name: CI on: push: branches: [main, dev, uat] pull_request: branches: [main, dev, uat] concurrency: group: ci-${{ github.ref }} cancel-in-progress: true permissions: contents: write packages: write env: REGISTRY: git.farh.net IMAGE_NAME: cartsnitch/api jobs: lint: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: python-version: "3.12" - run: pip install ruff - name: Ruff lint run: ruff check . - name: Ruff format check run: ruff format --check . typecheck: runs-on: ubuntu-latest continue-on-error: true steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: python-version: "3.12" - name: Install system dependencies run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential - run: pip install -e ".[dev]" mypy - name: Type check run: mypy src/cartsnitch_api test: runs-on: ubuntu-latest services: postgres: image: postgres:15-alpine env: POSTGRES_USER: cartsnitch POSTGRES_PASSWORD: cartsnitch_test POSTGRES_DB: cartsnitch_test ports: - 5432:5432 options: >- --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 redis: image: redis:7-alpine ports: - 6379:6379 options: >- --health-cmd "redis-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5 env: CARTSNITCH_DATABASE_URL: postgresql+asyncpg://cartsnitch:cartsnitch_test@localhost:5432/cartsnitch_test CARTSNITCH_REDIS_URL: redis://localhost:6379/0 CARTSNITCH_JWT_SECRET_KEY: test-secret-do-not-use-in-prod CARTSNITCH_SERVICE_KEY: test-service-key-do-not-use-in-prod CARTSNITCH_FERNET_KEY: wXWQsC0FZlhSz2t_tfVQjNUSP8vgAGG3o3pkjrX8Bw0= steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: python-version: "3.12" - name: Install system dependencies run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential - run: pip install -e ".[dev]" - name: Run tests run: pytest --tb=short -q build-and-push: if: github.event_name == 'push' runs-on: ubuntu-latest needs: [lint, test] outputs: calver_tag: ${{ steps.calver.outputs.version }} sha_tag: sha-${{ github.sha }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Generate CalVer tag id: calver if: github.event_name == 'push' && github.ref == 'refs/heads/main' run: | DATE_TAG=$(date -u +%Y.%m.%d) EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1) if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG" elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2" else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//") VERSION="${DATE_TAG}.$((BUILD_NUM + 1))" fi echo "version=$VERSION" >> "$GITHUB_OUTPUT" echo "CalVer tag: $VERSION" - name: Log in to Gitea Container Registry run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.farh.net -u ${{ github.actor }} --password-stdin - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=sha,prefix=sha-,format=long type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - name: Build Docker image uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile load: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} build-args: | APT_CACHE_BUST=${{ github.run_id }} - name: Scan api image for vulnerabilities uses: anchore/scan-action@v5 id: scan env: GRYPE_CONFIG: .grype.yaml with: image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}" fail-build: true severity-cutoff: high only-fixed: "true" output-format: sarif - name: Push Docker image if: github.event_name == 'push' uses: docker/build-push-action@v6 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - name: Create git tag if: github.event_name == 'push' && github.ref == 'refs/heads/main' run: | git tag "v${{ steps.calver.outputs.version }}" git push origin "v${{ steps.calver.outputs.version }}"