Add 'docker-compose' file #3512
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Docs: https://docs.github.com/en/actions | |
name: CI/CD | |
on: | |
push: | |
branches: ["master"] | |
pull_request: | |
branches: ["master"] | |
jobs: | |
lint: | |
name: Linters | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
pypi.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: System Python Information | |
uses: twisted/python-info-action@v1 | |
- name: Set up Tox environment | |
run: | | |
pip install tox | |
tox run -e lint --notest | |
- name: Tox Python Information | |
uses: twisted/python-info-action@v1 | |
with: | |
python-path: .tox/lint/*/python | |
- name: Run Linters | |
run: tox run -e lint | |
mypy: | |
name: Mypy (static type checker) | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
pypi.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: System Python Information | |
uses: twisted/python-info-action@v1 | |
- name: Set up Tox environment | |
run: | | |
pip install tox | |
tox run -e mypy --notest | |
- name: Tox Python Information | |
uses: twisted/python-info-action@v1 | |
with: | |
python-path: .tox/mypy/*/python | |
- name: Run Mypy | |
run: tox run -e mypy | |
docs: | |
name: Build documentation | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
pypi.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: System Python Information | |
uses: twisted/python-info-action@v1 | |
- name: Set up Tox environment | |
run: | | |
pip install tox | |
tox run -e docs --notest | |
- name: Tox Python Information | |
uses: twisted/python-info-action@v1 | |
with: | |
python-path: .tox/docs/*/python | |
- name: Build documentation | |
run: tox run -e docs | |
packaging: | |
name: Packaging | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
pypi.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: System Python Information | |
uses: twisted/python-info-action@v1 | |
- name: Set up Tox environment | |
run: | | |
pip install tox | |
tox run -e packaging --notest | |
- name: Tox Python Information | |
uses: twisted/python-info-action@v1 | |
with: | |
python-path: .tox/packaging/*/python | |
- name: Check packaging | |
run: tox run -e packaging | |
unit: | |
name: "Py:${{ matrix.python-version }} - ${{ matrix.os }}" | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 30 | |
continue-on-error: ${{ matrix.optional }} | |
strategy: | |
matrix: | |
os: ["ubuntu-latest"] | |
python-version: ["3.12"] # Versions to test with coverage | |
tox-prefix: ["coverage"] | |
optional: [false] | |
include: | |
# Test Python beta but allow it to fail | |
- os: "ubuntu-latest" | |
python-version: "3.13.0-alpha.3" | |
optional: true | |
tox-prefix: "test" | |
services: | |
mysql: | |
image: mariadb:10.5.17 | |
env: | |
MYSQL_ROOT_HOST: "%" | |
MYSQL_ROOT_PASSWORD: ims | |
MYSQL_USER: ims | |
MYSQL_PASSWORD: ims | |
ports: | |
- 3306 | |
options: >- | |
--health-cmd="mysqladmin ping" | |
--health-interval=10s | |
--health-timeout=5s | |
--health-retries=5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.codecov.io:443 | |
api.github.com:443 | |
cli.codecov.io:443 | |
codecov.io:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
pypi.org:443 | |
storage.googleapis.com:443 | |
uploader.codecov.io:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 2 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: System Python Information | |
uses: twisted/python-info-action@v1 | |
- name: Translate Python version to Tox environment | |
shell: python | |
run: | | |
from os import environ | |
from pathlib import Path | |
py = "${{ matrix.python-version }}" | |
py = "".join(py.split(".")[:2]) # Combine major/minor, toss rest | |
py = py.replace("pypy-", "py") # For Pypy: have a litte less py | |
env = f"${{ matrix.tox-prefix }}-py{py}" | |
print(f"TOX_ENV={env}") | |
p = Path(environ["GITHUB_ENV"]) | |
f = p.open(mode="a") | |
f.write(f"TOX_ENV={env}\n") | |
- name: Set up Tox environment | |
run: | | |
pip install tox | |
tox run -e ${TOX_ENV} --notest | |
- name: Tox Python Information | |
uses: twisted/python-info-action@v1 | |
with: | |
python-path: .tox/${TOX_ENV}/*/python | |
- name: Run unit tests | |
run: tox run -e ${TOX_ENV} | |
env: | |
IMS_TEST_MYSQL_HOST: localhost | |
IMS_TEST_MYSQL_PORT: ${{ job.services.mysql.ports['3306'] }} | |
IMS_TEST_MYSQL_ROOT_PASSWORD: ims | |
IMS_TEST_MYSQL_USERNAME: ims | |
IMS_TEST_MYSQL_PASSWORD: ims | |
- name: Upload Trial log artifact | |
if: ${{ failure() }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: trial | |
path: .tox/${TOX_ENV}/log/trial.log | |
# Use the latest supported Python version for combining coverage to | |
# prevent parsing errors in older versions when looking at modern code. | |
- uses: "actions/setup-python@v5" | |
if: ${{ matrix.tox-prefix == 'coverage' }} | |
with: | |
python-version: "3.12" | |
- name: "Upload coverage to Codecov" | |
uses: "codecov/codecov-action@v4" | |
if: ${{ matrix.tox-prefix == 'coverage' }} | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
files: .tox/coverage.xml | |
env_vars: GITHUB_REF,GITHUB_COMMIT,GITHUB_USER,GITHUB_WORKFLOW | |
fail_ci_if_error: true | |
env: | |
GITHUB_REF: ${{ github.ref }} | |
GITHUB_COMMIT: ${{ github.sha }} | |
GITHUB_USER: ${{ github.actor }} | |
GITHUB_WORKFLOW: ${{ github.workflow }} | |
docker-build: | |
name: Build Docker image | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
auth.docker.io:443 | |
dl-cdn.alpinelinux.org:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
production.cloudflare.docker.com:443 | |
pypi.org:443 | |
registry-1.docker.io:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Build Docker image | |
run: ./bin/build | |
- name: Save Docker image | |
run: docker image save ranger-ims-server:dev | gzip -9 > docker_image.tgz | |
- name: Upload Docker image artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: docker | |
path: docker_image.tgz | |
docker-test: | |
name: Test Docker image | |
needs: [docker-build] | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
auth.docker.io:443 | |
github.com:443 | |
production.cloudflare.docker.com:443 | |
registry-1.docker.io:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Download Docker image artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: docker | |
- name: Load Docker image | |
run: gzip --uncompress --stdout docker_image.tgz | docker image load | |
- name: Test Docker image | |
run: ./bin/test_docker | |
# Can't figure out how to keep a failed docker-trivy job from marking a build | |
# as failed in the UI and it's driving me nuts so never mind this. | |
# docker-trivy: | |
# name: Trivy (security scan) | |
# needs: [docker-build] | |
# runs-on: ubuntu-latest | |
# timeout-minutes: 10 | |
# continue-on-error: true | |
# steps: | |
# - uses: step-security/[email protected] | |
# with: | |
# egress-policy: audit | |
# - name: Checkout source code | |
# uses: actions/checkout@v4 | |
# - name: Download Docker image artifacts | |
# uses: actions/download-artifact@v4 | |
# with: | |
# name: docker | |
# - name: Load Docker image | |
# run: gzip --uncompress --stdout docker_image.tgz | docker image load | |
# - name: Run Trivy | |
# run: docker run -v /var/run/docker.sock:/var/run/docker.sock --rm aquasec/trivy image --exit-code 1 --no-progress ranger-ims-server:dev | |
deploy-staging: | |
name: Deploy image built from master branch to the staging environment | |
needs: [docker-test, packaging, unit] | |
if: ${{ github.ref == 'refs/heads/master' }} | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
egress-policy: block | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Download Docker image artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: docker | |
- name: Load Docker image | |
run: gzip --uncompress --stdout docker_image.tgz | docker image load | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: Deploy to staging | |
run: ./bin/deploy staging | |
env: | |
# https://github.com/burningmantech/ranger-ims-server/settings/secrets | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} | |
AWS_ECR_IMAGE_NAME: ${{ secrets.AWS_ECR_IMAGE_NAME }} | |
AWS_ECS_CLUSTER_STAGING: rangers | |
AWS_ECS_SERVICE_STAGING: ${{ secrets.AWS_ECS_SERVICE_STAGING }} | |
NOTIFY_SMTP_HOST: ${{ secrets.NOTIFY_SMTP_HOST }} | |
NOTIFY_SMTP_USER: ${{ secrets.NOTIFY_SMTP_USER }} | |
NOTIFY_SMTP_PASSWORD: ${{ secrets.NOTIFY_SMTP_PASSWORD }} | |
NOTIFY_EMAIL_RECIPIENT: ${{ secrets.NOTIFY_EMAIL_RECIPIENT }} | |
NOTIFY_EMAIL_SENDER: ${{ secrets.NOTIFY_EMAIL_SENDER }} | |
CI: true | |
PROJECT_NAME: Ranger IMS Server | |
REPOSITORY_ID: ${{ github.repository }} | |
BUILD_NUMBER: 0 | |
BUILD_URL: https://github.com/burningmantech/ranger-ims-server/commit/${{ github.sha }}/checks | |
COMMIT_ID: ${{ github.event.head_commit.id }} | |
COMMIT_URL: ${{ github.event.head_commit.url }} | |
COMMIT_AUTHOR_USER: ${{ github.event.head_commit.author.username }} | |
COMMIT_AUTHOR_NAME: ${{ github.event.head_commit.author.name }} | |
COMMIT_AUTHOR_EMAIL: ${{ github.event.head_commit.author.email }} | |
COMMIT_MESSAGE: ${{ github.event.head_commit.message }} |