dms-2024-i5-r1 #413
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test | |
on: [pull_request] | |
jobs: | |
test: | |
strategy: | |
matrix: | |
ruby-version: | |
- '3.1.6' | |
# - '3.2' # Not yet tested on CentOS 7. Ideally move to rails 7.0 first | |
name: Ruby ${{ matrix.ruby-version }} | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres | |
env: | |
POSTGRES_USER: rails | |
POSTGRES_PASSWORD: rails_password | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
- 5432:5432 | |
env: | |
DB_HOST: localhost | |
DB_PORT: 5432 | |
DB_USERNAME: rails | |
DB_PASSWORD: rails_password | |
# Prep the whole stack in test-only mode: | |
RAILS_ENV: test | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Remove mini_racer CentOS 7 shim from Gemfile.lock | |
run: sed -i.bak -e '/mini_racer ([0-9.]*-x86_64-linux)/,+1d' Gemfile.lock | |
- name: Remove tests confirming mini_racer CentOS 7 shim in Gemfile.lock | |
run: rm -f test/lib/gemfile_test.rb | |
- name: Set up Ruby + Bundle | |
uses: ruby/setup-ruby@v1 | |
with: | |
bundler-cache: true | |
ruby-version: ${{ matrix.ruby-version }} | |
- name: Inject configuration | |
run: cp config/database.yml{.ci,} | |
- name: Prepare the database | |
run: bin/rails db:setup | |
- name: Precompile assets | |
# Since ruby/setup-ruby@v1 moved to Node.js v18 we need the extra options | |
# until we move to newer webpacker / stop using it. | |
# I've tried using a newer hash function in config/webpack/environment.js | |
# by adding the following line, but this didn't help with github actions | |
# # environment.config.set('output.hashFunction', 'sha256') | |
# https://stackoverflow.com/questions/69692842/error-message-error0308010cdigital-envelope-routinesunsupported/73465262#73465262 | |
run: NODE_OPTIONS=--openssl-legacy-provider bin/rails assets:precompile | |
- name: Run tests | |
run: bin/rails test | |
brakeman: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Remove mini_racer CentOS 7 shim from Gemfile.lock | |
run: sed -i.bak -e '/mini_racer ([0-9.]*-x86_64-linux)/,+1d' Gemfile.lock | |
- name: Set up Ruby + Bundle | |
uses: ruby/setup-ruby@v1 | |
with: | |
bundler-cache: true | |
- name: Run Brakeman analysis | |
run: bundle exec brakeman | |
bundle-audit: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Remove mini_racer CentOS 7 shim from Gemfile.lock | |
run: sed -i.bak -e '/mini_racer ([0-9.]*-x86_64-linux)/,+1d' Gemfile.lock | |
- name: Set up Ruby + Bundle | |
uses: ruby/setup-ruby@v1 | |
with: | |
bundler-cache: true | |
- name: Audit the bundle | |
# Ignore bootstrap version 3 warning: https://nhsd-jira.digital.nhs.uk/browse/NDRS2-1676 | |
run: bundle exec bundle-audit check --update --ignore CVE-2024-6484 | |
# run: bundle exec bundle-audit check --update | |
# A utility job upon which Branch Protection can depend, | |
# thus remaining agnostic of the matrix. | |
test_matrix: | |
if: ${{ always() }} | |
runs-on: ubuntu-latest | |
name: Matrix | |
needs: test | |
steps: | |
- name: Check build matrix status | |
if: ${{ needs.test.result != 'success' }} | |
run: exit 1 | |
notify: | |
# Run only on master, but regardless of whether tests past: | |
if: ${{ always() && github.ref == 'refs/heads/master' }} | |
needs: | |
- test_matrix | |
- brakeman | |
- bundle-audit | |
runs-on: ubuntu-latest | |
steps: | |
- uses: 8398a7/action-slack@v3 | |
with: | |
status: custom | |
fields: workflow,commit,author | |
custom_payload: | | |
{ | |
channel: 'CSEPN7EES', | |
username: 'CI', | |
icon_emoji: ':hammer_and_wrench:', | |
attachments: [{ | |
color: '${{ needs.test.result }}' === 'success' ? 'good' : '${{ needs.test.result }}' === 'failure' ? 'danger' : 'warning', | |
text: `${process.env.AS_WORKFLOW} against \`${{ github.ref }}\` (${process.env.AS_COMMIT}) for ${{ github.actor }} resulted in *${{ needs.test.result }}*.` | |
},{ | |
color: '${{ needs.brakeman.result }}' === 'success' ? 'good' : '${{ needs.brakeman.result }}' === 'failure' ? 'danger' : 'warning', | |
text: `Brakeman checks returned *${{ needs.brakeman.result }}*.` | |
},{ | |
color: '${{ needs.bundle-audit.result }}' === 'success' ? 'good' : '${{ needs.bundle-audit.result }}' === 'failure' ? 'danger' : 'warning', | |
text: `Bundle Audit checks returned *${{ needs.bundle-audit.result }}*.` | |
}] | |
} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |