Update ci.yml #14
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Run build pipeline | |
# Run this workflow every time a new commit pushed to your repository | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- '*' | |
pull_request: | |
workflow_dispatch: | |
env: | |
IMAGE_NAME: floris272/open-producten | |
DJANGO_SETTINGS_MODULE: open_producten.conf.ci | |
DOCKER_BUILDKIT: '1' | |
jobs: | |
tests: | |
name: Run the Django test suite | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres:14 | |
env: | |
POSTGRES_HOST_AUTH_METHOD: trust | |
ports: | |
- 5432:5432 | |
# Needed because the postgres container does not provide a healthcheck | |
options: | |
--health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 | |
--name postgres | |
redis: | |
image: redis:6 | |
ports: | |
- 6379:6379 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up backend environment | |
uses: maykinmedia/setup-django-backend@v1 | |
with: | |
python-version: '3.11' | |
optimize-postgres: 'yes' | |
pg-service: 'postgres' | |
setup-node: 'no' | |
# apt-packages: 'gettext postgresql-client' # the default | |
# npm-ci-flags: '--legacy-peer-deps' -> preferably use a .npmrc file | |
# Any additional services -> create docker-compose setups in a (new) `docker` | |
# subdirectory. | |
# - name: Start CI docker services | |
# run: | | |
# docker-compose -f docker-compose.ci.yml up -d | |
# working-directory: docker | |
- name: Run tests | |
run: | | |
python src/manage.py collectstatic --noinput --link | |
coverage run src/manage.py test src | |
env: | |
SECRET_KEY: dummy | |
DB_USER: postgres | |
DB_PASSWORD: '' | |
- name: Publish coverage report | |
uses: codecov/codecov-action@v4.0.1 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
# API projects: implement the necessary scripts for this. You can take a look | |
# at open-forms for inspiration, using drf-spectacular. | |
# - name: Generate OAS | |
# run: ./bin/generate_oas.sh openapi.yaml | |
# - name: Store generated OAS | |
# uses: actions/upload-artifact@v3 | |
# with: | |
# name: open_producten-oas | |
# path: openapi.yaml | |
# retention-days: 1 | |
# docs: | |
# name: Build and check documentation | |
# runs-on: ubuntu-latest | |
# steps: | |
# - uses: actions/checkout@v3 | |
# - uses: actions/setup-python@v4 | |
# with: | |
# python-version: '3.9' | |
# # - name: Install OS dependencies | |
# # run: | | |
# # sudo apt-get update | |
# # sudo apt-get install libxml2-dev libxmlsec1-dev libxmlsec1-openssl | |
# - name: Install dependencies | |
# run: | | |
# pip install -r requirements/ci.txt | |
# - name: Build and test docs | |
# working-directory: docs | |
# run: pytest check_sphinx.py -v --tb=auto | |
docker: | |
needs: tests | |
name: Build Docker image | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Determine tag/commit hash | |
id: vars | |
run: | | |
# Strip git ref prefix from version | |
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') | |
# Strip "v" prefix from tag name (if present at all) | |
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') | |
# Use Docker `latest` tag convention | |
[ "$VERSION" == "master" ] && VERSION=latest | |
echo "tag=${VERSION}" >> $GITHUB_OUTPUT | |
echo "git_hash=${GITHUB_SHA}" >> $GITHUB_OUTPUT | |
- name: Build the Docker image | |
run: | | |
docker build \ | |
--tag $IMAGE_NAME:${{ steps.vars.outputs.tag }} \ | |
--build-arg COMMIT_HASH=${{ steps.vars.outputs.git_hash }} \ | |
--build-arg RELEASE=${{ steps.vars.outputs.tag }} \ | |
. | |
- run: docker image save -o image.tar $IMAGE_NAME:${{ steps.vars.outputs.tag }} | |
- name: Store image artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: docker-image | |
path: image.tar | |
retention-days: 1 | |
# image_scan: | |
# runs-on: ubuntu-latest | |
# name: Scan docker image | |
# needs: | |
# - docker | |
# steps: | |
# - name: Download built image | |
# uses: actions/download-artifact@v3 | |
# with: | |
# name: docker-image | |
# - name: Scan image with Trivy | |
# uses: aquasecurity/trivy-action@master | |
# with: | |
# input: /github/workspace/image.tar # from download-artifact | |
# format: 'sarif' | |
# output: 'trivy-results-docker.sarif' | |
# ignore-unfixed: true | |
# - name: Upload results to GH Security tab | |
# uses: github/codeql-action/upload-sarif@v3 | |
# with: | |
# sarif_file: 'trivy-results-docker.sarif' | |
publish: | |
needs: | |
- tests | |
- docker | |
name: Push Docker image | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' # exclude PRs | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download built image | |
uses: actions/download-artifact@v3 | |
with: | |
name: docker-image | |
- name: Determine tag/commit hash | |
id: vars | |
run: | | |
# Strip git ref prefix from version | |
VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') | |
# Strip "v" prefix from tag name (if present at all) | |
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') | |
# Use Docker `latest` tag convention | |
[ "$VERSION" == "master" ] && VERSION=latest | |
echo "tag=${VERSION}" >> $GITHUB_OUTPUT | |
- name: Load image | |
run: | | |
docker image load -i image.tar | |
- name: Log into registry | |
run: echo "${{ secrets.DOCKER_TOKEN }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin | |
- name: Push the Docker image | |
run: docker push $IMAGE_NAME:${{ steps.vars.outputs.tag }} |