-
Notifications
You must be signed in to change notification settings - Fork 66
223 lines (198 loc) · 7.99 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
name: Test, Lint, Build & Push to ECR & Update Manifests
# IMPORTANT: REFACTOR BACK TO SEPARARATE JOBS AFTER K8s is merged to master and uncomment the deploy.yml
on:
pull_request:
branches:
- k8s
push:
branches:
- k8s
workflow_call:
workflow_dispatch:
workflow_run:
workflows: ["Code Checks"]
types: [completed]
permissions:
contents: read
checks: write
jobs:
linting_and_security:
name: Linting and Security
env:
BUNDLE_ENTERPRISE__CONTRIBSYS__COM: ${{ secrets.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
runs-on: ubuntu-16-cores-latest
steps:
- uses: actions/checkout@v4
# Lock back to an @v1-version once https://github.com/ruby/setup-ruby/pull/491 is merged
- uses: ruby/setup-ruby@v1
with:
bundler-cache: true
- name: Run bundle-audit (checks gems for CVE issues)
run: bundle exec bundle-audit check --update --ignore CVE-2024-27456
- name: Run Rubocop
run: bundle exec rubocop --parallel --format github
- name: Run Brakeman
run: bundle exec brakeman --ensure-latest --confidence-level=2 --format github
tests:
name: Test
env:
BUNDLE_ENTERPRISE__CONTRIBSYS__COM: ${{ secrets.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
CI: true
RAILS_ENV: test
TERM: xterm-256color
DOCKER_BUILDKIT: 1
COMPOSE_DOCKER_CLI_BUILD: 1
runs-on: ubuntu-16-cores-latest
steps:
- uses: actions/checkout@v4
- uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Setup Environment
run: |
echo "USER_ID=$(id -u)" >> $GITHUB_ENV
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker Image
uses: docker/build-push-action@v4
with:
build-args: |
BUNDLE_ENTERPRISE__CONTRIBSYS__COM=${{ env.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
USER_ID=${{ env.USER_ID }}
context: .
push: false
load: true
tags: vets-api
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Setup Database
run: |
docker-compose run web bash \
-c "CI=true RAILS_ENV=test DISABLE_BOOTSNAP=true bundle exec parallel_test -n 13 -e 'bin/rails db:reset'"
- name: Run Specs
run: |
docker-compose run web bash \
-c "CI=true RAILS_ENV=test DISABLE_BOOTSNAP=true bundle exec parallel_rspec spec/ modules/ -n 8 -o '--color --tty'"
- name: Upload Coverage Report
uses: actions/upload-artifact@v4
if: always()
with:
name: Coverage Report
path: coverage
- name: Upload Test Results
uses: actions/upload-artifact@v4
if: always()
with:
name: Test Results
path: log/*.xml
if-no-files-found: ignore
publish_results:
name: Publish Results
if: always()
needs: [tests]
runs-on: ubuntu-16-cores-latest
steps:
- uses: actions/download-artifact@v4
- name: Publish Test Results
uses: EnricoMi/publish-unit-test-result-action@v2
if: always()
with:
check_name: Test Results
comment_mode: off
files: Test Results/*.xml
github_token: ${{ secrets.GITHUB_TOKEN }}
check_run_annotations_branch: master, k8s
- name: Fix up coverage report to work with coverage-check-action
run: sed -i 's/"line"/"covered_percent"/g' 'Coverage Report/.last_run.json'
- name: Publish Coverage Report
uses: devmasx/[email protected]
if: hashFiles('Coverage Report/.last_run.json') != ''
with:
type: simplecov
result_path: Coverage Report/.last_run.json
min_coverage: 90
token: ${{ secrets.GITHUB_TOKEN }}
build_and_push:
if: github.ref == 'refs/heads/k8s'
needs: [tests, linting_and_security]
name: Build and Push
env:
BUNDLE_ENTERPRISE__CONTRIBSYS__COM: ${{ secrets.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
- name: Setup Environment
run: echo "VETS_API_USER_ID=$(id -u)" >> $GITHUB_ENV
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-gov-west-1
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Build Docker Image
uses: docker/build-push-action@v5
with:
build-args: |
BUNDLE_ENTERPRISE__CONTRIBSYS__COM=${{ env.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
USER_ID=${{ env.VETS_API_USER_ID }}
RAILS_ENV=production
context: .
push: true
tags: |
${{ steps.login-ecr.outputs.registry }}/${{ secrets.ECR_REPOSITORY }}:${{ github.sha }}
cache-from: type=registry,ref=$ECR_REGISTRY/$ECR_REPOSITORY
cache-to: type=inline
deploy: # REMOVE THIS AFTER K8s is merged to master and uncomment the deploy.yml
if: github.ref == 'refs/heads/k8s'
needs: [tests, linting_and_security, build_and_push]
uses: department-of-veterans-affairs/vets-api/.github/workflows/deploy-template.yml@k8s #change to master after testing is successful
with:
ecr_repository: "vets-api"
manifests_directory: "vets-api"
auto_deploy_envs: "dev staging prod sandbox"
secrets:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
notify_on_failure:
runs-on: ubuntu-latest
if: failure() && github.ref == 'refs/heads/k8s'
needs: [tests, linting_and_security, build_and_push, deploy]
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: "us-gov-west-1"
- uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
with:
ssm_parameter: /devops/VA_VSP_BOT_GITHUB_TOKEN
env_variable_name: VA_VSP_BOT_GITHUB_TOKEN
- name: Checkout VSP actions
uses: actions/checkout@v2
with:
repository: department-of-veterans-affairs/vsp-github-actions
ref: refs/heads/main
token: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }}
persist-credentials: false
path: ./.github/actions/vsp-github-actions
- uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
with:
ssm_parameter: /devops/github_actions_slack_socket_token
env_variable_name: SLACK_APP_TOKEN
- uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest
with:
ssm_parameter: /devops/github_actions_slack_bot_user_token
env_variable_name: SLACK_BOT_TOKEN
- name: slack notify
uses: ./.github/actions/vsp-github-actions/slack-socket
with:
slack_app_token: ${{ env.SLACK_APP_TOKEN }}
slack_bot_token: ${{ env.SLACK_BOT_TOKEN }}
message: "A packer build of ${{ matrix.build_location }} just failed."
blocks: "[{\"type\": \"divider\"}, {\"type\": \"section\", \"text\": { \"type\": \"mrkdwn\", \"text\": \":blob-disappointed: GitHub Action Runner Workflow ${{ matrix.build_location }} failed! :blob-disappointed:\n <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Workflow: ${{ github.workflow }} Run #${{ github.run_number }}>\"}}, {\"type\": \"divider\"}]"
channel_id: "C039HRTHXDH"