Merge pull request #338 from minvws/syslog #861
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - v* | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| - name: Run build action | |
| uses: minvws/action-python-poetry-install@v1 | |
| with: | |
| python_version: "3.14" | |
| lint: | |
| name: Run code linter | |
| runs-on: ubuntu-24.04 | |
| needs: build | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| - name: Run build action | |
| uses: minvws/action-python-poetry-install@v1 | |
| with: | |
| python_version: "3.14" | |
| - name: Lint | |
| run: poetry run $(make lint --just-print --silent) | |
| type-check: | |
| name: Check static types | |
| runs-on: ubuntu-24.04 | |
| needs: build | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| - name: Run build action | |
| uses: minvws/action-python-poetry-install@v1 | |
| with: | |
| python_version: "3.14" | |
| - name: Check static types | |
| run: poetry run $(make type-check --just-print --silent) | |
| safety-check: | |
| name: Scan packages for vulnerabilities | |
| runs-on: ubuntu-24.04 | |
| needs: build | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| - name: Run build action | |
| uses: minvws/action-python-poetry-install@v1 | |
| with: | |
| python_version: "3.14" | |
| - name: Scan packages for vulnerabilities | |
| run: poetry run $(make safety-check --just-print --silent) | |
| spelling-check: | |
| name: Run spelling check | |
| runs-on: ubuntu-24.04 | |
| needs: build | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| - name: Run build action | |
| uses: minvws/action-python-poetry-install@v1 | |
| with: | |
| python_version: "3.14" | |
| - uses: codespell-project/codespell-problem-matcher@v1 | |
| - name: Run spelling check | |
| run: poetry run $(make spelling-check --just-print --silent) | |
| test: | |
| name: Run the tests | |
| runs-on: ubuntu-24.04 | |
| needs: build | |
| services: | |
| prs_db: | |
| image: postgres:15 | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: testing | |
| ports: | |
| - 5432:5432 | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| - name: Run build action | |
| uses: minvws/action-python-poetry-install@v1 | |
| with: | |
| python_version: "3.14" | |
| - name: install dependencies | |
| run: | | |
| sudo apt update | |
| sudo apt install -y libpq-dev build-essential postgresql-client | |
| - name: install liboprf | |
| run: | | |
| sudo apt install -y libsodium-dev | |
| git clone --depth 1 --branch v0.9.3 https://github.com/stef/liboprf.git | |
| cd liboprf/src | |
| make | |
| sudo make install | |
| sudo ldconfig | |
| - name: Run the tests | |
| env: | |
| FASTAPI_CONFIG_PATH: ./app.ci.conf | |
| run: | | |
| sudo bash -c 'echo "127.0.0.1 prs_db" >> /etc/hosts' | |
| DSN="postgresql://postgres:postgres@prs_db:5432/postgres" poetry run ./tools/migrate_db.sh | |
| poetry run $(make test --just-print --silent) | |
| - name: Upload coverage report | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: coverage | |
| path: coverage.xml | |
| sonar: | |
| name: SonarCloud | |
| runs-on: ubuntu-24.04 | |
| needs: test | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download coverage report | |
| uses: actions/download-artifact@v8 | |
| with: | |
| name: coverage | |
| - name: Run SonarQube scan | |
| uses: minvws/action-sonarqube@v1 | |
| with: | |
| sonar-token: ${{ secrets.SONAR_TOKEN }} | |
| detect_modified_files: | |
| name: Modified files | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| image_files_changed: ${{ steps.image-files-changed.outputs.any_changed }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| - name: Check image-related file changes | |
| id: image-files-changed | |
| uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6 | |
| with: | |
| files: | | |
| docker/Dockerfile | |
| pyproject.toml | |
| poetry.lock | |
| .github/workflows/ci.yaml | |
| image_build_scan_push: | |
| name: Build, scan, and push Docker image | |
| runs-on: ubuntu-24.04 | |
| needs: | |
| [ | |
| build, | |
| lint, | |
| type-check, | |
| safety-check, | |
| spelling-check, | |
| test, | |
| detect_modified_files, | |
| ] | |
| # Only run this job on main branch, version tags, or if image-related files have changed | |
| if: | | |
| github.ref == 'refs/heads/main' || | |
| startsWith(github.ref, 'refs/tags/v') || | |
| needs.detect_modified_files.outputs.image_files_changed == 'true' | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v7 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v4 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set release version | |
| run: | | |
| RELEASE_VERSION="${GITHUB_REF#refs/*/}" | |
| echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v7 | |
| env: | |
| NEW_UID: 1000 | |
| NEW_GID: 1000 | |
| with: | |
| context: . | |
| file: docker/Dockerfile | |
| push: false | |
| load: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-args: | | |
| NEW_UID=${{ env.NEW_UID }} | |
| NEW_GID=${{ env.NEW_GID }} | |
| standalone=true | |
| RELEASE_VERSION=${{ env.RELEASE_VERSION }} | |
| GIT_SHA=${{ github.sha }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@v0.36.0 | |
| with: | |
| image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| exit-code: "0" | |
| severity: "CRITICAL,HIGH" | |
| vuln-type: "library" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v4 | |
| # Only upload SARIF results on main branch or version tags | |
| if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| - name: Fail build on vulnerabilities | |
| uses: aquasecurity/trivy-action@v0.36.0 | |
| with: | |
| image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
| format: "table" | |
| exit-code: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) && '0' || '1' }} | |
| severity: "CRITICAL,HIGH" | |
| vuln-type: "library" | |
| skip-setup-trivy: true | |
| - name: Push Docker image | |
| if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') | |
| run: | | |
| echo "${{ steps.meta.outputs.tags }}" | xargs -I{} docker push {} |