build(deps): bump the allpip group with 15 updates #2450
Workflow file for this run
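---
name: continuous-integration

# Triggers: pushes to main and to version tags (v*), plus pull requests
# targeting main. The `on:` key is a YAML 1.1 truthy word; GitHub's loader
# handles it, so a yamllint `truthy` warning here can be suppressed.
on:
  push:
    branches:
      - main
    tags:
      - 'v*'
  pull_request:
    branches:
      - main

# One run per workflow+ref; a newer push to the same ref cancels the older run.
# NOTE(review): this also applies to pushes on main and to version tags, so a
# fast follow-up push cancels an in-flight run for the previous commit.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# NOTE(review): there is no workflow-level `permissions:` block, so jobs that
# do not declare their own get the repository's default GITHUB_TOKEN scope.
# A workflow-level `permissions: { contents: read }` with per-job escalation
# would pin that to least privilege; confirm the SonarCloud and
# upload-artifact steps still work under it before adding it.

# Shared values. REGISTRY and IMAGE_NAME are not read by any step in this file;
# presumably the reusable build workflow or a consumer uses them — verify.
env:
  REGISTRY: ghcr.io
  POETRY_CACHE_DIR: ~/.cache/pypoetry
  PIPX_BIN_DIR: /usr/local/bin
  IMAGE_NAME: ${{ github.repository }}
  # Quoted so YAML keeps it a string ("3.12"), not the float 3.12.
  PYTHON_VERSION: "3.12"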
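# Job graph (from the `needs:` edges below):
#   lint, security, test-local-frontend, test-local-backend, test-compose,
#   smoke-production run independently;
#   build      <- test-local-frontend, test-local-backend, test-compose, smoke-production
#   deploy     <- build
#   deploy-pr  <- build-pr
#   notifyMattermost <- lint, security, tests, build, build-pr (only on failure)
#
# NOTE(review): only trivy-action is pinned to a commit SHA. The other
# third-party actions (docker/metadata-action@v6, SonarSource@v5.0.0,
# mattermost@v2.1.0, RijksICTGilde/zad-actions/deploy@v4) and `pipx install
# poetry` float on a tag or on "latest"; pinning them to SHAs / an explicit
# version is the usual supply-chain hardening for a workflow that holds
# deploy credentials.
#
# Shell steps never interpolate `${{ }}` expressions into the script body;
# untrusted or computed values are passed through `env:` and read as shell
# variables so that their content cannot change the script's structure.
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Install poetry
        run: pipx install poetry
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "poetry"
      - uses: actions/setup-node@v6
        with:
          node-version-file: .nvmrc
          cache: "npm"
      - name: Install dependencies
        run: |
          poetry install
          npm install
      - name: Run pyright # There is no official pyright pre-commit hook
        run: poetry run pyright

  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Install poetry
        run: pipx install poetry
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "poetry"
      - name: Install dependencies
        run: poetry install
      # liccheck 0.9.2 imports pkg_resources, which setuptools >=82 removed. The app
      # itself does not need pkg_resources at runtime, so we keep setuptools current in
      # the lock and only downgrade it here, in the license-check job, to provide
      # pkg_resources for liccheck. Drop this once liccheck no longer needs pkg_resources.
      - name: Provide pkg_resources for liccheck
        run: poetry run pip install "setuptools<81"
      - name: check licenses used by project in pyproject.toml
        run: poetry run liccheck -s pyproject.toml
      # Filesystem scan of the checked-out tree; scanner options live in trivy.yaml.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
        with:
          trivy-config: trivy.yaml
          scan-type: fs
          scan-ref: "."

  # Runs the test suite inside the compose `test` stage against postgres.
  test-compose:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      # compose.override.yml is picked up automatically by `docker compose`.
      - run: mv compose.test.yml compose.override.yml
      - run: docker compose build
      - run: docker compose down -v --remove-orphans
      - run: docker compose up -d
      - name: test frontend
        run: docker compose run amt-test npm run test
      - name: test app
        run: docker compose run amt-test poetry run pytest -m 'not slow' --db postgresql
      - name: db downgrade test
        run: docker compose exec -T amt alembic downgrade -1
      - name: db upgrade test
        run: docker compose exec -T amt alembic upgrade head
      # Tear down on failure too, matching smoke-production.
      - if: always()
        run: docker compose down -v --remove-orphans

  # Smoke test the production image. test-compose runs against the `test`
  # stage; nothing else starts the production stage, so a broken multi-stage
  # build or a missing runtime dependency would otherwise only surface after
  # deploy. This builds the default (production) target, boots it against
  # postgres and asserts the app serves a real page with its webpack assets.
  smoke-production:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Build and start the production image
        run: docker compose up -d --build
      # Polls the container's healthcheck for up to 60 x 5 s; exits 0 as soon
      # as it is healthy, 1 (with logs) on "unhealthy" or on timeout.
      # `{{.State.Health.Status}}` is a docker Go template, not a GitHub
      # expression (those need `${{`).
      - name: Wait until the amt container is healthy
        run: |
          for i in $(seq 1 60); do
            status=$(docker inspect --format '{{.State.Health.Status}}' amt-amt-1 2>/dev/null || echo missing)
            echo "attempt $i: health=$status"
            if [ "$status" = "healthy" ]; then exit 0; fi
            if [ "$status" = "unhealthy" ]; then
              docker compose logs amt
              exit 1
            fi
            sleep 5
          done
          echo "container did not become healthy in time"
          docker compose logs amt
          exit 1
      - name: Assert migrations ran in the entrypoint
        run: docker compose logs amt | grep -q "alembic.runtime.migration"
      - name: Assert the landing page renders with webpack assets
        run: |
          body=$(curl -fsS http://localhost:8070/)
          echo "$body" | grep -qE '/static/dist/amt\.[a-z0-9]+\.js' \
            || { echo "no hashed webpack bundle in the landing page"; echo "$body" | head -40; exit 1; }
          echo "$body" | grep -qE '/static/dist/main\.[a-z0-9]+\.css' \
            || { echo "no hashed css bundle in the landing page"; exit 1; }
      # The build toolchain must not ship in the runtime image.
      - name: Assert the production image carries no node toolchain
        run: |
          if docker compose exec -T amt sh -c 'command -v node || command -v npm'; then
            echo "node/npm leaked into the production image"
            exit 1
          fi
          echo "no node/npm in the production image"
      - if: always()
        run: docker compose down -v --remove-orphans

  test-local-frontend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version-file: .nvmrc
          cache: "npm"
      - name: Install dependencies
        run: npm install
      - name: Run tests
        run: npm run test

  test-local-backend:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.12"] # When using ACT only use ["3.12"]
    steps:
      # Full history; presumably needed by the SonarCloud scan below — verify.
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Install poetry
        run: pipx install poetry
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v6
        with:
          python-version: ${{ matrix.python-version }}
          cache: "poetry"
      - uses: actions/setup-node@v6
        with:
          node-version-file: .nvmrc
          cache: "npm"
      - name: Install dependencies
        run: |
          poetry install
          npm install
      - name: Install Playwright browsers
        run: poetry run playwright install --with-deps
      - name: test migrations for sqlite
        run: |
          poetry run alembic upgrade head
          poetry run alembic downgrade -1
          poetry run alembic upgrade head
      - name: Generate required files
        run: |
          npm run build
      - name: Run pytest
        run: TZ=UTC poetry run coverage run -m pytest
      - name: Upload playwright tracing
        if: failure()
        uses: actions/upload-artifact@v4.6.2
        with:
          name: playwright-${{ github.sha }}
          path: test-results/
          if-no-files-found: error
          overwrite: true
      - name: run coverage report
        run: poetry run coverage report
      - name: run coverage html
        run: poetry run coverage html
      - name: Upload code coverage report
        if: matrix.python-version == '3.12'
        uses: actions/upload-artifact@v4.6.2
        with:
          name: codecoverage-${{ github.sha }}
          path: htmlcov/
          if-no-files-found: error
          overwrite: true
      - name: run coverage xml
        run: poetry run coverage xml
      # Skipped for dependabot (no SONAR_TOKEN on its runs) and under act.
      - name: SonarCloud Scan
        if: matrix.python-version == '3.12' && github.actor != 'dependabot[bot]' && !env.ACT
        uses: SonarSource/sonarcloud-github-action@v5.0.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  # Image build for pull requests, delegated to the reusable workflow.
  build-pr:
    if: github.event_name == 'pull_request' && !github.event.act
    uses: ./.github/workflows/build-reusable.yml
    permissions:
      packages: write
      contents: read
      security-events: write
      actions: read
    secrets: inherit

  # Image build for pushes (main and v* tags); only after every test job passed.
  build:
    needs:
      - test-local-frontend
      - test-local-backend
      - test-compose
      - smoke-production
    if: >-
      github.event_name != 'pull_request' &&
      !github.event.act &&
      !contains(needs.*.result, 'failure')
    uses: ./.github/workflows/build-reusable.yml
    permissions:
      packages: write
      contents: read
      security-events: write
      actions: read
    secrets: inherit

  deploy:
    runs-on: ubuntu-latest
    needs: [build]
    permissions:
      actions: write # gh workflow run
    steps:
      - name: Extract metadata for Docker
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: "" # make empty to get the correct tag
          flavor: |
            latest=false
      - name: print metadata
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          echo "tags: $TAGS"
      - uses: actions/checkout@v6
      # Dispatches deploy.yml with the first metadata tag. Event name, actor
      # and tag are read from the environment rather than interpolated into
      # the script. GITHUB_EVENT_NAME / GITHUB_ACTOR are the runner's default
      # variables.
      # NOTE(review): with only push/pull_request triggers and `build` gated to
      # non-PR events, only the "push" branch looks reachable here; the sandbox
      # branch appears to be an act/local-run path — confirm.
      - name: Trigger deployment
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
        run: |
          if [ "$GITHUB_EVENT_NAME" = "push" ]; then
            gh workflow run deploy.yml -f image_tag="$IMAGE_TAG" -f environment=production
          elif [ "$GITHUB_ACTOR" = "uittenbroekrobbert" ]; then
            gh workflow run deploy.yml -f image_tag="$IMAGE_TAG" -f environment=sandbox
          else
            echo "Not deploying changes, there is no trigger for $GITHUB_EVENT_NAME or $GITHUB_ACTOR"
          fi

  # Preview deployment of the PR image. Pull requests from forks receive no
  # repository secrets, so for them this job fails rather than deploys;
  # presumably intended — confirm.
  deploy-pr:
    runs-on: ubuntu-latest
    needs: [build-pr]
    if: github.event_name == 'pull_request' && github.event.pull_request.user.type != 'Bot'
    permissions:
      contents: read
      packages: read
      pull-requests: write
    steps:
      - name: Extract metadata for Docker
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: ""
          flavor: |
            latest=false
      # Resolves the PR tag to its GHCR version name (digest) so the deploy
      # below pins the exact image. The tag is passed to jq with --arg and
      # compared with `==`: jq's `contains` on strings is a substring test, so
      # `contains(["pr-12"])` would also match "pr-123". Fails the step if no
      # single version matches, instead of deploying "tag@" with an empty digest.
      - name: Get GHCR package hash
        id: get_package_hash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          IMAGE_TAG: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
        run: |
          container_id=$(gh api --paginate -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /orgs/MinBZK/packages/container/amt/versions \
            | jq -r --arg tag "$IMAGE_TAG" '.[] | select(any(.metadata.container.tags[]; . == $tag)) | .name')
          if [ -z "$container_id" ] || [ "$(echo "$container_id" | wc -l)" -ne 1 ]; then
            echo "expected exactly one GHCR version tagged $IMAGE_TAG, got: '$container_id'"
            exit 1
          fi
          echo "container_id=$container_id" >> "$GITHUB_OUTPUT"
      - name: Deploy to ZAD
        uses: RijksICTGilde/zad-actions/deploy@v4
        with:
          api-key: ${{ secrets.ZAD_API_KEY_DEV }}
          project-id: amt-odc
          deployment-name: pr-${{ github.event.pull_request.number }}
          component: component-1
          image: ghcr.io/minbzk/amt:${{ fromJSON(steps.meta.outputs.json).tags[0] }}@${{ steps.get_package_hash.outputs.container_id }}
          comment-on-pr: "true"
          github-token: ${{ secrets.GITHUB_TOKEN }}

  # Failure notification. smoke-production is included: without it, a smoke
  # failure only makes `build` skip, which `contains(..., 'failure')` would
  # not report.
  notifyMattermost:
    runs-on: ubuntu-latest
    needs:
      - lint
      - security
      - test-local-backend
      - test-local-frontend
      - test-compose
      - smoke-production
      - build
      - build-pr
    if: ${{ always() && contains(needs.*.result, 'failure') }}
    steps:
      - uses: mattermost/action-mattermost-notify@v2.1.0
        if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
        with:
          MATTERMOST_WEBHOOK_URL: ${{ secrets.MM_WEBHOOK_URL }}
          MATTERMOST_CHANNEL: dev
          TEXT: |
            ${{ github.repository }} failed build for ${{ github.ref_name }} by ${{ github.actor }}
            [Pipeline](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) failed :fire:
          MATTERMOST_USERNAME: ${{ github.triggering_actor }}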