feat(relay): add view hierarchy scrubbing #17128
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- master | |
- release/** | |
- release-library/** | |
pull_request: | |
types: [opened, synchronize, reopened, labeled] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
env: | |
CARGO_TERM_COLOR: always | |
RELAY_CARGO_ARGS: "--locked" | |
jobs: | |
lint: | |
name: Lint | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install libcurl-dev | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y libcurl4-openssl-dev | |
- uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.11" | |
- name: Install Rust Toolchain | |
run: rustup toolchain install stable --profile minimal --component clippy rustfmt rust-docs --no-self-update | |
- uses: swatinem/rust-cache@v2 | |
with: | |
key: ${{ github.job }} | |
- run: make style lint | |
- name: Check Docs | |
run: cargo doc --workspace --all-features --no-deps --document-private-items | |
env: | |
RUSTDOCFLAGS: -Dwarnings | |
lint_default: | |
name: Lint Rust Default Features | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install libcurl-dev | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y libcurl4-openssl-dev | |
- uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Install Rust Toolchain | |
run: rustup toolchain install stable --profile minimal --component clippy --no-self-update | |
- uses: swatinem/rust-cache@v2 | |
with: | |
key: ${{ github.job }} | |
- name: Run Clippy | |
run: cargo clippy --workspace --all-targets --no-deps -- -D warnings | |
devservices-files-changed: | |
name: detect what files changed | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 3 | |
outputs: | |
devservices-files-changed: ${{ steps.changes.outputs.devservices-files-changed }} | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 | |
name: Check for file changes | |
id: changes | |
with: | |
token: ${{ github.token }} | |
filters: | | |
devservices-files-changed: | |
- 'devservices/**' | |
- '.github/workflows/ci.yml' | |
test: | |
timeout-minutes: 20 | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [macos-latest, windows-latest] | |
name: Test (${{ matrix.os }}) | |
runs-on: ${{ matrix.os }} | |
# Skip redundant checks for library releases | |
if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Install Rust Toolchain | |
run: rustup toolchain install stable --profile minimal --no-self-update | |
- uses: swatinem/rust-cache@v2 | |
with: | |
key: ${{ github.job }} | |
- name: Run Cargo Tests | |
run: cargo test --workspace | |
test_all: | |
timeout-minutes: 15 | |
name: Test All Features (ubuntu-latest) | |
runs-on: ubuntu-latest | |
# Skip redundant checks for library releases | |
if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
# Testing all features requires Docker container operations that are only available on | |
# `ubuntu-latest`. This `test-all` job is to be seen as complementary to the `test` job. If | |
# services become available on other platforms, the jobs should be consolidated. See | |
# https://docs.github.com/en/actions/guides/about-service-containers | |
services: | |
redis: # https://docs.github.com/en/actions/guides/creating-redis-service-containers | |
image: ghcr.io/getsentry/image-mirror-library-redis:5.0-alpine | |
ports: | |
- 6379:6379 | |
redis_secondary: | |
image: ghcr.io/getsentry/image-mirror-library-redis:5.0-alpine | |
ports: | |
- 6380:6379 | |
steps: | |
- name: Install libcurl-dev | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y libcurl4-openssl-dev | |
- uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Install Rust Toolchain | |
run: rustup toolchain install stable --profile minimal --no-self-update | |
- uses: swatinem/rust-cache@v2 | |
with: | |
key: ${{ github.job }} | |
- name: Run Cargo Tests | |
run: cargo test --workspace --all-features | |
test_py: | |
# Skip redundant checks for binary releases | |
if: "!startsWith(github.ref, 'refs/heads/release/')" | |
name: Test Python | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Install Rust Toolchain | |
run: rustup toolchain install stable --profile minimal --no-self-update | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.10" | |
- name: Install Dependencies | |
run: pip install -U pytest | |
- uses: swatinem/rust-cache@v2 | |
with: | |
key: ${{ github.job }} | |
- name: Build and Install Library | |
run: pip install -v --editable py | |
env: | |
RELAY_DEBUG: 1 | |
- name: Run Python Tests | |
run: pytest -v py | |
build-setup: | |
name: Setup build metadata | |
runs-on: ubuntu-latest | |
if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
env: | |
FULL_CI: "${{ | |
github.ref == 'refs/heads/master' | |
|| startsWith(github.ref, 'refs/heads/release/') | |
|| contains(github.event.pull_request.labels.*.name, 'Trigger: Full-CI') | |
}}" | |
steps: | |
- id: set-outputs | |
run: | | |
echo "full_ci=$FULL_CI" >> $GITHUB_OUTPUT | |
if [[ "$FULL_CI" == "true" ]]; then | |
echo "Running full CI" | |
echo 'image_names=["relay", "relay-pop"]' >> $GITHUB_OUTPUT | |
echo 'targets=["x86_64-unknown-linux-gnu", "aarch64-unknown-linux-gnu"]' >> $GITHUB_OUTPUT | |
echo 'platforms=["linux/amd64","linux/arm64"]' >> $GITHUB_OUTPUT | |
else | |
echo "Skipping some CI steps" | |
echo 'image_names=["relay"]' >> $GITHUB_OUTPUT | |
echo 'targets=["x86_64-unknown-linux-gnu"]' >> $GITHUB_OUTPUT | |
echo 'platforms=["linux/amd64"]' >> $GITHUB_OUTPUT | |
fi | |
outputs: | |
image_names: "${{ steps.set-outputs.outputs.image_names }}" | |
targets: "${{ steps.set-outputs.outputs.targets }}" | |
platforms: "${{ steps.set-outputs.outputs.platforms }}" | |
full_ci: "${{ steps.set-outputs.outputs.full_ci }}" | |
build: | |
needs: build-setup | |
timeout-minutes: 30 | |
strategy: | |
matrix: | |
image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }} | |
target: ${{ fromJson(needs.build-setup.outputs.targets) }} | |
name: Build Relay Binary | |
runs-on: |- | |
${{fromJson('{ | |
"x86_64-unknown-linux-gnu": "ubuntu-20.04", | |
"aarch64-unknown-linux-gnu": "ubuntu-22.04-arm64-relay" | |
}')[matrix.target] }} | |
if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
env: | |
RELAY_BIN: "target/${{ matrix.target }}/release/relay" | |
FEATURES: |- | |
${{fromJson('{ | |
"relay": "processing,crash-handler", | |
"relay-pop": "crash-handler" | |
}')[matrix.image_name] }} | |
DOCKER_PLATFORM: |- | |
${{fromJson('{ | |
"x86_64-unknown-linux-gnu": "linux/amd64", | |
"aarch64-unknown-linux-gnu": "linux/arm64" | |
}')[matrix.target] }} | |
steps: | |
- name: Install dependencies | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y llvm curl | |
- name: Install sentry-cli | |
run: | | |
curl -sL https://sentry.io/get-cli/ | bash | |
- uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- uses: dtolnay/rust-toolchain@stable | |
- uses: swatinem/rust-cache@v2 | |
with: | |
key: "${{ github.job }}-${{ matrix.target }}-${{ matrix.image_name }}" | |
- name: Compile | |
run: | | |
cargo build --release --locked --features "${FEATURES}" --target "${{ matrix.target }}" | |
- name: Split debug info | |
run: | | |
llvm-objcopy --only-keep-debug "${RELAY_BIN}"{,.debug} | |
llvm-objcopy --strip-debug --strip-unneeded "${RELAY_BIN}" | |
llvm-objcopy --add-gnu-debuglink "${RELAY_BIN}"{.debug,} | |
sentry-cli difutil bundle-sources "${RELAY_BIN}.debug" | |
zip "${RELAY_BIN}-debug.zip" "${RELAY_BIN}.debug" | |
- name: Prepare Artifacts | |
run: | | |
mkdir -p "artifacts/${DOCKER_PLATFORM}" | |
cp "${RELAY_BIN}"{,-debug.zip,.src.zip} "artifacts/${DOCKER_PLATFORM}" | |
- name: Upload Artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
retention-days: 1 | |
name: ${{ matrix.image_name }}@${{ matrix.target }} | |
path: "./artifacts/*" | |
build-docker: | |
timeout-minutes: 5 | |
needs: [build-setup, build] | |
name: Build Docker Image | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }} | |
env: | |
PLATFORMS: "${{ join(fromJson(needs.build-setup.outputs.platforms), ',') }}" | |
DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}" | |
REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: docker/setup-qemu-action@v3 | |
- uses: docker/setup-buildx-action@v3 | |
- uses: actions/download-artifact@v4 | |
with: | |
pattern: "${{ matrix.image_name }}@*" | |
merge-multiple: true | |
- name: Build and push to ghcr.io | |
if: "!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'" | |
run: | | |
docker login --username '${{ github.actor }}' --password '${{ secrets.GITHUB_TOKEN }}' ghcr.io | |
docker buildx build \ | |
--platform "${PLATFORMS}" \ | |
--tag "${DOCKER_IMAGE}:${REVISION}" \ | |
$( [[ "${GITHUB_REF}" == "refs/heads/master" ]] && printf %s "--tag ${DOCKER_IMAGE}:nightly" ) \ | |
--file Dockerfile.release \ | |
--push \ | |
. | |
- name: Build and publish docker artifact | |
if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" | |
run: | | |
docker buildx build \ | |
--platform "${PLATFORMS}" \ | |
--tag "${DOCKER_IMAGE}:${REVISION}" \ | |
--file Dockerfile.release \ | |
--output type=docker,dest=${{ matrix.image_name }}-docker-image \ | |
. | |
- name: Upload docker image | |
if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" | |
uses: actions/upload-artifact@v4 | |
with: | |
retention-days: 1 | |
name: ${{ matrix.image_name }}-docker-image | |
path: "${{ matrix.image_name }}-docker-image" | |
publish-to-dockerhub: | |
needs: [build-setup, build-docker] | |
runs-on: ubuntu-20.04 | |
name: Publish Relay to DockerHub | |
strategy: | |
matrix: | |
image_name: ["relay"] # Don't publish relay-pop (for now) | |
if: ${{ (github.ref_name == 'master') }} | |
env: | |
GHCR_DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}" | |
DH_DOCKER_IMAGE: "getsentry/${{ matrix.image_name }}" | |
REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" | |
steps: | |
- name: Login to DockerHub | |
run: docker login --username=sentrybuilder --password ${{ secrets.DOCKER_HUB_RW_TOKEN }} | |
- name: Copy Image from GHCR to DockerHub | |
run: | | |
# We push 3 tags to Dockerhub: | |
# 1) the full sha of the commit | |
docker buildx imagetools create --tag "${DH_DOCKER_IMAGE}:${REVISION}" "${GHCR_DOCKER_IMAGE}:${REVISION}" | |
# 2) the short sha | |
SHORT_SHA=$(echo ${GITHUB_SHA} | cut -c1-8) | |
docker buildx imagetools create --tag "${DH_DOCKER_IMAGE}:${SHORT_SHA}" "${GHCR_DOCKER_IMAGE}:${REVISION}" | |
# 3) nightly | |
docker buildx imagetools create --tag "${DH_DOCKER_IMAGE}:nightly" "${GHCR_DOCKER_IMAGE}:${REVISION}" | |
publish-to-gcr: | |
timeout-minutes: 5 | |
needs: [build-setup, build-docker] | |
name: Publish Relay to GCR | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }} | |
# required for google auth | |
permissions: | |
contents: "read" | |
id-token: "write" | |
env: | |
GHCR_DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}" | |
AR_DOCKER_IMAGE: "us-central1-docker.pkg.dev/sentryio/relay/${{ matrix.image_name }}" | |
REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" | |
# Skip redundant checks for library releases | |
# Skip for dependabot and if run on a fork | |
if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" | |
steps: | |
- name: Google Auth | |
id: auth | |
uses: google-github-actions/auth@v2 | |
with: | |
workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool | |
service_account: [email protected] | |
- name: "Set up Cloud SDK" | |
uses: "google-github-actions/setup-gcloud@v2" | |
with: | |
# https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation | |
# You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools. | |
version: ">= 390.0.0" | |
- name: Configure docker | |
run: | | |
gcloud auth configure-docker us-central1-docker.pkg.dev | |
- name: Copy Image from GHCR to AR | |
run: docker buildx imagetools create --tag "${AR_DOCKER_IMAGE}:${REVISION}" "${GHCR_DOCKER_IMAGE}:${REVISION}" | |
- name: Copy Nightly from GHCR to AR | |
if: github.ref == 'refs/heads/master' | |
run: docker buildx imagetools create --tag "${AR_DOCKER_IMAGE}:nightly" "${GHCR_DOCKER_IMAGE}:nightly" | |
gocd-artifacts: | |
timeout-minutes: 5 | |
needs: [build-setup, build-docker] | |
name: Upload build artifacts to gocd | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
image_name: ${{ fromJson(needs.build-setup.outputs.image_names) }} | |
# required for google auth | |
permissions: | |
contents: "read" | |
id-token: "write" | |
env: | |
GHCR_DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}" | |
REVISION: "${{ github.event.pull_request.head.sha || github.sha }}" | |
if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && needs.build-setup.outputs.full_ci == 'true'" | |
steps: | |
- name: Google Auth | |
id: auth | |
uses: google-github-actions/auth@v2 | |
with: | |
workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool | |
service_account: [email protected] | |
- name: "Set up Cloud SDK" | |
uses: "google-github-actions/setup-gcloud@v2" | |
with: | |
# https://github.com/google-github-actions/auth#authenticating-via-workload-identity-federation | |
# You must use the Cloud SDK version 390.0.0 or later to authenticate the bq and gsutil tools. | |
version: ">= 390.0.0" | |
- name: Upload gocd deployment assets | |
run: | | |
set -euxo pipefail | |
VERSION="$(docker run --rm "${GHCR_DOCKER_IMAGE}:${REVISION}" --version | cut -d" " -f2)" | |
echo "${{ matrix.image_name }}@${VERSION}+${REVISION}" > release-name | |
docker run --rm --entrypoint cat "${GHCR_DOCKER_IMAGE}:${REVISION}" /opt/relay-debug.zip > relay-debug.zip | |
docker run --rm --entrypoint cat "${GHCR_DOCKER_IMAGE}:${REVISION}" /opt/relay.src.zip > relay.src.zip | |
docker run --rm --entrypoint tar "${GHCR_DOCKER_IMAGE}:${REVISION}" -cf - /lib/x86_64-linux-gnu > libs.tar | |
# debugging for mysterious "Couldn't write tracker file" issue: | |
(env | grep runner) || true | |
ls -ld \ | |
/home \ | |
/home/runner \ | |
/home/runner/.gsutil \ | |
/home/runner/.gsutil/tracker-files \ | |
/home/runner/.gsutil/tracker-files/upload_TRACKER_*.rc.zip__JSON.url \ | |
|| true | |
gsutil -m cp -L gsutil.log ./libs.tar ./relay-debug.zip ./relay.src.zip ./release-name \ | |
"gs://dicd-team-devinfra-cd--relay/deployment-assets/${REVISION}/${{ matrix.image_name }}/" || status=$? && status=$? | |
cat gsutil.log | |
exit "$status" | |
test_integration: | |
name: Integration Tests | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
# Skip redundant checks for library releases | |
if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
services: | |
redis: # https://docs.github.com/en/actions/guides/creating-redis-service-containers | |
image: ghcr.io/getsentry/image-mirror-library-redis:5.0-alpine | |
ports: | |
- 6379:6379 | |
redis_secondary: | |
image: ghcr.io/getsentry/image-mirror-library-redis:5.0-alpine | |
ports: | |
- 6380:6379 | |
zookeeper: | |
image: ghcr.io/getsentry/image-mirror-confluentinc-cp-zookeeper:6.2.0 | |
env: | |
ZOOKEEPER_CLIENT_PORT: 2181 | |
kafka: | |
image: ghcr.io/getsentry/image-mirror-confluentinc-cp-kafka:6.2.0 | |
env: | |
KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181 | |
KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://127.0.0.1:9092 | |
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1 | |
KAFKA_OFFSETS_TOPIC_NUM_PARTITIONS: 1 | |
ports: | |
- 9092:9092 | |
steps: | |
- name: Install libcurl-dev | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y libcurl4-openssl-dev | |
- uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
- name: Install Rust Toolchain | |
run: rustup toolchain install stable --profile minimal --no-self-update | |
- uses: swatinem/rust-cache@v2 | |
with: | |
key: ${{ github.job }} | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.11" | |
- run: make test-integration | |
env: | |
PYTEST_N: 6 | |
RELAY_VERSION_CHAIN: "23.12.0,latest" | |
sentry-relay-integration-tests: | |
name: Sentry-Relay Integration Tests | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
needs: build-docker | |
# Skip redundant checks for library releases | |
if: "!startsWith(github.ref, 'refs/heads/release-library/')" | |
steps: | |
# Checkout Sentry and run integration tests against latest Relay | |
- name: Checkout Sentry | |
uses: actions/checkout@v4 | |
with: | |
repository: getsentry/sentry | |
path: sentry | |
- name: Setup steps | |
id: setup | |
run: | | |
# GITHUB_SHA in pull requests points to the merge commit | |
RELAY_TEST_IMAGE=ghcr.io/getsentry/relay:${{ github.event.pull_request.head.sha || github.sha }} | |
echo "We expected GCB to push this image $RELAY_TEST_IMAGE" | |
echo "relay-test-image=$RELAY_TEST_IMAGE" >> "$GITHUB_OUTPUT" | |
# We cannot execute actions that are not placed under .github of the main repo | |
mkdir -p .github/actions | |
cp -r sentry/.github/actions/setup-sentry .github/actions/ | |
- name: Setup Sentry | |
uses: ./.github/actions/setup-sentry | |
with: | |
workdir: sentry | |
snuba: true | |
kafka: true | |
symbolicator: true | |
- name: Download Docker Image | |
if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" | |
uses: actions/download-artifact@v4 | |
with: | |
name: relay-docker-image | |
- name: Import Docker Image | |
if: "github.event.pull_request.head.repo.fork || github.actor == 'dependabot[bot]'" | |
run: docker load -i relay-docker-image | |
- name: Run Sentry integration tests | |
working-directory: sentry | |
env: | |
RELAY_TEST_IMAGE: ${{ steps.setup.outputs.relay-test-image }} | |
run: | | |
echo "Testing against ${RELAY_TEST_IMAGE}" | |
make test-relay-integration | |
self-hosted-end-to-end: | |
runs-on: ubuntu-latest | |
timeout-minutes: 25 | |
needs: build-docker | |
# - Skip redundant checks for library releases | |
# - Skip for dependabot or if it's a fork as the image cannot be uploaded to ghcr since this test attempts to pull | |
# the image from ghcr | |
if: "!startsWith(github.ref, 'refs/heads/release-library/') && !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]'" | |
steps: | |
- name: Run Sentry self-hosted e2e CI | |
uses: getsentry/self-hosted@master | |
with: | |
project_name: relay | |
image_url: ghcr.io/getsentry/relay:${{ github.event.pull_request.head.sha || github.sha }} | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
validate-devservices-config: | |
runs-on: ubuntu-24.04 | |
needs: devservices-files-changed | |
if: ${{ needs.devservices-files-changed.outputs.devservices-files-changed == 'true' }} | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
name: Checkout repository | |
- uses: getsentry/action-validate-devservices-config@6477ef1e9c96e456bfad726006e731f89fcd81db | |
name: Validate devservices config | |
with: | |
requirements-file-path: requirements-dev.txt |