fix: Add layer of security and download p7zip-full lib on docker (#237) #371
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "CI/CD" | |
on: [push] | |
env: | |
CI: "true" | |
SIMPLECOV: "true" | |
RSPEC_FORMAT: "documentation" | |
RUBY_VERSION: 3.0.6 | |
CHROME_VERSION: 126.0.6478.182 | |
RAILS_ENV: test | |
NODE_VERSION: 16.9.1 | |
RUBYOPT: '-W:no-deprecated' | |
# Set locales available for i18n tasks | |
ENFORCED_LOCALES: "en,fr,ca,es" | |
AVAILABLE_LOCALES: "en,fr,ca,es" | |
jobs: | |
todo: | |
name: TODO | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 1 | |
- name: "TODO to Issue" | |
uses: "alstr/todo-to-issue-action@v4" | |
lint: | |
name: Lint code | |
runs-on: ubuntu-latest | |
if: "!startsWith(github.head_ref, 'chore/l10n')" | |
timeout-minutes: 60 | |
steps: | |
- uses: rokroskar/[email protected] | |
if: "github.ref != 'refs/heads/develop'" | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- uses: OpenSourcePolitics/lint-action@master | |
with: | |
ruby_version: ${{ env.RUBY_VERSION }} | |
node_version: ${{ env.NODE_VERSION }} | |
zeitwerk: | |
name: Check for Zeitwerk errors | |
runs-on: ubuntu-latest | |
if: "!startsWith(github.head_ref, 'chore/l10n')" | |
timeout-minutes: 60 | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 1 | |
- uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: ${{ env.RUBY_VERSION }} | |
bundler-cache: true | |
- name: Check for Zeitwerk errors | |
run: | | |
bundle exec rails zeitwerk:check | |
tests: | |
strategy: | |
fail-fast: false | |
matrix: | |
slice: [ "0-2", "1-2" ] | |
name: Tests | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres:11 | |
ports: ["5432:5432"] | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
env: | |
POSTGRES_PASSWORD: postgres | |
env: | |
DATABASE_USERNAME: postgres | |
DATABASE_PASSWORD: postgres | |
DATABASE_HOST: localhost | |
steps: | |
- uses: rokroskar/[email protected] | |
if: "github.ref != 'refs/heads/master' || github.ref != 'refs/heads/develop'" | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 1 | |
- uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: ${{ env.RUBY_VERSION }} | |
bundler-cache: true | |
- run: | | |
sudo apt install libu2f-udev | |
wget --no-verbose -O /tmp/chrome.deb https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${{env.CHROME_VERSION}}-1_amd64.deb | |
sudo dpkg -i /tmp/chrome.deb | |
rm /tmp/chrome.deb | |
name: Install Chrome version ${{ env.CHROME_VERSION }} | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Install dependencies | |
run: yarn install --prefer-offline --frozen-lockfile | |
- name: Create db | |
run: | | |
bundle exec rails parallel:create parallel:migrate | |
- name: Register cache hash | |
id: cache-hash | |
run: | | |
echo "::set-output name=hash::$(bundle exec rake test:assets_hash)" | |
- uses: OpenSourcePolitics/cache-precompile-action@master | |
with: | |
key: asset-cache-${{ runner.os }}-${{ steps.cache-hash.outputs.hash }} | |
- run: mkdir -p ./spec/tmp/screenshots | |
name: Create the screenshots folder | |
- uses: nanasess/setup-chromedriver@v2 | |
with: | |
chromedriver-version: ${{ env.CHROME_VERSION }} | |
- run: bundle exec rake "test:run[exclude, spec/system/**/*_spec.rb, ${{ matrix.slice }}]" | |
name: RSpec | |
# - run: ./.github/upload_coverage.sh decidim-app $GITHUB_EVENT_PATH | |
# name: Upload coverage | |
- uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: screenshots | |
path: ./spec/tmp/screenshots | |
- uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: assets-manifest-${{ matrix.slice }} | |
path: ./tmp/assets_manifest.json | |
system_tests: | |
strategy: | |
fail-fast: false | |
matrix: | |
slice: [ "0-4", "1-4", "2-4", "3-4" ] | |
name: System tests | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres:11 | |
ports: ["5432:5432"] | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
env: | |
POSTGRES_PASSWORD: postgres | |
env: | |
DATABASE_USERNAME: postgres | |
DATABASE_PASSWORD: postgres | |
DATABASE_HOST: localhost | |
steps: | |
- uses: rokroskar/[email protected] | |
if: "github.ref != 'refs/heads/master' || github.ref != 'refs/heads/develop'" | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 1 | |
- uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: ${{ env.RUBY_VERSION }} | |
bundler-cache: true | |
- run: | | |
sudo apt install libu2f-udev | |
wget --no-verbose -O /tmp/chrome.deb https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${{env.CHROME_VERSION}}-1_amd64.deb | |
sudo dpkg -i /tmp/chrome.deb | |
rm /tmp/chrome.deb | |
name: Install Chrome version ${{ env.CHROME_VERSION }} | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
- name: Install dependencies | |
run: yarn install --prefer-offline --frozen-lockfile | |
- name: Create db | |
run: | | |
bundle exec rails parallel:create parallel:migrate | |
- name: Register cache hash | |
id: cache-hash | |
run: | | |
echo "::set-output name=hash::$(bundle exec rake test:assets_hash)" | |
- uses: OpenSourcePolitics/cache-precompile-action@master | |
with: | |
key: asset-cache-${{ runner.os }}-${{ steps.cache-hash.outputs.hash }} | |
- run: mkdir -p ./spec/tmp/screenshots | |
name: Create the screenshots folder | |
- uses: nanasess/setup-chromedriver@v2 | |
with: | |
chromedriver-version: ${{ env.CHROME_VERSION }} | |
- run: bundle exec rake "test:run[include, spec/system/**/*_spec.rb, ${{ matrix.slice }}]" | |
name: RSpec | |
# - run: ./.github/upload_coverage.sh decidim-app $GITHUB_EVENT_PATH | |
# name: Upload coverage | |
- uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: screenshots | |
path: ./spec/tmp/screenshots | |
- uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: assets-manifest-${{ matrix.slice }} | |
path: ./tmp/assets_manifest.json | |
test_build: | |
name: Test build docker image | |
runs-on: ubuntu-latest | |
services: | |
postgres: | |
image: postgres:11 | |
ports: [ "5432:5432" ] | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
env: | |
POSTGRES_PASSWORD: postgres | |
env: | |
DATABASE_USERNAME: postgres | |
DATABASE_PASSWORD: postgres | |
DATABASE_HOST: host.docker.internal | |
steps: | |
- uses: OpenSourcePolitics/build-and-test-images-action@master | |
with: | |
registry: ${{ vars.REGISTRY_ENDPOINT }} | |
namespace: ${{ vars.REGISTRY_NAMESPACE }} | |
image_name: ${{ vars.IMAGE_NAME }} | |
tag: ${{ github.ref }} | |
password: ${{ secrets.TOKEN }} | |
database_username: ${{ env.DATABASE_USERNAME }} | |
database_password: ${{ env.DATABASE_PASSWORD }} | |
database_host: ${{ env.DATABASE_HOST }} | |
# We don't want to upload the image to the registry if the build fails, but we don't care when on a PR for speed reasons | |
push: ${{ github.ref != 'refs/heads/develop' || github.ref != 'refs/heads/master' }} | |
build_and_push_image_dev: | |
if: "github.ref == 'refs/heads/develop'" | |
name: Build and push image to Registry | |
needs: [ lint, zeitwerk, tests, system_tests, test_build ] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: OpenSourcePolitics/build-and-push-images-action@master | |
with: | |
registry: ${{ vars.REGISTRY_ENDPOINT }} | |
namespace: ${{ vars.REGISTRY_NAMESPACE }} | |
password: ${{ secrets.TOKEN }} | |
image_name: ${{ vars.IMAGE_NAME }} | |
tag: ${{ github.ref }} | |
generate_release: | |
name: Generate release | |
needs: [lint, tests, system_tests, test_build] | |
if: "github.ref == 'refs/heads/master'" | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
- uses: mathieudutour/[email protected] | |
name: Bump version and push tag | |
id: tag_version | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: ncipollo/release-action@v1 | |
name: Create a GitHub release | |
with: | |
generateReleaseNotes: true | |
tag: ${{ steps.tag_version.outputs.new_tag }} | |
name: Release ${{ steps.tag_version.outputs.new_tag }} | |
body: ${{ steps.tag_version.outputs.changelog }} | |
- uses: OpenSourcePolitics/build-and-push-images-action@master | |
with: | |
registry: ${{ vars.REGISTRY_ENDPOINT }} | |
namespace: ${{ vars.REGISTRY_NAMESPACE }} | |
password: ${{ secrets.TOKEN }} | |
image_name: ${{ vars.IMAGE_NAME }} | |
tag: ${{ steps.tag_version.outputs.new_tag }} |