5e1cd5fbe0
The build-and-push job was running on PRs and trying to log in to the Gitea Container Registry, which always fails on PRs because the github.token has no package write permission. Add if: github.event_name == 'push' so the job is skipped for PRs and the overall run can stay green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
179 lines
5.2 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main, dev, uat]
|
|
pull_request:
|
|
branches: [main, dev, uat]
|
|
|
|
concurrency:
|
|
group: ci-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: write
|
|
packages: write
|
|
|
|
env:
|
|
REGISTRY: git.farh.net
|
|
IMAGE_NAME: cartsnitch/api
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
- run: pip install ruff
|
|
- name: Ruff lint
|
|
run: ruff check .
|
|
- name: Ruff format check
|
|
run: ruff format --check .
|
|
|
|
typecheck:
|
|
runs-on: ubuntu-latest
|
|
continue-on-error: true
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
- name: Install system dependencies
|
|
run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential
|
|
- run: pip install -e ".[dev]" mypy
|
|
- name: Type check
|
|
run: mypy src/cartsnitch_api
|
|
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
services:
|
|
postgres:
|
|
image: postgres:15-alpine
|
|
env:
|
|
POSTGRES_USER: cartsnitch
|
|
POSTGRES_PASSWORD: cartsnitch_test
|
|
POSTGRES_DB: cartsnitch_test
|
|
ports:
|
|
- 5432:5432
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
redis:
|
|
image: redis:7-alpine
|
|
ports:
|
|
- 6379:6379
|
|
options: >-
|
|
--health-cmd "redis-cli ping"
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
env:
|
|
CARTSNITCH_DATABASE_URL: postgresql+asyncpg://cartsnitch:cartsnitch_test@localhost:5432/cartsnitch_test
|
|
CARTSNITCH_REDIS_URL: redis://localhost:6379/0
|
|
CARTSNITCH_JWT_SECRET_KEY: test-secret-do-not-use-in-prod
|
|
CARTSNITCH_SERVICE_KEY: test-service-key-do-not-use-in-prod
|
|
CARTSNITCH_FERNET_KEY: wXWQsC0FZlhSz2t_tfVQjNUSP8vgAGG3o3pkjrX8Bw0=
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
- name: Install system dependencies
|
|
run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential
|
|
- run: pip install -e ".[dev]"
|
|
- name: Run tests
|
|
run: pytest --tb=short -q
|
|
|
|
build-and-push:
|
|
if: github.event_name == 'push'
|
|
runs-on: ubuntu-latest
|
|
needs: [lint, test]
|
|
outputs:
|
|
calver_tag: ${{ steps.calver.outputs.version }}
|
|
sha_tag: sha-${{ github.sha }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Generate CalVer tag
|
|
id: calver
|
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
run: |
|
|
DATE_TAG=$(date -u +%Y.%m.%d)
|
|
EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
|
|
if [ -z "$EXISTING" ]; then
|
|
VERSION="$DATE_TAG"
|
|
elif [ "$EXISTING" = "v${DATE_TAG}" ]; then
|
|
VERSION="${DATE_TAG}.2"
|
|
else
|
|
BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//")
|
|
VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"
|
|
fi
|
|
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
|
|
echo "CalVer tag: $VERSION"
|
|
|
|
- name: Log in to Gitea Container Registry
|
|
run: echo "${{ github.token }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin
|
|
|
|
- name: Extract metadata
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
tags: |
|
|
type=sha,prefix=sha-,format=long
|
|
type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
|
|
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
|
|
|
|
- name: Build Docker image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: ./Dockerfile
|
|
load: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
build-args: |
|
|
APT_CACHE_BUST=${{ github.run_id }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
- name: Scan api image for vulnerabilities
|
|
uses: anchore/scan-action@v5
|
|
id: scan
|
|
env:
|
|
GRYPE_CONFIG: .grype.yaml
|
|
with:
|
|
image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
|
|
fail-build: true
|
|
severity-cutoff: high
|
|
only-fixed: "true"
|
|
output-format: sarif
|
|
|
|
|
|
|
|
- name: Push Docker image
|
|
if: github.event_name == 'push'
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: ./Dockerfile
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
build-args: |
|
|
APT_CACHE_BUST=${{ github.run_id }}
|
|
cache-from: type=gha
|
|
|
|
- name: Create git tag
|
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
run: |
|
|
git tag "v${{ steps.calver.outputs.version }}"
|
|
git push origin "v${{ steps.calver.outputs.version }}"
|
|
|
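Review bot: Gating the whole build-and-push job on `github.event_name == 'push'` also skips the "Scan api image for vulnerabilities" step, so a PR that pulls in a fixable high-severity finding is no longer caught by Grype until after it has landed on main, dev or uat. Only the registry login and the push need `packages: write`; the "Build Docker image" step uses `load: true` and the scan is pointed at that locally built tag, so neither appears to need registry credentials. I would drop the job-level `if:` and instead put `if: github.event_name == 'push'` on the "Log in to Gitea Container Registry" step, which the "Push Docker image" and "Create git tag" steps already carry, so PRs still build and scan but never touch the registry. Separately, the login step hard-codes `git.farh.net` where the rest of the job uses `${{ env.REGISTRY }}`, so the two can drift. The workflow-level `permissions:` block also grants `contents: write` and `packages: write` to lint, typecheck and test; if the runner honours per-job permissions, moving that block under `build-and-push:` keeps the token read-only in the jobs that execute PR code.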