Skip to content

backport: Add layer of security and download p7zip-full lib on docker #1344

backport: Add layer of security and download p7zip-full lib on docker

backport: Add layer of security and download p7zip-full lib on docker #1344

Workflow file for this run

name: "CI/CD"
on: [push]
env:
CI: "true"
SIMPLECOV: "true"
RSPEC_FORMAT: "documentation"
RUBY_VERSION: 3.0.6
CHROME_VERSION: 126.0.6478.182
RAILS_ENV: test
NODE_VERSION: 16.9.1
RUBYOPT: '-W:no-deprecated'
# Set locales available for i18n tasks
ENFORCED_LOCALES: "en,fr,ca,es"
AVAILABLE_LOCALES: "en,fr,ca,es"
jobs:
todo:
name: TODO
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 1
- name: "TODO to Issue"
uses: "alstr/todo-to-issue-action@v4"
lint:
name: Lint code
runs-on: ubuntu-latest
if: "!startsWith(github.head_ref, 'chore/l10n')"
timeout-minutes: 60
steps:
- uses: rokroskar/[email protected]
if: "github.ref != 'refs/heads/develop'"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- uses: OpenSourcePolitics/lint-action@master
with:
ruby_version: ${{ env.RUBY_VERSION }}
node_version: ${{ env.NODE_VERSION }}
zeitwerk:
name: Check for Zeitwerk errors
runs-on: ubuntu-latest
if: "!startsWith(github.head_ref, 'chore/l10n')"
timeout-minutes: 60
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 1
- uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ env.RUBY_VERSION }}
bundler-cache: true
- name: Check for Zeitwerk errors
run: |
bundle exec rails zeitwerk:check
tests:
strategy:
fail-fast: false
matrix:
slice: [ "0-2", "1-2" ]
name: Tests
runs-on: ubuntu-latest
services:
postgres:
image: postgres:11
ports: ["5432:5432"]
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
env:
POSTGRES_PASSWORD: postgres
env:
DATABASE_USERNAME: postgres
DATABASE_PASSWORD: postgres
DATABASE_HOST: localhost
steps:
- uses: rokroskar/[email protected]
if: "github.ref != 'refs/heads/master' || github.ref != 'refs/heads/develop'"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- uses: actions/checkout@v3
with:
fetch-depth: 1
- uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ env.RUBY_VERSION }}
bundler-cache: true
- run: |
sudo apt install libu2f-udev
wget --no-verbose -O /tmp/chrome.deb https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${{env.CHROME_VERSION}}-1_amd64.deb
sudo dpkg -i /tmp/chrome.deb
rm /tmp/chrome.deb
name: Install Chrome version ${{ env.CHROME_VERSION }}
- uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: yarn install --prefer-offline --frozen-lockfile
- name: Create db
run: |
bundle exec rails parallel:create parallel:migrate
- name: Register cache hash
id: cache-hash
run: |
echo "::set-output name=hash::$(bundle exec rake test:assets_hash)"
- uses: OpenSourcePolitics/cache-precompile-action@master
with:
key: asset-cache-${{ runner.os }}-${{ steps.cache-hash.outputs.hash }}
- run: mkdir -p ./spec/tmp/screenshots
name: Create the screenshots folder
- uses: nanasess/setup-chromedriver@v2
with:
chromedriver-version: ${{ env.CHROME_VERSION }}
- run: bundle exec rake "test:run[exclude, spec/system/**/*_spec.rb, ${{ matrix.slice }}]"
name: RSpec
# - run: ./.github/upload_coverage.sh decidim-app $GITHUB_EVENT_PATH
# name: Upload coverage
- uses: actions/upload-artifact@v3
if: always()
with:
name: screenshots
path: ./spec/tmp/screenshots
- uses: actions/upload-artifact@v3
if: always()
with:
name: assets-manifest-${{ matrix.slice }}
path: ./tmp/assets_manifest.json
system_tests:
strategy:
fail-fast: false
matrix:
slice: [ "0-4", "1-4", "2-4", "3-4" ]
name: System tests
runs-on: ubuntu-latest
services:
postgres:
image: postgres:11
ports: ["5432:5432"]
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
env:
POSTGRES_PASSWORD: postgres
env:
DATABASE_USERNAME: postgres
DATABASE_PASSWORD: postgres
DATABASE_HOST: localhost
steps:
- uses: rokroskar/[email protected]
if: "github.ref != 'refs/heads/master' || github.ref != 'refs/heads/develop'"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- uses: actions/checkout@v3
with:
fetch-depth: 1
- uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ env.RUBY_VERSION }}
bundler-cache: true
- run: |
sudo apt install libu2f-udev
wget --no-verbose -O /tmp/chrome.deb https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${{env.CHROME_VERSION}}-1_amd64.deb
sudo dpkg -i /tmp/chrome.deb
rm /tmp/chrome.deb
name: Install Chrome version ${{ env.CHROME_VERSION }}
- uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
- name: Install dependencies
run: yarn install --prefer-offline --frozen-lockfile
- name: Create db
run: |
bundle exec rails parallel:create parallel:migrate
- name: Register cache hash
id: cache-hash
run: |
echo "::set-output name=hash::$(bundle exec rake test:assets_hash)"
- uses: OpenSourcePolitics/cache-precompile-action@master
with:
key: asset-cache-${{ runner.os }}-${{ steps.cache-hash.outputs.hash }}
- run: mkdir -p ./spec/tmp/screenshots
name: Create the screenshots folder
- uses: nanasess/setup-chromedriver@v2
with:
chromedriver-version: ${{ env.CHROME_VERSION }}
- run: bundle exec rake "test:run[include, spec/system/**/*_spec.rb, ${{ matrix.slice }}]"
name: RSpec
# - run: ./.github/upload_coverage.sh decidim-app $GITHUB_EVENT_PATH
# name: Upload coverage
- uses: actions/upload-artifact@v3
if: always()
with:
name: screenshots
path: ./spec/tmp/screenshots
- uses: actions/upload-artifact@v3
if: always()
with:
name: assets-manifest-${{ matrix.slice }}
path: ./tmp/assets_manifest.json
test_build:
name: Test build docker image
runs-on: ubuntu-latest
services:
postgres:
image: postgres:11
ports: [ "5432:5432" ]
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
env:
POSTGRES_PASSWORD: postgres
env:
DATABASE_USERNAME: postgres
DATABASE_PASSWORD: postgres
DATABASE_HOST: host.docker.internal
steps:
- uses: OpenSourcePolitics/build-and-test-images-action@master
with:
registry: ${{ vars.REGISTRY_ENDPOINT }}
namespace: ${{ vars.REGISTRY_NAMESPACE }}
image_name: ${{ vars.IMAGE_NAME }}
tag: ${{ github.ref }}
password: ${{ secrets.TOKEN }}
database_username: ${{ env.DATABASE_USERNAME }}
database_password: ${{ env.DATABASE_PASSWORD }}
database_host: ${{ env.DATABASE_HOST }}
# We don't want to upload the image to the registry if the build fails, but we don't care when on a PR for speed reasons
push: ${{ github.ref != 'refs/heads/develop' || github.ref != 'refs/heads/master' }}
build_and_push_image_dev:
if: "github.ref == 'refs/heads/develop'"
name: Build and push image to Registry
needs: [ lint, zeitwerk, tests, system_tests, test_build ]
runs-on: ubuntu-latest
steps:
- uses: OpenSourcePolitics/build-and-push-images-action@master
with:
registry: ${{ vars.REGISTRY_ENDPOINT }}
namespace: ${{ vars.REGISTRY_NAMESPACE }}
password: ${{ secrets.TOKEN }}
image_name: ${{ vars.IMAGE_NAME }}
tag: ${{ github.ref }}
generate_release:
name: Generate release
needs: [lint, tests, system_tests, test_build]
if: "github.ref == 'refs/heads/master'"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: mathieudutour/[email protected]
name: Bump version and push tag
id: tag_version
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
- uses: ncipollo/release-action@v1
name: Create a GitHub release
with:
generateReleaseNotes: true
tag: ${{ steps.tag_version.outputs.new_tag }}
name: Release ${{ steps.tag_version.outputs.new_tag }}
body: ${{ steps.tag_version.outputs.changelog }}
- uses: OpenSourcePolitics/build-and-push-images-action@master
with:
registry: ${{ vars.REGISTRY_ENDPOINT }}
namespace: ${{ vars.REGISTRY_NAMESPACE }}
password: ${{ secrets.TOKEN }}
image_name: ${{ vars.IMAGE_NAME }}
tag: ${{ steps.tag_version.outputs.new_tag }}