generated from opensafely-core/repo-template
-
Notifications
You must be signed in to change notification settings - Fork 0
183 lines (148 loc) · 4.57 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
---
name: CI
env:
IMAGE_NAME: metrics
PUBLIC_IMAGE_NAME: ghcr.io/ebmdatalab/metrics
REGISTRY: ghcr.io
SSH_AUTH_SOCK: /tmp/agent.sock
on:
workflow_dispatch:
pull_request:
push:
branches: [main]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: "opensafely-core/setup-action@v1"
with:
python-version: "3.12"
install-just: true
- name: Check formatting, linting and import sorting
run: just check
test:
runs-on: ubuntu-latest
services:
timescaledb:
# mirror what's in timescaledb/Dockerfile
image: timescale/timescaledb:pg14-latest@sha256:c453fa2d290d578a5983b5823e9ffbf16f478735d8c121620436c4a9c6e55df5
env:
POSTGRES_USER: user
POSTGRES_PASSWORD: password
POSTGRES_DB: metrics
TIMESCALEDB_TELEMETRY: off
ports:
- 5432:5432
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
- uses: actions/checkout@v4
- uses: "opensafely-core/setup-action@v1"
with:
python-version: "3.12"
install-just: true
- name: Run tests
env:
GITHUB_EBMDATALAB_TOKEN:
GITHUB_OS_CORE_TOKEN:
SLACK_SIGNING_SECRET:
SLACK_TECH_SUPPORT_CHANNEL_ID:
SLACK_TOKEN:
TIMESCALEDB_URL: postgresql://user:password@localhost/metrics
run: |
just test
lint-dockerfile:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
with:
dockerfile: docker/Dockerfile
docker-test-dev:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: "opensafely-core/setup-action@v1"
with:
python-version: "3.12"
install-just: true
- name: Build docker image for dev
run: |
just docker-build dev
- name: Run the smoke test on the prod image
run: |
docker compose up -d timescaledb
SKIP_BUILD=1 just docker/test
docker-build-prod:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: "opensafely-core/setup-action@v1"
with:
install-just: true
- name: Build docker image for prod
run: |
just docker-build prod
- name: Run the smoke test on the prod image
run: |
SKIP_BUILD=1 just docker-run prod
- name: Save docker image
run: |
docker save metrics | gzip > /tmp/metrics.tar.gz
- name: Upload docker image
uses: actions/upload-artifact@v4
with:
name: metrics-image
path: /tmp/metrics.tar.gz
required-checks:
if: always()
needs:
- check
- test
- docker-test-dev
- docker-build-prod
- lint-dockerfile
runs-on: Ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
jobs: ${{ toJSON(needs) }}
deploy:
needs: [required-checks]
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
if: github.ref == 'refs/heads/main'
concurrency: deploy-production-ci
steps:
- uses: actions/checkout@v4
- uses: "opensafely-core/setup-action@v1"
with:
install-just: true
- name: Download docker image
uses: actions/download-artifact@v4
with:
name: metrics-image
path: /tmp/image
- name: Import docker image
run: gunzip -c /tmp/image/metrics.tar.gz | docker load
- name: Test image we imported from previous job works
run: |
SKIP_BUILD=1 just docker-run prod
- name: Publish image
run: |
echo ${{ secrets.GITHUB_TOKEN }} | docker login "$REGISTRY" -u ${{ github.actor }} --password-stdin
docker tag "$IMAGE_NAME" "$PUBLIC_IMAGE_NAME":latest
docker push "$PUBLIC_IMAGE_NAME":latest
- name: Deploy image
run: |
ssh-agent -a "$SSH_AUTH_SOCK" > /dev/null
ssh-add - <<< "${{ secrets.DOKKU3_DEPLOY_SSH_KEY }}"
SHA=$(docker inspect --format='{{index .RepoDigests 0}}' "$PUBLIC_IMAGE_NAME":latest)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" [email protected] git:from-image metrics "$SHA"