
ci: add github actions runner sync workflow (#7742)

nikita kozlovsky 6 месяцев назад
Родитель
Сommit
bcac7829df

+ 11 - 7
.github/actions/s3cmd/action.yml

@@ -8,16 +8,16 @@ inputs:
     required: true
     description: "s3 key secret"
   s3_bucket:
-    required: true
+    required: false
     description: "s3 bucket"
   s3_endpoint:
     required: true
     description: "s3 endpoint"
   folder_prefix:
-    required: true
+    required: false
     description: "folder prefix"
   build_preset:
-    required: true
+    required: false
     description: "build preset like relwithdebinfo"
 runs:
   using: "composite"
@@ -35,7 +35,14 @@ runs:
         host_base = storage.yandexcloud.net
         host_bucket = %(bucket)s.storage.yandexcloud.net
         EOF
-        
+      env:
+        s3_key_id: ${{ inputs.s3_key_id }}
+        s3_secret_access_key: ${{ inputs.s3_key_secret }}
+
+    - name: export s3 path variables
+      shell: bash
+      if: inputs.build_preset
+      run: |
         folder="${{ runner.arch == 'X64' && 'x86-64' || runner.arch == 'ARM64' && 'arm64' || 'unknown' }}"
         
         BUILD_PRESET="${{ inputs.build_preset }}"
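Review bot: The new `export s3 path variables` step is gated only on `inputs.build_preset`, yet the exports it runs (visible in the next hunk) also interpolate `inputs.s3_bucket` and `inputs.folder_prefix`, which this commit makes optional. A caller that passes `build_preset` without `s3_bucket` would export paths such as `s3:///testing_out_stuff/...`; consider `if: inputs.build_preset && inputs.s3_bucket`. Separately, `${{ inputs.build_preset }}` is expanded into the script text before bash parses it, so a value containing quotes or `$(...)` becomes shell syntax. Passing it through `env:` (`BUILD_PRESET: ${{ inputs.build_preset }}`) and reading `"$BUILD_PRESET"` keeps it as data. The step's `run` body continues outside this hunk.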
@@ -58,6 +65,3 @@ runs:
         echo "S3_URL_PREFIX=${{ inputs.s3_endpoint }}/${{ inputs.s3_bucket }}/${{ github.repository }}/${{ github.workflow }}/${{ github.run_id }}/${{ inputs.folder_prefix }}${folder}" >> $GITHUB_ENV
         echo "S3_TEST_ARTIFACTS_BUCKET_PATH=s3://${{ inputs.s3_bucket }}/testing_out_stuff/${{ github.repository }}/${{github.workflow}}/${{ github.run_id }}/${{ inputs.folder_prefix }}${folder}" >> $GITHUB_ENV
         echo "S3_TEST_ARTIFACTS_URL_PREFIX=${{ inputs.s3_endpoint }}/${{ inputs.s3_bucket }}/testing_out_stuff/${{ github.repository }}/${{ github.workflow }}/${{ github.run_id }}/${{ inputs.folder_prefix }}${folder}" >> $GITHUB_ENV
-      env:
-        s3_key_id: ${{ inputs.s3_key_id }}
-        s3_secret_access_key: ${{ inputs.s3_key_secret }}

+ 29 - 0
.github/workflows/sync_github_runner.yaml

@@ -0,0 +1,29 @@
+name: Upload the latest GitHub Actions Runner
+on:
+  schedule:
+    - cron: "15 */12 * * *"  # Two times a day
+  workflow_dispatch:
+jobs:
+  sync:
+    name: Upload the latest GitHub Actions Runner
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            .github
+            ydb/ci/
+      - name: Set up S3cmd cli tool
+        uses: s3-actions/s3cmd@v1.6.1
+      - name: Prepare s3cmd
+        uses: ./.github/actions/s3cmd
+        with:
+          s3_key_id: ${{ secrets.AWS_KEY_ID }}
+          s3_key_secret: ${{ secrets.AWS_KEY_VALUE }}
+      - name: sync
+        run: bash ./ydb/ci/sync_github_runner.sh
+        env:
+          GH_TOKEN: ${{ github.token }}
+          BUCKET_PATH: ${{ vars.RUNNER_MIRROR_S3_BUCKET_PATH }}
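Review bot: `s3-actions/s3cmd@v1.6.1` and `actions/checkout@v4` are referenced by mutable tags in a job that then receives `secrets.AWS_KEY_ID` and `secrets.AWS_KEY_VALUE`. The third-party action installs the s3cmd tool that later reads those credentials, so a re-pointed tag would run with access to them. Pin both to a full commit SHA, e.g. `uses: s3-actions/s3cmd@<full-commit-sha>  # v1.6.1`. `permissions: {}` is a good default and should stay. The job also has no `timeout-minutes`, so a stalled download would hold the runner until the platform limit.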

+ 25 - 0
ydb/ci/sync_github_runner.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+if [ -z "$BUCKET_PATH" ]; then
+  echo "BUCKET_PATH is empty"
+  exit 1
+fi
+
+set -xeuo pipefail
+
+BUCKET_LATEST_PATH=$BUCKET_PATH/latest
+RELEASES_JSON=https://api.github.com/repos/actions/runner/releases/latest
+
+latest_release=$(gh api $RELEASES_JSON |  jq -r 'limit(1; .assets[] | select(.name | test("-linux-x64-\\d+\\.\\d+\\.\\d+.tar.gz")).browser_download_url)')
+latest_fn=$(basename $latest_release)
+
+s3cmd info $BUCKET_PATH/$latest_fn && ret=$? || ret=$?
+
+# EX_NOTFOUND = 12 (https://github.com/s3tools/s3cmd/blob/master/S3/ExitCodes.py#L10)
+if [ $ret -eq 12 ]; then
+  curl -sSL -w "%{url_effective} %{remote_ip} %{speed_download} %{size_download}\n" -o $latest_fn $latest_release
+  s3cmd put --acl-public --no-preserve $latest_fn $BUCKET_PATH/$latest_fn
+  echo "$latest_fn" | s3cmd put --acl-public - $BUCKET_LATEST_PATH
+elif [ $ret -ne 0 ]; then
+  exit 1
+fi
+
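Review bot: The `curl -sSL` call in the `ret -eq 12` branch has no `--fail`, so an HTTP error response is written to `$latest_fn` with exit status 0, then uploaded with `--acl-public` and recorded in `latest`. Because later runs find the object already present, the bad file would not be replaced. Use `curl -fsSL ...` and, if the release publishes a SHA-256 for the archive, compare against it before the first `s3cmd put`. The expansions `$latest_release`, `$latest_fn` and `$BUCKET_PATH` are unquoted throughout; quoting them (`"$BUCKET_PATH/$latest_fn"`) avoids word splitting on an unexpected value.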

+ 12 - 0
ydb/ci/ydb-ci-cloud/terraform/ydb-ci-cloud/s3-ydb-gh-mirror.tf

@@ -0,0 +1,12 @@
+resource "yandex_storage_bucket" "ydb-gh-runner-mirror" {
+  bucket = "ydb-gh-runner-mirror"
+
+  access_key = yandex_iam_service_account_static_access_key.s3-ydb-gh-logs.access_key
+  secret_key = yandex_iam_service_account_static_access_key.s3-ydb-gh-logs.secret_key
+
+  grant {
+    permissions = ["READ", "WRITE"]
+    type        = "CanonicalUser"
+    id          = yandex_iam_service_account.s3-ydb-gh.id
+  }
+}
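Review bot: The bucket that will serve runner archives has no `versioning` block, and the `WRITE` grant goes to `yandex_iam_service_account.s3-ydb-gh`, whose other uses are not visible in this hunk. The sync script publishes objects with `--acl-public` and machines presumably install the runner from this mirror, so an overwrite by any holder of that account's key would replace an executable with no previous version to fall back on. Consider adding `versioning { enabled = true }` and a dedicated service account that can write only to this bucket. The resource is also created with the `s3-ydb-gh-logs` static key; a comment explaining why the logs key manages the mirror would help.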