Skip to content
Back to pull request #35

lint #295

Sign in to view logs

lint

lint #295

Workflow file for this run

.github/workflows/test.yml at 5afc3c6
name: Test
on:
push:
branches:
- develop
- master
- staging
- release/*
- feature/*
- bugfix/*
- hotfix/*
pull_request:
branches: [ develop, master ]
types: [ synchronize, opened, reopened, ready_for_review ]
concurrency:
group: "${{ github.workflow }}-${{ github.ref }}"
cancel-in-progress: true
defaults:
run:
shell: bash
permissions:
id-token: write
attestations: write
jobs:
changes:
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
runs-on: ubuntu-latest
timeout-minutes: 1
defaults:
run:
shell: bash
outputs:
run_tests: ${{ steps.changes.outputs.run_tests }}
steps:
- name: Checkout code
uses: actions/[email protected]
- id: changes
name: Check for file changes
uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
with:
base: ${{ github.ref }}
token: ${{ github.token }}
filters: .github/file-filters.yml
- name: info
shell: bash
run: |
force_build="${{ contains(github.event.head_commit.message, 'ci:build') }}"
force_scan="${{ contains(github.event.head_commit.message, 'ci:scan') }}"
force_test="${{ contains(github.event.head_commit.message, 'ci:test') }}"
if [[ $force_build == "true" ]]; then
echo "::notice:: Forced build docker due to commit message"
elif [[ $force_test == "true" ]]; then
echo "::notice:: Forced python tests due to commit message"
elif [[ $force_scan == "true" ]]; then
echo "::notice:: Forced trivy scan due to commit message"
fi
if [[ $force_build == "true" || "${{needs.changes.outputs.run_tests}}" == "true" ]]; then
echo "BUILD=true" >> $GITHUB_ENV
fi
build:
needs: [ changes ]
runs-on: ubuntu-latest
timeout-minutes: 10
defaults:
run:
shell: bash
outputs:
image: ${{ steps.build.outputs.image }}
version: ${{ steps.build.outputs.version }}
created: ${{ steps.build.outputs.created }}
steps:
- name: Checkout code
uses: actions/[email protected]
- id: checksum
uses: ./.github/actions/checksum
- name: Build and Test
id: build
uses: ./.github/actions/docker_build
with:
dryrun: ${{ env.ACT || 'false' }}
rebuild: ${{ contains(github.event.head_commit.message, 'ci:build') }}
image: ${{ vars.DOCKER_IMAGE }}
target: 'python_dev_deps'
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
code_checksum: ${{ steps.checksum.outputs.checksum }}
test:
name: Run Test Suite
needs: [ changes,build ]
if: needs.changes.outputs.run_tests == 'true' || contains(github.event.head_commit.message, 'ci:test')
runs-on: ubuntu-latest
services:
redis:
image: redis
db:
image: postgres:14
env:
POSTGRES_DATABASE: dedupe
POSTGRES_PASSWORD: postgres
POSTGRES_USERNAME: postgres
ports:
- 5432:5432
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
env:
DOCKER_DEFAULT_PLATFORM: linux/amd64
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run tests
run: |
docker run --rm \
-e DATABASE_URL=postgres://postgres:postgres@localhost:5432/dedupe \
-e SECRET_KEY=secret_key \
-e CACHE_URL=redis://redis:6379/0 \
-e CELERY_BROKER_URL=redis://redis:6379/0 \
--network host \
-v $PWD:/code/app \
-w /code/app \
-t ${{needs.build.outputs.image}} \
pytest tests -v --create-db -v --maxfail=10
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
with:
env_vars: OS,PYTHON
fail_ci_if_error: true
files: coverage.xml
token: ${{ secrets.CODECOV_TOKEN }}
verbose: false
name: codecov-${{env.GITHUB_REF_NAME}}
trivy:
name: Check Image with Trivy
runs-on: ubuntu-latest
needs: [ build ]
if: needs.build.outputs.created == 'true' || contains(github.event.head_commit.message, 'ci:scan')
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{needs.build.outputs.image}}
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
release:
if:
contains('
refs/heads/develop
refs/heads/staging
refs/heads/master
', github.ref) || contains(github.event.head_commit.message, 'ci:release')
name: "Release Docker"
needs: [ test ]
runs-on: ubuntu-latest
timeout-minutes: 10
defaults:
run:
shell: bash
outputs:
image: ${{ steps.build.outputs.image }}
version: ${{ steps.build.outputs.version }}
created: ${{ steps.build.outputs.created }}
steps:
- name: Checkout code
uses: actions/[email protected]
- id: checksum
uses: ./.github/actions/checksum
- name: Build
id: build
uses: ./.github/actions/docker_build
with:
dryrun: ${{ env.ACT || 'false' }}
rebuild: ${{ contains(github.event.head_commit.message, 'ci:build') }}
image: ${{ vars.DOCKER_IMAGE }}
target: 'dist'
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
code_checksum: ${{ contains(github.event.head_commit.message, 'ci:build') && steps.checksum.outputs.checksum || '' }}
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ steps.build.outputs.image }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true