Back merge master >> STG #5212
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- develop | |
- staging | |
- master | |
- ephemeral-* | |
pull_request: | |
branches: | |
- develop | |
- staging | |
- master | |
- ephemeral-* | |
- long-term/* | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
frontend_tests: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Use Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: '18' | |
- name: Cache dependencies | |
uses: actions/cache@v4 | |
with: | |
path: | | |
src/frontend/node_modules | |
src/frontend/.yarn | |
src/frontend/.yarn/cache | |
key: ${{ runner.os }}-node-${{ hashFiles('frontend/yarn.lock') }} | |
restore-keys: | | |
${{ runner.os }}-node- | |
- run: yarn install --frozen-lockfile | |
working-directory: src/frontend | |
- run: yarn lint | |
working-directory: src/frontend | |
- run: yarn test --watchAll=false | |
working-directory: src/frontend | |
build_and_push_dev: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: DockerHub login | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Determine Branch Name | |
id: branch_name | |
run: | | |
if [ "${{ github.event_name }}" = "push" ]; then | |
echo "BRANCH_NAME=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
fi | |
- name: Push dev | |
run: | | |
docker buildx create --use | |
tags="-t ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev \ | |
-t ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-latest-dev" | |
if [ -n "${{ env.BRANCH_NAME }}" ]; then | |
tags="$tags -t ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ env.BRANCH_NAME }}-latest-dev" | |
fi | |
docker buildx build \ | |
--cache-from ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:cache-core-${{ github.sha }}-dev \ | |
--cache-from ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:cache-core-latest-dev \ | |
--cache-to ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:cache-core-${{ github.sha }}-dev \ | |
--cache-to ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:cache-core-latest-dev \ | |
$tags \ | |
-f ./docker/Dockerfile \ | |
--target dev \ | |
--push \ | |
./ | |
isort: | |
runs-on: ubuntu-latest | |
needs: [build_and_push_dev] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: DockerHub login | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Check | |
run: | | |
docker run --rm -i \ | |
${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev \ | |
isort . --check-only | |
black: | |
runs-on: ubuntu-latest | |
needs: [build_and_push_dev] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: DockerHub login | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Check | |
run: | | |
docker run --rm -i \ | |
${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev \ | |
black . --check | |
flake8: | |
runs-on: ubuntu-latest | |
needs: [build_and_push_dev] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: DockerHub login | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Check | |
run: | | |
docker run --rm -i \ | |
${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev \ | |
flake8 . | |
mypy: | |
runs-on: ubuntu-latest | |
needs: [build_and_push_dev] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: DockerHub login | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Check | |
run: | | |
docker run --rm -i \ | |
${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev \ | |
mypy . | |
build_and_push_dist: | |
needs: [build_and_push_dev] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: DockerHub login | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Determine Branch Name | |
id: branch_name | |
run: | | |
if [ "${{ github.event_name }}" = "push" ]; then | |
echo "BRANCH_NAME=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
fi | |
- name: Push dist | |
run: | | |
docker buildx create --use | |
tags="-t ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dist \ | |
-t ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}" | |
if [ -n "${{ env.BRANCH_NAME }}" ]; then | |
tags="$tags -t ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ env.BRANCH_NAME }}-latest-dist" | |
fi | |
# Base part of the command | |
build_command="docker buildx build \ | |
--progress=plain \ | |
--cache-from ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:cache-core-${{ github.sha }}-dev \ | |
--cache-from ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:cache-core-latest-dev \ | |
--cache-from ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:cache-core-${{ github.sha }}-dist \ | |
--cache-from ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:cache-core-latest-dist \ | |
--cache-to ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:cache-core-${{ github.sha }}-dist \ | |
--cache-to ${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:cache-core-latest-dist \ | |
$tags \ | |
-f ./docker/Dockerfile \ | |
--target dist \ | |
--push ./" | |
if [ "${{ github.ref }}" = "refs/heads/master" ]; then | |
version=$(python3 -c "import sys; version=None; [version:=line.split('=')[1].strip().strip('\"') for line in open('pyproject.toml', 'r') if line.strip().startswith('version =')]; print(version if version else sys.exit(1))") | |
tagged_image=${{ vars.DOCKERHUB_ORGANIZATION }}/hope:core-$version | |
build_command="$build_command -t $tagged_image" | |
fi | |
eval $build_command | |
unit_tests: | |
runs-on: ubuntu-latest | |
needs: [build_and_push_dev] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: DockerHub login | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Unit tests | |
run: | | |
dev_backend_image=${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev docker compose \ | |
-f ./.github/helpers/docker-compose.tst.yml \ | |
--profile unit \ | |
run backend ./dev.sh test | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v4 | |
with: | |
files: ./tests/test-coverage/coverage.xml | |
flags: unittests | |
token: ${{ secrets.CODECOV_TOKEN }} | |
verbose: true | |
e2e_tests: | |
runs-on: ubuntu-latest | |
needs: [build_and_push_dist] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: DockerHub login | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: E2E tests | |
run: | | |
extra_options="" | |
if [ "${{ github.event_name }}" = "pull_request" ]; then | |
extra_options="-m 'not night'" | |
fi | |
dist_backend_image=${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dist dev_backend_image=${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev docker compose \ | |
-f ./.github/helpers/docker-compose.tst.yml \ | |
-f ./.github/helpers/docker-compose.selenium.yml \ | |
run backend bash -c " | |
waitforit -host=db -port=5432 -timeout=30 | |
pytest -svvv -n 2 ./tests/selenium --cov-report xml:test-coverage/coverage.xml --html-report=./tests/selenium/output_data/report/report.html --randomly-seed=42 " | |
- name: Upload Artifact | |
uses: actions/upload-artifact@v4 | |
if: always() | |
continue-on-error: true | |
with: | |
name: report | |
path: ./tests/selenium/output_data/ | |
retention-days: 5 | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v4 | |
if: always() | |
continue-on-error: true | |
with: | |
files: ./test-coverage/coverage.xml | |
flags: e2e | |
token: ${{ secrets.CODECOV_TOKEN }} | |
verbose: true | |
trivy: | |
runs-on: ubuntu-latest | |
needs: [build_and_push_dist] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: DockerHub login | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Run Trivy vulnerability scanner | |
continue-on-error: true # due to getting TOOMANYREQUESTS | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: '${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}' | |
format: 'table' | |
exit-code: '0' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: 'CRITICAL,HIGH' | |
deploy: | |
runs-on: ubuntu-latest | |
needs: [e2e_tests, unit_tests, isort, black, flake8, mypy, frontend_tests] | |
if: | | |
github.event_name == 'push' && | |
( | |
github.ref == 'refs/heads/develop' || | |
github.ref == 'refs/heads/staging' || | |
github.ref == 'refs/heads/master' || | |
github.ref == 'refs/heads/ephemeral-1' || | |
github.ref == 'refs/heads/ephemeral-2' || | |
github.ref == 'refs/heads/ephemeral-3' | |
) | |
steps: | |
- name: Trigger deploy | |
run: | | |
# TODO: make it prettier | |
if [ ${{ github.ref }} == 'refs/heads/develop' ]; then | |
pipelineId=1159 | |
elif [ ${{ github.ref }} == 'refs/heads/staging' ]; then | |
pipelineId=1160 | |
elif [ ${{ github.ref }} == 'refs/heads/master' ]; then | |
pipelineId=1161,1165 | |
elif [ ${{ github.ref }} == 'refs/heads/ephemeral-1' ]; then | |
pipelineId=1164 | |
elif [ ${{ github.ref }} == 'refs/heads/ephemeral-2' ]; then | |
pipelineId=1253 | |
elif [ ${{ github.ref }} == 'refs/heads/ephemeral-3' ]; then | |
pipelineId=1283 | |
else | |
echo "No pipeline to trigger for ref ${{ github.ref }}" | |
exit 0 | |
fi | |
IFS=',' read -ra pipelines <<< "$pipelineId" | |
for pipeline in "${pipelines[@]}"; do | |
jsonBody='{"variables": {"sha": {"isSecret": false, "value": "${{ github.sha }}"}, "tag": {"isSecret": false, "value": "core-${{ github.sha }}"}}}' | |
contentLength=$(echo -n $jsonBody | wc -c) | |
project=ICTD-HCT-MIS | |
organization=unicef | |
echo Triggering deploy for pipeline $pipeline | |
echo JSON body: $jsonBody | |
curl -v -L \ | |
-u ":${{ secrets.AZURE_PAT }}" \ | |
-H "Content-Type: application/json" \ | |
-H "Content-Length: $contentLength" \ | |
-d "$jsonBody" \ | |
https://dev.azure.com/$organization/$project/_apis/pipelines/$pipeline/runs?api-version=7.1-preview.1 | |
if [ $? -ne 0 ]; then | |
echo "Failed to trigger deploy for pipeline $pipeline" | |
exit 1 | |
fi | |
done |