The contents of this repository handle the setup for GitHub Actions, including both the runners and the templates for basic pipeline scripts.

If there's an outdated Personal Access Token (PAT), it must first be removed. You can check existing secrets with oc get secrets. If there's runner-secrets present, it should only contain one data entry (this can be confirmed by checking oc get secret runner-secrets -o json) and it can be removed with oc delete secret runner-secrets. This removal only affects newly created pods: pre-existing ones will still attempt to use the old token, so they must be removed and new ones created for the removal/update to be effective.

To fetch the authorization token for creating new runners, we need a Personal Access Token (PAT). One can be generated by navigating to GitHub and then settings > developer settings > personal access tokens > generate new token. The token only needs to have the public_repo scope, which means that it will not expose anything about private repositories etc, but it does grant read and write access to "code, commit statuses, repository projects, collaborators, and deployment statuses for public repositories and organizations" (see docs).

There must be a valid PAT in runner-secrets. To save the token there, write the token into a file called gh_runner_pat and add it into the OC secrets with the following command:

oc create secret generic runner-secrets --from-file=gh_runner_pat

NB: do NOT check the file into version control: after the secret has been created, the file can be deleted.

You need to change the variables ACTIONS_RUNNER_VERSION and ACTIONS_RUNNER_CHECKSUM in the dockerfile to match the version and linux-x64 tar.gz checksum of the newest (or other desired) version from https://github.com/actions/runner/releases. After that you can proceed to building, uploading and deploying the pod.

To build a specific runner, you need to provide the path to the directory containing the Dockerfile and the tag for the runner. For the basic python runner, this would be

docker build runners/python-runner -t python-runner

Before uploading you need to authenticate. Authentication command and token are shown in the container registry UI. After that you can tag the container and push it to the registry, e.g. for the basic python runner:

docker tag python-runner docker-registry.rahti.csc.fi/kielipankki-github-runners/python-runner:[VERSION]
docker push docker-registry.rahti.csc.fi/kielipankki-github-runners/python-runner:[VERSION]

You can check the previous version from the container registry: increment the major/minor/patch version depending on the changes made.

To use the newest version of the container in the soon-to-be-deployed pod, you need to set the image version in the pod specification file.

First you must authenticate to OpenShift. The command and token for authentication can be copied from OpenShift console UI by clicking your name on the upper right corner and choosing "copy login command".

If there are old, outdated pods (e.g. with old secrets), you can list them with oc get pods and remove them using oc delete pod [pod name]. Remember to delete the runner in GitHub UI too.

After that you can deploy a new pod for a specific repository with oc process and oc create, e.g.

oc process -f services/python-runner-pod.yaml -p REPO_NAME=kielipankki-metax-bridge -p REPO_OWNER=cscfi | oc create -f -

and you should now see a new runner in GitHub.

NB: REPO_NAME needs to be provided in all lower case.