From 4890d685c9f6598d30d91b9a86573fa22a8d9135 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 17 Apr 2026 13:58:45 -0500 Subject: [PATCH 01/25] ci: migrate from CircleCI to GitHub Actions - Add GitHub Actions workflows for CI, linting, integration tests, Windows builds, docs checks, and releases - Remove TILT_CLOUD_TOKEN dependency from release-ci.sh - Workflows replicate CircleCI functionality with equivalent GitHub Actions Co-Authored-By: Claude Opus 4.5 Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 101 ++++++++++++++++++++++++ .github/workflows/docs.yml | 64 ++++++++++++++++ .github/workflows/integration.yml | 115 ++++++++++++++++++++++++++++ .github/workflows/lint.yml | 24 ++++++ .github/workflows/release.yml | 123 ++++++++++++++++++++++++++++++ .github/workflows/windows.yml | 74 ++++++++++++++++++ scripts/release-ci.sh | 8 -- 7 files changed, 501 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/docs.yml create mode 100644 .github/workflows/integration.yml create mode 100644 .github/workflows/lint.yml create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/windows.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000..9aea6edc82 --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,101 @@ +name: CI + +on: + push: + branches: [master] + pull_request: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + build-linux: + runs-on: ubuntu-latest + container: + image: docker/tilt-ci@sha256:3b83314ab36d9a529f5af8ca788b00d0926d16ed981a929317aab62696a88d77 + steps: + - uses: actions/checkout@v4 + + - name: Set up Docker + uses: docker/setup-buildx-action@v3 + + - name: Pull registry image + run: docker pull registry:2 + + - name: Build + run: make install + + - name: Lint + run: make lint + + - name: Version check + run: make test_install_version_check + + - name: Wire check + run: make wire-check + + - name: Check codegen + run: ./scripts/check-codegen.sh + + - name: Run tests + run: make test-go-ci + + - name: Upload test results + uses: actions/upload-artifact@v4 + if: always() + with: + name: go-test-results + path: test-results/ + + - name: Notify Slack on failure + if: failure() && github.ref == 'refs/heads/master' + uses: slackapi/slack-github-action@v2 + with: + webhook: ${{ secrets.SLACK_WEBHOOK_URL }} + webhook-type: incoming-webhook + payload: | + { + "text": "build-linux failed on master: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + } + + build-js: + runs-on: ubuntu-latest + needs: build-linux + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 + with: + node-version: '22.14.0' + cache: 'yarn' + cache-dependency-path: web/yarn.lock + + - name: Check JS + run: make check-js + + - name: Test JS + run: make test-js-ci + env: + JEST_JUNIT_OUTPUT_DIR: reports/junit/js-test-results.xml + + - name: Test Storybook + run: make test-storybook + + - name: Upload test results + uses: actions/upload-artifact@v4 + if: always() + with: + name: js-test-results + path: web/reports/junit/ + + - name: Notify Slack on failure + if: failure() && github.ref == 'refs/heads/master' + uses: slackapi/slack-github-action@v2 + with: + webhook: 
${{ secrets.SLACK_WEBHOOK_URL }} + webhook-type: incoming-webhook + payload: | + { + "text": "build-js failed on master: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + } diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml new file mode 100644 index 0000000000..1440bb346b --- /dev/null +++ b/.github/workflows/docs.yml @@ -0,0 +1,64 @@ +name: Docs + +on: + push: + branches: [master] + pull_request: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + check-docs: + runs-on: ubuntu-latest + container: + image: docker/tilt-ci@sha256:3b83314ab36d9a529f5af8ca788b00d0926d16ed981a929317aab62696a88d77 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Check for Go changes + id: changes + run: | + if ! ./scripts/ci-has-go-changes.sh; then + echo "skip=true" >> $GITHUB_OUTPUT + fi + + - name: Setup SSH + if: steps.changes.outputs.skip != 'true' + uses: webfactory/ssh-agent@v0.9.0 + with: + ssh-private-key: ${{ secrets.TILT_BUILD_DEPLOY_KEY }} + + - name: Clone tilt.build repo + if: steps.changes.outputs.skip != 'true' + run: | + mkdir -p ~/.ssh + ssh-keyscan github.com >> ~/.ssh/known_hosts + git clone git@github.com:tilt-dev/tilt.build ../tilt.build + + - name: Build Tilt + if: steps.changes.outputs.skip != 'true' + run: make install + + - name: Generate and verify docs + if: steps.changes.outputs.skip != 'true' + working-directory: ../tilt.build + run: | + tilt dump cli-docs --dir="./docs/cli" + tilt dump api-docs --dir="./api" + make cli-toc + make api + + - name: Notify Slack on failure + if: failure() && github.ref == 'refs/heads/master' + uses: slackapi/slack-github-action@v2 + with: + webhook: ${{ secrets.SLACK_WEBHOOK_URL }} + webhook-type: incoming-webhook + payload: | + { + "text": "check-docs failed on master: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + } 
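Review bot: ci.yml declares no `permissions:` key, so the automatic `GITHUB_TOKEN` gets whatever the repository or organization default is, and this workflow builds and tests pull-request code. Add a top-level `permissions:` block with `contents: read`. The same applies to docs.yml, integration.yml, lint.yml and windows.yml in this patch. In release.yml the `release` job passes `secrets.GITHUB_TOKEN` to the release script, so it presumably needs write access; grant that explicitly at job level rather than relying on the default.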
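Review bot: In `check-docs`, the key loaded by `Setup SSH` stays in the agent while `Build Tilt` and `Generate and verify docs` run `make install` and other code from the checked-out ref, and the workflow triggers on `pull_request`. Confirm that `TILT_BUILD_DEPLOY_KEY` is a read-only deploy key, and say so in a comment on the step, e.g. `# read-only deploy key for tilt-dev/tilt.build; later steps run with it loaded`. Pull requests from forks do not receive secrets, so this step will fail for them unless the job is also gated on the PR's origin. Separately, `ssh-keyscan github.com >> ~/.ssh/known_hosts` accepts whatever key is served at run time; committing GitHub's published host keys makes that check meaningful. The same keyscan line appears in release.yml's `Configure Git` step.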
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
new file mode 100644
index 0000000000..5d73091f03
--- /dev/null
+++ b/.github/workflows/integration.yml
@@ -0,0 +1,115 @@ +name: Integration + +on: + push: + branches: [master] + pull_request: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + check-changes: + runs-on: ubuntu-latest + outputs: + has-go-changes: ${{ steps.check.outputs.go-changes }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Check for Go changes + id: check + run: | + if ./scripts/ci-has-go-changes.sh; then + echo "go-changes=true" >> $GITHUB_OUTPUT + else + echo "go-changes=false" >> $GITHUB_OUTPUT + fi + + build-integration: + needs: check-changes + if: needs.check-changes.outputs.has-go-changes == 'true' + runs-on: ubuntu-latest + container: + image: docker/tilt-integration-ci@sha256:9821f02b3304ede7a09ec0564e0a68abea9375bf596b64f34aa683c613db69f4 + options: --privileged + services: + dind: + image: docker:dind + options: --privileged + env: + DOCKER_TLS_CERTDIR: "" + env: + DOCKER_HOST: tcp://dind:2375 + steps: + - uses: actions/checkout@v4 + + - name: Wait for Docker + run: | + timeout 30 sh -c 'until docker info; do sleep 1; done' + + - name: Setup Kind cluster + run: ctlptl create cluster kind --registry=ctlptl-registry + + - name: Build and run integration tests + run: make build-js integration + + - name: Upload test results + uses: actions/upload-artifact@v4 + if: always() + with: + name: integration-test-results + path: test-results/ + + - name: Notify Slack on failure + if: failure() && github.ref == 'refs/heads/master' + uses: slackapi/slack-github-action@v2 + with: + webhook: ${{ secrets.SLACK_WEBHOOK_URL }} + webhook-type: incoming-webhook + payload: | + { + "text": "build-integration failed on master: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + } + + test-extensions: + needs: check-changes + if: needs.check-changes.outputs.has-go-changes == 'true' + runs-on: ubuntu-latest + container: + image: 
docker/tilt-extensions-ci@sha256:c22a39c287c7c3afba182f4f46044475b43bd2d4e2bb89f41136eae7d4f4b94d + options: --privileged + services: + dind: + image: docker:dind + options: --privileged + env: + DOCKER_TLS_CERTDIR: "" + env: + DOCKER_HOST: tcp://dind:2375 + PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} + steps: + - uses: actions/checkout@v4 + + - name: Wait for Docker + run: | + timeout 30 sh -c 'until docker info; do sleep 1; done' + + - name: Setup Kind cluster + run: ctlptl create cluster kind --registry=ctlptl-registry + + - name: Build and test extensions + run: make build-js install test-extensions + + - name: Notify Slack on failure + if: failure() && github.ref == 'refs/heads/master' + uses: slackapi/slack-github-action@v2 + with: + webhook: ${{ secrets.SLACK_WEBHOOK_URL }} + webhook-type: incoming-webhook + payload: | + { + "text": "test-extensions failed on master: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + } diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000000..2df19d946b --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,24 @@ +name: Lint + +on: + push: + branches: [master] + pull_request: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + shellcheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Run ShellCheck + uses: ludeeus/action-shellcheck@master + with: + scandir: './scripts' + severity: warning + env: + SHELLCHECK_OPTS: -e SC2001 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000000..81e5457ad9 --- /dev/null +++ b/.github/workflows/release.yml 
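Review bot: The `dind` service in both `build-integration` and `test-extensions` uses the floating tag `docker:dind` and runs `--privileged`, while the job containers in the same file are pinned by digest. Pin the service image the same way, `image: docker:dind@sha256:<digest>` (placeholder digest). `DOCKER_TLS_CERTDIR: ""` with `DOCKER_HOST: tcp://dind:2375` leaves the daemon unauthenticated on the job network; a comment saying that this is deliberate would help. In `test-extensions`, `PULUMI_ACCESS_TOKEN` is set in the job-level `env:`, so every step sees it. Moving it to the `env:` of the `Build and test extensions` step narrows that.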
@@ -0,0 +1,123 @@ +name: Release + +on: + push: + branches: [master] + tags: + - 'v[0-9]+.[0-9]+.[0-9]+' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + release-dry-run: + # Run on master branch pushes only (not tags) + if: github.ref == 'refs/heads/master' + runs-on: ubuntu-latest + container: + image: docker/tilt-releaser@sha256:304fa435c4b18d71d1aeae4578762625fc43ab69bc24656e20d150ee23dc2b2b + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build JS + run: make build-js + + - name: Goreleaser dry run + run: goreleaser --verbose --clean --skip=publish --snapshot + timeout-minutes: 20 + + - name: Notify Slack on failure + if: failure() + uses: slackapi/slack-github-action@v2 + with: + webhook: ${{ secrets.SLACK_WEBHOOK_URL }} + webhook-type: incoming-webhook + payload: | + { + "text": "release-dry-run failed: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + } + + release: + # Run only on version tags + if: startsWith(github.ref, 'refs/tags/v') + runs-on: ubuntu-latest + container: + image: docker/tilt-releaser@sha256:304fa435c4b18d71d1aeae4578762625fc43ab69bc24656e20d150ee23dc2b2b + env: + DOCKER_CLI_EXPERIMENTAL: enabled + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Notify Slack - Release Started + uses: slackapi/slack-github-action@v2 + with: + webhook: ${{ secrets.SLACK_WEBHOOK_URL }} + webhook-type: incoming-webhook + payload: | + { + "text": "A Tilt release has started! 
Version: ${{ github.ref_name }}" + } + + - name: Docker login + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_TOKEN }} + + - name: Setup SSH for repo updates + uses: webfactory/ssh-agent@v0.9.0 + with: + ssh-private-key: ${{ secrets.DEPLOY_SSH_KEY }} + + - name: Configure Git + run: | + git config --global user.email "hi@tilt.dev" + git config --global user.name "Tilt Dev" + mkdir -p ~/.ssh + ssh-keyscan github.com >> ~/.ssh/known_hosts + + - name: Run release + run: ./scripts/release-ci.sh + timeout-minutes: 20 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} + + - name: Notify Slack - Release Complete + if: success() + uses: slackapi/slack-github-action@v2 + with: + webhook: ${{ secrets.SLACK_WEBHOOK_URL }} + webhook-type: incoming-webhook + payload: | + { + "text": "Tilt release ${{ github.ref_name }} completed successfully!" + } + + - name: Notify Slack - Release Failed + if: failure() + uses: slackapi/slack-github-action@v2 + with: + webhook: ${{ secrets.SLACK_WEBHOOK_URL }} + webhook-type: incoming-webhook + payload: | + { + "text": "Tilt release ${{ github.ref_name }} FAILED: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + } diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml new file mode 100644 index 0000000000..734e0460a5 --- /dev/null +++ b/.github/workflows/windows.yml 
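Review bot: The `Run release` step passes `GITHUB_TOKEN` and `DOCKER_TOKEN` to `./scripts/release-ci.sh` but not `DOCKER_USERNAME`, which the script reads in `docker login --username "$DOCKER_USERNAME"` (visible as context in this patch's release-ci.sh hunk). Unless the script sets the variable somewhere outside that hunk, the login runs with an empty username. Add `DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}` to that step's `env:`. The earlier `Docker login` step already authenticates with both secrets, so the script's own login may be redundant.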
@@ -0,0 +1,74 @@ +name: Windows + +on: + push: + branches: [master] + pull_request: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + check-changes: + runs-on: ubuntu-latest + outputs: + has-go-changes: ${{ steps.check.outputs.go-changes }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Check for Go changes + id: check + run: | + if ./scripts/ci-has-go-changes.sh; then + echo "go-changes=true" >> $GITHUB_OUTPUT + else + echo "go-changes=false" >> $GITHUB_OUTPUT + fi + + build-windows: + needs: check-changes + if: needs.check-changes.outputs.has-go-changes == 'true' + runs-on: windows-latest + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-go@v5 + with: + go-version: '1.25' + + - name: Install dependencies + run: | + choco install make -y + choco install kustomize -y + choco install kubernetes-helm -y + choco install docker-compose -y + choco install mingw --version=12.2.0.03042023 -y + + - name: Install gotestsum + run: go install gotest.tools/gotestsum@latest + + - name: Build Windows binary + run: go install -mod vendor ./cmd/tilt + env: + CGO_ENABLED: 1 + CGO_LDFLAGS: -static + + - name: Run tests + run: make shorttest-ci + env: + CGO_ENABLED: 1 + CGO_LDFLAGS: -static + + - name: Test PowerShell installer + run: ./scripts/install.ps1 + shell: pwsh + + - name: Upload test results + uses: actions/upload-artifact@v4 + if: always() + with: + name: windows-test-results + path: test-results/ diff --git a/scripts/release-ci.sh b/scripts/release-ci.sh index 262b8aaa62..c83d08182a 100755 --- a/scripts/release-ci.sh +++ b/scripts/release-ci.sh 
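Review bot: In `build-windows`, `go install gotest.tools/gotestsum@latest` and the unversioned `choco install` lines (`make`, `kustomize`, `kubernetes-helm`, `docker-compose`) fetch whatever is current at run time, while `mingw` in the same step is pinned to `12.2.0.03042023`. Pin the test runner too, `go install gotest.tools/gotestsum@<pinned-version>` (placeholder), and give the choco packages `--version=` as well. That keeps the toolchain reproducible, so an upstream release cannot change what runs in CI unnoticed.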
@@ -20,19 +20,11 @@ if [[ "$DOCKER_TOKEN" == "" ]]; then exit 1 fi -if [[ "$TILT_CLOUD_TOKEN" == "" ]]; then - echo "Missing Tilt release token" - exit 1 -fi - DIR=$(dirname "$0") cd "$DIR/.." echo "$DOCKER_TOKEN" | docker login --username "$DOCKER_USERNAME" --password-stdin -mkdir -p ~/.windmill -echo "$TILT_CLOUD_TOKEN" > ~/.windmill/token - git fetch --tags git config --global user.email "tilt-team@docker.com" git config --global user.name "Tilt Dev" From bf12ae306ba30f706008afab15236eb80371d1ad Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Thu, 23 Apr 2026 14:02:16 -0500 Subject: [PATCH 02/25] ci: use GitHub App token instead of SSH deploy keys Replace SSH deploy keys (TILT_BUILD_DEPLOY_KEY, DEPLOY_SSH_KEY) with GitHub App token generation using actions/create-github-app-token. - docs.yml: checkout tilt.build via actions/checkout with app token - release.yml: generate token with access to tilt, tilt.build, cloud.tilt.dev, tilt-extensions repos for release script pushes - update git config email to tilt-team@docker.com Also pin all actions to their commit shas. Signed-off-by: Nick Sieger Co-Authored-By: Claude Opus 4.5 --- .github/workflows/ci.yml | 16 ++++++------- .github/workflows/docs.yml | 25 ++++++++++++-------- .github/workflows/integration.yml | 12 +++++----- .github/workflows/lint.yml | 4 ++-- .github/workflows/release.yml | 38 ++++++++++++++++--------------- .github/workflows/windows.yml | 8 +++---- 6 files changed, 55 insertions(+), 48 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9aea6edc82..3ded2f5703 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -15,10 +15,10 @@ jobs: container: image: docker/tilt-ci@sha256:3b83314ab36d9a529f5af8ca788b00d0926d16ed981a929317aab62696a88d77 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Docker - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Pull registry image run: docker pull registry:2 @@ -42,7 +42,7 @@ jobs: run: make test-go-ci - name: Upload test results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: always() with: name: go-test-results @@ -50,7 +50,7 @@ jobs: - name: Notify Slack on failure if: failure() && github.ref == 'refs/heads/master' - uses: slackapi/slack-github-action@v2 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook @@ -63,9 +63,9 @@ jobs: runs-on: ubuntu-latest needs: build-linux steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '22.14.0' cache: 'yarn' @@ -83,7 +83,7 @@ jobs: run: make test-storybook - name: Upload test results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: always() with: name: js-test-results @@ -91,7 +91,7 @@ jobs: - name: Notify Slack on failure if: failure() && github.ref == 'refs/heads/master' - uses: slackapi/slack-github-action@v2 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 1440bb346b..1eb546a1f0 100644 
--- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -15,7 +15,7 @@ jobs: container: image: docker/tilt-ci@sha256:3b83314ab36d9a529f5af8ca788b00d0926d16ed981a929317aab62696a88d77 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -26,18 +26,23 @@ jobs: echo "skip=true" >> $GITHUB_OUTPUT fi - - name: Setup SSH + - name: Generate GitHub App token if: steps.changes.outputs.skip != 'true' - uses: webfactory/ssh-agent@v0.9.0 + id: app-token + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 with: - ssh-private-key: ${{ secrets.TILT_BUILD_DEPLOY_KEY }} + app-id: ${{ vars.TILT_APP_ID }} + private-key: ${{ secrets.TILT_APP_PRIVATE_KEY }} + owner: tilt-dev + repositories: tilt.build - - name: Clone tilt.build repo + - name: Checkout tilt.build repo if: steps.changes.outputs.skip != 'true' - run: | - mkdir -p ~/.ssh - ssh-keyscan github.com >> ~/.ssh/known_hosts - git clone git@github.com:tilt-dev/tilt.build ../tilt.build + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + repository: tilt-dev/tilt.build + token: ${{ steps.app-token.outputs.token }} + path: ../tilt.build - name: Build Tilt if: steps.changes.outputs.skip != 'true' @@ -54,7 +59,7 @@ jobs: - name: Notify Slack on failure if: failure() && github.ref == 'refs/heads/master' - uses: slackapi/slack-github-action@v2 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 5d73091f03..16673bd442 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml 
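Review bot: In the new `Checkout tilt.build repo` step, `path: ../tilt.build` points outside `$GITHUB_WORKSPACE`. As far as I know actions/checkout rejects a path that is not under the workspace, so this step would likely fail. Use `path: tilt.build`; the `working-directory: ../tilt.build` of the later docs step, which lies outside this hunk, needs the same change. Also add `persist-credentials: false` to this checkout. By default the app token is written into the clone's git config, where the following `make install` and doc-generation steps can read it.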
@@ -15,7 +15,7 @@ jobs: outputs: has-go-changes: ${{ steps.check.outputs.go-changes }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 @@ -44,7 +44,7 @@ jobs: env: DOCKER_HOST: tcp://dind:2375 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Wait for Docker run: | @@ -57,7 +57,7 @@ jobs: run: make build-js integration - name: Upload test results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: always() with: name: integration-test-results @@ -65,7 +65,7 @@ jobs: - name: Notify Slack on failure if: failure() && github.ref == 'refs/heads/master' - uses: slackapi/slack-github-action@v2 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook @@ -91,7 +91,7 @@ jobs: DOCKER_HOST: tcp://dind:2375 PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Wait for Docker run: | @@ -105,7 +105,7 @@ jobs: - name: Notify Slack on failure if: failure() && github.ref == 'refs/heads/master' - uses: slackapi/slack-github-action@v2 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 2df19d946b..e8ca9b9ff3 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -13,10 +13,10 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run ShellCheck - uses: ludeeus/action-shellcheck@master + uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 with: scandir: './scripts' severity: warning diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 81e5457ad9..89ce911d4e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,15 +18,15 @@ jobs: container: image: docker/tilt-releaser@sha256:304fa435c4b18d71d1aeae4578762625fc43ab69bc24656e20d150ee23dc2b2b steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Build JS run: make build-js @@ -37,7 +37,7 @@ jobs: - name: Notify Slack on failure if: failure() - uses: slackapi/slack-github-action@v2 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook 
@@ -55,18 +55,18 @@ jobs: env: DOCKER_CLI_EXPERIMENTAL: enabled steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Notify Slack - Release Started - uses: slackapi/slack-github-action@v2 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook 
@@ -76,33 +76,35 @@ jobs: } - name: Docker login - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - - name: Setup SSH for repo updates - uses: webfactory/ssh-agent@v0.9.0 + - name: Generate GitHub App token + id: app-token + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0 with: - ssh-private-key: ${{ secrets.DEPLOY_SSH_KEY }} + app-id: ${{ vars.TILT_APP_ID }} + private-key: ${{ secrets.TILT_APP_PRIVATE_KEY }} + owner: tilt-dev + repositories: tilt,tilt.build,cloud.tilt.dev,tilt-extensions - name: Configure Git run: | - git config --global user.email "hi@tilt.dev" + git config --global user.email "tilt-team@docker.com" git config --global user.name "Tilt Dev" - mkdir -p ~/.ssh - ssh-keyscan github.com >> ~/.ssh/known_hosts - name: Run release run: ./scripts/release-ci.sh timeout-minutes: 20 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} - name: Notify Slack - Release Complete if: success() - uses: slackapi/slack-github-action@v2 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook @@ -113,7 +115,7 @@ jobs: - name: Notify Slack - Release Failed if: failure() - uses: slackapi/slack-github-action@v2 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 with: webhook: ${{ secrets.SLACK_WEBHOOK_URL }} webhook-type: incoming-webhook diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 734e0460a5..51a3d3b025 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml 
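Review bot: The token minted in `Generate GitHub App token` covers `tilt,tilt.build,cloud.tilt.dev,tilt-extensions` with every permission the app installation holds, and it is handed whole to `./scripts/release-ci.sh` as `GITHUB_TOKEN`. If the pinned action version supports the `permission-*` inputs, request only what the script needs, for example `permission-contents: write`. This step pins `create-github-app-token` at `# v1.12.0` while docs.yml in the same commit pins `# v2.2.2`; use one pin for both. The hunk also drops the SSH agent and known_hosts setup, so any `git@github.com:` remotes still used by release-ci.sh (not visible here) would stop working.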
@@ -15,7 +15,7 @@ jobs: outputs: has-go-changes: ${{ steps.check.outputs.go-changes }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 @@ -33,9 +33,9 @@ jobs: if: needs.check-changes.outputs.has-go-changes == 'true' runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - uses: actions/setup-go@v5 + - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.25' @@ -67,7 +67,7 @@ jobs: shell: pwsh - name: Upload test results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: always() with: name: windows-test-results From 216f740691af8ca74ff187ffef905389c7f7395a Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Thu, 23 Apr 2026 14:06:48 -0500 Subject: [PATCH 03/25] ci: use actions/checkout@v6 Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 4 ++-- .github/workflows/integration.yml | 6 +++--- .github/workflows/lint.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/windows.yml | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3ded2f5703..11e318f722 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,7 +15,7 @@ jobs: container: image: docker/tilt-ci@sha256:3b83314ab36d9a529f5af8ca788b00d0926d16ed981a929317aab62696a88d77 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 
@@ -63,7 +63,7 @@ jobs: runs-on: ubuntu-latest needs: build-linux steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 16673bd442..ec394a69c0 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -15,7 +15,7 @@ jobs: outputs: has-go-changes: ${{ steps.check.outputs.go-changes }} steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -44,7 +44,7 @@ jobs: env: DOCKER_HOST: tcp://dind:2375 steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Wait for Docker run: | @@ -91,7 +91,7 @@ jobs: DOCKER_HOST: tcp://dind:2375 PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Wait for Docker run: | diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index e8ca9b9ff3..b0eeb6ae92 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -13,7 +13,7 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run ShellCheck uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 89ce911d4e..cf69c8371a 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -18,7 +18,7 @@ jobs: container: image: docker/tilt-releaser@sha256:304fa435c4b18d71d1aeae4578762625fc43ab69bc24656e20d150ee23dc2b2b steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -55,7 +55,7 @@ jobs: env: DOCKER_CLI_EXPERIMENTAL: enabled steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 51a3d3b025..d139b749a8 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -15,7 +15,7 @@ jobs: outputs: has-go-changes: ${{ steps.check.outputs.go-changes }} steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -33,7 +33,7 @@ jobs: if: needs.check-changes.outputs.has-go-changes == 'true' runs-on: windows-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: From 00939a29f8e7612056ead1eba8ee748dbb7364b0 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Thu, 23 Apr 2026 14:25:42 -0500 Subject: [PATCH 04/25] ci: try mounting docker socket Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 11e318f722..d50c8b66c6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -14,6 +14,8 @@ jobs: runs-on: ubuntu-latest container: image: docker/tilt-ci@sha256:3b83314ab36d9a529f5af8ca788b00d0926d16ed981a929317aab62696a88d77 + volumes: + - /var/run/docker.sock:/var/run/docker.sock steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 From 08788fca509fbcf4b5a12d816f3d7a7a38a656f3 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Thu, 23 Apr 2026 14:30:03 -0500 Subject: [PATCH 05/25] ci: bump to newer buildx and qemu actions Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 2 +- .github/workflows/release.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d50c8b66c6..bf4b140cf6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,7 +20,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Pull registry image run: docker pull registry:2 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cf69c8371a..3345e07c98 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,10 +23,10 @@ jobs: fetch-depth: 0 - name: Set up QEMU - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Build JS run: make build-js 
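Review bot: The added `volumes:` entry `/var/run/docker.sock:/var/run/docker.sock` gives every step in `build-linux` control of the runner's Docker daemon, which is equivalent to root on the host VM. That includes `make install` and `make test-go-ci` when they run pull-request code. On ephemeral GitHub-hosted runners the exposure ends with the job's VM, but it would not on a self-hosted runner. Record the assumption above `volumes:`, e.g. `# host Docker socket: acceptable only on ephemeral GitHub-hosted runners`.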
@@ -60,10 +60,10 @@ jobs: fetch-depth: 0 - name: Set up QEMU - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Notify Slack - Release Started uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 From 39d8f832574aaf5b936e3235c6601dccd396abcb Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Thu, 23 Apr 2026 14:38:38 -0500 Subject: [PATCH 06/25] fix(ci): run container job as root to access Docker socket The mounted Docker socket is owned by root:docker on the host, requiring elevated permissions from within the container. Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bf4b140cf6..5dd3fc31ed 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,6 +14,7 @@ jobs: runs-on: ubuntu-latest container: image: docker/tilt-ci@sha256:3b83314ab36d9a529f5af8ca788b00d0926d16ed981a929317aab62696a88d77 + options: --user root volumes: - /var/run/docker.sock:/var/run/docker.sock steps: From b4d515fcd941052cd6359e5fdeefd1da042d5375 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Thu, 23 Apr 2026 14:41:54 -0500 Subject: [PATCH 07/25] fix(ci): mark workspace as Git safe directory and fetch master - Running as root causes Git ownership mismatch with files checked out by the container default user - Fetch master branch ref for `git merge-base master HEAD` in build Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5dd3fc31ed..4c82c46ad8 100644 --- a/.github/workflows/ci.yml 
+++ b/.github/workflows/ci.yml @@ -20,6 +20,14 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Configure Git safe directory + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + + - name: Fetch master branch + run: | + git fetch origin master:refs/remotes/origin/master + git branch -f master origin/master + - name: Set up Docker uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 From 385d12c43623d48e1a62945a70b27db7efcc9675 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Thu, 23 Apr 2026 15:13:27 -0500 Subject: [PATCH 08/25] fix: pull full clone fixes fatal: ambiguous argument '': unknown revision or path not in the working tree. Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4c82c46ad8..3409f2113b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,15 +19,12 @@ jobs: - /var/run/docker.sock:/var/run/docker.sock steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 - name: Configure Git safe directory run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - - name: Fetch master branch - run: | - git fetch origin master:refs/remotes/origin/master - git branch -f master origin/master - - name: Set up Docker uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 From c9d8f6620c44c575c171920f8a81a9c8250d40aa Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Thu, 23 Apr 2026 15:35:38 -0500 Subject: [PATCH 09/25] fix(ci): use Docker socket mounting instead of dind service The dind service has DNS resolution issues in GitHub Actions container jobs. Switch to mounting the host Docker socket, which is simpler and more reliable. Requires --user root and git safe directory config. 
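Review bot: `git branch -f master origin/master` in the added "Fetch master branch" step will fail when the job runs for a push to master, which is one of the triggers of `ci.yml`. On branch pushes actions/checkout normally leaves HEAD on the local `master` branch, and git refuses to force-update the branch that is checked out. Create the branch only when it is missing, e.g. `git show-ref --verify --quiet refs/heads/master || git branch master origin/master`. The same two commands come back in PATCH 15/25 for `ci.yml`, `docs.yml` and both `integration.yml` jobs, so the guard applies there as well.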
Signed-off-by: Nick Sieger --- .github/workflows/integration.yml | 33 ++++++++++--------------------- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index ec394a69c0..b0d023304f 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -34,21 +34,14 @@ jobs: runs-on: ubuntu-latest container: image: docker/tilt-integration-ci@sha256:9821f02b3304ede7a09ec0564e0a68abea9375bf596b64f34aa683c613db69f4 - options: --privileged - services: - dind: - image: docker:dind - options: --privileged - env: - DOCKER_TLS_CERTDIR: "" - env: - DOCKER_HOST: tcp://dind:2375 + options: --privileged --user root + volumes: + - /var/run/docker.sock:/var/run/docker.sock steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Wait for Docker - run: | - timeout 30 sh -c 'until docker info; do sleep 1; done' + - name: Configure Git safe directory + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Setup Kind cluster run: ctlptl create cluster kind --registry=ctlptl-registry @@ -80,22 +73,16 @@ jobs: runs-on: ubuntu-latest container: image: docker/tilt-extensions-ci@sha256:c22a39c287c7c3afba182f4f46044475b43bd2d4e2bb89f41136eae7d4f4b94d - options: --privileged - services: - dind: - image: docker:dind - options: --privileged - env: - DOCKER_TLS_CERTDIR: "" + options: --privileged --user root + volumes: + - /var/run/docker.sock:/var/run/docker.sock env: - DOCKER_HOST: tcp://dind:2375 PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Wait for Docker - run: | - timeout 30 sh -c 'until docker info; do sleep 1; done' + - name: Configure Git safe directory + run: git config --global --add safe.directory "$GITHUB_WORKSPACE" - name: Setup Kind cluster run: ctlptl create cluster kind --registry=ctlptl-registry 
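Review bot: `options: --privileged --user root` keeps `--privileged` on both container jobs in `integration.yml` although the dind service it was paired with is removed in the same hunks. With the host socket mounted, the Kind node containers are presumably created by the host daemon rather than inside the job container, so the job container may no longer need the flag; if that holds, `options: --user root` is enough. The second job also carries `PULUMI_ACCESS_TOKEN` in job-level `env:`, which makes it readable by every step that now runs as root with daemon access; moving it to the step that uses it would narrow that. Both job definitions continue outside the hunks.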
From 2b14dd697214638bb97829e778be1fff5b94dba7 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 10:16:21 -0500 Subject: [PATCH 10/25] ci: use updated app variables Signed-off-by: Nick Sieger --- .github/workflows/docs.yml | 4 ++-- .github/workflows/release.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 1eb546a1f0..0ffb4f812e 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -31,8 +31,8 @@ jobs: id: app-token uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 with: - app-id: ${{ vars.TILT_APP_ID }} - private-key: ${{ secrets.TILT_APP_PRIVATE_KEY }} + client-id: ${{ vars.TILT_GITHUB_CLIENT_ID }} + private-key: ${{ secrets.TILT_GITHUB_PRIVATE_KEY_BASE64 }} owner: tilt-dev repositories: tilt.build diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3345e07c98..9e59b26194 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -85,8 +85,8 @@ jobs: id: app-token uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0 with: - app-id: ${{ vars.TILT_APP_ID }} - private-key: ${{ secrets.TILT_APP_PRIVATE_KEY }} + client-id: ${{ vars.TILT_GITHUB_CLIENT_ID }} + private-key: ${{ secrets.TILT_GITHUB_PRIVATE_KEY_BASE64 }} owner: tilt-dev repositories: tilt,tilt.build,cloud.tilt.dev,tilt-extensions From 0ebc66ad0e51d09371727b8e33466728f4f182dc Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 10:41:31 -0500 Subject: [PATCH 11/25] fix: fix shellcheck SC2155 Signed-off-by: Nick Sieger --- scripts/update-codegen.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/update-codegen.sh b/scripts/update-codegen.sh index b8209e3b6c..7dbafa20da 100755 --- a/scripts/update-codegen.sh +++ b/scripts/update-codegen.sh 
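Review bot: The new `private-key: ${{ secrets.TILT_GITHUB_PRIVATE_KEY_BASE64 }}` passes a secret whose name says it is base64-encoded straight into the action, in both `docs.yml` and `release.yml`. As far as I know the `private-key` input expects the PEM text, so unless the pinned action version decodes it (worth confirming against its README) the token step will fail; either store the PEM directly or decode it in a preceding step and mask the result. Separately, `release.yml` pins `create-github-app-token` at v1.12.0 while `docs.yml` is on v2.2.2, so check that the `client-id` input exists at both pins.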
@@ -11,8 +11,9 @@ if [[ $CI == true ]]; then # TODO - get this working in CI # scripts/update-protobuf-helper.sh - export CODEGEN_UID=$(id -u) - export CODEGEN_GID=$(id -g) + CODEGEN_UID=$(id -u) + CODEGEN_GID=$(id -g) + export CODEGEN_UID CODEGEN_GID scripts/update-codegen-helper.sh exit 0 fi From 40787fd8fd209b12489eafc9904e540e86034f93 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 10:43:44 -0500 Subject: [PATCH 12/25] fix(ci): use most recent create-github-app-token Signed-off-by: Nick Sieger --- .github/workflows/docs.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 0ffb4f812e..e3b1a6993c 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -29,7 +29,7 @@ jobs: - name: Generate GitHub App token if: steps.changes.outputs.skip != 'true' id: app-token - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 with: client-id: ${{ vars.TILT_GITHUB_CLIENT_ID }} private-key: ${{ secrets.TILT_GITHUB_PRIVATE_KEY_BASE64 }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9e59b26194..f97f922326 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -83,7 +83,7 @@ jobs: - name: Generate GitHub App token id: app-token - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 with: client-id: ${{ vars.TILT_GITHUB_CLIENT_ID }} private-key: ${{ secrets.TILT_GITHUB_PRIVATE_KEY_BASE64 }} From b180cf500ece2101484a9eeb95406ca2a5e0163e Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 10:58:27 -0500 Subject: [PATCH 13/25] fix: don't need app token to checkout public tilt.build 
Signed-off-by: Nick Sieger --- .github/workflows/docs.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index e3b1a6993c..0f8daf4712 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -26,22 +26,11 @@ jobs: echo "skip=true" >> $GITHUB_OUTPUT fi - - name: Generate GitHub App token - if: steps.changes.outputs.skip != 'true' - id: app-token - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 - with: - client-id: ${{ vars.TILT_GITHUB_CLIENT_ID }} - private-key: ${{ secrets.TILT_GITHUB_PRIVATE_KEY_BASE64 }} - owner: tilt-dev - repositories: tilt.build - - name: Checkout tilt.build repo if: steps.changes.outputs.skip != 'true' uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: tilt-dev/tilt.build - token: ${{ steps.app-token.outputs.token }} path: ../tilt.build - name: Build Tilt From e5a9ebe1c0a00afe7858add87ef739b75ae513df Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 11:08:26 -0500 Subject: [PATCH 14/25] fix(ci): docs: check out tilt and tilt.build in subdirectories Signed-off-by: Nick Sieger --- .github/workflows/docs.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 0f8daf4712..3ca19f9944 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -18,6 +18,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 + path: tilt - name: Check for Go changes id: changes 
@@ -25,21 +26,23 @@ jobs: if ! ./scripts/ci-has-go-changes.sh; then echo "skip=true" >> $GITHUB_OUTPUT fi + working-directory: tilt - name: Checkout tilt.build repo if: steps.changes.outputs.skip != 'true' uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: tilt-dev/tilt.build - path: ../tilt.build + path: tilt.build - name: Build Tilt if: steps.changes.outputs.skip != 'true' run: make install + working-directory: tilt - name: Generate and verify docs if: steps.changes.outputs.skip != 'true' - working-directory: ../tilt.build + working-directory: tilt.build run: | tilt dump cli-docs --dir="./docs/cli" tilt dump api-docs --dir="./api" From 2312847cf9677f8233fef01aa64f7f333ae4a756 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 11:16:28 -0500 Subject: [PATCH 15/25] fix(ci): add master branch ref to workflows that run make install The Makefile's install target uses `git merge-base master HEAD`, which requires a local master branch. actions/checkout only fetches the PR branch, so we need to explicitly fetch master and create the local ref. - ci.yml: add Fetch master branch step - integration.yml: add fetch-depth: 0 and Fetch master branch step to build-integration and test-extensions jobs - docs.yml: add git safe directory and Fetch master branch step Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 5 +++++ .github/workflows/docs.yml | 9 +++++++++ .github/workflows/integration.yml | 14 ++++++++++++++ 3 files changed, 28 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3409f2113b..8c91dc02f7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -25,6 +25,11 @@ jobs: - name: Configure Git safe directory run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: Fetch master branch + run: | + git fetch origin master:refs/remotes/origin/master + git branch -f master origin/master + - name: Set up Docker uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 3ca19f9944..79adba0d40 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -20,6 +20,15 @@ jobs: fetch-depth: 0 path: tilt + - name: Configure Git safe directory + run: git config --global --add safe.directory "$GITHUB_WORKSPACE/tilt" + + - name: Fetch master branch + run: | + git fetch origin master:refs/remotes/origin/master + git branch -f master origin/master + working-directory: tilt + - name: Check for Go changes id: changes run: | diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index b0d023304f..d67370c880 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -39,10 +39,17 @@ jobs: - /var/run/docker.sock:/var/run/docker.sock steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 - name: Configure Git safe directory run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: Fetch master branch + run: | + git fetch origin master:refs/remotes/origin/master + git branch -f master origin/master + - name: Setup Kind cluster run: ctlptl create cluster kind --registry=ctlptl-registry 
@@ -80,10 +87,17 @@ jobs: PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 - name: Configure Git safe directory run: git config --global --add safe.directory "$GITHUB_WORKSPACE" + - name: Fetch master branch + run: | + git fetch origin master:refs/remotes/origin/master + git branch -f master origin/master + - name: Setup Kind cluster run: ctlptl create cluster kind --registry=ctlptl-registry From eb57f474d5c9636ae9a0a74a869922c52d10a0e0 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 11:45:12 -0500 Subject: [PATCH 16/25] fix: increase execer timeouts for CI Signed-off-by: Nick Sieger --- internal/controllers/core/cmd/execer_unix_test.go | 2 +- internal/localexec/execer_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/controllers/core/cmd/execer_unix_test.go b/internal/controllers/core/cmd/execer_unix_test.go index 122d859ad3..0f92f0a818 100644 --- a/internal/controllers/core/cmd/execer_unix_test.go +++ b/internal/controllers/core/cmd/execer_unix_test.go @@ -54,5 +54,5 @@ echo BACKGROUND $! assert.Eventually(t, func() bool { err := grandkid.Signal(syscall.SIGCONT) return err != nil && strings.Contains(err.Error(), "process already finished") - }, time.Second, time.Millisecond) + }, 5*time.Second, 10*time.Millisecond) } diff --git a/internal/localexec/execer_test.go b/internal/localexec/execer_test.go index d1c012183b..aead0f1d18 100644 --- a/internal/localexec/execer_test.go +++ b/internal/localexec/execer_test.go 
@@ -86,7 +86,7 @@ func TestProcessExecer_Run_ProcessGroup(t *testing.T) { childProcStopped := assert.Eventually(t, func() bool { err = proc.Signal(syscall.Signal(0)) return errors.Is(err, os.ErrProcessDone) - }, time.Second, 50*time.Millisecond, "Child process was still running") + }, 5*time.Second, 50*time.Millisecond, "Child process was still running") if !childProcStopped { _ = proc.Kill() } From d02948063079367e6f97c98c1460558d50124ce0 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 11:50:22 -0500 Subject: [PATCH 17/25] ci: use tiltdev images Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 4 ++-- .github/workflows/integration.yml | 4 ++-- .github/workflows/release.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8c91dc02f7..178e05988e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,8 +13,8 @@ jobs: build-linux: runs-on: ubuntu-latest container: - image: docker/tilt-ci@sha256:3b83314ab36d9a529f5af8ca788b00d0926d16ed981a929317aab62696a88d77 - options: --user root + image: tiltdev/tilt-ci@sha256:fb737aaed8f1d44d56d4797c1c96046ec940cf2a238d76be29527da2784e8f1e + # options: --user root volumes: - /var/run/docker.sock:/var/run/docker.sock steps: diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index d67370c880..63e700c6b8 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -33,8 +33,8 @@ jobs: if: needs.check-changes.outputs.has-go-changes == 'true' runs-on: ubuntu-latest container: - image: docker/tilt-integration-ci@sha256:9821f02b3304ede7a09ec0564e0a68abea9375bf596b64f34aa683c613db69f4 - options: --privileged --user root + image: tiltdev/tilt-integration-ci@sha256:d0dd2ae941a5d67d8c194ce0f72feae4018c88b40ef5cbba89f98c1bf44e9e9c + # options: --privileged --user root volumes: - /var/run/docker.sock:/var/run/docker.sock steps: 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f97f922326..2c362d8954 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,7 @@ jobs: if: github.ref == 'refs/heads/master' runs-on: ubuntu-latest container: - image: docker/tilt-releaser@sha256:304fa435c4b18d71d1aeae4578762625fc43ab69bc24656e20d150ee23dc2b2b + image: tiltdev/tilt-releaser@sha256:8e9de835faefee4934c7a50271f927c410084bb4955d294c260418b09ade6cff steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -51,7 +51,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/v') runs-on: ubuntu-latest container: - image: docker/tilt-releaser@sha256:304fa435c4b18d71d1aeae4578762625fc43ab69bc24656e20d150ee23dc2b2b + image: tiltdev/tilt-releaser@sha256:8e9de835faefee4934c7a50271f927c410084bb4955d294c260418b09ade6cff env: DOCKER_CLI_EXPERIMENTAL: enabled steps: From 3c388a0e4d92c3cd71d6adc9621cd408d55a9a47 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 12:48:03 -0500 Subject: [PATCH 18/25] ci: try --group-add docker Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 2 +- .github/workflows/docs.yml | 3 +++ .github/workflows/integration.yml | 4 ++-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 178e05988e..b3a25bdcd7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest container: image: tiltdev/tilt-ci@sha256:fb737aaed8f1d44d56d4797c1c96046ec940cf2a238d76be29527da2784e8f1e - # options: --user root + options: --group-add docker volumes: - /var/run/docker.sock:/var/run/docker.sock steps: diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 79adba0d40..bc2620e171 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
@@ -14,6 +14,9 @@ jobs: runs-on: ubuntu-latest container: image: docker/tilt-ci@sha256:3b83314ab36d9a529f5af8ca788b00d0926d16ed981a929317aab62696a88d77 + options: --group-add docker + volumes: + - /var/run/docker.sock:/var/run/docker.sock steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 63e700c6b8..d8f031b2c8 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-latest container: image: tiltdev/tilt-integration-ci@sha256:d0dd2ae941a5d67d8c194ce0f72feae4018c88b40ef5cbba89f98c1bf44e9e9c - # options: --privileged --user root + options: --group-add docker volumes: - /var/run/docker.sock:/var/run/docker.sock steps: @@ -80,7 +80,7 @@ jobs: runs-on: ubuntu-latest container: image: docker/tilt-extensions-ci@sha256:c22a39c287c7c3afba182f4f46044475b43bd2d4e2bb89f41136eae7d4f4b94d - options: --privileged --user root + options: --group-add docker volumes: - /var/run/docker.sock:/var/run/docker.sock env: From 6042265390ebbc6c9859b3b55e845e6b71d1054c Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 13:06:12 -0500 Subject: [PATCH 19/25] ci: update release containers Signed-off-by: Nick Sieger --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2c362d8954..f22fbd2ab5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,7 @@ jobs: if: github.ref == 'refs/heads/master' runs-on: ubuntu-latest container: - image: tiltdev/tilt-releaser@sha256:8e9de835faefee4934c7a50271f927c410084bb4955d294c260418b09ade6cff + image: tiltdev/tilt-releaser@sha256:fe043664aa543e4abd8aa6df29828c00bc3d3205d76296226e084f900a855016 steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -51,7 +51,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/v') runs-on: ubuntu-latest container: - image: tiltdev/tilt-releaser@sha256:8e9de835faefee4934c7a50271f927c410084bb4955d294c260418b09ade6cff + image: tiltdev/tilt-releaser@sha256:fe043664aa543e4abd8aa6df29828c00bc3d3205d76296226e084f900a855016 env: DOCKER_CLI_EXPERIMENTAL: enabled steps: From f617c7100ff7a10ac44036611c6e4e1f39457a04 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 13:06:53 -0500 Subject: [PATCH 20/25] ci: temporary workflow to show docker socket permissions Signed-off-by: Nick Sieger --- .github/workflows/tempdocker.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/workflows/tempdocker.yml diff --git a/.github/workflows/tempdocker.yml b/.github/workflows/tempdocker.yml new file mode 100644 index 0000000000..cc2bf10b03 --- /dev/null +++ b/.github/workflows/tempdocker.yml @@ -0,0 +1,15 @@ +name: Temp Docker Inspection + +on: + pull_request: + +jobs: + build-linux: + runs-on: ubuntu-latest + container: + image: alpine + volumes: + - /var/run/docker.sock:/var/run/docker.sock + steps: + - name: Print docker sock permissions + run: ls -an /var/run/docker.sock From 4d5051824d7cda5117a118384f4e4baa6b62e50c Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 13:10:47 -0500 Subject: [PATCH 21/25] ci: try --group-add 118 Fail the run if the docker socket isn't connected to gid 118 Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 11 ++++++++++- .github/workflows/docs.yml | 11 ++++++++++- .github/workflows/integration.yml | 22 ++++++++++++++++++++-- .github/workflows/tempdocker.yml | 15 --------------- 4 files changed, 40 insertions(+), 19 deletions(-) delete mode 100644 .github/workflows/tempdocker.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b3a25bdcd7..cf8909396a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -14,10 +14,19 @@ jobs: runs-on: ubuntu-latest container: image: tiltdev/tilt-ci@sha256:fb737aaed8f1d44d56d4797c1c96046ec940cf2a238d76be29527da2784e8f1e - options: --group-add docker + options: --group-add 118 volumes: - /var/run/docker.sock:/var/run/docker.sock steps: + - name: Check docker sock permissions + run: | + ls -n /var/run/docker.sock + gid=$(ls -n /var/run/docker.sock | awk '{print$4}') + if [ "$gid" -ne 118 ]; then + echo "::error::Unexpected Group ID ($gid) for Docker socket" >> $GITHUB_OUTPUT + exit 1 + fi + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index bc2620e171..43135f957e 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -14,10 +14,19 @@ jobs: runs-on: ubuntu-latest container: image: docker/tilt-ci@sha256:3b83314ab36d9a529f5af8ca788b00d0926d16ed981a929317aab62696a88d77 - options: --group-add docker + options: --group-add 118 volumes: - /var/run/docker.sock:/var/run/docker.sock steps: + - name: Check docker sock permissions + run: | + ls -n /var/run/docker.sock + gid=$(ls -n /var/run/docker.sock | awk '{print$4}') + if [ "$gid" -ne 118 ]; then + echo "::error::Unexpected Group ID ($gid) for Docker socket" >> $GITHUB_OUTPUT + exit 1 + fi + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index d8f031b2c8..410a6e4fd2 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml 
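Review bot: The failure message in the added "Check docker sock permissions" step is appended to `$GITHUB_OUTPUT`, but `::error::` is a workflow command that is only recognised on stdout, so the annotation never appears and the output file receives a line that is not in `name=value` form. Print it instead: `echo "::error::Unexpected Group ID ($gid) for Docker socket"`. Reading the group with `gid=$(stat -c '%g' /var/run/docker.sock)` avoids parsing `ls` columns. The literal `118` in `--group-add 118` and in the test is a property of the current runner image, so a short comment saying where it comes from would help when it changes. The same step is added to `docs.yml` and to both jobs in `integration.yml`.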
@@ -34,10 +34,19 @@ jobs: runs-on: ubuntu-latest container: image: tiltdev/tilt-integration-ci@sha256:d0dd2ae941a5d67d8c194ce0f72feae4018c88b40ef5cbba89f98c1bf44e9e9c - options: --group-add docker + options: --group-add 118 volumes: - /var/run/docker.sock:/var/run/docker.sock steps: + - name: Check docker sock permissions + run: | + ls -n /var/run/docker.sock + gid=$(ls -n /var/run/docker.sock | awk '{print$4}') + if [ "$gid" -ne 118 ]; then + echo "::error::Unexpected Group ID ($gid) for Docker socket" >> $GITHUB_OUTPUT + exit 1 + fi + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -80,12 +89,21 @@ jobs: runs-on: ubuntu-latest container: image: docker/tilt-extensions-ci@sha256:c22a39c287c7c3afba182f4f46044475b43bd2d4e2bb89f41136eae7d4f4b94d - options: --group-add docker + options: --group-add 118 volumes: - /var/run/docker.sock:/var/run/docker.sock env: PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} steps: + - name: Check docker sock permissions + run: | + ls -n /var/run/docker.sock + gid=$(ls -n /var/run/docker.sock | awk '{print$4}') + if [ "$gid" -ne 118 ]; then + echo "::error::Unexpected Group ID ($gid) for Docker socket" >> $GITHUB_OUTPUT + exit 1 + fi + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/tempdocker.yml b/.github/workflows/tempdocker.yml deleted file mode 100644 index cc2bf10b03..0000000000 --- a/.github/workflows/tempdocker.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: Temp Docker Inspection - -on: - pull_request: - -jobs: - build-linux: - runs-on: ubuntu-latest - container: - image: alpine - volumes: - - /var/run/docker.sock:/var/run/docker.sock - steps: - - name: Print docker sock permissions - run: ls -an /var/run/docker.sock From 1392cc5d47a0b9974ee43cbfb5fc333ff985423e Mon Sep 17 00:00:00 2001 
From: Nick Sieger Date: Fri, 24 Apr 2026 13:56:42 -0500 Subject: [PATCH 22/25] fix(ci): set GOBIN for test-extensions job When running as non-root, go install puts binaries in $HOME/go/bin (/github/home/go/bin), but the container PATH only includes /root/go/bin. Set GOBIN=/usr/local/bin to install tilt to a directory that's already in PATH. Also require build-integration to succeed first before running. Signed-off-by: Nick Sieger --- .github/workflows/integration.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 410a6e4fd2..50a23ef98f 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -84,7 +84,9 @@ jobs: } test-extensions: - needs: check-changes + needs: + - check-changes + - build-integration if: needs.check-changes.outputs.has-go-changes == 'true' runs-on: ubuntu-latest container: @@ -93,6 +95,7 @@ jobs: volumes: - /var/run/docker.sock:/var/run/docker.sock env: + GOBIN: /usr/local/bin PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} steps: - name: Check docker sock permissions From 27f8e610d0efd54aaf6f9e1e11e4cfb3271d862c Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 14:00:50 -0500 Subject: [PATCH 23/25] fix(ci): add Docker cleanup to prevent OOM in integration tests Exit code 137 indicates the process was killed by OOM killer. Unlike CircleCI's setup_remote_docker which provides isolation, GitHub Actions socket mounting shares the host's Docker resources and memory pool. Add docker system prune before setting up Kind clusters to free memory from unused containers, images, and volumes accumulated from previous runs or other jobs on the same runner. Signed-off-by: Nick Sieger --- .github/workflows/integration.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 50a23ef98f..391e875a39 100644 
--- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -59,6 +59,9 @@ jobs: git fetch origin master:refs/remotes/origin/master git branch -f master origin/master + - name: Clean Docker resources + run: docker system prune -af --volumes || true + - name: Setup Kind cluster run: ctlptl create cluster kind --registry=ctlptl-registry @@ -119,6 +122,9 @@ jobs: git fetch origin master:refs/remotes/origin/master git branch -f master origin/master + - name: Clean Docker resources + run: docker system prune -af --volumes || true + - name: Setup Kind cluster run: ctlptl create cluster kind --registry=ctlptl-registry From 3a331ea29a53a24c62476dbc08987befcf9e98e6 Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 14:09:10 -0500 Subject: [PATCH 24/25] fix(ci): split integration tests into parallel matrix jobs Split integration tests into 4 parallel jobs to reduce memory pressure and prevent OOM kills: - quick: Analytics, config, crash, CRD, demo, env tests (19 tests) - docker-compose: Docker Compose tests (3 tests) - live-update: Live update tests (5 tests) - k8s-deploy: K8s deployment and job tests (14 tests) Each job sets up its own Kind cluster and runs a subset of tests, reducing peak memory usage. Jobs run in parallel with fail-fast disabled so failures in one group don't cancel others. Signed-off-by: Nick Sieger --- .github/workflows/integration.yml | 32 ++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 391e875a39..4985ff0922 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml 
@@ -32,6 +32,22 @@ jobs: needs: check-changes if: needs.check-changes.outputs.has-go-changes == 'true' runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + # Group 1: Quick K8s tests (analytics, config, crash, crd, demo, env, event, etc.) + - name: quick + pattern: "Test(Opt|ConfigMap|Crash|CRD|TiltDemo|EnvInit|Event|Idempotent|Ignores|ImageTags|LocalResource|NamespaceFlag|TiltArgs|TiltCI|CLI_DockerPrune)" + # Group 2: Docker Compose tests + - name: docker-compose + pattern: "Test(DockerCompose|OneDockerCompose|DisableDC)" + # Group 3: Live Update tests + - name: live-update + pattern: "TestLiveUpdate" + # Group 4: K8s deployment tests (jobs, oneup, watch, etc.) + - name: k8s-deploy + pattern: "Test(Job|OneUp|OneWatch|WatchExec|K8sCustomDeploy|DisableK8s|RestartProcess|SameImg|Shortlived|TooMany|TTLJob)" container: image: tiltdev/tilt-integration-ci@sha256:d0dd2ae941a5d67d8c194ce0f72feae4018c88b40ef5cbba89f98c1bf44e9e9c options: --group-add 118 @@ -65,15 +81,13 @@ jobs: - name: Setup Kind cluster run: ctlptl create cluster kind --registry=ctlptl-registry - - name: Build and run integration tests - run: make build-js integration + - name: Build JS assets + run: make build-js - - name: Upload test results - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - if: always() - with: - name: integration-test-results - path: test-results/ + - name: Run integration tests (${{ matrix.name }}) + run: | + go test -mod vendor -v -count 1 -tags 'integration' -timeout 30m \ + -run '${{ matrix.pattern }}' ./integration - name: Notify Slack on failure if: failure() && github.ref == 'refs/heads/master' 
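Review bot: The four `pattern` values in the new `matrix.include` list act as an allow-list, so an integration test whose name matches none of them is never run and nothing reports it. Before this change `make build-js integration` ran the whole package. Consider a small guard step that lists the tests with `go test -tags integration -list '.*' ./integration` and fails when a name is matched by no group, or make one group the complement of the others. The job definition starts and ends outside the hunk.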
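Review bot: In the new "Run integration tests" step, `-run '${{ matrix.pattern }}'` is expanded by the Actions template engine before the shell sees the script, so a pattern containing a single quote would change the command that runs. The values are static today, but passing them through the environment keeps the script text fixed: give the step an `env:` entry `TEST_PATTERN: ${{ matrix.pattern }}` and use `-run "$TEST_PATTERN"`.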
@@ -83,7 +97,7 @@ jobs: webhook-type: incoming-webhook payload: | { - "text": "build-integration failed on master: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" + "text": "build-integration (${{ matrix.name }}) failed on master: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" } test-extensions: From 7d91dedf4ff6448520023f972364738eb6ebf90a Mon Sep 17 00:00:00 2001 From: Nick Sieger Date: Fri, 24 Apr 2026 14:22:40 -0500 Subject: [PATCH 25/25] fix(ci): login to avoid anonymous pull 429s Signed-off-by: Nick Sieger --- .github/workflows/ci.yml | 8 ++++++++ .github/workflows/integration.yml | 12 ++++++++++++ 2 files changed, 20 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cf8909396a..c3de53905c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,6 +17,8 @@ jobs: options: --group-add 118 volumes: - /var/run/docker.sock:/var/run/docker.sock + env: + GOBIN: /usr/local/bin steps: - name: Check docker sock permissions run: | @@ -39,6 +41,12 @@ jobs: git fetch origin master:refs/remotes/origin/master git branch -f master origin/master + - name: Docker login + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_TOKEN }} + - name: Set up Docker uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 4985ff0922..40d1c9c0e1 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml 
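Review bot: The added `Docker login` step in `ci.yml` has no `if:` guard, and the workflow as introduced earlier in this series runs on `pull_request`; for pull requests from forks, repository secrets are not provided, so `secrets.DOCKER_USERNAME` and `secrets.DOCKER_TOKEN` expand to empty strings and the login action is expected to fail the job instead of falling back to anonymous pulls. Guarding the step, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, keeps fork CI on the previous anonymous path. The same step is added twice in `.github/workflows/integration.yml` (hunks `@@ -75,6 +75,12 @@` and `@@ -136,6 +142,12 @@`), whose triggers are not visible here. Because the login runs before steps that build and test the checked-out code, the stored registry credential is readable by that code on same-repository pull requests, so `DOCKER_TOKEN` should be a read-only access token.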
@@ -75,6 +75,12 @@ jobs: git fetch origin master:refs/remotes/origin/master git branch -f master origin/master + - name: Docker login + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_TOKEN }} + - name: Clean Docker resources run: docker system prune -af --volumes || true @@ -136,6 +142,12 @@ jobs: git fetch origin master:refs/remotes/origin/master git branch -f master origin/master + - name: Docker login + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_TOKEN }} + - name: Clean Docker resources run: docker system prune -af --volumes || true