|
|
|
@@ -2,9 +2,9 @@ name: CI
|
|
|
|
|
|
|
|
|
|
on:
|
|
|
|
|
push:
|
|
|
|
|
branches: [main, dev, uat]
|
|
|
|
|
branches: [main, dev]
|
|
|
|
|
pull_request:
|
|
|
|
|
branches: [main, dev, uat]
|
|
|
|
|
branches: [main, dev]
|
|
|
|
|
|
|
|
|
|
concurrency:
|
|
|
|
|
group: ci-${{ github.ref }}
|
|
|
|
@@ -15,17 +15,18 @@ permissions:
|
|
|
|
|
packages: write
|
|
|
|
|
|
|
|
|
|
env:
|
|
|
|
|
REGISTRY: git.farh.net
|
|
|
|
|
REGISTRY: ghcr.io
|
|
|
|
|
IMAGE_NAME: cartsnitch/api
|
|
|
|
|
|
|
|
|
|
jobs:
|
|
|
|
|
lint:
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
runs-on: runners-cartsnitch
|
|
|
|
|
steps:
|
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
|
- uses: actions/setup-python@v5
|
|
|
|
|
with:
|
|
|
|
|
python-version: "3.12"
|
|
|
|
|
cache: pip
|
|
|
|
|
- run: pip install ruff
|
|
|
|
|
- name: Ruff lint
|
|
|
|
|
run: ruff check .
|
|
|
|
@@ -33,13 +34,14 @@ jobs:
|
|
|
|
|
run: ruff format --check .
|
|
|
|
|
|
|
|
|
|
typecheck:
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
runs-on: runners-cartsnitch
|
|
|
|
|
continue-on-error: true
|
|
|
|
|
steps:
|
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
|
- uses: actions/setup-python@v5
|
|
|
|
|
with:
|
|
|
|
|
python-version: "3.12"
|
|
|
|
|
cache: pip
|
|
|
|
|
- name: Install system dependencies
|
|
|
|
|
run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential
|
|
|
|
|
- run: pip install -e ".[dev]" mypy
|
|
|
|
@@ -47,10 +49,13 @@ jobs:
|
|
|
|
|
run: mypy src/cartsnitch_api
|
|
|
|
|
|
|
|
|
|
test:
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
runs-on: runners-cartsnitch
|
|
|
|
|
services:
|
|
|
|
|
postgres:
|
|
|
|
|
image: postgres:15-alpine
|
|
|
|
|
credentials:
|
|
|
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
|
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
|
|
|
env:
|
|
|
|
|
POSTGRES_USER: cartsnitch
|
|
|
|
|
POSTGRES_PASSWORD: cartsnitch_test
|
|
|
|
@@ -64,6 +69,9 @@ jobs:
|
|
|
|
|
--health-retries 5
|
|
|
|
|
redis:
|
|
|
|
|
image: redis:7-alpine
|
|
|
|
|
credentials:
|
|
|
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
|
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
|
|
|
ports:
|
|
|
|
|
- 6379:6379
|
|
|
|
|
options: >-
|
|
|
|
@@ -75,13 +83,12 @@ jobs:
|
|
|
|
|
CARTSNITCH_DATABASE_URL: postgresql+asyncpg://cartsnitch:cartsnitch_test@localhost:5432/cartsnitch_test
|
|
|
|
|
CARTSNITCH_REDIS_URL: redis://localhost:6379/0
|
|
|
|
|
CARTSNITCH_JWT_SECRET_KEY: test-secret-do-not-use-in-prod
|
|
|
|
|
CARTSNITCH_SERVICE_KEY: test-service-key-do-not-use-in-prod
|
|
|
|
|
CARTSNITCH_FERNET_KEY: wXWQsC0FZlhSz2t_tfVQjNUSP8vgAGG3o3pkjrX8Bw0=
|
|
|
|
|
steps:
|
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
|
- uses: actions/setup-python@v5
|
|
|
|
|
with:
|
|
|
|
|
python-version: "3.12"
|
|
|
|
|
cache: pip
|
|
|
|
|
- name: Install system dependencies
|
|
|
|
|
run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential
|
|
|
|
|
- run: pip install -e ".[dev]"
|
|
|
|
@@ -89,7 +96,7 @@ jobs:
|
|
|
|
|
run: pytest --tb=short -q
|
|
|
|
|
|
|
|
|
|
build-and-push:
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
runs-on: runners-cartsnitch
|
|
|
|
|
needs: [lint, test]
|
|
|
|
|
outputs:
|
|
|
|
|
calver_tag: ${{ steps.calver.outputs.version }}
|
|
|
|
@@ -116,8 +123,19 @@ jobs:
|
|
|
|
|
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
|
|
|
|
|
echo "CalVer tag: $VERSION"
|
|
|
|
|
|
|
|
|
|
- name: Log in to Gitea Container Registry
|
|
|
|
|
run: echo "${{ github.token }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin
|
|
|
|
|
- name: Log in to Docker Hub
|
|
|
|
|
uses: docker/login-action@v3
|
|
|
|
|
with:
|
|
|
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
|
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
|
|
|
|
|
|
|
|
- name: Log in to GHCR
|
|
|
|
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
|
|
|
uses: docker/login-action@v3
|
|
|
|
|
with:
|
|
|
|
|
registry: ${{ env.REGISTRY }}
|
|
|
|
|
username: ${{ github.actor }}
|
|
|
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
|
|
|
|
|
|
- name: Extract metadata
|
|
|
|
|
id: meta
|
|
|
|
@@ -154,7 +172,11 @@ jobs:
|
|
|
|
|
only-fixed: "true"
|
|
|
|
|
output-format: sarif
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: Upload api scan results to GitHub Security
|
|
|
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
|
|
|
if: always()
|
|
|
|
|
with:
|
|
|
|
|
sarif_file: ${{ steps.scan.outputs.sarif }}
|
|
|
|
|
|
|
|
|
|
- name: Push Docker image
|
|
|
|
|
if: github.event_name == 'push'
|
|
|
|
@@ -176,15 +198,24 @@ jobs:
|
|
|
|
|
git push origin "v${{ steps.calver.outputs.version }}"
|
|
|
|
|
|
|
|
|
|
deploy-dev:
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
runs-on: runners-cartsnitch
|
|
|
|
|
needs: [build-and-push]
|
|
|
|
|
if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
|
|
|
|
|
steps:
|
|
|
|
|
- name: Generate GitHub App token
|
|
|
|
|
id: app-token
|
|
|
|
|
uses: actions/create-github-app-token@v1
|
|
|
|
|
with:
|
|
|
|
|
app-id: ${{ secrets.CARTSNITCH_APP_ID }}
|
|
|
|
|
private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
|
|
|
|
|
owner: ${{ github.repository_owner }}
|
|
|
|
|
repositories: infra
|
|
|
|
|
|
|
|
|
|
- name: Checkout infra repo
|
|
|
|
|
uses: actions/checkout@v4
|
|
|
|
|
with:
|
|
|
|
|
repository: cartsnitch/infra
|
|
|
|
|
token: ${{ secrets.GITEA_TOKEN }}
|
|
|
|
|
token: ${{ steps.app-token.outputs.token }}
|
|
|
|
|
ref: main
|
|
|
|
|
path: infra
|
|
|
|
|
|
|
|
|
@@ -207,7 +238,7 @@ jobs:
|
|
|
|
|
if: needs.build-and-push.result == 'success'
|
|
|
|
|
run: |
|
|
|
|
|
cd infra/apps/overlays/dev
|
|
|
|
|
kustomize edit set image ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.api_tag.outputs.tag }}
|
|
|
|
|
kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
|
|
|
|
|
|
|
|
|
|
- name: Commit and push to infra
|
|
|
|
|
run: |
|
|
|
|
@@ -220,15 +251,24 @@ jobs:
|
|
|
|
|
git push origin main
|
|
|
|
|
|
|
|
|
|
deploy-uat:
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
runs-on: runners-cartsnitch
|
|
|
|
|
needs: [build-and-push]
|
|
|
|
|
if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
|
|
|
|
|
steps:
|
|
|
|
|
- name: Generate GitHub App token
|
|
|
|
|
id: app-token
|
|
|
|
|
uses: actions/create-github-app-token@v1
|
|
|
|
|
with:
|
|
|
|
|
app-id: ${{ secrets.CARTSNITCH_APP_ID }}
|
|
|
|
|
private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
|
|
|
|
|
owner: ${{ github.repository_owner }}
|
|
|
|
|
repositories: infra
|
|
|
|
|
|
|
|
|
|
- name: Checkout infra repo
|
|
|
|
|
uses: actions/checkout@v4
|
|
|
|
|
with:
|
|
|
|
|
repository: cartsnitch/infra
|
|
|
|
|
token: ${{ secrets.GITEA_TOKEN }}
|
|
|
|
|
token: ${{ steps.app-token.outputs.token }}
|
|
|
|
|
ref: main
|
|
|
|
|
path: infra
|
|
|
|
|
|
|
|
|
@@ -251,7 +291,7 @@ jobs:
|
|
|
|
|
if: needs.build-and-push.result == 'success'
|
|
|
|
|
run: |
|
|
|
|
|
cd infra/apps/overlays/uat
|
|
|
|
|
kustomize edit set image ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.api_tag.outputs.tag }}
|
|
|
|
|
kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
|
|
|
|
|
|
|
|
|
|
- name: Commit and push to infra
|
|
|
|
|
run: |
|
cartsnitch-ceo[bot]