Add missing permission to the CI #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: push | |
| name: Run CI | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| env: | |
| DISPLAY: :99 | |
| permissions: | |
| contents: "read" | |
| actions: "read" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| # We need to fetch all branches and commits so that Nx affected has a base to compare against. | |
| fetch-depth: 0 | |
| - name: Set up Xvfb | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y xvfb | |
| - name: Start Xvfb | |
| run: Xvfb :99 -screen 0 1024x768x24 > /dev/null 2>&1 & | |
| - name: Install Node.js | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: 18 | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile | |
| # Set convenience variables. Source: https://nx.dev/ci/recipes/set-up/monorepo-ci-github-actions#get-the-commit-of-the-last-successful-build | |
| - name: Derive appropriate SHAs for base and head for `nx affected` commands | |
| uses: nrwl/nx-set-shas@v4 | |
| # This line is needed for nx affected to work when CI is running on a PR | |
| - run: git branch --track main origin/main | |
| if: ${{ github.event_name == 'pull_request' }} | |
| - name: Run lint | |
| run: npx nx affected -t lint | |
| - name: Run tests | |
| run: npx nx affected -t test | |
| # Get all the affected services for the next step. | |
| # Nx calls them "apps" internally. | |
| # IMPORTANT: we exclude dashboard manually here, since Vercel takes care of the deployment for us | |
| # Need to find a better way. | |
| # One possible solution is to introduce a convention for services (web-*, js-*, py-*) | |
| # This will allow us to exclude based on patterns. | |
| - name: Store affected services | |
| id: get-affected-projects | |
| run: | | |
| affected_services=$(npx nx show projects --affected --type app --exclude dashboard) | |
| echo "::set-output name=affected-services::${affected_services}" | |
| deploy: | |
| runs-on: ubuntu-latest | |
| needs: test | |
| if: github.ref == 'refs/heads/main' && ${{ needs.test.outputs.affected-services != '' }} | |
| permissions: | |
| contents: "read" | |
| id-token: "write" | |
| actions: "read" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| # We need to fetch all branches and commits so that Nx affected has a base to compare against. | |
| fetch-depth: 0 | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile | |
| # Set convenience variables. Source: https://nx.dev/ci/recipes/set-up/monorepo-ci-github-actions#get-the-commit-of-the-last-successful-build | |
| - name: Derive appropriate SHAs for base and head for `nx affected` commands | |
| uses: nrwl/nx-set-shas@v4 | |
| # This step is relevant for docker images. Right now we use a managed environment in GCP App Engine. | |
| - name: Authenticate to Google Cloud | |
| uses: "google-github-actions/auth@v0.4.0" | |
| with: | |
| workload_identity_provider: "projects/${{ secrets.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/ci-pool/providers/github-actions" | |
| service_account: "app-engine-deployer@merlinn.iam.gserviceaccount.com" | |
| - name: "Set up Google Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@v2" | |
| with: | |
| version: ">= 363.0.0" | |
| project_id: "${{ secrets.GCP_PROJECT_ID }}" | |
| - uses: oNaiPs/secrets-to-env-action@v1 | |
| with: | |
| secrets: ${{ toJSON(secrets) }} | |
| - name: Deploy services | |
| run: npx nx affected -t deploy --type app --exclude dashboard |