Merge pull request #1086 from PlanoramaEvents/plan-1000-access-contro… #1657
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: "Build Planorame Docker image for Deploy" | |
on: | |
push: | |
branches: | |
- main | |
- staging | |
- development | |
- g24-patch | |
- smofcon40 | |
tags: | |
- 'v*' | |
workflow_dispatch: | |
inputs: | |
logLevel: | |
description: 'Log level' | |
required: true | |
default: 'warning' | |
type: choice | |
options: | |
- info | |
- warning | |
- debug | |
jobs: | |
release: | |
runs-on: ubuntu-20.04 | |
# Temp key for building assets and tests | |
env: | |
DEVISE_SECRET: aa77bb734faa9b935c1f8b68846e37aed9096cc9fb746copypastaf856594409a11b1086535e468edb2e5bbc18482b386b6264ada38703dcdefd94a291ab5a95eb5 | |
REGISTRY: ghcr.io | |
IMAGE_NAME: ${{ github.repository }} | |
steps: | |
- name: Maximize build space | |
uses: easimon/maximize-build-space@master | |
with: | |
swap-size-mb: 4096 | |
temp-reserve-mb: 4096 | |
root-reserve-mb: 16384 | |
remove-dotnet: 'true' | |
remove-android: 'true' | |
remove-haskell: 'true' | |
- name: Build Space | |
run: | | |
echo "Free space:" | |
df -h | |
- uses: actions/checkout@v3 | |
# | |
# This section logs into registry for Github - so we push here as well as AWS for now | |
# | |
- name: Log in to the Container registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/metadata-action@v4 | |
with: | |
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=semver,pattern=latest | |
- name: Extract branch name | |
shell: bash | |
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF##*/})" | |
id: extract_name | |
- name: Define the repository labels | |
run: | | |
echo "CONTAINER_TEST_REPOSITORY=ghcr.io/planoramaevents/planorama:ci-${{ github.sha }}" >> $GITHUB_ENV | |
echo "CONTAINER_DEPLOY_REPOSITORY=ghcr.io/planoramaevents/planorama:${{ steps.extract_name.outputs.branch }}" >> $GITHUB_ENV | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@master | |
- name: Builder instance name | |
run: echo ${{ steps.buildx.outputs.name }} | |
- name: Available platforms | |
run: echo ${{ steps.buildx.outputs.platforms }} | |
- name: Cache Docker layers | |
uses: actions/cache@v3 | |
with: | |
path: /tmp/.buildx-cache | |
key: ${{ runner.os }}-buildx-${{ github.sha }} | |
restore-keys: | | |
${{ runner.os }}-buildx- | |
- name: Build the image | |
id: docker_build | |
uses: docker/build-push-action@v4 | |
with: | |
context: ./ | |
file: ./Dockerfile-prod | |
builder: ${{ steps.buildx.outputs.name }} | |
build-args: | | |
DEVISE_SECRET=${{ env.DEVISE_SECRET }} | |
RAILS_ENV=production | |
NODE_ENV=development | |
push: false | |
load: true | |
# target: development | |
tags: "${{ env.CONTAINER_TEST_REPOSITORY }}" | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: type=local,dest=/tmp/.buildx-cache-new | |
- name: Run specs | |
run: | | |
docker run -d --name="test-database" --hostname "postgres" -e DEVISE_SECRET=${{ env.DEVISE_SECRET }} -e "POSTGRES_PASSWORD=test" postgres:latest | |
docker run --network "container:test-database" -e RAILS_ENV=test -e DEVISE_SECRET=${{ env.DEVISE_SECRET }} -e "POSTGRES_PASSWORD=test" $CONTAINER_TEST_REPOSITORY /bin/sh -c "bundle exec rake db:create db:structure:load; bundle exec rake db:seed; bundle exec rspec" | |
# The docker pull does not work | |
- name: Run security tests | |
if: ${{ startsWith(github.ref, 'refs/heads/main') || startsWith(github.ref, 'refs/heads/security-') }} | |
run: | | |
docker run -e RAILS_ENV=test $CONTAINER_TEST_REPOSITORY bundle update brakeman --quiet | |
docker run -e RAILS_ENV=test $CONTAINER_TEST_REPOSITORY bundle exec brakeman --run-all-checks --no-pager | |
# docker run -e RAILS_ENV=test $CONTAINER_TEST_REPOSITORY bundle exec bundler-audit check --update | |
# docker run -e RAILS_ENV=test $CONTAINER_TEST_REPOSITORY bundle exec ruby-audit check | |
docker run -e RAILS_ENV=production -e NODE_ENV=production $CONTAINER_TEST_REPOSITORY /bin/sh -c "bin/yarn install --frozen-lockfile; yarn check --integrity" | |
- name: Publish the deployable image | |
run: | | |
docker tag $CONTAINER_TEST_REPOSITORY $CONTAINER_DEPLOY_REPOSITORY | |
docker push $CONTAINER_DEPLOY_REPOSITORY | |
# | |
# Push the image to GHRC (does another build) | |
# | |
- name: Push the image | |
id: docker_push | |
uses: docker/build-push-action@v4 | |
with: | |
context: ./ | |
file: ./Dockerfile-prod | |
builder: ${{ steps.buildx.outputs.name }} | |
build-args: | | |
DEVISE_SECRET=${{ env.DEVISE_SECRET }} | |
RAILS_ENV=production | |
NODE_ENV=development | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: type=local,dest=/tmp/.buildx-cache-new | |
# Needed to prevent cache from growing forever (see https://github.com/docker/build-push-action/issues/252) | |
- name: Move cache | |
run: | | |
rm -rf /tmp/.buildx-cache | |
mv /tmp/.buildx-cache-new /tmp/.buildx-cache | |
# I think this is not needed since the "test" image is not pushed | |
# - name: Clean up the CI testing tag | |
# run: | | |
# aws ecr batch-delete-image --repository-name planorama --image-ids imageTag=ci-${{ github.sha }} | |
# TODO: this is python script to do .... ? | |
# - id: deploy | |
# name: Deploy to the target host | |
# if: ${{ startsWith(github.ref, 'refs/heads/staging') }} | |
# run: | | |
# ./deploy/deploy-tag.py "${{ steps.extract_name.outputs.branch }}" --description "@${{ github.actor }} deployed ${{ steps.extract_name.outputs.branch }} to staging from the deploy action" |