ci: move to GitHub Actions

WORK IN PROGRESS

Change-Id: I671dbbcbbe9d00a3ebf6f74edb01143fb2b05855

Author: primiano

.github/workflows/test_runner.yml

@@ -0,0 +1,151 @@
+name: Perfetto CI
+on:
+  # 1. continuous
+  schedule:
+    # Run every 6 hours
+    - cron: "0 */6 * * *"
+
+  # 2. postsubmit
+  push:
+    branches:
+      - main
+      - test
+
+  # 3. presubmits
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+      - test
+
+
+jobs:
+  test:
+    runs-on: self-hosted
+    timeout-minutes: 45
+    strategy:
+      matrix:
+        config:
+          # - name: linux-clang-x86_64-debug
+          #   PERFETTO_TEST_GN_ARGS: 'is_debug=true is_hermetic_clang=false non_hermetic_clang_stdlib="libc++" enable_perfetto_merged_protos_check=true'
+          #   PERFETTO_TEST_SCRIPT: 'test/ci/linux_tests.sh'
+          #   PERFETTO_INSTALL_BUILD_DEPS_ARGS: ''
+          # - name: linux-clang-x86_64-tsan
+          #   PERFETTO_TEST_GN_ARGS: 'is_debug=false is_tsan=true'
+          #   PERFETTO_TEST_SCRIPT: 'test/ci/linux_tests.sh'
+          #   PERFETTO_INSTALL_BUILD_DEPS_ARGS: ''
+          # - name: linux-clang-x86_64-msan
+          #   PERFETTO_TEST_GN_ARGS: 'is_debug=false is_msan=true'
+          #   PERFETTO_TEST_SCRIPT: 'test/ci/linux_tests.sh'
+          #   PERFETTO_INSTALL_BUILD_DEPS_ARGS: ''
+          # - name: linux-clang-x86_64-asan_lsan
+          #   PERFETTO_TEST_GN_ARGS: 'is_debug=false is_asan=true is_lsan=true'
+          #   PERFETTO_TEST_SCRIPT: 'test/ci/linux_tests.sh'
+          #   PERFETTO_INSTALL_BUILD_DEPS_ARGS: ''
+          # - name: linux-clang-x86-release
+          #   PERFETTO_TEST_GN_ARGS: 'is_debug=false target_cpu="x86"'
+          #   PERFETTO_TEST_SCRIPT: 'test/ci/linux_tests.sh'
+          #   PERFETTO_INSTALL_BUILD_DEPS_ARGS: ''
+          # - name: linux-gcc8-x86_64-release
+          #   PERFETTO_TEST_GN_ARGS: 'is_debug=false is_clang=false enable_perfetto_grpc=true cc="gcc-8" cxx="g++-8"'
+          #   PERFETTO_TEST_SCRIPT: 'test/ci/linux_tests.sh'
+          #   PERFETTO_INSTALL_BUILD_DEPS_ARGS: '--grpc'
+          # - name: android-clang-arm-release
+          #   PERFETTO_TEST_GN_ARGS: 'is_debug=false target_os="android" target_cpu="arm"'
+          #   PERFETTO_TEST_SCRIPT: 'test/ci/android_tests.sh'
+          #   PERFETTO_INSTALL_BUILD_DEPS_ARGS: '--android'
+          # - name: linux-clang-x86_64-libfuzzer
+          #   PERFETTO_TEST_GN_ARGS: 'is_debug=false is_fuzzer=true is_asan=true'
+          #   PERFETTO_TEST_SCRIPT: 'test/ci/fuzzer_tests.sh'
+          #   PERFETTO_INSTALL_BUILD_DEPS_ARGS: ''
+          - name: linux-clang-x86_64-bazel
+            PERFETTO_TEST_GN_ARGS: ''
+            PERFETTO_TEST_SCRIPT: 'test/ci/bazel_tests.sh'
+            PERFETTO_INSTALL_BUILD_DEPS_ARGS: '--bazel'
+          - name: ui-clang-x86_64-release
+            PERFETTO_TEST_GN_ARGS: 'is_debug=false'
+            PERFETTO_TEST_SCRIPT: 'test/ci/ui_tests.sh'
+            PERFETTO_INSTALL_BUILD_DEPS_ARGS: '--ui'
+
+    env:
+      # /tmp/cache contains {ccache, bazelcache} and generally any other cache
+      # that should be persisted across jobs, but only updated from the main
+      # branch. This is populated by the "actions/cache/restore" step below.
+      # TODO here check this between docker and this. DNS
+      PERFETTO_CACHE_DIR: /ci/ramdisk
+      PERFETTO_TEST_GN_ARGS: ${{ matrix.config.PERFETTO_TEST_GN_ARGS }}
+      PERFETTO_TEST_SCRIPT: ${{ matrix.config.PERFETTO_TEST_SCRIPT }}
+      PERFETTO_INSTALL_BUILD_DEPS_ARGS: ${{ matrix.config.PERFETTO_INSTALL_BUILD_DEPS_ARGS }}
+      PERFETTO_TEST_JOB: gh-${{ github.run_id }}-${{ matrix.config.name }}
+      PERFETTO_TEST_NINJA_ARGS:  # Deliberately empty, set in some other env
+    steps:
+      - name: Set up artifacts
+        # TODO un-hardcode /ci/artifacts, pass through PERFETTO_ARTIFACTS_DIR
+        run: |
+          echo "PERFETTO_ARTIFACTS_DIR=/ci/artifacts/$PERFETTO_TEST_JOB" >> $GITHUB_ENV
+          echo "Job id ${{ github.run_id }}-${{ github.job }}"
+
+      - name: Set up tmpfs dirs
+        run: |
+          mkdir -p "${{ env.PERFETTO_CACHE_DIR }}"
+          mkdir -p "${{ env.PERFETTO_ARTIFACTS_DIR }}"
+
+      # Check out code.
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Set up cache
+        # By default ccache uses the mtime of the compiler. This doesn't work
+        # because our compilers are hermetic and their mtime is the time when we
+        # run install-build-deps. Given that the toolchain is rolled via
+        # install-build-deps we use that file as an identity function for the
+        # compiler check.
+        run: |
+          mkdir -p "${{ env.PERFETTO_CACHE_DIR }}/ccache"
+          DEPS_SHA=$(shasum "tools/install-build-deps" | awk '{print $1}')
+          echo "DEPS_SHA=$DEPS_SHA" >> $GITHUB_ENV
+          echo "CCACHE_COMPILERCHECK=string:$DEPS_SHA" >> $GITHUB_ENV
+          echo "CCACHE_BASEDIR=${{ github.workspace }}" >> $GITHUB_ENV
+          echo "CCACHE_DIR=${{ env.PERFETTO_CACHE_DIR }}/ccache" >> $GITHUB_ENV
+          echo "CCACHE_MAXSIZE=8G" >> $GITHUB_ENV
+          echo "CCACHE_SLOPPINESS=include_file_ctime,include_file_mtime" >> $GITHUB_ENV
+          echo "CCACHE_NOCOMPRESS=1" >> $GITHUB_ENV
+          echo "CCACHE_COMPILERCHECK=string:$(shasum tools/install-build-deps)" >> $GITHUB_ENV
+          echo "CCACHE_UMASK=000" >> $GITHUB_ENV
+          echo "CCACHE_DEPEND=1" >> $GITHUB_ENV
+
+      # TODO remove this
+      - name: Print env vars
+        run: pwd; ls -la; env;
+
+      - name: Restore cache and buildtools from GitHub cache
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.PERFETTO_CACHE_DIR }}
+            buildtools
+          key: cache-${{ matrix.config.name }}-${{ env.DEPS_SHA }}
+
+      # TODO remove the two entries below, debug only.
+      - name: ls buildtools
+        run: ls -la buildtools/
+
+      - name: ls cache
+        run: ls -laR ${{ env.PERFETTO_CACHE_DIR }}
+
+      - name: Build and test
+        run: ${{ env.PERFETTO_TEST_SCRIPT }}
+        shell: bash
+
+      - name: ccache stats
+        run: ccache --show-stats
+
+      - name: Update cache (if on main)
+        if: github.ref == 'refs/heads/main'
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            ${{ env.PERFETTO_CACHE_DIR }}
+            buildtools
+          key: cache-${{ matrix.config.name }}-${{ env.DEPS_SHA }}

docs/design-docs/continuous-integration.md

@@ -272,7 +272,7 @@ docker run worker-N ...
 - It streams the container stdout/stderr to the DB.
 - It upload the build artifacts to GCS.
 
-### [testrunner.sh](/infra/ci/sandbox/testrunner.sh)
+### testrunner.sh
 
 - It is pinned in the container image. Does NOT depend on the particular
   revision being tested.

infra/ci/Makefile

@@ -77,11 +77,10 @@ clean:
 		--maintenance-policy=MIGRATE \
 		--service-account=gce-ci-worker@${PROJECT}.iam.gserviceaccount.com \
 		--scopes=${GCE_SCOPES} \
-		--image=cos-85-13310-1209-10 \
-		--image-project=cos-cloud \
+		--image=projects/cos-cloud/global/images/cos-117-18613-164-81 \
 		--boot-disk-size=100GB \
 		--boot-disk-type=pd-ssd \
-		--boot-disk-device-name=ci-worker-template \
+		--boot-disk-device-name=${GCE_TEMPLATE} \
 		--local-ssd=interface=NVME \
 		--local-ssd=interface=NVME
 	touch $@
@@ -102,7 +101,7 @@ gcloud compute --project=${PROJECT} \
 	instance-groups managed create ${GCE_GROUP_NAME}-$1 \
 	--region=$1 \
 	--base-instance-name=ci-$1 \
-	--template=ci-worker-template \
+	--template=${GCE_TEMPLATE} \
 	--size=1
 gcloud compute --quiet --project=$(PROJECT) \
 	instance-groups managed set-autoscaling ${GCE_GROUP_NAME}-$1 \
@@ -137,14 +136,14 @@ stop-worker-for-testing:
 	gcloud compute --quiet \
 		--project ${PROJECT} \
 		instances delete ${GCE_VM_NAME} \
-		--zone us-central1-f
+		--zone us-west1-c
 
 .PHONY: start-worker-for-testing
 start-worker-for-testing: .deps/gce-template
 	gcloud compute --quiet \
 		--project ${PROJECT} \
 		instances create ${GCE_VM_NAME} \
-		--zone us-central1-f \
+		--zone us-west1-c \
 		--source-instance-template=${GCE_TEMPLATE}
 
 # Debugging client to make OAuth2 authenticated requests manually.

infra/ci/config.py

@@ -30,14 +30,20 @@
 GERRIT_VOTING_ENABLED = True
 LOGLEVEL = 'info'
 
+
+# IDs for the Perfetto CI GitHub app.
+GITHUB_REPO = 'google/perfetto'
+GITHUB_APP_ID = 1184402
+GITHUB_APP_INSTALLATION_ID = 62928975
+
 # Cloud config (GCE = Google Compute Engine, GAE = Google App Engine)
 PROJECT = 'perfetto-ci'
 
 GAE_VERSION = 'prod'
 DB_ROOT = 'https://%s.firebaseio.com' % PROJECT
 DB = DB_ROOT + '/ci'
-SANDBOX_IMG = 'us-docker.pkg.dev/%s/containers/sandbox' % PROJECT
-WORKER_IMG = 'us-docker.pkg.dev/%s/containers/worker' % PROJECT
+SANDBOX_IMG = 'us-docker.pkg.dev/%s/containers/gh-sandbox' % PROJECT
+WORKER_IMG = 'us-docker.pkg.dev/%s/containers/gh-worker' % PROJECT
 CI_SITE = 'https://ci.perfetto.dev'
 GCS_ARTIFACTS = 'perfetto-ci-artifacts'
 
@@ -47,11 +53,12 @@
 TRUSTED_EMAILS = '^.*@google.com$'
 
 GCE_REGIONS = 'us-west1'
-GCE_VM_NAME = 'ci-worker'
+GCE_VM_NAME = 'gh-worker'
 GCE_VM_TYPE = 'c2d-standard-32'
-GCE_TEMPLATE = 'ci-worker-template'
+GCE_TEMPLATE = 'gh-worker-template'
 GCE_GROUP_NAME = 'ci'
-MAX_VMS_PER_REGION = 8
+# MAX_VMS_PER_REGION = 8  TODO restore to 8 after killing old CI
+MAX_VMS_PER_REGION = 1
 NUM_WORKERS_PER_VM = 4
 
 GCE_SCOPES = [
@@ -64,66 +71,10 @@
     'https://www.googleapis.com/auth/userinfo.email',
 ]
 
-# Only variables starting with PERFETTO_ are propagated into the sandbox.
-JOB_CONFIGS = {
-    'linux-clang-x86_64-debug': {
-        'PERFETTO_TEST_GN_ARGS': 'is_debug=true is_hermetic_clang=false '
-                                 'non_hermetic_clang_stdlib="libc++" '
-                                 'enable_perfetto_merged_protos_check=true',
-        'PERFETTO_TEST_SCRIPT': 'test/ci/linux_tests.sh',
-        'PERFETTO_INSTALL_BUILD_DEPS_ARGS': '',
-    },
-    'linux-clang-x86_64-tsan': {
-        'PERFETTO_TEST_GN_ARGS': 'is_debug=false is_tsan=true',
-        'PERFETTO_TEST_SCRIPT': 'test/ci/linux_tests.sh',
-        'PERFETTO_INSTALL_BUILD_DEPS_ARGS': '',
-    },
-    'linux-clang-x86_64-msan': {
-        'PERFETTO_TEST_GN_ARGS': 'is_debug=false is_msan=true',
-        'PERFETTO_TEST_SCRIPT': 'test/ci/linux_tests.sh',
-        'PERFETTO_INSTALL_BUILD_DEPS_ARGS': '',
-    },
-    'linux-clang-x86_64-asan_lsan': {
-        'PERFETTO_TEST_GN_ARGS': 'is_debug=false is_asan=true is_lsan=true',
-        'PERFETTO_TEST_SCRIPT': 'test/ci/linux_tests.sh',
-        'PERFETTO_INSTALL_BUILD_DEPS_ARGS': '',
-    },
-    'linux-clang-x86-release': {
-        'PERFETTO_TEST_GN_ARGS': 'is_debug=false target_cpu="x86"',
-        'PERFETTO_TEST_SCRIPT': 'test/ci/linux_tests.sh',
-        'PERFETTO_INSTALL_BUILD_DEPS_ARGS': '',
-    },
-    'linux-gcc8-x86_64-release': {
-        'PERFETTO_TEST_GN_ARGS':
-            'is_debug=false is_clang=false enable_perfetto_grpc=true '
-            'cc="gcc-8" cxx="g++-8"',
-        'PERFETTO_TEST_SCRIPT': 'test/ci/linux_tests.sh',
-        'PERFETTO_INSTALL_BUILD_DEPS_ARGS': '--grpc',
-    },
-    'android-clang-arm-release': {
-        'PERFETTO_TEST_GN_ARGS':
-            'is_debug=false target_os="android" target_cpu="arm"',
-        'PERFETTO_TEST_SCRIPT':
-            'test/ci/android_tests.sh',
-        'PERFETTO_INSTALL_BUILD_DEPS_ARGS':
-            '--android',
-    },
-    'linux-clang-x86_64-libfuzzer': {
-        'PERFETTO_TEST_GN_ARGS': 'is_debug=false is_fuzzer=true is_asan=true',
-        'PERFETTO_TEST_SCRIPT': 'test/ci/fuzzer_tests.sh',
-        'PERFETTO_INSTALL_BUILD_DEPS_ARGS': '',
-    },
-    'linux-clang-x86_64-bazel': {
-        'PERFETTO_TEST_GN_ARGS': '',
-        'PERFETTO_TEST_SCRIPT': 'test/ci/bazel_tests.sh',
-        'PERFETTO_INSTALL_BUILD_DEPS_ARGS': '--bazel',
-    },
-    'ui-clang-x86_64-release': {
-        'PERFETTO_TEST_GN_ARGS': 'is_debug=false',
-        'PERFETTO_TEST_SCRIPT': 'test/ci/ui_tests.sh',
-        'PERFETTO_INSTALL_BUILD_DEPS_ARGS': '--ui',
-    },
-}
+SANDBOX_SVC_ACCOUNT = 'gce-ci-sandbox@perfetto-ci.iam.gserviceaccount.com'
+
+# TODO remove this
+JOB_CONFIGS = {}
 
 if __name__ == '__main__':
   import os

infra/ci/sandbox/Dockerfile

@@ -30,16 +30,12 @@ RUN set -ex; \
                        openjdk-11-jdk; \
     apt-get -y install libc++-8-dev libc++abi-8-dev clang-8; \
     update-alternatives --install /usr/bin/python python /usr/bin/python3.7 1; \
+    pip3 install protobuf pandas grpcio; \
     gcc-8 --version; \
     g++-8 --version; \
     clang-8 --version; \
     clang++-8 --version; \
-    java --version; \
-    pip3 install protobuf pandas grpcio; \
-    groupadd -g 1337 perfetto; \
-    useradd -d /ci/ramdisk -u 1337 -g perfetto perfetto; \
-    apt-get -y autoremove; \
-    rm -rf /var/lib/apt/lists/* /usr/share/man/* /usr/share/doc/*;
+    java --version;
 
 # Chrome/puppeteer deps.
 RUN set -ex; \
@@ -55,16 +51,32 @@ RUN set -ex; \
                xdg-utils fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei \
                fonts-thai-tlwg fonts-kacst fonts-freefont-ttf
 
-# Cleanup to reduce image size
-RUN     apt-get -y autoremove; \
-        rm -rf /var/lib/apt/lists/* /usr/share/man/* /usr/share/doc/*; \
-        rm -rf /root/.cache/;
+RUN set -ex; \
+    export DEBIAN_FRONTEND=noninteractive; \
+    apt-get -y install jq python3-jwt python3-requests
+
 
-COPY testrunner.sh /ci/testrunner.sh
-COPY init.sh /ci/init.sh
+RUN set -ex; \
+    mkdir -p /ci; \
+    groupadd -g 1001 perfetto; \
+    useradd -m -d /ci/ramdisk -u 1001 -g perfetto perfetto; \
+    apt-get -y autoremove; \
+    rm -rf /var/lib/apt/lists/* /usr/share/man/* /usr/share/doc/*; \
+    rm -rf /var/lib/apt/lists/* /usr/share/man/* /usr/share/doc/*; \
+    rm -rf /root/.cache/;
+
+COPY sandbox.sh /ci/sandbox.sh
 RUN chmod -R a+rx /ci/
 
+# Download GitHub Actions runner
+RUN set -ex; \
+    mkdir /opt/github-action-runner; \
+    cd /opt/github-action-runner; \
+    RUNNER_URL=$(curl -s https://api.github.com/repos/actions/runner/releases/latest | jq -r .assets[].browser_download_url | grep "linux-x64"); \
+    curl -o actions-runner.tar.gz -L "$RUNNER_URL"; \
+    tar xzf actions-runner.tar.gz; \
+    rm -f actions-runner.tar.gz;
+
 VOLUME [ "/ci/cache", "/ci/ramdisk", "/ci/artifacts" ]
 ENTRYPOINT [ "tini", "-g", "--" ]
-CMD [ "bash", "/ci/init.sh" ]
-
+CMD [ "bash", "/ci/sandbox.sh" ]

infra/ci/sandbox/init.sh infra/ci/sandbox/sandbox.sh

@@ -13,11 +13,28 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Performs initialization that requires root, then runs the test as non-root.
+# Performs initialization that requires root, then runs the GitHub action runner
+# as non-root.
 
-set -eux
+set -eu
 chmod 777 /ci/cache /ci/artifacts
 chown perfetto.perfetto /ci/ramdisk
 cd /ci/ramdisk
 ls -A1 | xargs rm -rf
-exec sudo -u perfetto -g perfetto -EH bash /ci/testrunner.sh
+
+cat << EOF > /ci/run.sh
+cd /opt/github-action-runner
+
+# Configure the runner (replace with org or repo URL as required)
+./config.sh --unattended --ephemeral --replace \
+            --url "https://github.com/$GITHUB_REPO" \
+            --token "$GITHUB_TOKEN"
+
+# Run the GitHub Action Runner
+GITHUB_TOKEN="" ./run.sh
+
+EOF
+
+chmod 755 /ci/run.sh
+
+exec sudo -u perfetto -g perfetto -EH /ci/run.sh

infra/ci/sandbox/testrunner.sh

@@ -12,36 +12,54 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# docker:stable is an Alpine-based distro.
-FROM docker:stable
+FROM debian:bookworm
 
-RUN apk update && apk add python3 py-pip sudo tini
-RUN pip3 install oauth2client httplib2 google-auth google-cloud requests;
+RUN set -ex; \
+    export DEBIAN_FRONTEND=noninteractive; \
+    apt-get update; \
+    apt-get -y install ca-certificates curl gnupg lsb-release sudo tini \
+            python3 python3-jwt python3-requests python3-oauth2client \
+            python3-httplib2 python3-google-auth python3-google-auth-oauthlib \
+            python3-googleapi
 
+# Install docker
+RUN curl -fsSL https://download.docker.com/linux/debian/gpg | \
+    gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg; \
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] \
+    https://download.docker.com/linux/debian $(lsb_release -cs) stable" | \
+    tee /etc/apt/sources.list.d/docker.list > /dev/null; \
+    apt-get update && apt-get install -y docker-ce docker-ce-cli containerd.io
+
+
+# Install gcloud
+RUN curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | \
+    gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg; \
+    echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
+    | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list; \
+    apt-get update && apt-get install -y google-cloud-cli
 
 # Unfortunately Docker doesn't allow to copy a file from ../. So we copy instead
 # the config files into tmp/ from the Makefile that runs docker build.
-COPY tmp/config.py /home/perfetto/config.py
-COPY tmp/common_utils.py /home/perfetto/common_utils.py
-COPY artifacts_uploader.py /home/perfetto/
-COPY perf_metrics_uploader.py /home/perfetto/
-COPY run_job.py /home/perfetto/
-COPY worker.py /home/perfetto/
+COPY tmp/config.py /home/worker/config.py
+COPY tmp/common_utils.py /home/worker/common_utils.py
+COPY artifacts_uploader.py /home/worker/
+COPY worker.py /home/worker/
+COPY get_github_token.py /home/worker/
 
 # Allow the worker to spawn new docker containers (for the jobs' sandboxes).
-# This makes the worker container highly priviledged (effectiveely can run  any
+# This makes the worker container highly priviledged (effectiveely can run any
 # commands on the GCE vm). The worker container is trusted and must never run
-# code from a tryjob (which instead is run into the sandbox containers).
+# code from a GitHub action (which instead is run into the sandbox containers).
 RUN set -e; \
     echo 'root ALL=(ALL) ALL' /etc/sudoers; \
-    echo 'perfetto ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers; \
-    addgroup -S --gid 1337 perfetto; \
-    adduser -S --uid 1337 -h /home/perfetto perfetto perfetto; \
-    chown perfetto.perfetto -R /home/perfetto; \
-    chmod -R 755 /home/perfetto;
+    echo 'worker ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers; \
+    groupadd -g 1091 worker; \
+    useradd -d /home/worker -u 1091 -g worker worker; \
+    chown worker:worker -R /home/worker; \
+    chmod -R 755 /home/worker;
 
-USER perfetto:perfetto
-WORKDIR /home/perfetto
+USER worker:worker
+WORKDIR /home/worker
 
 ENTRYPOINT [ "tini", "--" ]
-CMD [ "python3", "/home/perfetto/worker.py" ]
+CMD [ "python3", "/home/worker/worker.py" ]

infra/ci/worker/Dockerfile

@@ -49,9 +49,9 @@ def get_http_obj():
   return tls.http
 
 
-def upload_one_file(fpath):
+def upload_one_file(fpath, base):
   http = get_http_obj()
-  relpath = os.path.relpath(fpath, os.getenv('ARTIFACTS_DIR'))
+  relpath = os.path.relpath(fpath, base)
   logging.debug('Uploading %s', relpath)
   assert (os.path.exists(fpath))
   fsize = os.path.getsize(fpath)
@@ -71,9 +71,9 @@ def upload_one_file(fpath):
   return fsize
 
 
-def upload_one_file_with_retries(fpath):
+def upload_one_file_with_retries(fpath, base):
   for retry in [0.5, 1.5, 3]:
-    res = upload_one_file(fpath)
+    res = upload_one_file(fpath, base)
     if res >= 0:
       return res
     logging.warning('Upload of %s failed, retrying in %s seconds', fpath, retry)
@@ -88,15 +88,6 @@ def list_files(path):
         yield fpath
 
 
-def scan_and_upload_perf_folder(job_id, dirpath):
-  perf_folder = os.path.join(dirpath, 'perf')
-  if not os.path.isdir(perf_folder):
-    return
-  uploader = os.path.join(CUR_DIR, 'perf_metrics_uploader.py')
-  for path in list_files(perf_folder):
-    subprocess.call([uploader, '--job-id', job_id, path])
-
-
 def main():
   init_logging()
   signal.alarm(WATCHDOG_SEC)
@@ -105,13 +96,12 @@ def main():
   parser = argparse.ArgumentParser()
   parser.add_argument('--rm', action='store_true', help='Removes the directory')
   parser.add_argument(
-      '--job-id',
+      '--dir',
       type=str,
       required=True,
-      help='The Perfetto CI job ID to tie this upload to')
+      help='The directory containing the artifacts')
   args = parser.parse_args()
-  job_id = args.job_id
-  dirpath = os.path.join(os.getenv('ARTIFACTS_DIR', default=os.curdir), job_id)
+  dirpath = args.dir
   if not os.path.isdir(dirpath):
     logging.error('Directory not found: %s', dirpath)
     return 1
@@ -126,15 +116,14 @@ def main():
   failures = 0
   files = list_files(dirpath)
   pool = ThreadPool(processes=10)
-  for upl_size in pool.imap_unordered(upload_one_file_with_retries, files):
+  upload_fn = lambda x: upload_one_file_with_retries(x, dirpath)
+  for upl_size in pool.imap_unordered(upload_fn, files):
     uploads += 1 if upl_size >= 0 else 0
     failures += 1 if upl_size < 0 else 0
     total_size += max(upl_size, 0)
 
   logging.info('Uploaded artifacts for %s: %d files, %s failures, %d KB',
-               job_id, uploads, failures, total_size / 1e3)
-
-  scan_and_upload_perf_folder(job_id, dirpath)
+               dirpath, uploads, failures, total_size / 1e3)
 
   if args.rm:
     subprocess.call(['sudo', 'rm', '-rf', dirpath])

infra/ci/worker/artifacts_uploader.py

@@ -27,6 +27,9 @@ SANDBOX_IMG=$(curl --silent --fail -H'Metadata-Flavor:Google' $URL)
 URL="$ATTRS/worker-img"
 WORKER_IMG=$(curl --silent --fail -H'Metadata-Flavor:Google' $URL)
 
+# We largely use tmpfs for checkout + build + cache. Add swap so we can exceed
+# physical ram. It's still faster than operating on a real filesystem because in
+# most cases we make very limited use of swap.
 for SSD in /dev/nvme0n*; do
 mkswap $SSD
 swapon -p -1 $SSD
@@ -84,7 +87,8 @@ docker run -d \
   --env SANDBOX_TMP="$SANDBOX_TMP" \
   --env WORKER_HOST="$(hostname)" \
   --name worker-$i \
-  --hostname worker-$i \
+  --hostname $(hostname)-worker-$i \
+  --privileged \
   --log-driver gcplogs \
   $WORKER_IMG
 done

infra/ci/worker/gce-startup-script.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env python3
+# Copyright (C) 2025 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the 'License');
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an 'AS IS' BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+""" This script does all the token dance to register a GitHub action runner
+
+- The script impersonates the Perfetto CI App GitHub App using the app private
+  key.
+- It then obtains the app installation token, which binds the app to the
+  Perfetto GitHub repo.
+- From that obtains the "Runner registration token".
+- This token is then passed to the sandbox, so it can run the
+  GitHub Action Runner (./config --unmanned --token=...)
+"""
+
+import jwt
+import time
+import requests
+import subprocess
+
+from config import PROJECT, GITHUB_REPO, GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID
+
+GITHUB_API_URL = 'https://api.github.com'
+
+
+def generate_jwt():
+  private_key = subprocess.check_output([
+      'gcloud', '--project', PROJECT, 'secrets', 'versions', 'access', 'latest',
+      '--secret=perfetto_ci_github_private_key'
+  ]).decode()
+
+  now = int(time.time())
+  payload = {
+      'iat': now,
+      'exp': now + (10 * 60),  # JWT valid for 10 minutes
+      'iss': GITHUB_APP_ID
+  }
+  return jwt.encode(payload, private_key, algorithm='RS256')
+
+
+def get_installation_token(jwt_token, installation_id):
+  url = f'{GITHUB_API_URL}/app/installations/{installation_id}/access_tokens'
+  headers = {
+      'Authorization': f'Bearer {jwt_token}',
+      'Accept': 'application/vnd.github.v3+json'
+  }
+  response = requests.post(url, headers=headers)
+  response.raise_for_status()
+  return response.json()['token']
+
+
+def get_runner_registration_token(inst_token):
+  url = f'{GITHUB_API_URL}/repos/{GITHUB_REPO}/actions/runners/registration-token'
+  headers = {
+      'Authorization': f'token {inst_token}',
+      'Accept': 'application/vnd.github.v3+json'
+  }
+  response = requests.post(url, headers=headers)
+  response.raise_for_status()
+  return response.json()['token']
+
+
+def get_github_token():
+  jwt_token = generate_jwt()
+  inst_token = get_installation_token(jwt_token, GITHUB_APP_INSTALLATION_ID)
+  registration_token = get_runner_registration_token(inst_token)
+  return registration_token
+
+
+if __name__ == '__main__':
+  print(get_github_token)

infra/ci/worker/get_github_token.py

@@ -12,9 +12,10 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-''' Worker main loop. Pulls jobs from the DB and runs them in the sandbox
+''' Worker main loop.
 
-It also handles timeouts and graceful container termination.
+Runs a github action ephemeral runner in a nested  sandboxed docker container.
+It also handles graceful container termination.
 '''
 
 import logging
@@ -26,174 +27,112 @@
 import time
 import traceback
 
-from config import DB, JOB_TIMEOUT_SEC
-from common_utils import req, utc_now_iso, init_logging
-from common_utils import ConcurrentModificationError, SCOPES
+from config import DB, SANDBOX_IMG, GITHUB_REPO, SANDBOX_SVC_ACCOUNT
 
-CUR_DIR = os.path.dirname(__file__)
-SCOPES.append('https://www.googleapis.com/auth/firebase.database')
-SCOPES.append('https://www.googleapis.com/auth/userinfo.email')
-WORKER_NAME = '%s-%s' % (os.getenv(
-    'WORKER_HOST', 'local').split('-')[-1], socket.gethostname())
-sigterm = threading.Event()
-
-
-def try_acquire_job(job_id):
-  ''' Transactionally acquire the given job.
-
-  Returns the job JSON object if it managed to acquire and put it into the
-  STARTED state, None if another worker got there first.
-  '''
-  logging.debug('Trying to acquire job %s', job_id)
+from get_github_token import get_github_token
 
-  uri = '%s/jobs/%s.json' % (DB, job_id)
-  job, etag = req('GET', uri, req_etag=True)
-  if job['status'] != 'QUEUED':
-    return None  # Somebody else took it or the job is CANCELLED/INTERRUPTED
-  try:
-    job['status'] = 'STARTED'
-    job['time_started'] = utc_now_iso()
-    job['worker'] = WORKER_NAME
-    req('PUT', uri, body=job, etag=etag)
-    return job
-  except ConcurrentModificationError:
-    return None
+CUR_DIR = os.path.dirname(__file__)
 
+# The container name will be deadb33f-sandbox-N.
+SANDBOX_NAME = socket.gethostname().replace('-worker-', '-sandbox-')
 
-def make_worker_obj(status, job_id=None):
-  return {
-      'job_id': job_id,
-      'status': status,
-      'last_update': utc_now_iso(),
-      'host': os.getenv('WORKER_HOST', '')
-  }
+sigterm = threading.Event()
 
 
 def worker_loop():
-  ''' Pulls a job from the queue and runs it invoking run_job.py  '''
-  uri = '%s/jobs_queued.json?orderBy="$key"&limitToLast=100' % DB
-  jobs = req('GET', uri)
-  if not jobs:
-    return
-
-  # Work out the worker number from the hostname. We try to distribute the load
-  # (via the time.sleep below) so that we fill first all the worker-1 of each
-  # vm, then worker-2 and so on. This is designed so that if there is only one
-  # CL (hence N jobs) in the queue, each VM gets only one job, maximizing the
-  # cpu efficiency of each VM.
-  try:
-    worker_num = int(socket.gethostname().split('-')[-1])
-  except ValueError:
-    worker_num = 1
-
-  # Transactionally acquire a job. Deal with races (two workers trying to
-  # acquire the same job).
-  job = None
-  job_id = None
-  for job_id in sorted(jobs.keys(), reverse=True):
-    job = try_acquire_job(job_id)
-    if job is not None:
-      break
-    time.sleep(worker_num)
-  if job is None:
-    logging.error('Failed to acquire a job')
-    return
-
-  logging.info('Starting job %s', job_id)
-
-  # Update the db, move the job to the running queue.
-  patch_obj = {
-      'jobs_queued/' + job_id: {},  # = DELETE
-      'jobs_running/' + job_id: {
-          'worker': WORKER_NAME
-      },
-      'workers/' + WORKER_NAME: make_worker_obj('RUNNING', job_id=job_id)
-  }
-  req('PATCH', '%s.json' % DB, body=patch_obj)
-
-  cmd = [os.path.join(CUR_DIR, 'run_job.py'), job_id]
-
-  # Propagate the worker's PERFETTO_  vars and merge with the job-specific vars.
-  env = dict(os.environ, **{k: str(v) for (k, v) in job['env'].items()})
-  job_runner = subprocess.Popen(cmd, env=env)
-
-  # Run the job in a python subprocess, to isolate the main loop from logs
-  # uploader failures.
-  res = None
-  cancelled = False
-  timed_out = False
-  time_started = time.time()
-  time_last_db_poll = time_started
-  polled_status = 'STARTED'
-  while res is None:
-    time.sleep(0.25)
-    res = job_runner.poll()
-    now = time.time()
-    if now - time_last_db_poll > 10:  # Throttle DB polling.
-      polled_status = req('GET', '%s/jobs/%s/status.json' % (DB, job_id))
-      time_last_db_poll = now
-    if now - time_started > JOB_TIMEOUT_SEC:
-      logging.info('Job %s timed out, terminating', job_id)
-      timed_out = True
-      job_runner.terminate()
-    if (sigterm.is_set() or polled_status != 'STARTED') and not cancelled:
-      logging.info('Job %s cancelled, terminating', job_id)
-      cancelled = True
-      job_runner.terminate()
-
-  status = ('INTERRUPTED' if sigterm.is_set() else 'CANCELLED' if cancelled else
-            'TIMED_OUT' if timed_out else 'COMPLETED' if res == 0 else 'FAILED')
-  logging.info('Job %s %s with code %s', job_id, status, res)
-
-  # Update the DB, unless the job has been cancelled. The "is not None"
-  # condition deals with a very niche case, that is, avoid creating a partial
-  # job entry after doing a full clear of the DB (which is super rare, happens
-  # only when re-deploying the CI).
-  if polled_status is not None:
-    patch = {
-        'jobs/%s/status' % job_id: status,
-        'jobs/%s/exit_code' % job_id: {} if res is None else res,
-        'jobs/%s/time_ended' % job_id: utc_now_iso(),
-        'jobs_running/%s' % job_id: {},  # = DELETE
-    }
-    req('PATCH', '%s.json' % (DB), body=patch)
+  # Remove stale jobs, if any.
+  subprocess.call(['sudo', 'docker', 'rm', '-f', SANDBOX_NAME])
+
+  # Impersonate the sandbox service account. This creates a temporary downgraded
+  # service account that we pass to the sandbox. The sandbox service account
+  # is allowed only storage object creation for untrusted CI artifacts.
+  # sandbox_svc_token = subprocess.check_output([
+  #     'gcloud', 'auth', 'application-default',
+  #     'print-access-token'
+  #     '--impersonate-service-account=%s' % SANDBOX_SVC_ACCOUNT,
+  # ])
+
+  # Run the nested docker container that will execute the ephemeral GitHub
+  # action runner in the sandbox image.
+  cmd = [
+      'sudo', 'docker', 'run', '--rm', '--name', SANDBOX_NAME, '--hostname',
+      SANDBOX_NAME, '--cap-add', 'SYS_PTRACE', '--tmpfs', '/tmp:exec'
+  ]
+
+  # Obtain the (short-lived) token to register the Github Action Runner and
+  # pass it to the sandbox.
+  github_token = get_github_token()
+  cmd += ['--env', 'GITHUB_TOKEN=%s' % github_token]
+  cmd += ['--env', 'GITHUB_REPO=%s' % GITHUB_REPO]
+  # cmd += ['--env', 'SANDBOX_SVC_TOKEN=%s' % sandbox_svc_token]
+
+  # Propagate PERFETTO_ environment variables
+  for kv in [kv for kv in os.environ.items() if kv[0].startswith('PERFETTO_')]:
+    cmd += ['--env', '%s=%s' % kv]
+
+  # We use the tmpfs mount created by gce-startup-script.sh, if present. The
+  # problem is that Docker doesn't allow to both override the tmpfs-size and
+  # prevent the "-o noexec". In turn the default tmpfs-size depends on the host
+  # phisical memory size.
+  if os.getenv('SANDBOX_TMP'):
+    cmd += ['-v', '%s:/ci/ramdisk' % os.getenv('SANDBOX_TMP')]
+  else:
+    cmd += ['--tmpfs', '/ci/ramdisk:exec']
+
+  # Rationale for the conditional branches below: when running in the real GCE
+  # environment, the gce-startup-script.sh mounts these directories in the right
+  # locations, so that they are shared between all workers.
+  # When running the worker container outside of GCE (i.e.for local testing) we
+  # leave these empty. The VOLUME directive in the dockerfile will cause docker
+  # to automatically mount a scratch volume for those.
+  # This is so that the CI containers can be tested without having to do the
+  # work that gce-startup-script.sh does.
+  if os.getenv('SHARED_WORKER_CACHE'):
+    cmd += ['--volume=%s:/ci/cache' % os.getenv('SHARED_WORKER_CACHE')]
+
+  artifacts_dir = None
+  if os.getenv('ARTIFACTS_DIR'):
+    artifacts_dir = os.path.join(os.getenv('ARTIFACTS_DIR'), SANDBOX_NAME)
+    subprocess.call(['sudo', 'rm', '-rf', artifacts_dir])
+    os.mkdir(artifacts_dir)
+    cmd += ['--volume=%s:/ci/artifacts' % artifacts_dir]
+
+  cmd += os.getenv('SANDBOX_NETWORK_ARGS', '').split()
+  cmd += [SANDBOX_IMG]
+
+  # This spawns the sandbox that runs one ephemeral GitHub Action job and
+  # terminates when done.
+  subprocess.call(cmd)
+
+  if artifacts_dir:
+    artifacts_uploader = os.path.join(CUR_DIR, 'artifacts_uploader.py')
+    cmd = ['setsid', artifacts_uploader, '--dir=' + artifacts_dir, '--rm']
+    subprocess.call(cmd)
 
 
 def sig_handler(_, __):
   logging.warning('Interrupted by signal, exiting worker')
+  subprocess.call(['sudo', 'docker', 'kill', SANDBOX_NAME])
   sigterm.set()
 
 
 def main():
-  init_logging()
+  logging.basicConfig(
+      format='%(levelname)-8s %(asctime)s %(message)s',
+      level=logging.DEBUG if os.getenv('VERBOSE') else logging.INFO,
+      datefmt=r'%Y-%m-%d %H:%M:%S')
   logging.info('Worker started')
   signal.signal(signal.SIGTERM, sig_handler)
   signal.signal(signal.SIGINT, sig_handler)
 
   while not sigterm.is_set():
-    logging.debug('Starting poll cycle')
     try:
       worker_loop()
-      req('PUT',
-          '%s/workers/%s.json' % (DB, WORKER_NAME),
-          body=make_worker_obj('IDLE'))
     except:
       logging.error('Exception in worker loop:\n%s', traceback.format_exc())
     if sigterm.is_set():
       break
-
-    # Synchronize sleeping with the wall clock. This is so all VMs wake up at
-    # the same time. See comment on distributing load above in this file.
-    poll_time_sec = 5
-    time.sleep(poll_time_sec - (time.time() % poll_time_sec))
-
-  # The use case here is the VM being terminated by the GCE infrastructure.
-  # We mark the worker as terminated and the job as cancelled so we don't wait
-  # forever for it.
-  logging.warning('Exiting the worker loop, got signal: %s', sigterm.is_set())
-  req('PUT',
-      '%s/workers/%s.json' % (DB, WORKER_NAME),
-      body=make_worker_obj('TERMINATED'))
+    time.sleep(1)
 
 
 if __name__ == '__main__':

infra/ci/worker/perf_metrics_uploader.py

@@ -22,7 +22,7 @@ echo "skipping build + test runs"
 exit 0
 fi
 
-BAZEL_DISK_CACHE_FOLDER="/ci/cache/bazel-disk-cache-$(hostname)"
+BAZEL_DISK_CACHE_FOLDER="$PERFETTO_CACHE_DIR/bazel-disk-cache-$(hostname)"
 readonly BAZEL_DISK_CACHE_FOLDER
 # Cleanup the cache if any of the two conditions are true.
 BAZEL_DISK_CACHE_GC_OPTIONS="--experimental_disk_cache_gc_max_age=7d --experimental_disk_cache_gc_max_size=10G"
@@ -43,7 +43,7 @@ tools/bazel build //python:all ${BAZEL_DISK_CACHE_FLAGS} --verbose_failures
 ./bazel-bin/traced &
 ./bazel-bin/traced_probes &
 sleep 5
-TRACE=/ci/artifacts/bazel.trace
+TRACE="$PERFETTO_ARTIFACTS_DIR/bazel.trace"
 ./bazel-bin/perfetto -c :test -o $TRACE
 kill $(jobs -p)
 ./bazel-bin/trace_processor_shell -q <(echo 'select count(1) from sched') $TRACE

infra/ci/worker/run_job.py

@@ -20,6 +20,12 @@ OUT_PATH="out/dist"
 
 export PYTHONUNBUFFERED=1
 
+export PERFETTO_CACHE_DIR="${PERFETTO_CACHE_DIR:-/tmp/cache}"
+mkdir -p "$PERFETTO_CACHE_DIR"
+
+export PERFETTO_ARTIFACTS_DIR="${PERFETTO_ARTIFACTS_DIR:-/tmp/artifacts}"
+mkdir -p "$PERFETTO_ARTIFACTS_DIR"
+
 tools/install-build-deps $PERFETTO_INSTALL_BUILD_DEPS_ARGS
 
 # Assumes Linux. Windows should use /win/clang instead.

infra/ci/worker/worker.py

@@ -42,10 +42,10 @@ if [ ! -f ${HOST_OUT_PATH}/trace_processor_shell ]; then
   HOST_OUT_PATH=${OUT_PATH}
 fi
 
-mkdir -p /ci/artifacts/perf
+mkdir -p "$PERFETTO_ARTIFACTS_DIR/perf"
 
 tools/diff_test_trace_processor.py \
-  --perf-file=/ci/artifacts/perf/tp-perf-all.json \
+  --perf-file=$PERFETTO_ARTIFACTS_DIR/perf/tp-perf-all.json \
   ${HOST_OUT_PATH}/trace_processor_shell
 
 python/run_tests.py ${HOST_OUT_PATH}

test/ci/bazel_tests.sh

@@ -21,16 +21,16 @@ infra/perfetto.dev/build
 
 ui/build --out ${OUT_PATH}
 
-cp -a ${OUT_PATH}/ui/dist/ /ci/artifacts/ui
+cp -a ${OUT_PATH}/ui/dist/ "$PERFETTO_ARTIFACTS_DIR/ui"
 
 ui/run-unittests --out ${OUT_PATH} --no-build
 
 set +e
 
 # Install chrome
 (
-  mkdir /ci/ramdisk/chrome
-  cd /ci/ramdisk/chrome
+  mkdir /tmp/chrome
+  cd /tmp/chrome
   CHROME_VERSION=134.0.6998.35
   curl -Ls -o chrome.deb https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${CHROME_VERSION}-1_amd64.deb
   dpkg-deb -x chrome.deb  .
@@ -42,7 +42,7 @@ set +x
 
 # Copy the output of screenshots diff testing.
 if [ -d ${OUT_PATH}/ui-test-artifacts ]; then
-  cp -a ${OUT_PATH}/ui-test-artifacts /ci/artifacts/ui-test-artifacts
+  cp -a ${OUT_PATH}/ui-test-artifacts "$PERFETTO_ARTIFACTS_DIR/ui-test-artifacts"
   echo "UI integration test report with screnshots:"
   echo "https://storage.googleapis.com/perfetto-ci-artifacts/$PERFETTO_TEST_JOB/ui-test-artifacts/index.html"
   echo ""

test/ci/common.sh

@@ -20,7 +20,7 @@ const isCi = Boolean(process.env.CI);
 const outDir = process.env.OUT_DIR ?? '../out/ui';
 
 // Installed by test/ci/ui_tests.sh
-const ciChromePath = '/ci/ramdisk/chrome/opt/google/chrome/google-chrome';
+const ciChromePath = '/tmp/chrome/opt/google/chrome/google-chrome';
 
 export default defineConfig({
   testDir: './src',