnay/rust-toolchain@stable
|
|
with:
|
|
toolchain: stable
|
|
|
|
- name: Cache Rust build data
|
|
uses: Swatinem/rust-cache@v2
|
|
with:
|
|
workspaces: |
|
|
. -> target
|
|
|
|
- name: Start RustFS
|
|
run: |
|
|
docker rm -f rustfs >/dev/null 2>&1 || true
|
|
docker run -d \
|
|
--name rustfs \
|
|
-p 9000:9000 \
|
|
-p 9001:9001 \
|
|
-e RUSTFS_ACCESS_KEY="${AWS_ACCESS_KEY_ID}" \
|
|
-e RUSTFS_SECRET_KEY="${AWS_SECRET_ACCESS_KEY}" \
|
|
rustfs/rustfs:latest \
|
|
/data
|
|
|
|
- name: Install AWS CLI
|
|
run: |
|
|
python3 -m pip install --user awscli
|
|
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
|
|
|
|
- name: Create RustFS test bucket
|
|
run: |
|
|
for _ in $(seq 1 30); do
|
|
if aws --endpoint-url "${AWS_ENDPOINT_URL_S3}" s3api list-buckets >/dev/null 2>&1; then
|
|
break
|
|
fi
|
|
sleep 2
|
|
done
|
|
aws --endpoint-url "${AWS_ENDPOINT_URL_S3}" \
|
|
s3api create-bucket \
|
|
--bucket "${OMNIGRAPH_S3_TEST_BUCKET}" >/dev/null 2>&1 || true
|
|
|
|
- name: Run RustFS storage tests
|
|
run: cargo test --locked -p omnigraph-engine --test s3_storage -- --nocapture
|
|
|
|
- name: Run RustFS server smoke
|
|
run: cargo test --locked -p omnigraph-server --test server server_opens_s3_repo_directly_and_serves_snapshot_and_read -- --nocapture
|
|
|
|
- name: Run RustFS CLI smoke
|
|
run: cargo test --locked -p omnigraph-cli --test system_local local_cli_s3_end_to_end_init_load_read_flow -- --nocapture
|
|
|
|
- name: Dump RustFS logs on failure
|
|
if: failure()
|
|
run: docker logs rustfs
|