
feat: new rafiki release pipeline and nodejs bump to v20 #2


Workflow file for this run

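name: Node Build

# CI/CD for the Rafiki monorepo.
#
# On every pull request and on pushes to main / release branches: lint, typecheck,
# test and build each package, verify generated GraphQL is committed, run CodeQL.
# On `release/v*` branches only (see `version-generator.if`): mint the next tag,
# build the Docker images, scan them (Grype + Trivy), push to GHCR and publish a
# GitHub release.
#
# Supply-chain note: third-party actions are pinned to floating major tags
# (`@v4`, `@v19`, ...). Pinning to a full commit SHA resolved from the upstream
# repository is the stronger control; SHAs are deliberately not guessed here.
on:
  workflow_dispatch:
  pull_request:
    branches:
      - '**'
  push:
    branches:
      - main
      - 'release/v*'

jobs:
  # Gate for every other job: all of them `needs: prerequisite`.
  prerequisite:
    runs-on: ubuntu-latest
    timeout-minutes: 1
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/workflows/rafiki/env-setup
      - run: pnpm checks

  backend:
    runs-on: ubuntu-latest
    needs: prerequisite
    timeout-minutes: 25
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/workflows/rafiki/env-setup
      - run: pnpm --filter backend build:deps
      # Larger heap for the backend test suite.
      - run: NODE_OPTIONS=--max-old-space-size=4096 pnpm --filter backend test:ci
      # Spectral ruleset enabling the OpenAPI + AsyncAPI rules for the lint step.
      # NOTE(review): `>>` appends; if a `.spectral.json` is ever committed to the
      # repo this produces invalid JSON — confirm the file is runner-generated only.
      - name: AsyncAPI extension
        run: |
          echo "{\"extends\":[\"spectral:oas\",\"spectral:asyncapi\"]}" >> .spectral.json
      - name: Validate Open API specs
        run: |
          npx @stoplight/spectral-cli lint ./packages/backend/openapi/*.yaml

  frontend:
    runs-on: ubuntu-latest
    needs: prerequisite
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/workflows/rafiki/env-setup
      - run: pnpm --filter frontend typecheck
      - run: pnpm --filter frontend build

  auth:
    runs-on: ubuntu-latest
    needs: prerequisite
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/workflows/rafiki/env-setup
      - run: pnpm --filter auth build:deps
      - run: pnpm --filter auth test
      # Same Spectral ruleset as `backend` (see the note there about `>>`).
      - name: AsyncAPI extension
        run: |
          echo "{\"extends\":[\"spectral:oas\",\"spectral:asyncapi\"]}" >> .spectral.json
      - name: Validate Open API specs
        run: |
          npx @stoplight/spectral-cli lint ./packages/auth/openapi/*.yaml

  token-introspection:
    runs-on: ubuntu-latest
    needs: prerequisite
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/workflows/rafiki/env-setup
      - run: pnpm --filter token-introspection test
      # Same Spectral ruleset as `backend` (see the note there about `>>`).
      - name: AsyncAPI extension
        run: |
          echo "{\"extends\":[\"spectral:oas\",\"spectral:asyncapi\"]}" >> .spectral.json
      - name: Validate Open API specs
        run: |
          npx @stoplight/spectral-cli lint ./packages/token-introspection/openapi/*.yaml

  mock-account-servicing-entity:
    runs-on: ubuntu-latest
    needs: prerequisite
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/workflows/rafiki/env-setup
      - run: pnpm --filter mock-account-servicing-entity typecheck
      - run: pnpm --filter mock-account-servicing-entity build

  # Regenerates GraphQL artefacts and fails if the committed ones are stale.
  graphql:
    runs-on: ubuntu-latest
    needs: prerequisite
    # Every other package job is bounded; this one was not (default is 6 hours).
    timeout-minutes: 5
    strategy:
      matrix:
        package: [auth, backend]
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/workflows/rafiki/env-setup
      - name: generate ${{ matrix.package }} graphql
        run: pnpm --filter ${{ matrix.package }} generate
      - name: verify changed files
        uses: tj-actions/verify-changed-files@v19
        id: verify-changed-files
        with:
          files: |
            **/generated/graphql.*
      - name: fail if GraphQL was generated
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        run: exit 1

  codeql-analyze:
    runs-on: ubuntu-latest
    needs: prerequisite
    timeout-minutes: 5
    # Least privilege: only the SARIF upload needs write access.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: ['javascript']
        # One analysis per CodeQL config (source vs tests).
        config:
          - './.github/codeql/source.yml'
          - './.github/codeql/tests.yml'
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/workflows/rafiki/env-setup
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          config-file: ${{ matrix.config }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  # Whole-repo build; required by `push` so nothing is published from a red tree.
  node-build:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    needs: [auth, backend, frontend, token-introspection, mock-account-servicing-entity, graphql, codeql-analyze]
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/workflows/rafiki/env-setup
      - run: pnpm build

  # Computes the next `vMAJOR.MINOR.PATCH[-PRE]` tag for a release branch and
  # pushes it. Every release job downstream `needs` this one, so on non-release
  # refs the whole release half of the workflow is skipped.
  version-generator:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    if: startsWith(github.ref_name, 'release/v')
    # Pushing the tag is the only write this job performs.
    permissions:
      contents: write
    outputs:
      version: ${{ steps.version-generator.outputs.NEW_VERSION }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history and tags are needed for `git tag -l` to see prior releases.
          fetch-depth: 0
          fetch-tags: true
      - name: Configure git
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
      - id: version-generator
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Hand the ref to the script through the environment rather than
          # interpolating `${{ github.ref_name }}` into `run:`; expression text
          # spliced into a shell script is a script-injection vector, an env var is not.
          REF_NAME: ${{ github.ref_name }}
        run: |
          # Branch shapes this parser handles: release/vX.Y and release/vX.Y.Z[-pre].
          # NOTE(review): for release/vX.Y-pre (no patch) the awk split lands the
          # pre-release label in $patch — confirm which branch forms are in use.
          VERSION_PREFIX=$(echo "$REF_NAME" | sed 's|release/||')
          read major minor patch pre_release <<< $(echo "$VERSION_PREFIX" | awk -F'[.v-]' '{print $2, $3, $4, $5}')
          version_search="v$major.$minor.*"
          if [ -n "$pre_release" ]; then
            version_search="$version_search-$pre_release"
          fi
          echo "VERSION_SEARCH: $version_search"
          # Quote the pattern: left bare, the shell globs it against the working
          # tree before git sees it, so a matching file name would replace the pattern.
          VERSION_PREFIX=$(git tag -l "$version_search" --sort=-taggerdate | head -n 1)
          if [ -n "$VERSION_PREFIX" ]; then
            read major minor patch pre_release <<< $(echo "$VERSION_PREFIX" | awk -F'[.v-]' '{print $2, $3, $4, $5}')
            patch=$((patch + 1))
          fi
          # First release on a release/vX.Y branch has no prior tag and no patch
          # component in the branch name; start at .0 instead of emitting "vX.Y.".
          NEW_VERSION="v${major}.${minor}.${patch:-0}"
          if [ -n "$pre_release" ]; then
            NEW_VERSION="$NEW_VERSION-${pre_release}"
          fi
          echo "NEW_VERSION=$NEW_VERSION" >> "$GITHUB_OUTPUT"
          echo "New version will be: $NEW_VERSION"
          # NOTE(review): the tag is pushed here, before node-build and the image
          # scans have finished, so a failed release run leaves the tag in place —
          # confirm that is intended.
          git tag -a "$NEW_VERSION" -m "$NEW_VERSION"
          git push origin "$NEW_VERSION"

  # Builds each image to a local tarball (no push yet) so it can be scanned first.
  docker-build:
    runs-on: ubuntu-latest
    needs: version-generator
    timeout-minutes: 5
    strategy:
      matrix:
        package: [auth, backend, frontend]
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      # No checkout step: build-push-action presumably falls back to the Git
      # context for the triggering commit, which is where `file:` is resolved.
      - name: Build
        uses: docker/build-push-action@v5
        with:
          push: false
          # NOTE(review): the `type=docker` exporter below yields a single-platform
          # archive; check the build log for how the two-platform list is handled.
          platforms: linux/amd64,linux/arm64
          file: packages/${{ matrix.package }}/Dockerfile
          tags: ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}:${{ needs.version-generator.outputs.version }}
          outputs: type=docker,dest=/tmp/${{ matrix.package }}.tar
      - name: Save docker image to cache
        uses: actions/cache@v4
        with:
          path: /tmp/${{ matrix.package }}.tar
          # The key must be unique per matrix leg. With `${{ github.sha }}` alone
          # the three legs contend for one cache entry and the scan/push jobs
          # restore whichever tarball won, under the wrong path.
          key: ${{ github.sha }}-${{ matrix.package }}

  docker-grype:
    name: Docker Grype Scan
    needs: docker-build
    runs-on: ubuntu-latest
    timeout-minutes: 5
    strategy:
      matrix:
        package: [auth, backend, frontend]
    steps:
      - name: Fetch docker image from cache
        uses: actions/cache/restore@v4
        with:
          path: /tmp/${{ matrix.package }}.tar
          key: ${{ github.sha }}-${{ matrix.package }}
          # Fail here rather than scanning a tarball that does not exist.
          fail-on-cache-miss: true
      - name: Scan docker image
        uses: anchore/scan-action@v3
        with:
          image: /tmp/${{ matrix.package }}.tar
          # Block the release on HIGH+ findings that have an available fix.
          fail-build: true
          only-fixed: true
          severity-cutoff: high
          output-format: table

  docker-trivy:
    name: Docker Trivy Scan
    needs: [docker-build]
    runs-on: ubuntu-latest
    timeout-minutes: 5
    strategy:
      matrix:
        package: [auth, backend, frontend]
    steps:
      - name: Fetch docker image from cache
        uses: actions/cache/restore@v4
        with:
          path: /tmp/${{ matrix.package }}.tar
          key: ${{ github.sha }}-${{ matrix.package }}
          fail-on-cache-miss: true
      # NOTE(review): this executes an unpinned script fetched from the `main`
      # branch. The installer accepts a release tag as its final argument; pin
      # one (or use the upstream trivy-action) so the scanner is not a moving target.
      - name: Download Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /tmp
      # Same policy as Grype: HIGH+ with a fix available fails the build.
      - name: Scan docker image
        run: |
          /tmp/trivy image --ignore-unfixed --format table --vuln-type os,library --exit-code 1 --severity HIGH --input /tmp/${{ matrix.package }}.tar

  # Publishes the scanned tarballs to GHCR once both scanners and the full
  # Node build are green.
  push:
    name: Push to registry
    needs: [docker-grype, docker-trivy, version-generator, node-build]
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: package publishing only.
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        package: [auth, backend, frontend]
    steps:
      - name: Fetch docker image from cache
        uses: actions/cache/restore@v4
        with:
          path: /tmp/${{ matrix.package }}.tar
          key: ${{ github.sha }}-${{ matrix.package }}
          fail-on-cache-miss: true
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Load image into Docker
        run: |
          docker load --input /tmp/${{ matrix.package }}.tar
      - name: List docker images
        run: docker images
      - name: Push to registry
        run: |
          docker push ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}:${{ needs.version-generator.outputs.version }}

  generate-release:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    needs: [push, version-generator]
    # Creating the release writes to the repository.
    permissions:
      contents: write
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
      - name: Generate CHANGELOG data
        id: changelog
        uses: requarks/changelog-action@v1
        with:
          token: ${{ github.token }}
          tag: ${{ needs.version-generator.outputs.version }}
      - name: Create Release
        uses: ncipollo/release-action@v1.14.0
        with:
          allowUpdates: true
          draft: false
          makeLatest: true
          # Must be an expression: without `${{ }}` the literal text
          # "endsWith(...)" was passed as the input and never evaluated.
          # `version-generator` forwards any `-<label>` suffix from the branch,
          # so any hyphenated version is a pre-release, not only `-alpha`.
          prerelease: ${{ contains(needs.version-generator.outputs.version, '-') }}
          name: ${{ needs.version-generator.outputs.version }}
          body: ${{ steps.changelog.outputs.changes }}
          tag: ${{ needs.version-generator.outputs.version }}
          token: ${{ github.token }}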