feat(upload): Support deferred upload lengths #23332
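# CI workflow: lint, test, build and publish Relay binaries and images.
#
# Review notes (security):
# - No workflow-level `permissions:` block is declared, so every job without
#   its own block runs with the repository's default GITHUB_TOKEN scope.
#   NOTE(review): consider a read-only default here plus per-job grants.
# - Several actions are referenced by a mutable tag or branch (among them
#   actions/checkout, swatinem/rust-cache, webfactory/ssh-agent,
#   dtolnay/rust-toolchain, docker/*, google-github-actions/* and
#   getsentry/self-hosted@master), while others in this file are pinned to a
#   full commit SHA. The ones that receive secrets are flagged inline.
name: CI

on:
  push:
    branches:
      - release/**
      - release-library/**
  pull_request:
    types: [opened, synchronize, reopened, labeled]
  merge_group:

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always
  RELAY_CARGO_ARGS: "--locked"
  IS_MASTER: "${{ github.event_name == 'merge_group' }}"

jobs:
  lint:
    needs: build-setup
    name: Lint
    runs-on: ubuntu-latest
    env:
      RUSTFLAGS: ${{ needs.build-setup.outputs.rustflags }}
      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
    steps:
      - name: Install libcurl-dev
        run: |
          sudo apt-get update
          sudo apt-get install -y libcurl4-openssl-dev
      - uses: actions/checkout@v6.0.2
        with:
          submodules: recursive
      - name: Get changed files
        id: changes
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          list-files: json
          filters: |
            all:
              - added|modified: '**/*'
      - name: Setup SSH agent
        if: env.SSH_PRIVATE_KEY != ''
        # NOTE(review): tag-pinned action that receives the SSH private key;
        # consider pinning it to a full commit SHA.
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: ${{ env.SSH_PRIVATE_KEY }}
      - name: Install Rust Toolchain
        run: |
          rustup toolchain install stable --profile minimal --no-self-update
          rustup component add clippy rustfmt rust-docs --toolchain stable
      - uses: swatinem/rust-cache@v2
        with:
          key: ${{ github.job }}
      - uses: astral-sh/setup-uv@884ad927a57e558e7a70b92f2bccf9198a4be546 # v6
        with:
          version: '0.8.2'
          # we just cache the venv-dir directly in action-setup-venv
          enable-cache: false
      - uses: getsentry/action-setup-venv@5a80476d175edf56cb205b08bc58986fa99d1725 # v3.2.0
        with:
          cache-dependency-path: uv.lock
          install-cmd: uv sync --frozen --only-dev --active
      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ~/.cache/pre-commit
          key: cache-epoch-1|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml', 'uv.lock') }}
      - name: Setup pre-commit
        run: pre-commit install-hooks
      - name: Run pre-commit
        env:
          # The changed-file list is derived from the pull request, so it is
          # handed to the shell as data. Expanding the expression directly
          # into the script would let a crafted file name alter the command
          # in a job that also holds SSH_PRIVATE_KEY.
          ALL_FILES: ${{ steps.changes.outputs.all_files }}
        run: |
          jq '.[]' --raw-output <<< "$ALL_FILES" |
            # Run pre-commit to lint and format check files that were changed (but not deleted)
            xargs pre-commit run --files
      # running lint-python will unnecessarily go through setup-venv via devenv
      # we want to take advantage of cached action-setup-venv
      - run: make style-rust lint-rust
      - name: Check Docs
        run: cargo doc --workspace --all-features --no-deps --document-private-items
        env:
          RUSTDOCFLAGS: -Dwarnings

  lint_default:
    name: Lint Rust Default Features
    runs-on: ubuntu-latest
    steps:
      - name: Install libcurl-dev
        run: |
          sudo apt-get update
          sudo apt-get install -y libcurl4-openssl-dev
      - uses: actions/checkout@v6.0.2
        with:
          submodules: recursive
      - name: Install Rust Toolchain
        run: rustup toolchain install stable --profile minimal --component clippy --no-self-update
      - uses: swatinem/rust-cache@v2
        with:
          key: ${{ github.job }}
      - name: Run Clippy
        run: cargo clippy --workspace --all-targets --no-deps -- -D warnings

  devservices-files-changed:
    name: detect what files changed
    runs-on: ubuntu-24.04
    timeout-minutes: 3
    outputs:
      devservices-files-changed: ${{ steps.changes.outputs.devservices-files-changed }}
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        name: Check for file changes
        id: changes
        with:
          token: ${{ github.token }}
          filters: |
            devservices-files-changed:
              - 'devservices/**'
              - '.github/workflows/ci.yml'

  test:
    needs: build-setup
    timeout-minutes: 20
    strategy:
      fail-fast: false
      matrix:
        os: [macos-latest, windows-latest]
    name: Test (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    env:
      RUSTFLAGS: ${{ needs.build-setup.outputs.rustflags }}
      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
    # Skip redundant checks for library releases
    if: "!startsWith(github.ref, 'refs/heads/release-library/')"
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          submodules: recursive
      - name: Setup SSH agent
        if: env.SSH_PRIVATE_KEY != ''
        # Windows needs an older version of the ssh agent: https://github.com/webfactory/ssh-agent/pull/17
        # NOTE(review): tag-pinned action that receives the SSH private key;
        # consider pinning it to a full commit SHA.
        uses: webfactory/ssh-agent@v0.7.0
        with:
          ssh-private-key: ${{ env.SSH_PRIVATE_KEY }}
      - name: Install Rust Toolchain
        run: rustup toolchain install stable --profile minimal --no-self-update
      - uses: swatinem/rust-cache@v2
        with:
          key: ${{ github.job }}
      - name: Run Cargo Tests
        env:
          # Faster compilation on slower CI runners.
          CARGO_PROFILE_DEV_OPT_LEVEL: 0
        run: |
          cargo test --workspace

  test_all:
    needs: build-setup
    timeout-minutes: 15
    name: Test All Features (ubuntu-latest)
    runs-on: ubuntu-latest
    env:
      RUSTFLAGS: ${{ needs.build-setup.outputs.rustflags }}
      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
    # Skip redundant checks for library releases
    if: "!startsWith(github.ref, 'refs/heads/release-library/')"
    # Testing all features requires Docker container operations that are only available on
    # `ubuntu-latest`. This `test-all` job is to be seen as complementary to the `test` job. If
    # services become available on other platforms, the jobs should be consolidated. See
    # https://docs.github.com/en/actions/guides/about-service-containers
    services:
      redis: # https://docs.github.com/en/actions/guides/creating-redis-service-containers
        image: ghcr.io/getsentry/image-mirror-library-redis:5.0-alpine
        ports:
          - "6379:6379"
    steps:
      - name: Install libcurl-dev
        run: |
          sudo apt-get update
          sudo apt-get install -y libcurl4-openssl-dev
      - name: Start objectstore
        # NOTE(review): `nightly` is a mutable tag; the container runs on the
        # same runner that later loads SSH_PRIVATE_KEY. A digest pin would
        # make the test environment reproducible.
        run: |
          docker run -d \
            --name objectstore \
            -p 8888:8888 \
            ghcr.io/getsentry/objectstore:nightly \
            run
      - uses: actions/checkout@v6.0.2
        with:
          submodules: recursive
      - name: Setup SSH agent
        if: env.SSH_PRIVATE_KEY != ''
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: ${{ env.SSH_PRIVATE_KEY }}
      - name: Install Rust Toolchain
        run: rustup toolchain install stable --profile minimal --no-self-update
      - uses: swatinem/rust-cache@v2
        with:
          key: ${{ github.job }}
      - name: Run Cargo Tests
        env:
          # Faster compilation on slower CI runners.
          CARGO_PROFILE_DEV_OPT_LEVEL: 0
        run: cargo test --workspace --all-features

  test_py:
    # Skip redundant checks for binary releases
    if: "!startsWith(github.ref, 'refs/heads/release/')"
    name: Test Python
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          submodules: recursive
      - name: Install Rust Toolchain
        run: rustup toolchain install stable --profile minimal --no-self-update
      - uses: swatinem/rust-cache@v2
        with:
          key: ${{ github.job }}
      - uses: astral-sh/setup-uv@884ad927a57e558e7a70b92f2bccf9198a4be546 # v6
        with:
          version: '0.8.2'
          # we just cache the venv-dir directly in action-setup-venv
          enable-cache: false
      - uses: getsentry/action-setup-venv@5a80476d175edf56cb205b08bc58986fa99d1725 # v3.2.0
        with:
          cache-dependency-path: uv.lock
          install-cmd: uv sync --frozen --active
      - name: Build and Install Library
        run: uv pip install py/
        env:
          RELAY_DEBUG: 1
      - name: Run Python Tests
        run: pytest -v py

  # Computes the build matrix and the RUSTFLAGS shared by the other jobs.
  build-setup:
    name: Setup build metadata
    runs-on: ubuntu-latest
    if: "!startsWith(github.ref, 'refs/heads/release-library/')"
    env:
      FULL_CI: "${{
        github.ref == 'refs/heads/master'
        || github.event_name == 'merge_group'
        || startsWith(github.ref, 'refs/heads/release/')
        || contains(github.event.pull_request.labels.*.name, 'Trigger: Full-CI')
        }}"
      # Event fields are passed as environment variables so the script below
      # compares data and never has expression output expanded into its text.
      IS_FORK: "${{ github.event.pull_request.head.repo.fork }}"
      ACTOR: "${{ github.actor }}"
    steps:
      - id: set-outputs
        run: |
          echo "full_ci=$FULL_CI" >> "$GITHUB_OUTPUT"
          if [[ "$FULL_CI" == "true" ]]; then
            echo "Running full CI"
            echo 'image_names=["relay", "relay-pop"]' >> "$GITHUB_OUTPUT"
            echo 'targets=["x86_64-unknown-linux-gnu", "aarch64-unknown-linux-gnu"]' >> "$GITHUB_OUTPUT"
            echo 'platforms=["linux/amd64","linux/arm64"]' >> "$GITHUB_OUTPUT"
          else
            echo "Skipping some CI steps"
            echo 'image_names=["relay"]' >> "$GITHUB_OUTPUT"
            echo 'targets=["x86_64-unknown-linux-gnu"]' >> "$GITHUB_OUTPUT"
            echo 'platforms=["linux/amd64"]' >> "$GITHUB_OUTPUT"
          fi
          # The full-CI arm reads $FULL_CI: this job has no `needs`, so a
          # `needs.build-setup.outputs.full_ci` lookup from inside it is
          # always empty and that arm could never be true. The condition now
          # matches the `if:` on build-internal.
          if [[ ("$IS_FORK" != "true" && "$ACTOR" != "dependabot[bot]") || "$FULL_CI" == "true" ]]; then
            echo "rustflags=--cfg sentry --cfg tokio_unstable" >> "$GITHUB_OUTPUT"
          else
            echo "rustflags=--cfg tokio_unstable" >> "$GITHUB_OUTPUT"
          fi
    outputs:
      image_names: "${{ steps.set-outputs.outputs.image_names }}"
      targets: "${{ steps.set-outputs.outputs.targets }}"
      platforms: "${{ steps.set-outputs.outputs.platforms }}"
      full_ci: "${{ steps.set-outputs.outputs.full_ci }}"
      rustflags: "${{ steps.set-outputs.outputs.rustflags }}"

  build:
    needs: build-setup
    timeout-minutes: 30
    strategy:
      matrix:
        image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }}
        target: ${{ fromJson(needs.build-setup.outputs.targets) }}
    name: Build Relay Binary
    runs-on: |-
      ${{fromJson('{
        "x86_64-unknown-linux-gnu": "ubuntu-22.04",
        "aarch64-unknown-linux-gnu": "ubuntu-22.04-arm"
      }')[matrix.target] }}
    if: "!startsWith(github.ref, 'refs/heads/release-library/')"
    env:
      RELAY_BIN: "target/${{ matrix.target }}/release/relay"
      FEATURES: |-
        ${{fromJson('{
          "relay": "processing,crash-handler",
          "relay-pop": "crash-handler"
        }')[matrix.image_name] }}
      DOCKER_PLATFORM: |-
        ${{fromJson('{
          "x86_64-unknown-linux-gnu": "linux/amd64",
          "aarch64-unknown-linux-gnu": "linux/arm64"
        }')[matrix.target] }}
    steps:
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y llvm curl libcurl4-openssl-dev
      - name: Install sentry-cli
        # NOTE(review): the installer is downloaded and executed with no
        # version pin or checksum check, and its output ends up in the
        # released artifacts. Prefer a pinned release verified against a
        # published checksum.
        run: |
          curl -sL https://sentry.io/get-cli/ | bash
      - uses: actions/checkout@v6.0.2
        with:
          submodules: recursive
      - uses: dtolnay/rust-toolchain@stable
      - uses: swatinem/rust-cache@v2
        with:
          key: "${{ github.job }}-${{ matrix.target }}-${{ matrix.image_name }}"
      - name: Compile
        run: |
          cargo build --release --locked --features "${FEATURES}" --target "${{ matrix.target }}"
      - name: Split debug info
        run: |
          llvm-objcopy --only-keep-debug "${RELAY_BIN}"{,.debug}
          llvm-objcopy --strip-debug --strip-unneeded "${RELAY_BIN}"
          llvm-objcopy --add-gnu-debuglink "${RELAY_BIN}"{.debug,}
          sentry-cli difutil bundle-sources "${RELAY_BIN}.debug"
          zip "${RELAY_BIN}-debug.zip" "${RELAY_BIN}.debug"
      - name: Prepare Artifacts
        run: |
          mkdir -p "artifacts/${DOCKER_PLATFORM}"
          cp "${RELAY_BIN}"{,-debug.zip,.src.zip} "artifacts/${DOCKER_PLATFORM}"
      - name: Upload Artifacts
        uses: actions/upload-artifact@v6
        with:
          retention-days: 1
          name: ${{ matrix.image_name }}@${{ matrix.target }}
          path: "./artifacts/*"

  build-internal:
    needs: build-setup
    timeout-minutes: 30
    strategy:
      matrix:
        image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }}
        target: ${{ fromJson(needs.build-setup.outputs.targets) }}
    name: Build Internal Relay Binary
    runs-on: |-
      ${{fromJson('{
        "x86_64-unknown-linux-gnu": "ubuntu-22.04",
        "aarch64-unknown-linux-gnu": "ubuntu-22.04-arm"
      }')[matrix.target] }}
    if: "(!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]') || needs.build-setup.outputs.full_ci == 'true'"
    env:
      RUSTFLAGS: ${{ needs.build-setup.outputs.rustflags }}
      RELAY_BIN: "target/${{ matrix.target }}/release/relay"
      FEATURES: |-
        ${{fromJson('{
          "relay": "processing,crash-handler",
          "relay-pop": "crash-handler"
        }')[matrix.image_name] }}
      DOCKER_PLATFORM: |-
        ${{fromJson('{
          "x86_64-unknown-linux-gnu": "linux/amd64",
          "aarch64-unknown-linux-gnu": "linux/arm64"
        }')[matrix.target] }}
    steps:
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y llvm curl libcurl4-openssl-dev
      - name: Install sentry-cli
        # NOTE(review): unpinned, unverified installer executed on a runner
        # that later loads SSH_PRIVATE_KEY and ENCRYPTION_KEY. Prefer a
        # pinned release verified against a published checksum.
        run: |
          curl -sL https://sentry.io/get-cli/ | bash
      - uses: actions/checkout@v6.0.2
        with:
          submodules: recursive
      - uses: dtolnay/rust-toolchain@stable
      - uses: swatinem/rust-cache@v2
        with:
          key: "${{ github.job }}-${{ matrix.target }}-${{ matrix.image_name }}"
      # NOTE(review): tag-pinned action that receives the SSH private key;
      # consider pinning it to a full commit SHA.
      - uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
      - name: Compile
        run: |
          cargo build --release --locked --features "${FEATURES}" --target "${{ matrix.target }}"
      - name: Split debug info
        run: |
          llvm-objcopy --only-keep-debug "${RELAY_BIN}"{,.debug}
          llvm-objcopy --strip-debug --strip-unneeded "${RELAY_BIN}"
          llvm-objcopy --add-gnu-debuglink "${RELAY_BIN}"{.debug,}
          sentry-cli difutil bundle-sources "${RELAY_BIN}.debug"
          zip "${RELAY_BIN}-debug.zip" "${RELAY_BIN}.debug"
      - name: Prepare and Encrypt Artifacts
        env:
          # The passphrase reaches the script through the environment, so the
          # secret is never expanded into the script text, where shell
          # metacharacters in its value would be interpreted.
          # NOTE(review): it is still visible in gpg's argument list; feeding
          # it through a file descriptor would avoid that as well.
          ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }}
        run: |
          mkdir -p "artifacts/${DOCKER_PLATFORM}"
          for file in "${RELAY_BIN}" "${RELAY_BIN}-debug.zip" "${RELAY_BIN}.src.zip"; do
            gpg --quiet --batch --yes --symmetric --cipher-algo AES256 \
              --passphrase "$ENCRYPTION_KEY" \
              --output "artifacts/${DOCKER_PLATFORM}/$(basename "$file").gpg" "$file"
          done
      - name: Upload Artifacts
        uses: actions/upload-artifact@v6
        with:
          retention-days: 1
          name: internal-${{ matrix.image_name }}@${{ matrix.target }}
          path: "./artifacts/*"

  build-docker:
    timeout-minutes: 5
    needs: [build-setup, build]
    name: Build Docker Image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }}
    env:
      PLATFORMS: "${{ join(fromJson(needs.build-setup.outputs.platforms), ',') }}"
      DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}"
      REVISION: "${{ github.event.pull_request.head.sha || github.sha }}"
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: actions/download-artifact@v7
        with:
          pattern: "${{ matrix.image_name }}@*"
          merge-multiple: true
      # Same-repository pull requests and pushes publish straight to ghcr.io.
      - name: Build and push to ghcr.io
        if: "!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'"
        uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01
        with:
          image_name: ${{ matrix.image_name }}
          platforms: ${{ env.PLATFORMS }}
          dockerfile_path: "./Dockerfile.release"
          ghcr: true
          tag_nightly: true
          tag_latest: true
          google_ar: false
          publish_on_pr: true
      # Forks and dependabot build to a local tarball that is handed on as a
      # workflow artifact; nothing is pushed to a registry.
      - name: Build and publish docker artifact
        if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'"
        uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01
        with:
          image_name: ${{ matrix.image_name }}
          platforms: ${{ env.PLATFORMS }}
          dockerfile_path: "./Dockerfile.release"
          ghcr: false
          google_ar: false
          outputs: "type=docker,dest=${{ matrix.image_name }}-docker-image"
          tags: "ghcr.io/getsentry/${{ matrix.image_name }}:${{ github.event.pull_request.head.sha || github.sha }}"
      - name: Upload docker image
        if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'"
        uses: actions/upload-artifact@v6
        with:
          retention-days: 1
          name: ${{ matrix.image_name }}-docker-image
          path: "${{ matrix.image_name }}-docker-image"

  publish-to-ar-internal:
    timeout-minutes: 5
    needs: [build-setup, build-internal]
    name: Publish Relay to Internal AR
    runs-on: ubuntu-latest
    strategy:
      matrix:
        image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }}
    permissions:
      contents: "read"
      id-token: "write"
    env:
      PLATFORMS: "${{ join(fromJson(needs.build-setup.outputs.platforms), ',') }}"
      AR_DOCKER_IMAGE: "us-central1-docker.pkg.dev/internal-sentry/relay/${{ matrix.image_name }}"
      REVISION: "${{ github.event.pull_request.head.sha || github.sha }}"
    if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'"
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      # Logic taken from: publish-to-gcr
      - name: Google Auth
        id: auth
        # NOTE(review): tag-pinned action that exchanges the job's OIDC token
        # for cloud credentials; consider pinning it to a full commit SHA.
        uses: google-github-actions/auth@v3
        with:
          workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
          service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com
      - name: Configure docker
        run: |
          gcloud auth configure-docker us-central1-docker.pkg.dev
      # Logic taken from: build-docker
      - uses: actions/download-artifact@v7
        with:
          pattern: "internal-${{ matrix.image_name }}@*"
          merge-multiple: true
      - name: Decrypt Artifacts
        env:
          # Passed through the environment so the secret is never expanded
          # into the script text.
          ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }}
        run: |
          find . -name "*.gpg" | while IFS= read -r file; do
            output_file="${file%.gpg}"
            gpg --quiet --batch --yes --decrypt \
              --passphrase "$ENCRYPTION_KEY" \
              --output "$output_file" "$file"
            rm "$file"
          done
      - name: Build and push to Internal AR
        uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01
        with:
          image_name: ${{ matrix.image_name }}
          platforms: ${{ env.PLATFORMS }}
          dockerfile_path: "./Dockerfile.release"
          ghcr: false
          publish_on_pr: true
          tag_latest: true
          google_ar: true
          google_ar_image_name: ${{ env.AR_DOCKER_IMAGE }}
          google_workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
          google_service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com

  publish-to-gcr:
    timeout-minutes: 5
    needs: [build-setup, build-docker]
    name: Publish Relay to GCR
    runs-on: ubuntu-latest
    strategy:
      matrix:
        image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }}
    # required for google auth
    permissions:
      contents: "read"
      id-token: "write"
    env:
      GHCR_DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}"
      AR_DOCKER_IMAGE: "us-central1-docker.pkg.dev/sentryio/relay/${{ matrix.image_name }}"
      REVISION: "${{ github.event.pull_request.head.sha || github.sha }}"
    # Skip redundant checks for library releases
    # Skip for dependabot and if run on a fork
    if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'"
    steps:
      - name: Google Auth
        id: auth
        uses: google-github-actions/auth@v3
        with:
          workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
          service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com
      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v3"
        with:
          # https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation
          # You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools.
          version: ">= 390.0.0"
      - name: Configure docker
        run: |
          gcloud auth configure-docker us-central1-docker.pkg.dev
      - name: Copy Image from GHCR to AR
        run: docker buildx imagetools create --tag "${AR_DOCKER_IMAGE}:${REVISION}" "${GHCR_DOCKER_IMAGE}:${REVISION}"
      - name: Copy Nightly from GHCR to AR
        if: env.IS_MASTER == 'true'
        run: docker buildx imagetools create --tag "${AR_DOCKER_IMAGE}:nightly" "${GHCR_DOCKER_IMAGE}:nightly"

  gocd-artifacts:
    timeout-minutes: 10
    needs: [build-setup, build-internal, publish-to-ar-internal]
    name: Upload build artifacts to gocd
    runs-on: ubuntu-latest
    strategy:
      matrix:
        image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }}
    # required for google auth
    permissions:
      contents: "read"
      id-token: "write"
    env:
      REVISION: "${{ github.event.pull_request.head.sha || github.sha }}"
    if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'"
    steps:
      - name: Google Auth
        id: auth
        uses: google-github-actions/auth@v3
        with:
          workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
          service_account: gha-gcr-push@sac-prod-sa.iam.gserviceaccount.com
      - name: Configure docker
        run: |
          gcloud auth configure-docker us-central1-docker.pkg.dev
      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v3"
        with:
          # https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation
          # You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools.
          version: ">= 390.0.0"
      - uses: actions/download-artifact@v7
        with:
          pattern: "internal-${{ matrix.image_name }}@*"
          merge-multiple: true
      - name: Decrypt Artifacts
        env:
          # Passed through the environment so the secret is never expanded
          # into the script text.
          ENCRYPTION_KEY: ${{ secrets.ENCRYPTION_KEY }}
        run: |
          find . -name "*.gpg" | while IFS= read -r file; do
            output_file="${file%.gpg}"
            gpg --quiet --batch --yes --decrypt \
              --passphrase "$ENCRYPTION_KEY" \
              --output "$output_file" "$file"
            rm "$file"
          done
      - name: Upload gocd deployment assets
        run: |
          set -euxo pipefail
          VERSION="$(docker run --rm "us-central1-docker.pkg.dev/internal-sentry/relay/${{ matrix.image_name }}:${REVISION}" --version | cut -d" " -f2)"
          echo "${{ matrix.image_name }}@${VERSION}+${REVISION}" > release-name
          for PLATFORM in "linux/amd64" "linux/arm64"; do
            gsutil -m cp $PLATFORM/relay-debug.zip $PLATFORM/relay.src.zip ./release-name \
              "gs://dicd-team-devinfra-cd--relay/deployment-assets/${REVISION}/${{ matrix.image_name }}/${PLATFORM}/"
          done

  test_integration:
    needs: build-setup
    name: Integration Tests
    runs-on: ubuntu-latest
    timeout-minutes: 30
    env:
      RUSTFLAGS: ${{ needs.build-setup.outputs.rustflags }}
      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
    # Skip redundant checks for library releases
    if: "!startsWith(github.ref, 'refs/heads/release-library/')"
    services:
      redis: # https://docs.github.com/en/actions/guides/creating-redis-service-containers
        image: ghcr.io/getsentry/image-mirror-library-redis:5.0-alpine
        ports:
          - "6379:6379"
      kafka:
        image: ghcr.io/getsentry/image-mirror-confluentinc-cp-kafka:7.5.0
        env:
          # KRaft mode configuration (no Zookeeper)
          KAFKA_PROCESS_ROLES: broker,controller
          KAFKA_CONTROLLER_QUORUM_VOTERS: 1001@127.0.0.1:29093
          KAFKA_CONTROLLER_LISTENER_NAMES: CONTROLLER
          KAFKA_NODE_ID: 1001
          CLUSTER_ID: MkU3OEVBNTcwNTJENDM2Qk
          KAFKA_LISTENERS: PLAINTEXT://0.0.0.0:29092,EXTERNAL://0.0.0.0:9092,CONTROLLER://0.0.0.0:29093
          KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://127.0.0.1:29092,EXTERNAL://127.0.0.1:9092
          KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,EXTERNAL:PLAINTEXT,CONTROLLER:PLAINTEXT
          KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
          KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
          KAFKA_OFFSETS_TOPIC_NUM_PARTITIONS: 1
        ports:
          - "9092:9092"
    steps:
      - name: Install libcurl-dev
        run: |
          sudo apt-get update
          sudo apt-get install -y libcurl4-openssl-dev
      - name: Start objectstore
        # NOTE(review): `nightly` is a mutable tag; the container runs on the
        # same runner that later loads SSH_PRIVATE_KEY.
        run: |
          docker run -d \
            --name objectstore \
            -p 8888:8888 \
            ghcr.io/getsentry/objectstore:nightly \
            run
      - uses: actions/checkout@v6.0.2
        with:
          submodules: recursive
      - name: Install Rust Toolchain
        run: rustup toolchain install stable --profile minimal --no-self-update
      - uses: swatinem/rust-cache@v2
        with:
          key: ${{ github.job }}
          cache-on-failure: "true"
      - name: Setup SSH agent
        if: env.SSH_PRIVATE_KEY != ''
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: ${{ env.SSH_PRIVATE_KEY }}
      - uses: astral-sh/setup-uv@884ad927a57e558e7a70b92f2bccf9198a4be546 # v6
        with:
          version: '0.8.2'
          # we just cache the venv-dir directly in action-setup-venv
          enable-cache: false
      - uses: getsentry/action-setup-venv@5a80476d175edf56cb205b08bc58986fa99d1725 # v3.2.0
        with:
          cache-dependency-path: uv.lock
          install-cmd: uv sync --frozen --only-dev --active
      - run: make test-integration
        env:
          PYTEST_N: 6
          RELAY_VERSION_CHAIN: "23.12.0,latest"

  sentry-relay-integration-tests:
    name: Sentry-Relay Integration Tests
    runs-on: ubuntu-latest
    timeout-minutes: 30
    needs: build-docker
    env:
      USE_NEW_DEVSERVICES: 1
      RELAY_TEST_KEEP_CONTAINER: true
    # Skip redundant checks for library releases
    if: "!startsWith(github.ref, 'refs/heads/release-library/')"
    steps:
      # Checkout Sentry and run integration tests against latest Relay
      # NOTE(review): no `ref` is given, so the action copied and executed
      # below comes from whatever commit is current on that repository's
      # default branch.
      - name: Checkout Sentry
        uses: actions/checkout@v6.0.2
        with:
          repository: getsentry/sentry
          path: sentry
      - name: Setup steps
        id: setup
        run: |
          # GITHUB_SHA in pull requests points to the merge commit
          RELAY_TEST_IMAGE=ghcr.io/getsentry/relay:${{ github.event.pull_request.head.sha || github.sha }}
          echo "We expected GCB to push this image $RELAY_TEST_IMAGE"
          echo "relay-test-image=$RELAY_TEST_IMAGE" >> "$GITHUB_OUTPUT"
          # We cannot execute actions that are not placed under .github of the main repo
          mkdir -p .github/actions
          cp -r sentry/.github/actions/setup-sentry .github/actions/
      - name: Setup Sentry
        uses: ./.github/actions/setup-sentry
        with:
          workdir: sentry
          mode: symbolicator
      - name: Download Docker Image
        if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'"
        uses: actions/download-artifact@v7
        with:
          name: relay-docker-image
      - name: Import Docker Image
        if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'"
        run: docker load -i relay-docker-image
      - name: Run Sentry integration tests
        working-directory: sentry
        env:
          RELAY_TEST_IMAGE: ${{ steps.setup.outputs.relay-test-image }}
        run: |
          echo "Testing against ${RELAY_TEST_IMAGE}"
          make test-relay-integration

  self-hosted-end-to-end:
    runs-on: ubuntu-latest
    timeout-minutes: 25
    needs: build-docker
    # - Skip redundant checks for library releases
    # - Skip for dependabot or if it's a fork as the image cannot be uploaded to ghcr since this test attempts to pull
    #   the image from ghcr
    if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'"
    steps:
      - name: Run Sentry self-hosted e2e CI
        # NOTE(review): branch-pinned action that receives CODECOV_TOKEN; any
        # commit landing on that branch runs here with the secret. Consider
        # pinning it to a full commit SHA.
        uses: getsentry/self-hosted@master
        with:
          project_name: relay
          image_url: ghcr.io/getsentry/relay:${{ github.event.pull_request.head.sha || github.sha }}
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
      - name: Inspect failure
        if: failure()
        run: |
          cd /home/runner/work/_actions/getsentry/self-hosted/master
          docker compose ps
          docker compose logs

  validate-devservices-config:
    runs-on: ubuntu-24.04
    needs: devservices-files-changed
    if: needs.devservices-files-changed.outputs.devservices-files-changed == 'true'
    steps:
      - uses: actions/checkout@v6.0.2
        name: Checkout repository
      - name: Get devservices version
        id: get-devservices-version
        # Emits `version=<x>` for the devservices package recorded in uv.lock.
        run: |
          awk -F'"' '
            /name/ { pkg = $2 }
            /version/ { if (pkg == "devservices") print "version="$2 }
          ' uv.lock >> "$GITHUB_OUTPUT"
      - uses: getsentry/action-validate-devservices-config@711ae7221998ddf81211f25f5e3873ecffd22387
        name: Validate devservices config
        with:
          devservices-version: ${{ steps.get-devservices-version.outputs.version }}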