diff --git a/.github/workflows/check-pr-fork.yml b/.github/workflows/check-pr-fork.yml
new file mode 100644
index 000000000..70a91d971
--- /dev/null
+++ b/.github/workflows/check-pr-fork.yml
@@ -0,0 +1,57 @@
+name: Check PR (forks)
+
+on:
+ pull_request_target:
+ types: [opened, synchronize, reopened, labeled]
+
+permissions:
+ contents: read
+
+jobs:
+ check-label:
+ name: Check label
+ runs-on: ubuntu-latest
+ # If this is not a fork do not start this step
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.fork }}
+ permissions:
+ pull-requests: write
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ persist-credentials: false
+ - name: Check whether tests are enabled for this PR
+ run: |
+ echo "IS_FORK=${{ github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.head.repo.fork }}" >> $GITHUB_ENV
+ echo "HAS_LABEL=${{ contains(github.event.pull_request.labels.*.name, 'run tests') }}" >> $GITHUB_ENV
+ - name: Remove 'run tests' label
+ # If the PR is created by dependabot or is a fork and has the 'run tests' label, remove it
+ if: ${{ env.IS_FORK == 'true' && env.HAS_LABEL == 'true' }}
+ run: |
+ gh pr edit ${{ github.event.pull_request.number }} --remove-label "run tests"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Fail workflow
+ if: ${{ env.IS_FORK == 'true' && env.HAS_LABEL == 'false' }}
+ run: |
+ echo "Not all tests have run for this PR. Please add the `run tests` label to trigger them."
+ exit 1
+ - name: Update PR comment
+ uses: mshick/add-pr-comment@v2
+ if: always()
+ with:
+ message: |
+ ✅ Tests will run for this PR. Once they succeed it can be merged.
+ message-failure: |
+ ❌ Not all tests have run for this PR. Please add the `run tests` label to trigger them.
+
+
+ tests:
+ name: Tests
+ needs: [check-label]
+ uses: ./.github/workflows/tests.yml
+ secrets:
+ SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+ GHOST_CONTENT_KEY: ${{ secrets.GHOST_CONTENT_KEY }}
+ MONDOO_SECRET: ${{ secrets.MONDOO_SECRET }}
+ STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }}
+ STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
\ No newline at end of file
diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml
index b7611035c..00069fc61 100644
--- a/.github/workflows/check-pr.yml
+++ b/.github/workflows/check-pr.yml
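Review bot: The `tests` job this workflow gates on does not exercise the fork's changes: `check-pr-fork.yml` runs on `pull_request_target`, and the `actions/checkout@v3` steps in the called `tests.yml` (the last hunk of this diff) set no `ref`, so under that event they check out the base branch — the image builds, Mondoo scans and Playwright run against master while the ✅ comment tells the author the PR was tested. Checking out `github.event.pull_request.head.sha` would test the PR, but it would also run fork-controlled build scripts and tests with the five secrets passed in, so that trade-off needs an explicit decision and a comment on the `tests` job recording it; at minimum the `Update PR comment` text should not claim more than is actually run. Separately, in the `Fail workflow` step the backticks inside the double-quoted `echo` are a command substitution in bash, so `run tests` is executed as a command (failing on stderr) and the label name vanishes from the printed message; change the line to `echo "Not all tests have run for this PR. Please add the 'run tests' label to trigger them."`.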
@@ -6,87 +6,13 @@ on:
 branches: [master]
 jobs:
- build-frontend:
- name: Build and scan frontend container image
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v3
-
- - name: Build
- uses: docker/build-push-action@v3
- env:
- NODE_ENV: production
- SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
- GHOST_API_URL: https://blog.podkrepi.bg
- GHOST_CONTENT_KEY: ${{ secrets.GHOST_CONTENT_KEY }}
- with:
- push: false
- target: runner
- build-args: |
- SENTRY_AUTH_TOKEN=${{ env.SENTRY_AUTH_TOKEN }}
- GHOST_API_URL=${{ env.GHOST_API_URL }}
- GHOST_CONTENT_KEY=${{ env.GHOST_CONTENT_KEY }}
- tags: ghcr.io/podkrepi-bg/frontend:pr
-
- - name: Scan with Mondoo
- uses: mondoohq/actions/docker-image@main
- env:
- MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SECRET }}
- with:
- image: ghcr.io/podkrepi-bg/frontend:pr
-
- build-maintenance:
- name: Build and scan maintenance container image
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v3
-
- - name: Build
- uses: docker/build-push-action@v3
- with:
- push: false
- file: Dockerfile.maintenance
- tags: ghcr.io/podkrepi-bg/maintenance:pr
-
- - name: Scan with Mondoo
- uses: mondoohq/actions/docker-image@main
- env:
- MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SECRET }}
- with:
- image: ghcr.io/podkrepi-bg/maintenance:pr
-
- scan-manifests:
- name: Scan k8s manifests
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
-
- - name: Install kustomize
- uses: imranismail/setup-kustomize@v1
-
- - name: Build development manifests
- run: kustomize build manifests/overlays/development > dev-manifests.yaml
-
- - name: Scan development manifests with Mondoo
- uses: mondoohq/actions/k8s-manifest@main
- env:
- MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SECRET }}
- with:
- path: prod-manifests.yaml
-
- run-playwright:
- name: Run Playwright
- uses: ./.github/workflows/playwright.yml
- secrets: inherit
+ tests:
+ name: Tests
+ needs: [check-label]
+ uses: ./.github/workflows/tests.yml
+ secrets:
+ SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+ GHOST_CONTENT_KEY: ${{ secrets.GHOST_CONTENT_KEY }}
+ MONDOO_SECRET: ${{ secrets.MONDOO_SECRET }}
+ STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }}
+ STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
\ No newline at end of file
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 000000000..aa5203a88
--- /dev/null
+++ b/.github/workflows/tests.yml
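Review bot: `needs: [check-label]` on the new `tests` job in `check-pr.yml` refers to a job this workflow does not define: the hunk leaves `jobs:` with `tests` as its only entry and the unchanged lines 1–5 sit above `jobs:`, so GitHub should reject the file as an invalid workflow and nothing will run on `pull_request`. Drop that line, leaving `tests:` / `name: Tests` / `uses: ./.github/workflows/tests.yml`. Once the dependency is gone this workflow also fires for fork PRs on `pull_request`, where the repository secrets it forwards are empty; if the fork path is meant to be handled only by `check-pr-fork.yml`, add a guard such as `if: ${{ !github.event.pull_request.head.repo.fork }}` on the job, mirroring (including the dependabot case) the condition used in the fork workflow. A stretch of this hunk's removed side is missing from the page between the two lines shown here.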
@@ -0,0 +1,101 @@
+name: Tests
+
+on:
+ workflow_call:
+ secrets:
+ SENTRY_AUTH_TOKEN:
+ required: true
+ GHOST_CONTENT_KEY:
+ required: true
+ MONDOO_SECRET:
+ required: true
+ STRIPE_WEBHOOK_SECRET:
+ required: true
+ STRIPE_SECRET_KEY:
+ required: true
+
+jobs:
+ build-frontend:
+ name: Build and scan frontend container image
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Build
+ uses: docker/build-push-action@v3
+ env:
+ NODE_ENV: production
+ SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
+ GHOST_API_URL: https://blog.podkrepi.bg
+ GHOST_CONTENT_KEY: ${{ secrets.GHOST_CONTENT_KEY }}
+ with:
+ push: false
+ target: runner
+ build-args: |
+ SENTRY_AUTH_TOKEN=${{ env.SENTRY_AUTH_TOKEN }}
+ GHOST_API_URL=${{ env.GHOST_API_URL }}
+ GHOST_CONTENT_KEY=${{ env.GHOST_CONTENT_KEY }}
+ tags: ghcr.io/podkrepi-bg/frontend:pr
+
+ - name: Scan with Mondoo
+ uses: mondoohq/actions/docker-image@main
+ env:
+ MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SECRET }}
+ with:
+ image: ghcr.io/podkrepi-bg/frontend:pr
+
+ build-maintenance:
+ name: Build and scan maintenance container image
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Build
+ uses: docker/build-push-action@v3
+ with:
+ push: false
+ file: Dockerfile.maintenance
+ tags: ghcr.io/podkrepi-bg/maintenance:pr
+
+ - name: Scan with Mondoo
+ uses: mondoohq/actions/docker-image@main
+ env:
+ MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SECRET }}
+ with:
+ image: ghcr.io/podkrepi-bg/maintenance:pr
+
+ scan-manifests:
+ name: Scan k8s manifests
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Install kustomize
+ uses: imranismail/setup-kustomize@v1
+
+ - name: Build development manifests
+ run: kustomize build manifests/overlays/development > dev-manifests.yaml
+
+ - name: Scan development manifests with Mondoo
+ uses: mondoohq/actions/k8s-manifest@main
+ env:
+ MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SECRET }}
+ with:
+ path: dev-manifests.yaml
+
+ - name: Build production manifests
+ run: kustomize build manifests/overlays/production > prod-manifests.yaml
+
+ - name: Scan production manifests with Mondoo
+ uses: mondoohq/actions/k8s-manifest@main
+ env:
+ MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SECRET }}
+ with:
+ path: prod-manifests.yaml
+
+ run-playwright:
+ name: Run Playwright
+ uses: ./.github/workflows/playwright.yml
+ secrets: inherit
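Review bot: The four Mondoo scan steps in the new `tests.yml` pin third-party actions to a moving ref — `mondoohq/actions/docker-image@main` in `build-frontend` and `build-maintenance`, `mondoohq/actions/k8s-manifest@main` twice in `scan-manifests` — and each is handed `MONDOO_SECRET`; the lines are carried over unchanged from `check-pr.yml`, but this workflow is now reachable from fork PRs through `check-pr-fork.yml`, so any change to upstream `main` would run with that secret on every labeled fork PR. Pin them to a full commit SHA with the version in a trailing comment, e.g. `uses: mondoohq/actions/docker-image@<commit-sha> # <release-tag>`, and do the same for `imranismail/setup-kustomize@v1`, which is pinned to a mutable major tag. The `workflow_call` block requires `STRIPE_WEBHOOK_SECRET` and `STRIPE_SECRET_KEY`, yet nothing in this file reads them; if they exist only to reach `playwright.yml` through `secrets: inherit`, say so with a comment on the `secrets:` block such as `# STRIPE_* are not used here; forwarded to playwright.yml via secrets: inherit`.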