Feature/143 expand improvements #401
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| # Run this workflow every time a new commit pushed to your repository | |
| on: | |
| push: | |
| branches: | |
| - master | |
| tags: | |
| - '*' | |
| pull_request: | |
| workflow_dispatch: | |
| env: | |
| IMAGE_NAME: maykinmedia/open-klant | |
| DJANGO_SETTINGS_MODULE: openklant.conf.jenkins | |
| DB_PASSWORD: '' | |
| DB_USER: postgres | |
| # ALLOWED_HOSTS: openklant.nl | |
| jobs: | |
| # determine changed files to decide if certain jobs can be skipped or not | |
| changed-files: | |
| runs-on: ubuntu-latest # windows-latest | macos-latest | |
| name: Determine changed files | |
| steps: | |
| - uses: actions/checkout@v2 | |
| with: | |
| fetch-depth: 2 | |
| - name: Get changed PY files | |
| id: changed-py-files | |
| uses: tj-actions/[email protected] | |
| with: | |
| files: | | |
| ^src/.+\.py | |
| - name: Get changed JS files | |
| id: changed-js-files | |
| uses: tj-actions/[email protected] | |
| with: | |
| files: | | |
| ^src/.+\.js | |
| - name: Get changed requirements files | |
| id: changed-requirements | |
| uses: tj-actions/[email protected] | |
| with: | |
| files: ^requirements/.+\.txt$ | |
| outputs: | |
| changed-py-files: ${{ steps.changed-py-files.outputs.any_changed }} | |
| changed-js-files: ${{ steps.changed-js-files.outputs.any_changed }} | |
| changed-requirements: ${{ steps.changed-requirements.outputs.any_changed }} | |
| tests: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - changed-files | |
| # only run tests if source files have changed (e.g. skip for PRs that only update docs) | |
| if: ${{ needs.changed-files.outputs.changed-py-files == 'true'|| needs.changed-files.outputs.changed-requirements == 'true'|| github.event_name == 'push' }} | |
| strategy: | |
| matrix: | |
| postgres: ['11', '12', '13'] | |
| name: Tests (PG ${{ matrix.postgres }}) | |
| services: | |
| postgres: | |
| image: postgres:${{ matrix.postgres }} | |
| env: | |
| POSTGRES_HOST_AUTH_METHOD: trust | |
| ports: | |
| - 5432:5432 | |
| # needed because the postgres container does not provide a healthcheck | |
| options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - uses: actions/setup-python@v2 | |
| with: | |
| python-version: '3.10' | |
| - uses: actions/setup-node@v2-beta | |
| with: | |
| node-version: '17' | |
| - name: Install system packages | |
| run: | | |
| sudo apt-get update \ | |
| && sudo apt-get install -y --no-install-recommends | |
| - name: Install dependencies | |
| run: pip install -r requirements/dev.txt codecov | |
| - name: Build frontend | |
| run: | | |
| npm ci --legacy-peer-deps | |
| npm run build | |
| - name: Run tests | |
| run: | | |
| python src/manage.py collectstatic --noinput --link | |
| coverage run src/manage.py test src | |
| env: | |
| DJANGO_SETTINGS_MODULE: openklant.conf.dev | |
| SECRET_KEY: dummy | |
| DB_USER: postgres | |
| DB_PASSWORD: '' | |
| - name: Publish coverage report | |
| uses: codecov/codecov-action@v1 | |
| docker: | |
| needs: tests | |
| name: Docker image build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Determine tag/commit hash | |
| id: vars | |
| run: | | |
| # Strip git ref prefix from version | |
| VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') | |
| # Strip "v" prefix from tag name (if present at all) | |
| [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') | |
| # Use Docker `latest` tag convention | |
| [ "$VERSION" == "master" ] && VERSION=latest | |
| echo "tag=${VERSION}" >> $GITHUB_OUTPUT | |
| echo "git_hash=${GITHUB_SHA}" >> $GITHUB_OUTPUT | |
| - name: Build the Docker image | |
| run: | | |
| docker build \ | |
| --tag $IMAGE_NAME:${{ steps.vars.outputs.tag }} \ | |
| --build-arg COMMIT_HASH=${{ steps.vars.outputs.git_hash }} \ | |
| --build-arg RELEASE=${{ steps.vars.outputs.tag }} \ | |
| . | |
| - run: docker image save -o image.tar $IMAGE_NAME:${{ steps.vars.outputs.tag }} | |
| - name: Store image artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: docker-image | |
| path: image.tar | |
| retention-days: 1 | |
| image_scan: | |
| runs-on: ubuntu-latest | |
| name: Scan docker image | |
| needs: | |
| - docker | |
| steps: | |
| # So the scanner gets commit meta-information | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Derive version | |
| id: vars | |
| run: | | |
| # Strip git ref prefix from version | |
| VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') | |
| # Strip "v" prefix from tag name (if present at all) | |
| [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') | |
| # Use Docker `latest` tag convention | |
| [ "$VERSION" == "master" ] && VERSION=latest | |
| # PRs result in version 'merge' -> transform that into 'latest' | |
| [ "$VERSION" == "merge" ] && VERSION=latest | |
| echo "version=${VERSION}" >> $GITHUB_OUTPUT | |
| - name: Download built image | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: docker-image | |
| - name: Scan image with Trivy | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| input: /github/workspace/image.tar # from download-artifact | |
| format: 'sarif' | |
| output: 'trivy-results-docker.sarif' | |
| ignore-unfixed: true | |
| - name: Upload results to GH Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: 'trivy-results-docker.sarif' | |
| publish: | |
| needs: | |
| - tests | |
| - docker | |
| name: Push Docker image | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.repository_owner == 'open-klant' # exclude PRs/forks | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Download built image | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: docker-image | |
| - name: Determine tag/commit hash | |
| id: vars | |
| run: | | |
| # Strip git ref prefix from version | |
| VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') | |
| # Strip "v" prefix from tag name (if present at all) | |
| [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') | |
| # Use Docker `latest` tag convention | |
| [ "$VERSION" == "main" ] && VERSION=latest | |
| echo "tag=${VERSION}" >> $GITHUB_OUTPUT | |
| - name: Load image | |
| run: | | |
| docker image load -i image.tar | |
| - name: Log into registry | |
| run: echo "${{ secrets.DOCKER_TOKEN }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin | |
| - name: Push the Docker image | |
| run: docker push $IMAGE_NAME:${{ steps.vars.outputs.tag }} |