updates ci:lint #294

Workflow file for this run

	name: Test

	on:
	push:
	branches:
	- develop
	- master
	- staging
	- release/*
	- feature/*
	- bugfix/*
	- hotfix/*
	pull_request:
	branches: [ develop, master ]
	types: [ synchronize, opened, reopened, ready_for_review ]

	concurrency:
	group: "${{ github.workflow }}-${{ github.ref }}"
	cancel-in-progress: true

	defaults:
	run:
	shell: bash

	permissions:
	id-token: write
	attestations: write


	jobs:
	changes:
	if: github.event_name != 'pull_request' \|\| github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name

	runs-on: ubuntu-latest
	timeout-minutes: 1
	defaults:
	run:
	shell: bash
	outputs:
	run_tests: ${{ steps.changes.outputs.run_tests }}
	steps:
	- name: Checkout code
	uses: actions/[email protected]
	- id: changes
	name: Check for file changes
	uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
	with:
	base: ${{ github.ref }}
	token: ${{ github.token }}
	filters: .github/file-filters.yml
	- name: info
	shell: bash
	run: \|
	force_build="${{ contains(github.event.head_commit.message, 'ci:build') }}"
	force_scan="${{ contains(github.event.head_commit.message, 'ci:scan') }}"
	force_test="${{ contains(github.event.head_commit.message, 'ci:test') }}"

	if [[ $force_build == "true" ]]; then
	echo "::notice:: Forced build docker due to commit message"
	elif [[ $force_test == "true" ]]; then
	echo "::notice:: Forced python tests due to commit message"
	elif [[ $force_scan == "true" ]]; then
	echo "::notice:: Forced trivy scan due to commit message"
	fi
	if [[ $force_build == "true" \|\| "${{needs.changes.outputs.run_tests}}" == "true" ]]; then
	echo "BUILD=true" >> $GITHUB_ENV
	fi

	build:
	needs: [ changes ]
	runs-on: ubuntu-latest
	timeout-minutes: 10
	defaults:
	run:
	shell: bash
	outputs:
	image: ${{ steps.build.outputs.image }}
	version: ${{ steps.build.outputs.version }}
	created: ${{ steps.build.outputs.created }}
	steps:
	- name: Checkout code
	uses: actions/[email protected]
	- id: checksum
	uses: ./.github/actions/checksum
	- name: Build and Test
	id: build
	uses: ./.github/actions/docker_build
	with:
	dryrun: ${{ env.ACT \|\| 'false' }}
	rebuild: ${{ contains(github.event.head_commit.message, 'ci:build') }}
	image: ${{ vars.DOCKER_IMAGE }}
	target: 'python_dev_deps'
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}
	code_checksum: ${{ steps.checksum.outputs.checksum }}

	test:
	name: Run Test Suite
	needs: [ changes,build ]
	if: needs.changes.outputs.run_tests == 'true' \|\| contains(github.event.head_commit.message, 'ci:test')
	runs-on: ubuntu-latest
	services:
	redis:
	image: redis
	db:
	image: postgres:14
	env:
	POSTGRES_DATABASE: dedupe
	POSTGRES_PASSWORD: postgres
	POSTGRES_USERNAME: postgres
	ports:
	- 5432:5432
	options: >-
	--health-cmd pg_isready
	--health-interval 10s
	--health-timeout 5s
	--health-retries 5
	env:
	DOCKER_DEFAULT_PLATFORM: linux/amd64
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Run tests
	run: \|
	docker run --rm \
	-e DATABASE_URL=postgres://postgres:postgres@localhost:5432/dedupe \
	-e SECRET_KEY=secret_key \
	-e CACHE_URL=redis://redis:6379/0 \
	-e CELERY_BROKER_URL=redis://redis:6379/0 \
	--network host \
	-v $PWD:/code/app \
	-w /code/app \
	-t ${{needs.build.outputs.image}} \
	pytest tests -v --create-db -v --maxfail=10
	- name: Upload coverage to Codecov
	uses: codecov/codecov-action@v4
	with:
	env_vars: OS,PYTHON
	fail_ci_if_error: true
	files: coverage.xml
	token: ${{ secrets.CODECOV_TOKEN }}
	verbose: false
	name: codecov-${{env.GITHUB_REF_NAME}}

	trivy:
	name: Check Image with Trivy
	runs-on: ubuntu-latest
	needs: [ build ]
	if: needs.build.outputs.created == 'true' \|\| contains(github.event.head_commit.message, 'ci:scan')
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: ${{needs.build.outputs.image}}
	format: 'sarif'
	output: 'trivy-results.sarif'
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: 'trivy-results.sarif'

	release:
	if:
	contains('
	refs/heads/develop
	refs/heads/staging
	refs/heads/master
	', github.ref) \|\| contains(github.event.head_commit.message, 'ci:release')

	name: "Release Docker"
	needs: [ test ]
	runs-on: ubuntu-latest
	timeout-minutes: 10
	defaults:
	run:
	shell: bash
	outputs:
	image: ${{ steps.build.outputs.image }}
	version: ${{ steps.build.outputs.version }}
	created: ${{ steps.build.outputs.created }}
	steps:
	- name: Checkout code
	uses: actions/[email protected]
	- id: checksum
	uses: ./.github/actions/checksum
	- name: Build
	id: build
	uses: ./.github/actions/docker_build
	with:
	dryrun: ${{ env.ACT \|\| 'false' }}
	rebuild: ${{ contains(github.event.head_commit.message, 'ci:build') }}
	image: ${{ vars.DOCKER_IMAGE }}
	target: 'dist'
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}
	code_checksum: ${{ contains(github.event.head_commit.message, 'ci:build') && steps.checksum.outputs.checksum \|\| '' }}
	- name: Generate artifact attestation
	uses: actions/attest-build-provenance@v1
	with:
	subject-name: ${{ steps.build.outputs.image }}
	subject-digest: ${{ steps.build.outputs.digest }}
	push-to-registry: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

updates ci:lint #294

Workflow file

updates ci:lint #294

Jobs

Run details

Workflow file for this run