-
Notifications
You must be signed in to change notification settings - Fork 11
211 lines (174 loc) · 6.12 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
---
name: CI
env:
IMAGE_NAME: job-server
PUBLIC_IMAGE_NAME: ghcr.io/opensafely-core/job-server
REGISTRY: ghcr.io
SSH_AUTH_SOCK: /tmp/agent.sock
on:
merge_group:
pull_request:
push:
branches: [main]
jobs:
check:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: "opensafely-core/setup-action@v1"
with:
python-version: "3.12"
install-just: true
- name: Check formatting, linting and import sorting
run: just check
test:
runs-on: ubuntu-22.04
services:
postgres:
image: postgres:13
env:
POSTGRES_USER: user
POSTGRES_PASSWORD: password
POSTGRES_DB: jobserver
ports:
- 5432:5432
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
- uses: actions/checkout@v4
- uses: "opensafely-core/setup-action@v1"
with:
python-version: "3.12"
install-just: true
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version-file: ".node-version"
cache: "npm"
cache-dependency-path: package-lock.json
- name: Install node_modules
run: just assets-install --ignore-scripts
- name: Lint assets
run: npm run lint
- name: Run JS tests
run: just assets-test
- name: Build assets
run: just assets-build
- name: Install venv
run: just devenv
- name: Run tests
env:
DATABASE_URL: postgres://user:password@localhost/jobserver
GITHUB_TOKEN: empty
GITHUB_TOKEN_TESTING: ${{ secrets.OPENSAFELY_GITHUB_TESTING_ORG_PAT }}
SECRET_KEY: 12345
SOCIAL_AUTH_GITHUB_KEY: test
SOCIAL_AUTH_GITHUB_SECRET: test
run: |
just check-migrations
# hardcode n because auto=2 in CI for some reason
just test-all --migrations -n 4
- name: Upload HTML coverage report if tests failed
uses: actions/upload-artifact@v4
with:
name: python-coverage-report
path: htmlcov
# don't fail the job because no files were found, we expect this when
# * the tests passed with 100% coverage
# * a test failed and coverage didn't run
if-no-files-found: ignore
if: ${{ failure() }} # only upload when the previous step, run tests, fails
lint-dockerfile:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
with:
dockerfile: docker/Dockerfile
docker-test:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: "opensafely-core/setup-action@v1"
with:
install-just: true
- name: Build docker image for both prod and dev
run: |
just docker-build prod
just docker-build dev
- name: Run unit tests on docker dev image
env:
GITHUB_TOKEN_TESTING: ${{ secrets.OPENSAFELY_GITHUB_TESTING_ORG_PAT }}
GITHUB_WRITEABLE_TOKEN:
run: |
# build docker and run test
just docker-test -n 4 # hardcode n because auto does not dtrt in docker
- name: Run smoke test on prod
run: |
just docker-serve prod -d
sleep 5
just docker-smoke-test || { docker logs job-server_prod_1; exit 1; }
- name: Save docker image
run: |
docker save job-server | zstd --fast -o /tmp/job-server.tar.zst
- name: Upload docker image
uses: actions/upload-artifact@v4
with:
name: job-server-image
path: /tmp/job-server.tar.zst
compression-level: 0
deploy:
needs: [check, test, docker-test, lint-dockerfile]
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
if: github.ref == 'refs/heads/main'
concurrency: deploy-production
steps:
- uses: actions/checkout@v4
- uses: "opensafely-core/setup-action@v1"
with:
install-just: true
- name: Download docker image
uses: actions/download-artifact@v4
with:
name: job-server-image
path: /tmp/image
- name: Import docker image
run: docker image load --input /tmp/image/job-server.tar.zst
- name: Test image we imported from previous job works
run: |
SKIP_BUILD=1 just docker-serve prod -d
sleep 5
just docker-smoke-test || { docker logs job-server_prod_1; exit 1; }
- name: Publish image
run: |
echo ${{ secrets.GITHUB_TOKEN }} | docker login $REGISTRY -u ${{ github.actor }} --password-stdin
docker tag $IMAGE_NAME $PUBLIC_IMAGE_NAME:latest
docker push $PUBLIC_IMAGE_NAME:latest
- name: Deploy image
run: |
ssh-agent -a $SSH_AUTH_SOCK > /dev/null
ssh-add - <<< "${{ secrets.DOKKU4_DEPLOY_SSH_KEY }}"
SHA=$(docker inspect --format='{{index .RepoDigests 0}}' $PUBLIC_IMAGE_NAME:latest)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" [email protected] git:from-image job-server $SHA
- name: Create Honeycomb Marker
env:
GH_TOKEN: ${{ github.token }}
run: |
gh release download v0.2.10 -R honeycombio/honeymarker -p '*-linux-amd64*' -O honeymarker
chmod 755 ./honeymarker
# --dataset __all__ will ad an marker to *all* production datasets (this writekey is for production)
./honeymarker --writekey ${{ secrets.HC_MARKER_APIKEY }} --dataset job-server add --type deploy --msg "job-server deploy $GITHUB_SHA"
- name: Create Sentry release
uses: getsentry/action-release@e769183448303de84c5a06aaaddf9da7be26d6c7 # v1.7.0
env:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_RELEASE_INTEGRATION_TOKEN }}
SENTRY_ORG: ebm-datalab
SENTRY_PROJECT: job-server
with:
environment: production