Securing Open-Source CI/CD Pipelines on Secure HPC Systems Using GitHub Actions
Monday, May 22, 2023 3:00 PM to Wednesday, May 24, 2023 5:00 PM · 2 days 2 hr. (Europe/Berlin)
Foyer D-G - 2nd Floor
Project Poster
HPC Workflows, Numerical Libraries
Information
The Trilinos Project is a large, open-source collection of mathematical software libraries that is well established in the scientific programming domain. Configuring, building, and testing the entirety of the Trilinos Project requires extensive computing resources and many hours of execution time, which makes Pull Request testing a long and strenuous process. Autotester, the current CI/CD pipeline, was built to ensure Pull Requests could be tested on secure HPC systems with minimal exposure to security risks. However, it is not efficient enough to keep up with the number of Pull Requests that need testing. Autotester is slow, lacks parallelization, does not provide feedback to external developers, and has many potential points of failure due to its complicated architecture.
This project addresses all these issues using a GitHub Actions-based CI/CD pipeline, while still maintaining the security that Autotester guarantees. GitHub Actions workflows can start multiple runners at once, thus enabling parallelization of pull request testing. HPC runners perform pull request testing within a container on HPC clusters which external developers have access to, thus giving them the ability to develop and test within the same environment. The architecture of a GitHub Actions-based CI/CD pipeline is simple, allowing Trilinos developers to efficiently debug the system in case an area of the pipeline fails. Finally, GitHub Actions will provide results of pull request testing in real time, allowing developers to debug their changes efficiently. We showcase improvement in CI/CD performance and throughput and describe strategies for working securely with open-source software hosting platforms.
Contributors:
Format: On-site
Beginner Level: 50%
Intermediate Level: 50%