From 630f9f2feb36892dded19f50f9bbaeff684af7b4 Mon Sep 17 00:00:00 2001 From: Arjun Raja Yogidas Date: Wed, 8 Oct 2025 22:20:21 +0000 Subject: [PATCH 1/6] ci: update headers and footers for release-please Signed-off-by: Arjun Raja Yogidas --- release-please-config.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/release-please-config.json b/release-please-config.json index 4c4ff1a90..73ad5609e 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -55,5 +55,7 @@ ], "packages": { ".": {} - } + }, + "pull-request-header": "Ready for new finch release - Please verify the checklist items in the bottom of this PR before merging", + "pull-request-footer": "> [!IMPORTANT]\n> Please verify the following before merging this PR.\n> -[ ] The Sync Submodules wortkflow has completed successfully in finch-core repo. \n> -[ ] The Sync Submodules and Dependencies Workflow has completed successfully in this repo" } From ac44cf7e81ad54b51f7ec9e459fd6baeabee9863 Mon Sep 17 00:00:00 2001 From: Arjun Raja Yogidas Date: Wed, 8 Oct 2025 23:24:59 +0000 Subject: [PATCH 2/6] chore: testing Signed-off-by: Arjun Raja Yogidas --- .github/workflows/release-automation.yaml | 10 +++++++--- .github/workflows/release-please.yaml | 3 ++- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-automation.yaml b/.github/workflows/release-automation.yaml index 1ab83738c..d1344a58e 100644 --- a/.github/workflows/release-automation.yaml +++ b/.github/workflows/release-automation.yaml @@ -3,6 +3,10 @@ on: workflow_dispatch: workflow_call: +permissions: + id-token: write + contents: write + jobs: get-latest-tag: name: Get the latest release tag 
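Review bot: The checklist entries in `pull-request-footer` are written `-[ ]`, which GitHub Markdown does not render as task-list checkboxes; a space is needed after the dash, as in `- [ ] The Sync Submodules workflow has completed successfully in finch-core repo.` The same string carries the typo `wortkflow`. Both carry over into the shortened footer in PATCH 3/6. The new header points readers at the checklist, and the gate it describes is manual, so a footer that renders as plain text is easy to skip.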
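Review bot: The new top-level `permissions:` block in `release-automation.yaml` grants `id-token: write` and `contents: write` to every job that does not declare its own permissions. That may include `get-latest-tag`, whose body is outside the hunk and whose name suggests it only reads tags. Keeping the workflow default at `contents: read` and granting the wider scopes on the individual jobs that need them limits what a compromised step or action can do with the token. The commit is titled `chore: testing`; if the wider scopes were only needed to try something out, they should not merge. The later hunks in this file (`@@ -62,7`, `@@ -74,7`, `@@ -101,7`) and the `release-please.yaml` hunk widen scopes in the same way.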
@@ -62,7 +66,7 @@ jobs: # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings id-token: write - contents: read # this is required for actions/checkout + contents: write # this is required for actions/checkout secrets: inherit with: ref_name: ${{ needs.get-latest-tag.outputs.tag }} @@ -74,7 +78,7 @@ jobs: # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings id-token: write - contents: read # this is required for actions/checkout + contents: write # this is required for actions/checkout secrets: inherit with: ref_name: ${{ needs.get-latest-tag.outputs.tag }} @@ -101,7 +105,7 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write - contents: read + contents: write steps: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml index e4cacc043..1e895252b 100644 --- a/.github/workflows/release-please.yaml +++ b/.github/workflows/release-please.yaml @@ -6,7 +6,8 @@ on: name: release-please permissions: - contents: read + contents: write + id-token: write pull-requests: write jobs: From 30290cc7029e7ff534f9a70f217c1bfca8644430 Mon Sep 17 00:00:00 2001 From: Arjun Raja Yogidas Date: Wed, 8 Oct 2025 23:41:09 +0000 Subject: [PATCH 3/6] feat: add testing for release-please footer Signed-off-by: Arjun Raja Yogidas --- release-please-config.json | 2 +- test.txt | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 test.txt 
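Review bot: The trailing comment on the changed lines in `@@ -62,7` and `@@ -74,7` no longer matches the value: `contents: write # this is required for actions/checkout` is wrong, because checkout needs only `contents: read`. Both jobs call a reusable workflow with `secrets: inherit`, so the called workflow now receives a repository-writable token together with every inherited secret. If a called workflow really has to write to the repository, the comment should name the step that does; otherwise keep `contents: read`. In `release-please.yaml`, `id-token: write` is added workflow-wide although nothing in that hunk uses OIDC; if it exists so a called workflow can request a token, grant it on the calling job only.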
diff --git a/release-please-config.json b/release-please-config.json index 73ad5609e..23d3ec622 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -57,5 +57,5 @@ ".": {} }, "pull-request-header": "Ready for new finch release - Please verify the checklist items in the bottom of this PR before merging", - "pull-request-footer": "> [!IMPORTANT]\n> Please verify the following before merging this PR.\n> -[ ] The Sync Submodules wortkflow has completed successfully in finch-core repo. \n> -[ ] The Sync Submodules and Dependencies Workflow has completed successfully in this repo" + "pull-request-footer": "-[ ] The Sync Submodules wortkflow has completed successfully in finch-core repo." } diff --git a/test.txt b/test.txt new file mode 100644 index 000000000..07a15723a --- /dev/null +++ b/test.txt @@ -0,0 +1 @@ +> [!IMPORTANT]\n> Please verify the following before merging this PR.\n> -[ ] The Sync Submodules wortkflow has completed successfully in finch-core repo. \n> -[ ] The Sync Submodules and Dependencies Workflow has completed successfully in this repo \ No newline at end of file From e753b32bd76e5eebb432dbce6beca5eb9c5adc9c Mon Sep 17 00:00:00 2001 From: Arjun Raja Yogidas Date: Thu, 9 Oct 2025 20:30:51 +0000 Subject: [PATCH 4/6] ci: add debian canaries Signed-off-by: Arjun Raja Yogidas --- .github/workflows/canary-deb.yaml | 43 +++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/canary-deb.yaml diff --git a/.github/workflows/canary-deb.yaml b/.github/workflows/canary-deb.yaml new file mode 100644 index 000000000..0f34f2c99 --- /dev/null +++ b/.github/workflows/canary-deb.yaml 
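Review bot: `test.txt` at the repository root holds a copy of the earlier footer string, and nothing in this series reads it; it looks like a scratch file and should be dropped before merge. The commit is typed `feat:`, which release-please normally treats as a releasable change and lists in the changelog, so a test artifact would end up in the release notes. If the intent was to check how the footer renders, a draft PR body is a better place than a tracked file.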
@@ -0,0 +1,43 @@ +name: Deb Canary + +on: + # This workflow will run from the release-automation.yaml automation on each merge + workflow_dispatch: + inputs: + ref_name: + required: true + type: string + workflow_call: + inputs: + ref_name: + required: true + type: string + + # This workflow will run every 5 min + schedule: + - cron: '*/5 * * * *' + +jobs: + canary-deb: + # define all different arch's our supported CodeBuild fleets can run on + runs-on: ubuntu-latest + timeout-minutes: 3 + steps: + - name: Clean ubuntu runner workspace + run: | + rm -rf ${{ github.workspace }}/* + - name: Install Finch with APT + run: | + sudo apt install runfinch-finch -y + - name: Verify version + run: | + version=$(finch -v) + if [[ $version == "finch version ${{inputs.ref_name}}" ]]; then + echo "Version matches: $version" + else + echo "Version mismatch. Found: $version, Expected: ${{inputs.ref_name}}" + exit 1 + fi + - name: Clean up environment + run: | + sudo apt remove runfinch-finch -y \ No newline at end of file From 25bf6169a16ccffac7d449d57f835212c39c957e Mon Sep 17 00:00:00 2001 From: Arjun Raja Yogidas Date: Thu, 9 Oct 2025 21:08:33 +0000 Subject: [PATCH 5/6] ci: test Signed-off-by: Arjun Raja Yogidas --- .github/workflows/canary-deb.yaml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/.github/workflows/canary-deb.yaml b/.github/workflows/canary-deb.yaml index 0f34f2c99..f1bf1bac1 100644 --- a/.github/workflows/canary-deb.yaml +++ b/.github/workflows/canary-deb.yaml 
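Review bot: `${{ inputs.ref_name }}` is expanded into the text of the `Verify version` script before bash runs, so its content is parsed as shell rather than treated as a value; pass it through `env:` and compare against `$REF_NAME`. On the `schedule` trigger there are no inputs, so the expected string is `finch version ` with nothing after it and the five-minute run would always report a mismatch. The install step also assumes an APT source for `runfinch-finch` is already configured on the runner, which only PATCH 6/6 adds.

```yaml
      - name: Verify version
        env:
          REF_NAME: ${{ inputs.ref_name }}
        run: |
          version=$(finch -v)
          if [[ $version == "finch version $REF_NAME" ]]; then
            echo "Version matches: $version"
          else
            echo "Version mismatch. Found: $version, Expected: $REF_NAME"
            exit 1
          fi
```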
@@ -12,8 +12,24 @@ on: ref_name: required: true type: string - - # This workflow will run every 5 min + pull_request: + branches: + - main + paths: + - '**.go' + - 'go.mod' + - 'go.sum' + - '.github/workflows/e2e-macos.yaml' + - '.github/workflows/e2e-windows.yaml' + - '.github/workflows/e2e-linux.yaml' + - 'contrib/packaging/**' + - 'deps/**' + - 'finch.yaml.d/**' + - 'winres' + - 'Makefile*' + - '.golangci.yaml' + - '!contrib/hello-finch/**' +# This workflow will run every 5 min schedule: - cron: '*/5 * * * *' From 0eec2ea65818f4b5fc91e9079beeb8b43fa0d7d8 Mon Sep 17 00:00:00 2001 From: Arjun Raja Yogidas Date: Thu, 9 Oct 2025 21:30:28 +0000 Subject: [PATCH 6/6] chore: test deb Signed-off-by: Arjun Raja Yogidas --- .github/workflows/canary-deb.yaml | 80 ++++++++++++++----- .../virtual_machine_settings_darwin_test.go | 1 + 2 files changed, 62 insertions(+), 19 deletions(-) diff --git a/.github/workflows/canary-deb.yaml b/.github/workflows/canary-deb.yaml index f1bf1bac1..b78d13077 100644 --- a/.github/workflows/canary-deb.yaml +++ b/.github/workflows/canary-deb.yaml 
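Review bot: The added `pull_request` trigger does not test the pull request: the job installs the published `runfinch-finch` package, so path filters such as `**.go` or `deps/**` start a run whose result cannot depend on the change. `inputs.ref_name` is also empty for `pull_request` events, so the version check in this revision fails on every such run. If the trigger is only there to exercise the workflow from this PR (the commit is titled `ci: test`, and PATCH 6/6 adds a comment-only change to a Go test file), remove it before merge. As far as the collapsed text shows, the `# This workflow will run every 5 min` comment has also moved to column 0; re-indent it with `schedule:`.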
@@ -34,26 +34,68 @@ on: - cron: '*/5 * * * *' jobs: + get-latest-tag: + name: Get the latest release tag + runs-on: ubuntu-latest + timeout-minutes: 2 + outputs: + tag: ${{ steps.latest-tag.outputs.tag }} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + fetch-depth: 0 + - name: 'Get the latest tag' + id: latest-tag + uses: "WyriHaximus/github-action-get-previous-tag@04e8485ecb6487243907e330d522ff60f02283ce" # v1.4.0 + canary-deb: - # define all different arch's our supported CodeBuild fleets can run on + name: Test Finch APT installation runs-on: ubuntu-latest timeout-minutes: 3 + needs: get-latest-tag steps: - - name: Clean ubuntu runner workspace - run: | - rm -rf ${{ github.workspace }}/* - - name: Install Finch with APT - run: | - sudo apt install runfinch-finch -y - - name: Verify version - run: | - version=$(finch -v) - if [[ $version == "finch version ${{inputs.ref_name}}" ]]; then - echo "Version matches: $version" - else - echo "Version mismatch. 
Found: $version, Expected: ${{inputs.ref_name}}" - exit 1 - fi - - name: Clean up environment - run: | - sudo apt remove runfinch-finch -y \ No newline at end of file + - name: Clean ubuntu runner workspace + run: rm -rf ${{ github.workspace }}/* + + - name: Install Finch dependencies + run: | + sudo apt-get update + sudo apt install build-essential libseccomp-dev pkg-config zlib1g-dev -y + + - name: Add Finch APT Repository + run: | + ARCH=$(dpkg --print-architecture) + echo "Detected architecture: $ARCH" + + curl -fsSL https://artifact.runfinch.com/deb/GPG_KEY.pub | sudo gpg --dearmor -o /usr/share/keyrings/runfinch-finch-archive-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/runfinch-finch-archive-keyring.gpg arch=$ARCH] https://artifact.runfinch.com/deb noble main" | sudo tee /etc/apt/sources.list.d/runfinch-finch.list + sudo apt update + + - name: Prepare clean environment for Finch + run: | + sudo apt remove containerd containerd.io docker.io docker-ce docker-ce-cli runc -y || true + sudo apt autoremove -y + + - name: Install Finch with APT + run: sudo apt install runfinch-finch -y + + - name: Verify version matches latest release + run: | + LATEST_TAG="${{ needs.get-latest-tag.outputs.tag }}" + echo "Latest repository tag: $LATEST_TAG" + + INSTALLED_VERSION=$(finch -v) + echo "Installed Finch version: $INSTALLED_VERSION" + + EXPECTED_VERSION="finch version $LATEST_TAG" + if [[ "$INSTALLED_VERSION" == "$EXPECTED_VERSION" ]]; then + echo "✅ Version matches: $INSTALLED_VERSION" + else + echo "❌ Version mismatch!" + echo " Expected: $EXPECTED_VERSION" + echo " Found: $INSTALLED_VERSION" + exit 1 + fi + + - name: Clean up environment + run: sudo apt remove runfinch-finch -y diff --git a/cmd/finch/virtual_machine_settings_darwin_test.go b/cmd/finch/virtual_machine_settings_darwin_test.go index 05a058346..44fcbc11c 100644 --- a/cmd/finch/virtual_machine_settings_darwin_test.go +++ b/cmd/finch/virtual_machine_settings_darwin_test.go 
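Review bot: The workflow still has no `permissions:` block, and this hunk adds an `actions/checkout` step and a third-party tag action (both pinned by commit SHA) to a workflow that runs on a five-minute schedule and on pull requests. Both actions therefore run with whatever the repository's default `GITHUB_TOKEN` scope is. Neither job appears to need more than read access, so a top-level `permissions:` with `contents: read` would pin that. In the `Verify version matches latest release` step, `LATEST_TAG="${{ needs.get-latest-tag.outputs.tag }}"` expands the tag name into the script text before bash parses it; setting `LATEST_TAG: ${{ needs.get-latest-tag.outputs.tag }}` under the step's `env:` keeps it as data. The signing key is downloaded from the same host as the packages, so the canary would not notice a swapped key unless the step also compares the key's fingerprint with an expected value stored in the repository.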
@@ -26,6 +26,7 @@ func TestNewSettingsMCommand(t *testing.T) { assert.Equal(t, cmd.Name(), "settings") } +// testing the deb workflow func TestSettingsVMAction_runAdapter(t *testing.T) { t.Parallel()