Allow to run CI from fork #1881
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- develop | |
- staging | |
- master | |
- ephemeral-* | |
pull_request: | |
branches: | |
- develop | |
- staging | |
- master | |
- ephemeral-* | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
frontend_tests: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Use Node.js | |
uses: actions/setup-node@v2 | |
with: | |
node-version: '18' | |
- name: Cache dependencies | |
uses: actions/cache@v2 | |
with: | |
path: | | |
frontend/node_modules | |
frontend/.yarn | |
frontend/.yarn/cache | |
key: ${{ runner.os }}-node-${{ hashFiles('frontend/yarn.lock') }} | |
restore-keys: | | |
${{ runner.os }}-node- | |
- run: yarn install --frozen-lockfile | |
working-directory: frontend | |
- run: yarn lint | |
working-directory: frontend | |
- run: yarn test --watchAll=false | |
working-directory: frontend | |
build_dev: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v1 | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Docker environment | |
run: | | |
echo "DOCKERHUB_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}" >> $GITHUB_ENV | |
echo "DOCKERHUB_TOKEN=${{ secrets.DOCKERHUB_TOKEN }}" >> $GITHUB_ENV | |
if [ -n "${{ vars.DOCKERHUB_ORGANIZATION }}" ]; then | |
echo "DOCKERHUB_ORGANIZATION=${{ vars.DOCKERHUB_ORGANIZATION }}" >> $GITHUB_ENV | |
else | |
echo "DOCKERHUB_ORGANIZATION=unicef" >> $GITHUB_ENV | |
fi | |
- name: DockerHub login | |
uses: docker/login-action@v1 | |
if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }} | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Push dev | |
run: | | |
docker buildx create --use | |
option=load | |
if [ -n "${{ env.DOCKERHUB_USERNAME }}" ] && [ -n "${{ env.DOCKERHUB_TOKEN }}" ]; then | |
option=push | |
fi | |
docker buildx build \ | |
--progress=plain \ | |
--cache-from type=gha,scope=${{ github.ref_name }} \ | |
--cache-to type=gha,mode=max,scope=${{ github.ref_name }} \ | |
-t ${{ env.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev \ | |
-t ${{ env.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-latest-dev \ | |
-f ./docker/Dockerfile \ | |
--target dev \ | |
--$option \ | |
./ | |
- name: Save image to tar | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
run: | | |
docker save ${{ env.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev | gzip > /tmp/dev-image.tar.gz | |
- name: Upload Artifact | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: dev-artifact | |
path: /tmp/dev-image.tar.gz | |
isort: | |
runs-on: ubuntu-latest | |
needs: [build_dev] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Docker environment | |
run: | | |
echo "DOCKERHUB_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}" >> $GITHUB_ENV | |
echo "DOCKERHUB_TOKEN=${{ secrets.DOCKERHUB_TOKEN }}" >> $GITHUB_ENV | |
if [ -n "${{ vars.DOCKERHUB_ORGANIZATION }}" ]; then | |
echo "DOCKERHUB_ORGANIZATION=${{ vars.DOCKERHUB_ORGANIZATION }}" >> $GITHUB_ENV | |
else | |
echo "DOCKERHUB_ORGANIZATION=unicef" >> $GITHUB_ENV | |
fi | |
- name: Download Artifact | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: dev-artifact | |
path: /tmp | |
- name: Load image from tar | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
run: | | |
gunzip -c /tmp/dev-image.tar.gz | docker load | |
- name: Check | |
run: | | |
docker run --rm -i \ | |
${{ env.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev \ | |
isort . --check-only | |
black: | |
runs-on: ubuntu-latest | |
needs: [build_dev] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Docker environment | |
run: | | |
echo "DOCKERHUB_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}" >> $GITHUB_ENV | |
echo "DOCKERHUB_TOKEN=${{ secrets.DOCKERHUB_TOKEN }}" >> $GITHUB_ENV | |
if [ -n "${{ vars.DOCKERHUB_ORGANIZATION }}" ]; then | |
echo "DOCKERHUB_ORGANIZATION=${{ vars.DOCKERHUB_ORGANIZATION }}" >> $GITHUB_ENV | |
else | |
echo "DOCKERHUB_ORGANIZATION=unicef" >> $GITHUB_ENV | |
fi | |
- name: Download Artifact | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: dev-artifact | |
path: /tmp | |
- name: Load image from tar | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
run: | | |
gunzip -c /tmp/dev-image.tar.gz | docker load | |
- name: Check | |
run: | | |
docker run --rm -i \ | |
${{ env.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev \ | |
black . --check | |
flake8: | |
runs-on: ubuntu-latest | |
needs: [build_dev] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Docker environment | |
run: | | |
echo "DOCKERHUB_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}" >> $GITHUB_ENV | |
echo "DOCKERHUB_TOKEN=${{ secrets.DOCKERHUB_TOKEN }}" >> $GITHUB_ENV | |
if [ -n "${{ vars.DOCKERHUB_ORGANIZATION }}" ]; then | |
echo "DOCKERHUB_ORGANIZATION=${{ vars.DOCKERHUB_ORGANIZATION }}" >> $GITHUB_ENV | |
else | |
echo "DOCKERHUB_ORGANIZATION=unicef" >> $GITHUB_ENV | |
fi | |
- name: Download Artifact | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: dev-artifact | |
path: /tmp | |
- name: Load image from tar | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
run: | | |
gunzip -c /tmp/dev-image.tar.gz | docker load | |
- name: Check | |
run: | | |
docker run --rm -i \ | |
${{ env.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev \ | |
flake8 . | |
mypy: | |
runs-on: ubuntu-latest | |
needs: [build_dev] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Docker environment | |
run: | | |
echo "DOCKERHUB_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}" >> $GITHUB_ENV | |
echo "DOCKERHUB_TOKEN=${{ secrets.DOCKERHUB_TOKEN }}" >> $GITHUB_ENV | |
if [ -n "${{ vars.DOCKERHUB_ORGANIZATION }}" ]; then | |
echo "DOCKERHUB_ORGANIZATION=${{ vars.DOCKERHUB_ORGANIZATION }}" >> $GITHUB_ENV | |
else | |
echo "DOCKERHUB_ORGANIZATION=unicef" >> $GITHUB_ENV | |
fi | |
- name: Download Artifact | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: dev-artifact | |
path: /tmp | |
- name: Load image from tar | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
run: | | |
gunzip -c /tmp/dev-image.tar.gz | docker load | |
- name: Check | |
run: | | |
docker run --rm -i \ | |
${{ env.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev \ | |
mypy . | |
build_dist: | |
needs: [build_dev] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v1 | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Docker environment | |
run: | | |
echo "DOCKERHUB_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}" >> $GITHUB_ENV | |
echo "DOCKERHUB_TOKEN=${{ secrets.DOCKERHUB_TOKEN }}" >> $GITHUB_ENV | |
if [ -n "${{ vars.DOCKERHUB_ORGANIZATION }}" ]; then | |
echo "DOCKERHUB_ORGANIZATION=${{ vars.DOCKERHUB_ORGANIZATION }}" >> $GITHUB_ENV | |
else | |
echo "DOCKERHUB_ORGANIZATION=unicef" >> $GITHUB_ENV | |
fi | |
- name: DockerHub login | |
uses: docker/login-action@v1 | |
if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }} | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Push dist | |
run: | | |
docker buildx create --use | |
option=load | |
if [ -n "${{ env.DOCKERHUB_USERNAME }}" ] && [ -n "${{ env.DOCKERHUB_TOKEN }}" ]; then | |
option=push | |
fi | |
# Base part of the command | |
build_command="docker buildx build \ | |
--progress=plain \ | |
--cache-from type=gha,scope=${{ github.ref_name }} \ | |
--cache-to type=gha,mode=max,scope=${{ github.ref_name }} \ | |
-t ${{ env.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dist \ | |
-t ${{ env.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }} \ | |
-f ./docker/Dockerfile \ | |
--target dist \ | |
--$option ./" | |
if [ -n "${{ env.DOCKERHUB_USERNAME }}" ] && [ -n "${{ env.DOCKERHUB_TOKEN }}" ] && [ "${{ github.ref }}" = "refs/heads/master" ]; then | |
version=$(python3 -c "import sys; version=None; [version:=line.split('=')[1].strip().strip('\"') for line in open('backend/pyproject.toml', 'r') if line.strip().startswith('version =')]; print(version if version else sys.exit(1))") | |
tagged_image=${{ env.DOCKERHUB_ORGANIZATION }}/hope:core-$version | |
build_command="$build_command -t $tagged_image" | |
fi | |
eval $build_command | |
- name: Save image to tar | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
run: | | |
docker save ${{ env.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dist | gzip > /tmp/dist-image.tar.gz | |
- name: Upload Artifact | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: dist-artifact | |
path: /tmp/dist-image.tar.gz | |
unit_tests: | |
runs-on: ubuntu-latest | |
needs: [build_dev] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Docker environment | |
run: | | |
echo "DOCKERHUB_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}" >> $GITHUB_ENV | |
echo "DOCKERHUB_TOKEN=${{ secrets.DOCKERHUB_TOKEN }}" >> $GITHUB_ENV | |
if [ -n "${{ vars.DOCKERHUB_ORGANIZATION }}" ]; then | |
echo "DOCKERHUB_ORGANIZATION=${{ vars.DOCKERHUB_ORGANIZATION }}" >> $GITHUB_ENV | |
else | |
echo "DOCKERHUB_ORGANIZATION=unicef" >> $GITHUB_ENV | |
fi | |
- name: Download Artifact | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: dev-artifact | |
path: /tmp | |
- name: Load image from tar | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
run: | | |
gunzip -c /tmp/dev-image.tar.gz | docker load | |
- name: Unit tests | |
run: | | |
backend_image=${{ env.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev docker compose \ | |
-f ./deployment/docker-compose.tst.yml \ | |
run backend ./dev.sh test | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v4 | |
with: | |
files: ./backend/coverage.xml | |
flags: unittests | |
token: ${{ secrets.CODECOV_TOKEN }} | |
verbose: true | |
e2e_tests: | |
runs-on: ubuntu-latest | |
needs: [build_dist] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Docker environment | |
run: | | |
echo "DOCKERHUB_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}" >> $GITHUB_ENV | |
echo "DOCKERHUB_TOKEN=${{ secrets.DOCKERHUB_TOKEN }}" >> $GITHUB_ENV | |
if [ -n "${{ vars.DOCKERHUB_ORGANIZATION }}" ]; then | |
echo "DOCKERHUB_ORGANIZATION=${{ vars.DOCKERHUB_ORGANIZATION }}" >> $GITHUB_ENV | |
else | |
echo "DOCKERHUB_ORGANIZATION=unicef" >> $GITHUB_ENV | |
fi | |
- name: Download Dev Artifact | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: dev-artifact | |
path: /tmp | |
- name: Download Dist Artifact | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: dist-artifact | |
path: /tmp | |
- name: Load images from tar | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
run: | | |
gunzip -c /tmp/dev-image.tar.gz | docker load | |
gunzip -c /tmp/dist-image.tar.gz | docker load | |
- name: E2E tests | |
run: | | |
dist_backend_image=${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dist dev_backend_image=${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}-dev docker compose \ | |
-f ./deployment/docker-compose.selenium.yml \ | |
run selenium | |
- name: Upload Artifact | |
uses: actions/upload-artifact@v4 | |
if: always() | |
continue-on-error: true | |
with: | |
name: report | |
path: ./backend/report/ | |
retention-days: 5 | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v4 | |
if: always() | |
continue-on-error: true | |
with: | |
files: ./backend/coverage.xml | |
flags: e2e | |
token: ${{ secrets.CODECOV_TOKEN }} | |
verbose: true | |
trivy: | |
runs-on: ubuntu-latest | |
needs: [build_dist] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
- name: Set up Docker environment | |
run: | | |
echo "DOCKERHUB_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}" >> $GITHUB_ENV | |
echo "DOCKERHUB_TOKEN=${{ secrets.DOCKERHUB_TOKEN }}" >> $GITHUB_ENV | |
if [ -n "${{ vars.DOCKERHUB_ORGANIZATION }}" ]; then | |
echo "DOCKERHUB_ORGANIZATION=${{ vars.DOCKERHUB_ORGANIZATION }}" >> $GITHUB_ENV | |
else | |
echo "DOCKERHUB_ORGANIZATION=unicef" >> $GITHUB_ENV | |
fi | |
- name: Download Dist Artifact | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
uses: actions/download-artifact@v4 | |
with: | |
name: dist-artifact | |
path: /tmp | |
- name: Load images from tar | |
if: ${{ !( env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN ) }} | |
run: | | |
gunzip -c /tmp/dist-image.tar.gz | docker load | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: '${{ vars.DOCKERHUB_ORGANIZATION }}/hope-support-images:core-${{ github.sha }}' | |
format: 'table' | |
exit-code: '0' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: 'CRITICAL,HIGH' | |
deploy: | |
runs-on: ubuntu-latest | |
needs: [e2e_tests, unit_tests, isort, black, flake8, mypy, frontend_tests] | |
if: | | |
github.event_name == 'push' && | |
( | |
github.ref == 'refs/heads/develop' || | |
github.ref == 'refs/heads/staging' || | |
github.ref == 'refs/heads/master' || | |
github.ref == 'refs/heads/ephemeral-1' || | |
github.ref == 'refs/heads/ephemeral-2' || | |
github.ref == 'refs/heads/ephemeral-3' | |
) | |
steps: | |
- name: Trigger deploy | |
run: | | |
# TODO: make it prettier | |
if [ ${{ github.ref }} == 'refs/heads/develop' ]; then | |
pipelineId=1159 | |
elif [ ${{ github.ref }} == 'refs/heads/staging' ]; then | |
pipelineId=1160 | |
elif [ ${{ github.ref }} == 'refs/heads/master' ]; then | |
pipelineId=1161,1165 | |
elif [ ${{ github.ref }} == 'refs/heads/ephemeral-1' ]; then | |
pipelineId=1164 | |
elif [ ${{ github.ref }} == 'refs/heads/ephemeral-2' ]; then | |
pipelineId=1253 | |
elif [ ${{ github.ref }} == 'refs/heads/ephemeral-3' ]; then | |
pipelineId=1283 | |
else | |
echo "No pipeline to trigger for ref ${{ github.ref }}" | |
exit 0 | |
fi | |
IFS=',' read -ra pipelines <<< "$pipelineId" | |
for pipeline in "${pipelines[@]}"; do | |
jsonBody='{"variables": {"sha": {"isSecret": false, "value": "${{ github.sha }}"}, "tag": {"isSecret": false, "value": "core-${{ github.sha }}"}}}' | |
contentLength=$(echo -n $jsonBody | wc -c) | |
project=ICTD-HCT-MIS | |
organization=unicef | |
echo Triggering deploy for pipeline $pipeline | |
echo JSON body: $jsonBody | |
curl -v -L \ | |
-u ":${{ secrets.AZURE_PAT }}" \ | |
-H "Content-Type: application/json" \ | |
-H "Content-Length: $contentLength" \ | |
-d "$jsonBody" \ | |
https://dev.azure.com/$organization/$project/_apis/pipelines/$pipeline/runs?api-version=7.1-preview.1 | |
if [ $? -ne 0 ]; then | |
echo "Failed to trigger deploy for pipeline $pipeline" | |
exit 1 | |
fi | |
done |