backport: Disable Rack Attack #1341
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "CI/CD" | |
on: [push] | |
env: | |
CI: "true" | |
SIMPLECOV: "true" | |
RSPEC_FORMAT: "documentation" | |
RUBY_VERSION: 2.7.5 | |
RAILS_ENV: test | |
NODE_VERSION: 16.9.1 | |
RUBYOPT: '-W:no-deprecated' | |
# Set locales available for i18n tasks | |
ENFORCED_LOCALES: "en,fr" | |
AVAILABLE_LOCALES: "en,fr" | |
jobs: | |
todo: | |
name: TODO | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 1 | |
- name: "TODO to Issue" | |
uses: "alstr/todo-to-issue-action@v4" | |
lint: | |
name: Lint code | |
runs-on: ubuntu-latest | |
if: "!startsWith(github.head_ref, 'chore/l10n')" | |
timeout-minutes: 60 | |
steps: | |
- uses: rokroskar/[email protected] | |
if: "github.ref != 'refs/heads/develop'" | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- uses: OpenSourcePolitics/lint-action@master | |
with: | |
ruby_version: ${{ env.RUBY_VERSION }} | |
node_version: ${{ env.NODE_VERSION }} | |
tests: | |
strategy: | |
fail-fast: false | |
matrix: | |
slice: [ "0-2", "1-2" ] | |
name: Tests | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres:11 | |
ports: ["5432:5432"] | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
env: | |
POSTGRES_PASSWORD: postgres | |
env: | |
DATABASE_USERNAME: postgres | |
DATABASE_PASSWORD: postgres | |
DATABASE_HOST: localhost | |
steps: | |
- uses: rokroskar/[email protected] | |
if: "github.ref != 'refs/heads/master' || github.ref != 'refs/heads/develop'" | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 1 | |
- uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: ${{ env.RUBY_VERSION }} | |
bundler-cache: true | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Install dependencies | |
run: yarn install --prefer-offline --frozen-lockfile | |
- name: Create db | |
run: | | |
bundle exec rails parallel:create parallel:migrate | |
- name: Register cache hash | |
id: cache-hash | |
run: | | |
echo "::set-output name=hash::$(bundle exec rake test:assets_hash)" | |
- uses: OpenSourcePolitics/cache-precompile-action@master | |
with: | |
key: asset-cache-${{ runner.os }}-${{ steps.cache-hash.outputs.hash }} | |
- run: mkdir -p ./spec/tmp/screenshots | |
name: Create the screenshots folder | |
- uses: nanasess/setup-chromedriver@v2 | |
- run: bundle exec rake "test:run[exclude, spec/system/**/*_spec.rb, ${{ matrix.slice }}]" | |
name: RSpec | |
- run: ./.github/upload_coverage.sh decidim-app $GITHUB_EVENT_PATH | |
name: Upload coverage | |
- uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: screenshots | |
path: ./spec/tmp/screenshots | |
- uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: assets-manifest-${{ matrix.slice }} | |
path: ./tmp/assets_manifest.json | |
system_tests: | |
strategy: | |
matrix: | |
slice: [ "0-4", "1-4", "2-4", "3-4" ] | |
name: System tests | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres:11 | |
ports: ["5432:5432"] | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
env: | |
POSTGRES_PASSWORD: postgres | |
env: | |
DATABASE_USERNAME: postgres | |
DATABASE_PASSWORD: postgres | |
DATABASE_HOST: localhost | |
steps: | |
- uses: rokroskar/[email protected] | |
if: "github.ref != 'refs/heads/master' || github.ref != 'refs/heads/develop'" | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 1 | |
- uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: ${{ env.RUBY_VERSION }} | |
bundler-cache: true | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Install dependencies | |
run: yarn install --prefer-offline --frozen-lockfile | |
- name: Create db | |
run: | | |
bundle exec rails parallel:create parallel:migrate | |
- name: Register cache hash | |
id: cache-hash | |
run: | | |
echo "::set-output name=hash::$(bundle exec rake test:assets_hash)" | |
- uses: OpenSourcePolitics/cache-precompile-action@master | |
with: | |
key: asset-cache-${{ runner.os }}-${{ steps.cache-hash.outputs.hash }} | |
- run: mkdir -p ./spec/tmp/screenshots | |
name: Create the screenshots folder | |
- uses: nanasess/setup-chromedriver@v2 | |
- run: bundle exec rake "test:run[include, spec/system/**/*_spec.rb, ${{ matrix.slice }}]" | |
name: RSpec | |
- run: ./.github/upload_coverage.sh decidim-app $GITHUB_EVENT_PATH | |
name: Upload coverage | |
- uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: screenshots | |
path: ./spec/tmp/screenshots | |
- uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: assets-manifest-${{ matrix.slice }} | |
path: ./tmp/assets_manifest.json | |
test_build: | |
name: Test build docker image | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres:11 | |
ports: [ "5432:5432" ] | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
env: | |
POSTGRES_PASSWORD: postgres | |
env: | |
DATABASE_USERNAME: postgres | |
DATABASE_PASSWORD: postgres | |
DATABASE_HOST: host.docker.internal | |
steps: | |
- uses: OpenSourcePolitics/build-and-test-images-action@master | |
with: | |
registry: ${{ vars.REGISTRY_ENDPOINT }} | |
namespace: ${{ vars.REGISTRY_NAMESPACE }} | |
image_name: ${{ vars.IMAGE_NAME }} | |
tag: ${{ github.ref }} | |
password: ${{ secrets.TOKEN }} | |
database_username: ${{ env.DATABASE_USERNAME }} | |
database_password: ${{ env.DATABASE_PASSWORD }} | |
database_host: ${{ env.DATABASE_HOST }} | |
deploy_develop: | |
if: "github.ref == 'refs/heads/develop'" | |
needs: [lint, tests, system_tests, test_build] | |
name: Deploy develop branch on develop instance | |
runs-on: ubuntu-latest | |
steps: | |
- name: Run Ansible playbook | |
uses: appleboy/[email protected] | |
with: | |
host: ${{ secrets.ANSIBLE_HOST }} | |
username: ${{ secrets.ANSIBLE_USERNAME }} | |
key: ${{ secrets.ANSIBLE_KEY }} | |
port: ${{ secrets.SSH_PORT }} | |
script: ansible-playbook -u ${{ secrets.ANSIBLE_USERNAME }} --private-key="~/.ssh/ansible-deploy/ansible-deploy" -i /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/inventories/develop.yml /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/playbooks/update_decidim_app.yml | |
deploy_rc: | |
if: "github.ref == 'refs/heads/rc'" | |
needs: [lint, tests, system_tests, test_build] | |
name: Deploy rc branch on RC instance | |
runs-on: ubuntu-latest | |
steps: | |
- name: Run Ansible playbook | |
uses: appleboy/[email protected] | |
with: | |
host: ${{ secrets.ANSIBLE_HOST }} | |
username: ${{ secrets.ANSIBLE_USERNAME }} | |
key: ${{ secrets.ANSIBLE_KEY }} | |
port: ${{ secrets.SSH_PORT }} | |
script: ansible-playbook -u ${{ secrets.ANSIBLE_USERNAME }} --private-key="~/.ssh/ansible-deploy/ansible-deploy" -i /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/inventories/rc.yml /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/playbooks/update_decidim_app.yml | |
deploy_staging: | |
if: "github.ref == 'refs/heads/master'" | |
needs: [lint, tests, system_tests, test_build] | |
name: Deploy staging branch on staging instance | |
runs-on: ubuntu-latest | |
steps: | |
- name: Run Ansible playbook | |
uses: appleboy/[email protected] | |
with: | |
host: ${{ secrets.ANSIBLE_HOST }} | |
username: ${{ secrets.ANSIBLE_USERNAME }} | |
key: ${{ secrets.ANSIBLE_KEY }} | |
port: ${{ secrets.SSH_PORT }} | |
script: ansible-playbook -u ${{ secrets.ANSIBLE_USERNAME }} --private-key="~/.ssh/ansible-deploy/ansible-deploy" -i /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/inventories/staging.yml /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/playbooks/update_decidim_app.yml | |
build_and_push_image_dev: | |
name: Build and push image to Registry | |
if: "github.ref == 'refs/heads/develop'" | |
needs: [lint, tests, system_tests, test_build] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: OpenSourcePolitics/build-and-push-images-action@master | |
with: | |
registry: ${{ vars.REGISTRY_ENDPOINT }} | |
namespace: ${{ vars.REGISTRY_NAMESPACE }} | |
password: ${{ secrets.TOKEN }} | |
image_name: ${{ vars.IMAGE_NAME }} | |
tag: "develop" | |
generate_release: | |
name: Generate release | |
needs: [lint, tests, system_tests, test_build] | |
if: "github.ref == 'refs/heads/master'" | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
- uses: mathieudutour/[email protected] | |
name: Bump version and push tag | |
id: tag_version | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: ncipollo/release-action@v1 | |
name: Create a GitHub release | |
with: | |
generateReleaseNotes: true | |
tag: ${{ steps.tag_version.outputs.new_tag }} | |
name: Release ${{ steps.tag_version.outputs.new_tag }} | |
body: ${{ steps.tag_version.outputs.changelog }} | |
- uses: OpenSourcePolitics/build-and-push-images-action@master | |
with: | |
registry: ${{ vars.REGISTRY_ENDPOINT }} | |
namespace: ${{ vars.REGISTRY_NAMESPACE }} | |
password: ${{ secrets.TOKEN }} | |
image_name: ${{ vars.IMAGE_NAME }} | |
tag: ${{ steps.tag_version.outputs.new_tag }} |