name: CI on: push: branches: [main] pull_request: branches: [main] concurrency: group: ci-${{ github.ref }} cancel-in-progress: true permissions: contents: write packages: write env: REGISTRY: ghcr.io IMAGE_NAME: cartsnitch/api jobs: lint: runs-on: runners-cartsnitch steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: python-version: "3.12" cache: pip - run: pip install ruff - name: Ruff lint run: ruff check . - name: Ruff format check run: ruff format --check . typecheck: runs-on: runners-cartsnitch continue-on-error: true steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: python-version: "3.12" cache: pip - name: Install system dependencies run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential - run: pip install -e ".[dev]" mypy - name: Type check run: mypy src/cartsnitch_api test: runs-on: runners-cartsnitch services: postgres: image: postgres:15-alpine credentials: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} env: POSTGRES_USER: cartsnitch POSTGRES_PASSWORD: cartsnitch_test POSTGRES_DB: cartsnitch_test ports: - 5432:5432 options: >- --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 redis: image: redis:7-alpine credentials: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} ports: - 6379:6379 options: >- --health-cmd "redis-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5 env: CARTSNITCH_DATABASE_URL: postgresql+asyncpg://cartsnitch:cartsnitch_test@localhost:5432/cartsnitch_test CARTSNITCH_REDIS_URL: redis://localhost:6379/0 CARTSNITCH_JWT_SECRET_KEY: test-secret-do-not-use-in-prod steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: python-version: "3.12" cache: pip - name: Install system dependencies run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential - run: pip install -e ".[dev]" - name: Run tests run: pytest --tb=short -q build-and-push: runs-on: runners-cartsnitch needs: [lint, test] outputs: calver_tag: ${{ steps.calver.outputs.version }} sha_tag: sha-${{ github.sha }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Generate CalVer tag id: calver if: github.event_name == 'push' && github.ref == 'refs/heads/main' run: | DATE_TAG=$(date -u +%Y.%m.%d) EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1) if [ -z "$EXISTING" ]; then VERSION="$DATE_TAG" elif [ "$EXISTING" = "v${DATE_TAG}" ]; then VERSION="${DATE_TAG}.2" else BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//") VERSION="${DATE_TAG}.$((BUILD_NUM + 1))" fi echo "version=$VERSION" >> "$GITHUB_OUTPUT" echo "CalVer tag: $VERSION" - name: Log in to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Log in to GHCR if: github.event_name == 'push' && github.ref == 'refs/heads/main' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=sha,prefix=sha-,format=long type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - name: Build Docker image uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile load: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} build-args: | APT_CACHE_BUST=${{ github.run_id }} cache-from: type=gha cache-to: type=gha,mode=max - name: Scan api image for vulnerabilities uses: anchore/scan-action@v5 id: scan env: GRYPE_CONFIG: .grype.yaml with: image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}" fail-build: true severity-cutoff: high only-fixed: "true" output-format: sarif - name: Upload api scan results to GitHub Security uses: github/codeql-action/upload-sarif@v3 if: always() with: sarif_file: ${{ steps.scan.outputs.sarif }} - name: Push Docker image if: github.event_name == 'push' uses: docker/build-push-action@v6 with: context: . file: ./Dockerfile push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} build-args: | APT_CACHE_BUST=${{ github.run_id }} cache-from: type=gha - name: Create git tag if: github.event_name == 'push' && github.ref == 'refs/heads/main' run: | git tag "v${{ steps.calver.outputs.version }}" git push origin "v${{ steps.calver.outputs.version }}" deploy-dev: runs-on: runners-cartsnitch needs: [build-and-push] if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main') steps: - name: Generate GitHub App token id: app-token uses: actions/create-github-app-token@v1 with: app-id: ${{ secrets.CARTSNITCH_APP_ID }} private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} repositories: infra - name: Checkout infra repo uses: actions/checkout@v4 with: repository: cartsnitch/infra token: ${{ steps.app-token.outputs.token }} ref: main path: infra - name: Install kubectl uses: azure/setup-kubectl@v4 - name: Install kustomize uses: imranismail/setup-kustomize@v2 - name: Determine image tag id: api_tag run: | if [ "${{ github.ref }}" == "refs/heads/main" ]; then echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" else echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" fi - name: Update api image tag if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/dev kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }} - name: Commit and push to infra run: | cd infra git config user.name "cartsnitch-ci[bot]" git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" git add apps/overlays/dev/kustomization.yaml git commit -m "ci(dev): update api image" git pull --rebase origin main git push origin main deploy-uat: runs-on: runners-cartsnitch needs: [build-and-push] if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main') steps: - name: Generate GitHub App token id: app-token uses: actions/create-github-app-token@v1 with: app-id: ${{ secrets.CARTSNITCH_APP_ID }} private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }} owner: ${{ github.repository_owner }} repositories: infra - name: Checkout infra repo uses: actions/checkout@v4 with: repository: cartsnitch/infra token: ${{ steps.app-token.outputs.token }} ref: main path: infra - name: Install kubectl uses: azure/setup-kubectl@v4 - name: Install kustomize uses: imranismail/setup-kustomize@v2 - name: Determine image tag id: api_tag run: | if [ "${{ github.ref }}" == "refs/heads/main" ]; then echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" else echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" fi - name: Update api image tag if: needs.build-and-push.result == 'success' run: | cd infra/apps/overlays/uat kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }} - name: Commit and push to infra run: | cd infra git config user.name "cartsnitch-ci[bot]" git config user.email "cartsnitch-ci[bot]@users.noreply.github.com" git add apps/overlays/uat/kustomization.yaml git commit -m "ci(uat): update api image" git pull --rebase origin main git push origin main