forked from cartsnitch/api
Barcode Betty
3101b43079
- Add deploy-dev and deploy-uat jobs to update infra overlays - Add Grype vulnerability scan step with APT_CACHE_BUST - Remove cartsnitch-common install from typecheck and test jobs - Fix CLAUDE.md: API has its own local models, no cartsnitch-common dep - Add .grype.yaml from monorepo root Co-Authored-By: Paperclip <noreply@paperclip.ing>
304 lines
9.5 KiB
YAML
304 lines
9.5 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
concurrency:
|
|
group: ci-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: write
|
|
packages: write
|
|
|
|
env:
|
|
REGISTRY: ghcr.io
|
|
IMAGE_NAME: cartsnitch/api
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: runners-cartsnitch
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
cache: pip
|
|
- run: pip install ruff
|
|
- name: Ruff lint
|
|
run: ruff check .
|
|
- name: Ruff format check
|
|
run: ruff format --check .
|
|
|
|
typecheck:
|
|
runs-on: runners-cartsnitch
|
|
continue-on-error: true
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
cache: pip
|
|
- name: Install system dependencies
|
|
run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential
|
|
- run: pip install -e ".[dev]" mypy
|
|
- name: Type check
|
|
run: mypy src/cartsnitch_api
|
|
|
|
test:
|
|
runs-on: runners-cartsnitch
|
|
services:
|
|
postgres:
|
|
image: postgres:15-alpine
|
|
credentials:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
env:
|
|
POSTGRES_USER: cartsnitch
|
|
POSTGRES_PASSWORD: cartsnitch_test
|
|
POSTGRES_DB: cartsnitch_test
|
|
ports:
|
|
- 5432:5432
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
redis:
|
|
image: redis:7-alpine
|
|
credentials:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
ports:
|
|
- 6379:6379
|
|
options: >-
|
|
--health-cmd "redis-cli ping"
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
env:
|
|
CARTSNITCH_DATABASE_URL: postgresql+asyncpg://cartsnitch:cartsnitch_test@localhost:5432/cartsnitch_test
|
|
CARTSNITCH_REDIS_URL: redis://localhost:6379/0
|
|
CARTSNITCH_JWT_SECRET_KEY: test-secret-do-not-use-in-prod
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
cache: pip
|
|
- name: Install system dependencies
|
|
run: sudo apt-get update && sudo apt-get install -y libpq-dev build-essential
|
|
- run: pip install -e ".[dev]"
|
|
- name: Run tests
|
|
run: pytest --tb=short -q
|
|
|
|
build-and-push:
|
|
runs-on: runners-cartsnitch
|
|
needs: [lint, test]
|
|
outputs:
|
|
calver_tag: ${{ steps.calver.outputs.version }}
|
|
sha_tag: sha-${{ github.sha }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Generate CalVer tag
|
|
id: calver
|
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
run: |
|
|
DATE_TAG=$(date -u +%Y.%m.%d)
|
|
EXISTING=$(git tag -l "v${DATE_TAG}*" | sort -V | tail -1)
|
|
if [ -z "$EXISTING" ]; then
|
|
VERSION="$DATE_TAG"
|
|
elif [ "$EXISTING" = "v${DATE_TAG}" ]; then
|
|
VERSION="${DATE_TAG}.2"
|
|
else
|
|
BUILD_NUM=$(echo "$EXISTING" | sed "s/v${DATE_TAG}\.//")
|
|
VERSION="${DATE_TAG}.$((BUILD_NUM + 1))"
|
|
fi
|
|
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
|
|
echo "CalVer tag: $VERSION"
|
|
|
|
- name: Log in to Docker Hub
|
|
uses: docker/login-action@v3
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
|
|
- name: Log in to GHCR
|
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Extract metadata
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
tags: |
|
|
type=sha,prefix=sha-,format=long
|
|
type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
|
|
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
|
|
|
|
- name: Build Docker image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: ./Dockerfile
|
|
load: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
build-args: |
|
|
APT_CACHE_BUST=${{ github.run_id }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
- name: Scan api image for vulnerabilities
|
|
uses: anchore/scan-action@v5
|
|
id: scan
|
|
env:
|
|
GRYPE_CONFIG: .grype.yaml
|
|
with:
|
|
image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
|
|
fail-build: true
|
|
severity-cutoff: high
|
|
only-fixed: "true"
|
|
output-format: sarif
|
|
|
|
- name: Upload api scan results to GitHub Security
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
if: always()
|
|
with:
|
|
sarif_file: ${{ steps.scan.outputs.sarif }}
|
|
|
|
- name: Push Docker image
|
|
if: github.event_name == 'push'
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
file: ./Dockerfile
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
build-args: |
|
|
APT_CACHE_BUST=${{ github.run_id }}
|
|
cache-from: type=gha
|
|
|
|
- name: Create git tag
|
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
run: |
|
|
git tag "v${{ steps.calver.outputs.version }}"
|
|
git push origin "v${{ steps.calver.outputs.version }}"
|
|
|
|
deploy-dev:
|
|
runs-on: runners-cartsnitch
|
|
needs: [build-and-push]
|
|
if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
|
|
steps:
|
|
- name: Generate GitHub App token
|
|
id: app-token
|
|
uses: actions/create-github-app-token@v1
|
|
with:
|
|
app-id: ${{ secrets.CARTSNITCH_APP_ID }}
|
|
private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
|
|
owner: ${{ github.repository_owner }}
|
|
repositories: infra
|
|
|
|
- name: Checkout infra repo
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: cartsnitch/infra
|
|
token: ${{ steps.app-token.outputs.token }}
|
|
ref: main
|
|
path: infra
|
|
|
|
- name: Install kubectl
|
|
uses: azure/setup-kubectl@v4
|
|
|
|
- name: Install kustomize
|
|
uses: imranismail/setup-kustomize@v2
|
|
|
|
- name: Determine image tag
|
|
id: api_tag
|
|
run: |
|
|
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
|
|
echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Update api image tag
|
|
if: needs.build-and-push.result == 'success'
|
|
run: |
|
|
cd infra/apps/overlays/dev
|
|
kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
|
|
|
|
- name: Commit and push to infra
|
|
run: |
|
|
cd infra
|
|
git config user.name "cartsnitch-ci[bot]"
|
|
git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
|
|
git add apps/overlays/dev/kustomization.yaml
|
|
git commit -m "ci(dev): update api image"
|
|
git pull --rebase origin main
|
|
git push origin main
|
|
|
|
deploy-uat:
|
|
runs-on: runners-cartsnitch
|
|
needs: [build-and-push]
|
|
if: always() && !cancelled() && github.event_name == 'push' && (github.ref == 'refs/heads/uat' || github.ref == 'refs/heads/main')
|
|
steps:
|
|
- name: Generate GitHub App token
|
|
id: app-token
|
|
uses: actions/create-github-app-token@v1
|
|
with:
|
|
app-id: ${{ secrets.CARTSNITCH_APP_ID }}
|
|
private-key: ${{ secrets.CARTSNITCH_APP_PRIVATE_KEY }}
|
|
owner: ${{ github.repository_owner }}
|
|
repositories: infra
|
|
|
|
- name: Checkout infra repo
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: cartsnitch/infra
|
|
token: ${{ steps.app-token.outputs.token }}
|
|
ref: main
|
|
path: infra
|
|
|
|
- name: Install kubectl
|
|
uses: azure/setup-kubectl@v4
|
|
|
|
- name: Install kustomize
|
|
uses: imranismail/setup-kustomize@v2
|
|
|
|
- name: Determine image tag
|
|
id: api_tag
|
|
run: |
|
|
if [ "${{ github.ref }}" == "refs/heads/main" ]; then
|
|
echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Update api image tag
|
|
if: needs.build-and-push.result == 'success'
|
|
run: |
|
|
cd infra/apps/overlays/uat
|
|
kustomize edit set image ghcr.io/cartsnitch/api:${{ steps.api_tag.outputs.tag }}
|
|
|
|
- name: Commit and push to infra
|
|
run: |
|
|
cd infra
|
|
git config user.name "cartsnitch-ci[bot]"
|
|
git config user.email "cartsnitch-ci[bot]@users.noreply.github.com"
|
|
git add apps/overlays/uat/kustomization.yaml
|
|
git commit -m "ci(uat): update api image"
|
|
git pull --rebase origin main
|
|
git push origin main |