Merge pull request #830 from open-data-rescue/staging #257
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: "Build Draw Docker image for Deploy" | |
| on: | |
| push: | |
| branches: | |
| - production | |
| - staging | |
| - development | |
| tags: | |
| - 'v*' | |
| workflow_dispatch: | |
| inputs: | |
| logLevel: | |
| description: 'Log level' | |
| required: true | |
| default: 'warning' | |
| type: choice | |
| options: | |
| - info | |
| - warning | |
| - debug | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| # Temp keys for building assets and tests, not used ion any other environments | |
| env: | |
| DEVISE_SECRET: aa77bb734faa9b935c1f8b68846e37aed9096cc9fb746copypastaf856594409a11b1086535e468edb2e5bbc18482b386b6264ada38703dcdefd94a291ab5a95eb5 | |
| SECRET_KEY_BASE: aa77bb734faa9b935c1f8b68846e37aed9096cc9fb746copypastaf856594409a11b1086535e468edb2e5bbc18482b386b6264ada38703dcdefd94a291ab5a95eb5 | |
| TEST_TAG: ${{ github.repository_owner }}/climate-data-rescue:test | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| steps: | |
| - name: Maximize build space | |
| uses: easimon/maximize-build-space@master | |
| with: | |
| swap-size-mb: 4096 | |
| temp-reserve-mb: 4096 | |
| root-reserve-mb: 16384 | |
| remove-dotnet: 'true' | |
| remove-android: 'true' | |
| remove-haskell: 'true' | |
| - name: Build Space | |
| run: | | |
| echo "Free space:" | |
| df -h | |
| - uses: actions/checkout@v3 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern=latest | |
| # type=raw,enable=true,priority=200,value=test | |
| - name: Set up Docker Buildx | |
| id: buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Builder instance name | |
| run: echo ${{ steps.buildx.outputs.name }} | |
| - name: Available platforms | |
| run: echo ${{ steps.buildx.outputs.platforms }} | |
| - name: Cache Docker layers | |
| uses: actions/cache@v3 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx- | |
| - name: Build the image | |
| id: docker_build | |
| uses: docker/build-push-action@v4 | |
| with: | |
| context: ./ | |
| file: ./Dockerfile-prod | |
| builder: ${{ steps.buildx.outputs.name }} | |
| build-args: | | |
| DEVISE_SECRET=${{ env.DEVISE_SECRET }} | |
| SECRET_KEY_BASE=${{ env.SECRET_KEY_BASE }} | |
| RAILS_ENV=production | |
| NODE_ENV=development | |
| push: false | |
| load: true | |
| tags: ${{ env.TEST_TAG }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache-new | |
| # | |
| - name: Run specs | |
| run: | | |
| docker run -d --name="test-database" --hostname "mysql" -e "MYSQL_PASSWORD=test" -e "MYSQL_USER=test" -e "MYSQL_ROOT_PASSWORD=test" -p 127.0.0.1:3306:3306/tcp mysql:5.7 | |
| docker run --network "container:test-database" -e DB_HOST=mysql -e RAILS_ENV=test -e DEVISE_SECRET=${{ env.DEVISE_SECRET }} -e SECRET_KEY_BASE=${{ env.SECRET_KEY_BASE }} -e "MYSQL_PASSWORD=test" -e "RAILS_MYSQL_USER=root" -e "BASE_URL=localhost:3000" ${{ env.TEST_TAG }} /bin/sh -c "bin/rails db:create; bin/rails db:setup; bin/rails db:seed; bundle exec rspec" | |
| # | |
| - name: Run security tests | |
| if: ${{ startsWith(github.ref, 'refs/heads/main') || startsWith(github.ref, 'refs/heads/security-') }} | |
| run: | | |
| docker run -e RAILS_ENV=test ${{ env.TEST_TAG }} bundle update brakeman --quiet | |
| docker run -e RAILS_ENV=test ${{ env.TEST_TAG }} bundle exec brakeman --run-all-checks --no-pager | |
| # docker run -e RAILS_ENV=test ${{ env.TEST_TAG }} bundle exec bundler-audit check --update | |
| # docker run -e RAILS_ENV=test ${{ env.TEST_TAG }} bundle exec ruby-audit check | |
| docker run -e RAILS_ENV=production -e NODE_ENV=production ${{ env.TEST_TAG }} /bin/sh -c "bin/yarn install --frozen-lockfile; yarn check --integrity" | |
| # | |
| - name: Push the image | |
| id: docker_push | |
| uses: docker/build-push-action@v2 | |
| with: | |
| context: ./ | |
| file: ./Dockerfile-prod | |
| builder: ${{ steps.buildx.outputs.name }} | |
| build-args: | | |
| DEVISE_SECRET=${{ env.DEVISE_SECRET }} | |
| SECRET_KEY_BASE=${{ env.SECRET_KEY_BASE }} | |
| RAILS_ENV=production | |
| NODE_ENV=development | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache-new | |
| # Needed to prevent cache from growing forever (see https://github.com/docker/build-push-action/issues/252) | |
| - name: Move cache | |
| run: | | |
| rm -rf /tmp/.buildx-cache | |
| mv /tmp/.buildx-cache-new /tmp/.buildx-cache |