Merged: changes from 3 commits
197 changes: 197 additions & 0 deletions .github/workflows/aws.yaml
@@ -0,0 +1,197 @@
name: E2E AWS

on:
workflow_call: {}

permissions:
contents: read
id-token: write

jobs:
up:
runs-on: ubuntu-latest
timeout-minutes: 60
environment: aws-e2e
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Set stack name
run: |
if [ -n "$PR_NUMBER" ]; then
echo "STACK_NAME=ci-aws-pr${PR_NUMBER}-${GITHUB_SHA::7}" >> "$GITHUB_ENV"
else
echo "STACK_NAME=ci-aws-${GITHUB_SHA::7}" >> "$GITHUB_ENV"
fi
env:
PR_NUMBER: ${{ github.event.pull_request.number }}

- name: Configure AWS credentials (OIDC)
uses: aws-actions/configure-aws-credentials@v4

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'E2E AWS' step [Uses Step](1) uses 'aws-actions/configure-aws-credentials' with ref 'v4', not a pinned commit hash
with:
role-to-assume: ${{ secrets.AWS_E2E_ROLE_ARN }}
aws-region: us-east-1
role-duration-seconds: 43200

- uses: astral-sh/setup-uv@v5

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'E2E AWS' step [Uses Step](1) uses 'astral-sh/setup-uv' with ref 'v5', not a pinned commit hash

- uses: actions/setup-python@v5
with:
python-version: "3.12"

- name: Install Pulumi CLI
uses: pulumi/actions@v6

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'E2E AWS' step [Uses Step](1) uses 'pulumi/actions' with ref 'v6', not a pinned commit hash

- name: Install kubectl
uses: azure/setup-kubectl@v4

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'E2E AWS' step [Uses Step](1) uses 'azure/setup-kubectl' with ref 'v4', not a pinned commit hash

- name: Run wizard (headless)
id: wizard
env:
PINECONE_API_KEY: ${{ secrets.PINECONE_API_KEY }}
PINECONE_REGION: us-east-1
PINECONE_AZS: "us-east-1a,us-east-1b"
PINECONE_VPC_CIDR: "10.0.0.0/16"
PINECONE_DELETION_PROTECTION: "false"
PINECONE_PUBLIC_ACCESS: "false"
PINECONE_PROJECT_NAME: "pinecone-byoc"
run: |
uv run --with rich --with pyyaml python setup/wizard.py \
--cloud aws \
--headless \
--stack-name "$STACK_NAME" \
--skip-install \
--output-dir ./e2e-project

- name: Patch __main__.py with CI overrides
working-directory: ./e2e-project
run: |
python3 << 'PATCH'
path = "__main__.py"
content = open(path).read()
content = content.replace(
" tags=config.get_object(\"tags\"),",
""" tags=config.get_object("tags"),
global_env=config.require("global-env"),
api_url=config.require("api-url"),
auth0_domain=config.require("auth0-domain"),
gcp_project=config.require("gcp-project"),""",
)
open(path, "w").write(content)
PATCH

- name: Replace PyPI dep with local source
working-directory: ./e2e-project
run: |
sed -i 's|"pulumi-pinecone-byoc\[aws\]"|"pulumi-pinecone-byoc[aws] @ file://'"$GITHUB_WORKSPACE"'"|' pyproject.toml

- name: Install dependencies
working-directory: ./e2e-project
run: uv sync

- name: Setup Pulumi stack
working-directory: ./e2e-project
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
run: |
pulumi stack select --create "$STACK_NAME"

- name: Set Pulumi config
working-directory: ./e2e-project
env:
PINECONE_API_KEY: ${{ secrets.PINECONE_API_KEY }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
run: |
pulumi config set --secret pinecone-api-key "$PINECONE_API_KEY" --stack "$STACK_NAME"
pulumi config set global-env ci --stack "$STACK_NAME"
pulumi config set api-url "https://api-staging.pinecone.io" --stack "$STACK_NAME"
pulumi config set auth0-domain "https://internal-beta-pinecone-io.us.auth0.com" --stack "$STACK_NAME"
pulumi config set gcp-project "development-pinecone" --stack "$STACK_NAME"

- name: Pulumi up
working-directory: ./e2e-project
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
run: pulumi up --yes --stack "$STACK_NAME"

down:
needs: up
if: always() && needs.up.result != 'skipped'
runs-on: ubuntu-latest
timeout-minutes: 60
environment: aws-e2e
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Set stack name
run: |
if [ -n "$PR_NUMBER" ]; then
echo "STACK_NAME=ci-aws-pr${PR_NUMBER}-${GITHUB_SHA::7}" >> "$GITHUB_ENV"
else
echo "STACK_NAME=ci-aws-${GITHUB_SHA::7}" >> "$GITHUB_ENV"
fi
env:
PR_NUMBER: ${{ github.event.pull_request.number }}

- name: Configure AWS credentials (OIDC)
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_E2E_ROLE_ARN }}
aws-region: us-east-1
role-duration-seconds: 43200

- uses: astral-sh/setup-uv@v5

- uses: actions/setup-python@v5
with:
python-version: "3.12"

- name: Install Pulumi CLI
uses: pulumi/actions@v6

- name: Run wizard (headless)
env:
PINECONE_API_KEY: ${{ secrets.PINECONE_API_KEY }}
PINECONE_REGION: us-east-1
PINECONE_AZS: "us-east-1a,us-east-1b"
PINECONE_VPC_CIDR: "10.0.0.0/16"
PINECONE_DELETION_PROTECTION: "false"
PINECONE_PUBLIC_ACCESS: "false"
PINECONE_PROJECT_NAME: "pinecone-byoc"
run: |
uv run --with rich --with pyyaml python setup/wizard.py \
--cloud aws \
--headless \
--stack-name "$STACK_NAME" \
--skip-install \
--output-dir ./e2e-project

- name: Replace PyPI dep with local source
working-directory: ./e2e-project
run: |
sed -i 's|"pulumi-pinecone-byoc\[aws\]"|"pulumi-pinecone-byoc[aws] @ file://'"$GITHUB_WORKSPACE"'"|' pyproject.toml

- name: Install dependencies
working-directory: ./e2e-project
run: uv sync

- name: Cancel stale locks
working-directory: ./e2e-project
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
run: pulumi cancel --yes --stack "$STACK_NAME" 2>/dev/null || true

- name: Pulumi destroy
working-directory: ./e2e-project
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
run: pulumi destroy --yes --stack "$STACK_NAME"

- name: Pulumi stack rm
working-directory: ./e2e-project
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
run: pulumi stack rm "$STACK_NAME" --yes --force
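Review bot: `role-duration-seconds: 43200` in both `Configure AWS credentials (OIDC)` steps requests a 12-hour session while each job has `timeout-minutes: 60`, so the assumed-role credentials outlive the job by about 11 hours; set it to 3600 (or just above the job timeout) so a token that leaks from the runner is useless soon after the job ends. Second, the `down` job rebuilds `./e2e-project` without the `Patch __main__.py with CI overrides` step that `up` applies, so the program it installs is not the one that was deployed; factor the wizard, patch, `sed` and `uv sync` sequence into a composite action used by both jobs so they cannot drift. Third, the four third-party actions CodeQL flags (`aws-actions/configure-aws-credentials@v4`, `astral-sh/setup-uv@v5`, `pulumi/actions@v6`, `azure/setup-kubectl@v4`) should be pinned to full commit SHAs with the tag kept as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<commit-sha> # v4`, since this workflow obtains cloud credentials through `id-token: write` and a moved tag would run arbitrary code with them. Minor: `azure/setup-kubectl@v4` is installed in `up` but no step in this file invokes `kubectl`; drop it unless a later step needs it.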
34 changes: 34 additions & 0 deletions .github/workflows/ci.yaml
@@ -0,0 +1,34 @@
name: CI

on:
push:
branches: [main]
pull_request:
branches: [main]

permissions:
contents: read

jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- uses: astral-sh/setup-uv@v5

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Unpinned 3rd party Action 'CI' step [Uses Step](1) uses 'astral-sh/setup-uv' with ref 'v5', not a pinned commit hash

- uses: actions/setup-python@v5
with:
python-version: "3.12"

- name: Install dependencies
run: uv sync --all-extras --group dev

- name: Check formatting
run: uv run ruff format --check .

- name: Run linting
run: uv run ruff check .

- name: Run type checking
run: uv run ty check
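Review bot: `uv sync --all-extras --group dev` in `Install dependencies` will re-resolve silently when `uv.lock` is stale, so a PR that edits `pyproject.toml` without updating the lockfile still passes lint against whatever versions resolve that day; use `uv sync --locked --all-extras --group dev` so the job fails when the lockfile does not match the manifest. `astral-sh/setup-uv@v5` (flagged by CodeQL) and `actions/setup-python@v5` should also be pinned to commit SHAs rather than mutable tags, the same way as in the E2E workflows.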
73 changes: 73 additions & 0 deletions .github/workflows/e2e.yaml
@@ -0,0 +1,73 @@
name: E2E

on:
pull_request:
branches: [main]
workflow_dispatch: {}

concurrency:
group: e2e-${{ github.head_ref || github.ref }}
cancel-in-progress: false

permissions:
contents: read
id-token: write

jobs:
changes:
runs-on: ubuntu-latest
outputs:
aws: ${{ steps.filter.outputs.aws }}
gcp: ${{ steps.filter.outputs.gcp }}
steps:
- uses: actions/checkout@v4
- uses: dorny/paths-filter@v3
id: filter
with:
filters: |
aws:
- 'pulumi_pinecone_byoc/aws/**'
- 'pulumi_pinecone_byoc/common/**'
- 'config/aws.py'
- 'config/base.py'
- 'config/__init__.py'
- 'setup/wizard.py'
- 'setup/aws_wizard.py'
gcp:
- 'pulumi_pinecone_byoc/gcp/**'
- 'pulumi_pinecone_byoc/common/**'
- 'config/gcp.py'
- 'config/base.py'
- 'config/__init__.py'
- 'setup/wizard.py'
- 'setup/gcp_wizard.py'
E2E path filter misses dependency changes (Medium Severity)

The dorny/paths-filter rules in .github/workflows/e2e.yaml exclude root build files like pyproject.toml. Changes to dependencies or packaging can break both cloud deployments, but aws/gcp jobs stay skipped because only selected source paths are watched.


aws:
needs: changes
if: needs.changes.outputs.aws == 'true' || github.event_name == 'workflow_dispatch'
uses: ./.github/workflows/aws.yaml
secrets: inherit

gcp:
needs: changes
if: needs.changes.outputs.gcp == 'true' || github.event_name == 'workflow_dispatch'
uses: ./.github/workflows/gcp.yaml
secrets: inherit

result:
if: always()
needs: [changes, aws, gcp]
runs-on: ubuntu-latest
steps:
- run: |
echo "AWS: ${{ needs.aws.result }}"
echo "GCP: ${{ needs.gcp.result }}"
if [ "${{ needs.aws.result }}" = "failure" ] || [ "${{ needs.gcp.result }}" = "failure" ]; then
echo "E2E failed"
exit 1
fi
if [ "${{ needs.aws.result }}" = "cancelled" ] || [ "${{ needs.gcp.result }}" = "cancelled" ]; then
echo "E2E cancelled"
exit 1
Result job ignores changes job failures (Medium Severity)

result only fails on needs.aws.result and needs.gcp.result, but never checks needs.changes.result. If changes fails, both cloud jobs are skipped and result still prints OK, so .github/workflows/e2e.yaml can report a successful E2E run after an internal workflow failure.

fi
echo "OK"
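Review bot: the `filters` for `dorny/paths-filter` omit `.github/workflows/**`, `pyproject.toml` and `uv.lock`, so a PR that only changes `aws.yaml`, `gcp.yaml` or the package's dependencies leaves `aws`/`gcp` skipped and `result` prints `OK` without the E2E ever running against the new definition; add those paths to both the `aws` and `gcp` filter groups (the Cursor comment above already covers the packaging files). In the `result` job the script compares only `needs.aws.result` and `needs.gcp.result`; include `needs.changes.result` in both the `failure` and `cancelled` checks, or replace the two `if` blocks with a step-level `if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')` that runs `exit 1`, so a failed `changes` job cannot produce a green run. The `${{ needs.*.result }}` expressions interpolated into `run:` are fixed status strings and not an injection vector here, but passing them through `env:` keeps the pattern safe if the script later reads user-controlled context. `dorny/paths-filter@v3` should be pinned to a commit SHA like the other third-party actions.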