[gha] comment ops + recreate_vm

Author: vulkoingim

Diff for: .github/actions/preview-create/entrypoint.sh

@@ -16,6 +16,15 @@ gcloud auth activate-service-account --key-file "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
 leeway run dev/preview/previewctl:download
 previewctl get-credentials --gcp-service-account "${PREVIEW_ENV_DEV_SA_KEY_PATH}"
 
+replace="module.preview_gce[0].google_compute_instance.default"
+if [[ "${INPUT_INFRASTRUCTURE_PROVIDER}" = "harvester " ]]; then
+  replace="module.preview_harvester[0].harvester_virtualmachine.harvester"
+fi
+
+if [[ "${INPUT_RECREATE_VM:-x}" == "true" ]]; then
+  export TF_CLI_ARGS_plan="-replace=${replace}"
+fi
+
 TF_VAR_preview_name="$(previewctl get-name --branch "${INPUT_NAME}")"
 export TF_VAR_preview_name
 export TF_VAR_infra_provider="${INPUT_INFRASTRUCTURE_PROVIDER}"

Diff for: .github/actions/preview-create/metadata.yml

@@ -17,6 +17,10 @@ inputs:
     previewctl_hash:
         description: "The Leeway hash of the dev/preview/previewctl:docker package to be used when downloading previewclt"
         required: false
+    recreate_vm:
+        description: "Whether to recreate the VM"
+        required: false
+        default: "false"
 runs:
     using: "docker"
     image: "Dockerfile"

Diff for: .github/workflows/build.yml

@@ -1,10 +1,15 @@
 name: Build
 on:
   pull_request:
-    types: [ opened, synchronize, edited ]
+    types: [ opened, edited ]
   push:
-    branches: [ main ]
   workflow_dispatch:
+    inputs:
+      recreate_vm:
+        required: true
+        type: string
+        description: "Whether to recreate the VM"
+        default: "false"
 
 jobs:
   configuration:
@@ -16,42 +21,48 @@ jobs:
     outputs:
       is_main_branch: ${{ (github.head_ref || github.ref) == 'refs/heads/main' }}
       version: ${{ steps.branches.outputs.sanitized-branch-name }}-gha.${{github.run_number}}
-      with_github_actions: ${{ contains(github.event.pull_request.body, '[x] /werft with-github-actions') }}
-      preview_enable: ${{ contains(github.event.pull_request.body, '[x] /werft with-preview') }}
-      preview_infra_provider: ${{ contains(github.event.pull_request.body, '[X] /werft with-gce-vm') && 'gce' || 'harvester' }}
-      build_no_cache: ${{ contains(github.event.pull_request.body, '[x] leeway-no-cache') }}
-      build_no_test: ${{ contains(github.event.pull_request.body, '[x] /werft no-test') }}
+      with_github_actions: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft with-github-actions') }}
+      preview_enable: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft with-preview') }}
+      preview_infra_provider: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft with-gce-vm') && 'gce' || 'harvester' }}
+      build_no_cache: ${{ contains( steps.pr-details.outputs.pr_body, '[x] leeway-no-cache') }}
+      build_no_test: ${{ contains( steps.pr-details.outputs.pr_body, '[x] /werft no-test') }}
       build_leeway_target: ${{ steps.output.outputs.build_leeway_target }}
-      with_large_vm: ${{ contains(github.event.pull_request.body, '[X] /werft with-large-vm') }}
-      publish_to_npm: ${{ contains(github.event.pull_request.body, '[X] /werft publish-to-npm') }}
-      publish_to_jbmp: ${{ contains(github.event.pull_request.body, '[X] /werft publish-to-jb-marketplace') }}
-      with_ws_manager_mk2: ${{ contains(github.event.pull_request.body, '[X] with-ws-manager-mk2') }}
-      with_dedicated_emulation: ${{ contains(github.event.pull_request.body, '[X] with-dedicated-emulation') }}
-      with_ee_license: ${{ contains(github.event.pull_request.body, '[X] with-ee-license') }}
-      with_slow_database: ${{ contains(github.event.pull_request.body, '[X] with-slow-database') }}
-      analytics: ${{ contains(github.event.pull_request.body, '[X] analytics') }}
+      with_large_vm: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft with-large-vm') }}
+      publish_to_npm: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft publish-to-npm') }}
+      publish_to_jbmp: ${{ contains( steps.pr-details.outputs.pr_body, '[X] /werft publish-to-jb-marketplace') }}
+      with_ws_manager_mk2: ${{ contains( steps.pr-details.outputs.pr_body, '[X] with-ws-manager-mk2') }}
+      with_dedicated_emulation: ${{ contains( steps.pr-details.outputs.pr_body, '[X] with-dedicated-emulation') }}
+      with_ee_license: ${{ contains( steps.pr-details.outputs.pr_body, '[X] with-ee-license') }}
+      with_slow_database: ${{ contains( steps.pr-details.outputs.pr_body, '[X] with-slow-database') }}
+      analytics: ${{ contains( steps.pr-details.outputs.pr_body, '[X] analytics') }}
       workspace_feature_flags: ${{ steps.output.outputs.workspace_feature_flags }}
       pr_no_diff_skip: ${{ steps.pr-diff.outputs.pr_no_diff_skip }}
     steps:
       - name: "Determine Branch"
         id: branches
         uses: transferwise/sanitize-branch-name@v1
+        # Since we trigger this worklow on other event types, besides pull_request
+        # We use this action to help us get the pr body, as it's not included in push/workflow_dispatch events
+      - uses: 8BitJonny/[email protected]
+        id: pr-details
+        with:
+          sha: ${{ github.event.pull_request.head.sha }}
         # If the PR got edited, but no checkbox changes occurred, we don't want to run the whole build
         # Therefore we set a flag and use it to skip the next jobs
       - name: "Check PR diff"
         id: pr-diff
+        if: (github.event_name == 'pull_request' && github.event.action == 'edited')
         env:
-          PR_DESC: '${{ github.event.pull_request.body }}'
+          PR_DESC: '${{  steps.pr-details.outputs.pr_body }}'
           OLD_BODY: '${{ github.event.changes.body.from }}'
-        if: (github.event_name == 'pull_request' && github.event.action == 'edited')
         run: |
           if ! diff <(echo "$OLD_BODY") <(echo "$PR_DESC") | grep -e '\[x\]' -e '\[X\]'; then
              echo "pr_no_diff_skip=true" >> $GITHUB_OUTPUT
           fi
       - name: "Set outputs"
         id: output
         env:
-          PR_DESC: '${{ github.event.pull_request.body }}'
+          PR_DESC: '${{ steps.pr-details.outputs.pr_body }}'
         shell: bash
         run: |
           {
@@ -116,6 +127,7 @@ jobs:
           infrastructure_provider: ${{ needs.configuration.outputs.preview_infra_provider }}
           previewctl_hash: ${{ needs.build-previewctl.outputs.previewctl_hash }}
           large_vm: ${{ needs.configuration.outputs.with_large_vm }}
+          recreate_vm: ${{ inputs.recreate_vm }}
 
   build-gitpod:
     name: Build Gitpod

Diff for: .github/workflows/comment-action.yaml

@@ -0,0 +1,101 @@
+name: comment-ops
+
+on:
+  issue_comment:
+    types: [ created ]
+
+# This action *ALWAYS* runs on main.
+# Any changes done to it, will not have an effect, until said changes have landed on the main branch
+# This has a side effect that always `head_ref == main` and `head_sha == main_head_sha`
+# Therefore we can't find out easily which PR the comment that triggered the action belongs to
+
+jobs:
+  configure:
+    # We *MUST* always check the author_association, which tells us if the person is an owner of the repo, or member of the org (i.e. has permissions)
+    # Otherwise they can execute arbitrary code if the triggered workflow (i.e. the build) is modified, as it's being run by the github-actions bot, and it always has permissions
+    if: |
+      (github.event.issue.author_association == 'OWNER' || github.event.issue.author_association == 'MEMBER') &&
+      (github.event.issue.pull_request && contains(github.event.comment.body, '/gh run'))
+    runs-on: [ self-hosted ]
+    # Technically we don't need these here, as we don't reuse them between jobs, but it's good to have them in a single place
+    outputs:
+      branch: ${{ steps.comment-branch.outputs.head_ref }}
+      run_url: ${{ steps.run_outputs.outputs.run_url }}
+      run_id: ${{ steps.run_outputs.outputs.run_id }}
+      recreate_vm: ${{ steps.configure.outputs.recreate-vm }}
+    steps:
+      # In order for us to find out from which PR the comment originates, we use the `xt0rted/pull-request-comment-branch@v1` action
+      - uses: xt0rted/pull-request-comment-branch@v1
+        id: comment-branch
+      # Set outputs we can reuse in the steps
+      - name: Set outputs
+        id: outputs
+        run: |
+          {
+            echo "recreate-vm=${{ contains(github.event.comment.body, 'recreate-vm') }}"
+          } >> $GITHUB_OUTPUT
+      # Trigger the build workflow with the input we got from the comment
+      # In the triggered job (build), we'll combine the information from the PR description, with the input we pass here
+      # Also we use workflow_dispatch, instead of a workflow_call ( uses: ./build.yaml with: ...)
+      # Because with the latter it's not possible to trigger a dynamic one (i.e. based on a branch) - the name has to be hardcoded
+      - name: Trigger Workflow
+        uses: actions/github-script@v6
+        with:
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'build.yaml',
+              ref: '${{ steps.comment-branch.outputs.head_ref }}',
+              inputs: {
+                "recreate_vm": '${{ steps.configure.outputs.recreate-vm }}'
+              }
+            })
+      # Getting the ID of the workflow we triggered above is a bit tricky, as it's async :(
+      # There is a trick we can do - add an input with a unique id, get the list of worklow runs, and check for that input in them until we can find it
+      # But it's an overkill for now
+      # Instead, we wait a little, and grab the last job that was triggered by a `workflow_dispatch` event, AND is not completed, and we hope for the best 🤞
+      - name: Get run URL
+        id: run_outputs
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          sleep 5
+          url=$(gh run list --repo '${{ github.repository }}' --workflow build.yaml -b ${{ steps.comment-branch.outputs.head_ref }} --json event,url,status -q '[.[] | select(.event=="workflow_dispatch") | select(.status!="completed").url][0]')
+          {
+            echo "run_url=${url}"
+            echo "run_id=${url##*/}"
+          } >> $GITHUB_OUTPUT
+      # Comment with a link to the job that got triggered
+      - uses: actions/github-script@v6
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: ${{ github.event.issue.number }},
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `#### Comment triggered a workflow run
+
+              Started workflow run: [${{ needs.configure.outputs.run_id }}](${{ needs.configure.outputs.run_url }})
+              * \`recreate_vm: ${{ steps.configure.outputs.recreate-vm }}\``
+            })
+
+  # Comment if this job failed, so there's some feedback
+  comment-fail:
+    if: failure()
+    runs-on: [ self-hosted ]
+    steps:
+      - uses: actions/github-script@v6
+        with:
+          github-token: ${{ github.token }}
+          script: |
+            let commentBody = '${{ github.event.comment.body }}'
+            commentBody += "\n\n Chat ops job failed. See [${{ github.run_id }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details"
+            github.rest.issues.updateComment({
+              issue_number: ${{ github.event.issue.number }},
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: ${{ github.event.comment.id }},
+              body: commentBody
+            })