Merge branch 'main' into membership-audit

.github/workflows/certificate-check.yml

@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout current repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
       - name: Use Node.js ${{ env.NODE_VERSION }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Check web ceritificate expiry

.github/workflows/push.yml

@@ -8,7 +8,7 @@ jobs:
   Python:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Python 3.7
       uses: actions/setup-python@v4
       with:

.github/workflows/shellcheck.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: ShellCheck
       uses: ludeeus/[email protected]
       with:

GOVERNANCE.md

@@ -4,7 +4,7 @@ The Node.js Build Working Group maintains and controls infrastructure
 used for continuous integration (CI), releases, benchmarks,
 web hosting (of nodejs.org and other Node.js web properties) and more.
 
-Our mission is to provide Node.js Foundation projects with solid computing
+Our mission is to provide Node.js projects with solid computing
 infrastructure in order to improve the quality of the software itself by
 targeting correctness, speed and compatibility and to ensure streamlined
 delivery of binaries and source code to end-users.

ONBOARDING.md

@@ -17,7 +17,8 @@ onboarding session.
     [`GOVERNANCE.md`](./GOVERNANCE.md) and have any questions ready
 - [ ] Schedule a meeting with the member to:
     - [ ] Walk them through the infrastructure and what other members do
-    - [ ] Explain how to decrypt nodejs/secrets 
+    - [ ] Explain how to decrypt nodejs/secrets
+    - [ ] Practice SSH access to the organization's machines. See [`ssh.md`](./doc/ssh.md).
     - [ ] Practice running the `jenkins/worker/create.yml` playbook on one of the machines in the test CI cluster
     - [ ] Answer any questions they may have
 - [ ] PR changes to [README.md](./README.md#build-wg-members) to add the member to build-test

README.md

@@ -28,19 +28,20 @@ to the resources we manage.
 
 <!-- ncu-team-sync.team(nodejs/build) -->
 
-- [@AshCripps](https://github.com/AshCripps) - Ash Cripps
-- [@jbergstroem](https://github.com/jbergstroem) - Johan Bergström
-- [@joaocgreis](https://github.com/joaocgreis) - João Reis
-- [@mhdawson](https://github.com/mhdawson) - Michael Dawson
-- [@MoLow](https://github.com/MoLow) - Moshe Atlow
-- [@MylesBorins](https://github.com/MylesBorins) - Myles Borins
-- [@node-forward-build](https://github.com/node-forward-build) - node-forward build infrastructure
-- [@richardlau](https://github.com/richardlau) - Richard Lau
-- [@rvagg](https://github.com/rvagg) - Rod Vagg
-- [@StefanStojanovic](https://github.com/StefanStojanovic) - Stefan Stojanovic
-- [@sxa](https://github.com/sxa) - Stewart X Addison
-- [@targos](https://github.com/targos) - Michaël Zasso
-- [@UlisesGascon](https://github.com/UlisesGascon) - Ulises Gascón
+* [@AshCripps](https://github.com/AshCripps) - Ash Cripps
+* [@anonrig](https://github.com/anonrig) - Yagiz Nizipli
+* [@jbergstroem](https://github.com/jbergstroem) - Johan Bergström
+* [@joaocgreis](https://github.com/joaocgreis) - João Reis
+* [@mhdawson](https://github.com/mhdawson) - Michael Dawson
+* [@MoLow](https://github.com/MoLow) - Moshe Atlow
+* [@MylesBorins](https://github.com/MylesBorins) - Myles Borins
+* [@node-forward-build](https://github.com/node-forward-build) - node-forward build infrastructure
+* [@richardlau](https://github.com/richardlau) - Richard Lau
+* [@rvagg](https://github.com/rvagg) - Rod Vagg
+* [@StefanStojanovic](https://github.com/StefanStojanovic) - Stefan Stojanovic
+* [@sxa](https://github.com/sxa) - Stewart X Addison
+* [@targos](https://github.com/targos) - Michaël Zasso
+* [@UlisesGascon](https://github.com/UlisesGascon) - Ulises Gascón
 
 <!-- ncu-team-sync end -->
 
@@ -53,6 +54,7 @@ Above list is manually synced with the [gpg member list](https://github.com/node
 * [@jbergstroem](https://github.com/jbergstroem) - Johan Bergström
 * [@joaocgreis](https://github.com/joaocgreis) - João Reis
 * [@mhdawson](https://github.com/mhdawson) - Michael Dawson
+* [@MoLow](https://github.com/MoLow) - Moshe Atlow
 * [@richardlau](https://github.com/richardlau) - Richard Lau
 * [@rvagg](https://github.com/rvagg) - Rod Vagg
 * [@sxa](https://github.com/sxa) - Stewart X Addison
@@ -287,7 +289,6 @@ Build and test orchestration is performed by [Jenkins][21].
 - A summary of build and test jobs can be found at: <https://ci.nodejs.org>
 - A listing of connected servers for testing, building and benchmarking
   can be found at: <https://ci.nodejs.org/computer/>
-- A summary of the general health of the last 100 jobs can be found at: <https://ci-health.nodejs.org/#/job-summary>
 - Monitoring with Grafana: <https://grafana.nodejs.org/>
 
 The Build WG will keep build configuration required for a release line for 6

ansible/MANUAL_STEPS.md

@@ -121,22 +121,49 @@ As root:
 * `sudo xcodebuild -license` - accept license
 * `git` - check that git is working (confirming license has been accepted)
 
+#### OSX Keychain Profile
+
+Create a keychain profile (`NODE_RELEASE_PROFILE`) for the release machine: 
+
+```bash
+sudo xcrun notarytool store-credentials NODE_RELEASE_PROFILE \
+  --apple-id XXXX \
+  --team-id XXXX \
+  --password XXXX \
+  --keychain /Library/Keychains/System.keychain  
+```
+
+Note: `XXXX` values are found in `secrets/build/release/apple.md`
+
+Note2: (`security unlock-keychain -u /Library/Keychains/System.keychain` _may_ be required prior to running this command).
+
+The expected output is:
+
+```
+This process stores your credentials securely in the Keychain. You reference these credentials later using a profile name.
+
+Validating your credentials...
+Success. Credentials validated.
+Credentials saved to Keychain.
+To use them, specify `--keychain-profile "NODE_RELEASE_PROFILE" --keychain /Library/Keychains/System.keychain`
+```
+
 #### Signing certificates
 
 * Go to the `build/release` folder in the secrets repo.
 * Extract from secrets/build/release: `dotgpg cat Apple\ Developer\ ID\ Node.js\ Foundation.p12.base64 | base64 -D > /tmp/Apple\ Developer\ ID\ Node.js\ Foundation.p12`
 * Transfer to release machine (scp to /tmp)
 * `sudo security import /tmp/Apple\ Developer\ ID\ Node.js\ Foundation.p12 -k /Library/Keychains/System.keychain -T /usr/bin/codesign -T /usr/bin/productsign -P 'XXXX'` (where XXXX is found in secrets/build/release/apple.md) (`security unlock-keychain -u /Library/Keychains/System.keychain` _may_ be required prior to running this command).
 
-#### Validating certificates are in date
-
-1. security -i unlock-keychain    (Enter the password for the machine located in secrets)
-2. security find-certificate -c "Developer ID Application" -p > /tmp/app.cert     (outputs the PEM format of the cert so we can properly inspect it)
-3. security find-certificate -c "Developer ID Installer" -p > /tmp/installer.cert
-4. openssl x509 -inform PEM -text -in /tmp/app.cert | less
-5. openssl x509 -inform PEM -text -in /tmp/installer.cert | less
+#### Validating certificates are in date and valid
 
-The last two steps will show the details of the certificates allowing to see expiry dates.
+1. `security -i unlock-keychain` Enter the password for the machine located in secrets
+2. `security find-certificate -c "Developer ID Application" -p > /tmp/app.cert` outputs the PEM format of the cert so we can properly inspect it
+3. `security find-certificate -c "Developer ID Installer" -p > /tmp/installer.cert`
+4. `openssl x509 -inform PEM -text -in /tmp/app.cert | less`
+5. `openssl x509 -inform PEM -text -in /tmp/installer.cert | less`
+6. `security find-identity -p codesigning -v`
+The steps 4 and 5 will show the details of the certificates allowing to see expiry dates.
 
 Example:
 
@@ -145,6 +172,15 @@ Not Before: Jan 22 03:40:05 2020 GMT
 Not After : Jan 22 03:40:05 2025 GMT
 ```
 
+The step 6 will show the list of certificates available on the machine.
+
+Example:
+
+```
+  1) XXXXXXXXXXX "Developer ID Application: Node.js Foundation (XXXXXXX)"
+1 valid identities found
+```
+
 ## macOS
 1. Update Sudoers file:
 
@@ -599,7 +635,7 @@ The preparation script needs to be run in PowerShell (run as Administrator):
 
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-Invoke-WebRequest "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1" -OutFile "ConfigureRemotingForAnsible.ps1"
+Invoke-WebRequest "https://raw.githubusercontent.com/ansible/ansible-documentation/devel/examples/scripts/ConfigureRemotingForAnsible.ps1" -OutFile "ConfigureRemotingForAnsible.ps1"
 .\ConfigureRemotingForAnsible.ps1 -ForceNewSSLCert true -CertValidityDays 3650
 ```
 

ansible/README.md

@@ -7,9 +7,10 @@
 
 1. Follow the [instructions to install the latest version of Ansible][ansible-install].
    * In most cases, using pip: `pip install ansible`.
-   * If you use brew, then `brew install python2 ansible`, and then run
-   `export PYTHONPATH=$(pip2 show pyyaml | grep Location | awk '{print $2}') `
+   * If you use brew, then `brew install python3 ansible`, and then run
+   `export PYTHONPATH=$(pip show pyyaml | grep Location | awk '{print $2}') `
    before you use `ansible-playbook`.
+   * If you have Python 2 installed, you may need to add an alias to your shell profile for python 3 as the default python interpreter, like `alias python=/usr/local/bin/python3.11`
 2. Read this document.
 3. For SSH access, see the [SSH guide](../doc/ssh.md).
 

ansible/inventory.yml

@@ -70,10 +70,6 @@ hosts:
         zos24-s390x-1: {ip: 148.100.36.157, user: unix1}
 
     - nearform:
-        macos10.15-x64-1:
-            ip: 83.147.191.69
-            user: administrator
-            ansible_python_interpreter: /usr/bin/python3
         macos11.0-arm64-1:
             ansible_python_interpreter: /usr/bin/python3
             ip: 83.147.191.76
@@ -87,15 +83,14 @@ hosts:
             server_jobs: 6
         centos7-arm64-1: {ip: 140.211.169.7, server_jobs: 2, user: centos}
         centos7-ppc64_le-1: {ip: 140.211.168.61, user: centos}
-        rhel8-arm64-1: {ip: 140.211.169.58, server_jobs: 2, user: cloud-user}
+        rhel8-arm64-1:
+            ip: 140.211.169.58
+            server_jobs: 2
+            user: cloud-user
+            swap_file_size_mb: 4096
         rhel8-ppc64_le-1: {ip: 140.211.168.185, user: cloud-user}
 
     - orka:
-        macos10.15-x64-1:
-            ansible_python_interpreter: /usr/bin/python3
-            ip: 199.7.167.101
-            port: 8825
-            user: administrator
         macos11-x64-1:
             ansible_python_interpreter: /usr/bin/python3
             ip: 199.7.167.100
@@ -125,7 +120,7 @@ hosts:
         msft-win2022_vs2019-x64-4: {ip: nodejs2.eastus.cloudapp.azure.com}
 
     - digitalocean:
-        debian8-x64-1: {ip: 159.203.103.52}
+        debian11-x64-1: {ip: 174.138.79.159}
         debian9-x64-1: {ip: 138.197.97.208}
         fedora32-x64-1: {ip: 159.203.117.50}
         fedora37-x64-1: {ip: 159.65.248.149}
@@ -134,11 +129,11 @@ hosts:
         freebsd12-x64-1: {ip: 45.55.90.237, user: freebsd}
         freebsd12-x64-2: {ip: 107.170.28.213, user: freebsd}
         rhel8-x64-1: {ip: 161.35.139.78, build_test_v8: yes}
-        ubuntu1604-x86-1: {ip: 159.203.77.233}
-        ubuntu1604-x86-2: {ip: 104.131.191.135}
         ubuntu1804_docker-x64-1: {ip: 134.209.55.216}
         ubuntu1804_docker-x64-2: {ip: 159.89.183.200}
         ubuntu1804-x64-1: {ip: 178.128.181.213}
+        ubuntu2204-x64-1: {ip: 138.197.4.1}
+        ubuntu2204-x64-2: {ip: 167.99.124.188}
 
     - equinix:
         ubuntu2004_docker-arm64-1: {ip: 145.40.81.219}
@@ -324,9 +319,16 @@ hosts:
         win2012r2_vs2015-x64-2: {ip: 104.130.141.137}
         win2012r2_vs2019-x64-1: {ip: 162.242.237.124}
         win2012r2_vs2019-x64-2: {ip: 104.130.158.58}
-        win2012r2_vs2019-x64-3: {ip: 119.9.131.63}
-        win2012r2_vs2019-x64-4: {ip: 104.130.219.103}
-        win2012r2_vs2019-x64-6: {ip: 104.130.141.231}
+        win2019_vs2019-x64-1: {}
+        win2019_vs2019-x64-2: {}
+        win2019_vs2019-x64-3: {}
+        win2019_vs2019-x64-4: {}
+        win2022_vs2022-x64-1: {}
+        win2022_vs2022-x64-2: {}
+        win2022_vs2022-x64-3: {}
+        win2022_vs2022-x64-4: {}
+        win2022_vs2022-x64-5: {}
+        win2022_vs2022-x64-6: {}
 
     - softlayer:
         centos7-x64-1: {ip: 50.23.85.250}

ansible/roles/baselayout/vars/main.yml

@@ -16,8 +16,8 @@ sshd_service_map: {
 sshd_service_name: "{{ sshd_service_map[os]|default(sshd_service_map[os|stripversion])|default('sshd') }}"
 
 ntp_service: {
-  chrony: ['rhel8'],
-  systemd: ['debian8', 'debian9', 'debian10', 'ubuntu1604', 'ubuntu1804']
+  chrony: ['rhel8', 'debian11'],
+  systemd: ['debian8', 'debian9', 'debian10', 'ubuntu']
 }
 
 common_packages: [
@@ -71,6 +71,10 @@ packages: {
     'gcc-8,g++-8,ccache,git,curl,libfontconfig1,apt-transport-https,ca-certificates,sudo,python3-pip',
   ],
 
+  debian11: [
+    'gcc-10,g++-10,ccache,git,curl,libfontconfig1,apt-transport-https,ca-certificates,sudo,python3-pip',
+  ],
+
   fedora: [
     'bzip2,ccache,gcc-c++,git,fontconfig,sudo,make,python3-pip',
   ],
@@ -126,7 +130,7 @@ packages: {
   ],
 
   ubuntu: [
-    'ccache,curl,git,libfontconfig1,sudo,python3-pip',
+    'acl,ccache,curl,git,libfontconfig1,sudo,python3-pip',
   ],
 
   # Default gcc/g++ package is 5.
@@ -139,7 +143,8 @@ packages: {
     'gcc-6,g++-6,gcc-8,g++-8,python3.8',
   ],  
 
+  # Default gcc/g++ package is 11.
   ubuntu2204: [
-    'gcc,g++,python2,python3,python-is-python3',
+    'gcc,g++,python3,python-is-python3',
   ],
 }

ansible/roles/bootstrap/tasks/partials/linux-swap.yml

@@ -0,0 +1,40 @@
+---
+
+#
+# Creates a swap file on Linux.
+# Assumes swap_file_size_mb has been set.
+#
+
+- name: create swapfile
+  ansible.builtin.command:
+    cmd: dd if=/dev/zero of=/{{ swap_file }} bs=1M count={{ swap_file_size_mb }}
+    creates: "{{ swap_file }}"
+  become: yes
+  become_user: root
+  register: swap_create
+
+- name: set swapfile permissions
+  ansible.builtin.file:
+    group: root
+    mode: 0600
+    owner: root
+    path: "{{ swap_file }}"
+
+- name: set up swap area
+  ansible.builtin.command:
+    cmd: mkswap {{ swap_file }}
+  when: swap_create.changed
+
+- name: enable swap
+  ansible.builtin.command:
+    cmd: swapon {{ swap_file }}
+  when: swap_create.changed
+
+- name: add swap to fstab
+  ansible.posix.mount:
+    fstype: swap
+    opts: defaults
+    path: swap
+    src: "{{ swap_file }}"
+    state: present
+  when: swap_create.changed

ansible/roles/bootstrap/tasks/partials/rhel8.yml

@@ -15,3 +15,7 @@
     activationkey: "{{ secrets.rh_activationkey }}"
     org_id: "{{ secrets.rh_org }}"
     state: present
+
+- name: set up swap on Linux
+  include_tasks: linux-swap.yml
+  when: swap_file_size_mb is defined

ansible/roles/bootstrap/vars/main.yml

@@ -1 +1,2 @@
 autologon_regpath: 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+swap_file: /swapfile