Skip to content

Merge pull request #339 from minvws/dependabot/pip/version-updates-d9… #868

Merge pull request #339 from minvws/dependabot/pip/version-updates-d9…

Merge pull request #339 from minvws/dependabot/pip/version-updates-d9… #868

Workflow file for this run

name: CI
on:
workflow_dispatch:
pull_request:
push:
branches:
- main
tags:
- v*
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
name: Build
runs-on: ubuntu-24.04
steps:
- name: Checkout repository
uses: actions/checkout@v7
- name: Run build action
uses: minvws/action-python-poetry-install@v1
with:
python_version: "3.14"
lint:
name: Run code linter
runs-on: ubuntu-24.04
needs: build
steps:
- name: Checkout repository
uses: actions/checkout@v7
- name: Run build action
uses: minvws/action-python-poetry-install@v1
with:
python_version: "3.14"
- name: Lint
run: poetry run $(make lint --just-print --silent)
type-check:
name: Check static types
runs-on: ubuntu-24.04
needs: build
steps:
- name: Checkout repository
uses: actions/checkout@v7
- name: Run build action
uses: minvws/action-python-poetry-install@v1
with:
python_version: "3.14"
- name: Check static types
run: poetry run $(make type-check --just-print --silent)
safety-check:
name: Scan packages for vulnerabilities
runs-on: ubuntu-24.04
needs: build
steps:
- name: Checkout repository
uses: actions/checkout@v7
- name: Run build action
uses: minvws/action-python-poetry-install@v1
with:
python_version: "3.14"
- name: Scan packages for vulnerabilities
run: poetry run $(make safety-check --just-print --silent)
spelling-check:
name: Run spelling check
runs-on: ubuntu-24.04
needs: build
steps:
- name: Checkout repository
uses: actions/checkout@v7
- name: Run build action
uses: minvws/action-python-poetry-install@v1
with:
python_version: "3.14"
- uses: codespell-project/codespell-problem-matcher@v1
- name: Run spelling check
run: poetry run $(make spelling-check --just-print --silent)
test:
name: Run the tests
runs-on: ubuntu-24.04
needs: build
services:
prs_db:
image: postgres:15
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: testing
ports:
- 5432:5432
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
- name: Checkout repository
uses: actions/checkout@v7
- name: Run build action
uses: minvws/action-python-poetry-install@v1
with:
python_version: "3.14"
- name: install dependencies
run: |
sudo apt update
sudo apt install -y libpq-dev build-essential postgresql-client
- name: install liboprf
run: |
sudo apt install -y libsodium-dev
git clone --depth 1 --branch v0.9.3 https://github.com/stef/liboprf.git
cd liboprf/src
make
sudo make install
sudo ldconfig
- name: Run the tests
env:
FASTAPI_CONFIG_PATH: ./app.ci.conf
run: |
sudo bash -c 'echo "127.0.0.1 prs_db" >> /etc/hosts'
DSN="postgresql://postgres:postgres@prs_db:5432/postgres" poetry run ./tools/migrate_db.sh
poetry run $(make test --just-print --silent)
- name: Upload coverage report
uses: actions/upload-artifact@v7
with:
name: coverage
path: coverage.xml
sonar:
name: SonarCloud
runs-on: ubuntu-24.04
needs: test
steps:
- name: Checkout repository
uses: actions/checkout@v7
with:
fetch-depth: 0
- name: Download coverage report
uses: actions/download-artifact@v8
with:
name: coverage
- name: Run SonarQube scan
uses: minvws/action-sonarqube@v1
with:
sonar-token: ${{ secrets.SONAR_TOKEN }}
detect_modified_files:
name: Modified files
runs-on: ubuntu-24.04
outputs:
image_files_changed: ${{ steps.image-files-changed.outputs.any_changed }}
steps:
- name: Checkout repository
uses: actions/checkout@v7
- name: Check image-related file changes
id: image-files-changed
uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
with:
files: |
docker/Dockerfile
pyproject.toml
poetry.lock
.github/workflows/ci.yaml
image_build_scan_push:
name: Build, scan, and push Docker image
runs-on: ubuntu-24.04
needs:
[
build,
lint,
type-check,
safety-check,
spelling-check,
test,
detect_modified_files,
]
# Only run this job on main branch, version tags, or if image-related files have changed
if: |
github.ref == 'refs/heads/main' ||
startsWith(github.ref, 'refs/tags/v') ||
needs.detect_modified_files.outputs.image_files_changed == 'true'
steps:
- name: Checkout repository
uses: actions/checkout@v7
- name: Log in to the Container registry
uses: docker/login-action@v4
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set release version
run: |
RELEASE_VERSION="${GITHUB_REF#refs/*/}"
echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v6
with:
images: ghcr.io/${{ github.repository }}
- name: Build Docker image
uses: docker/build-push-action@v7
env:
NEW_UID: 1000
NEW_GID: 1000
with:
context: .
file: docker/Dockerfile
push: false
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
NEW_UID=${{ env.NEW_UID }}
NEW_GID=${{ env.NEW_GID }}
standalone=true
RELEASE_VERSION=${{ env.RELEASE_VERSION }}
GIT_SHA=${{ github.sha }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@v0.36.0
with:
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
format: "sarif"
output: "trivy-results.sarif"
exit-code: "0"
severity: "CRITICAL,HIGH"
vuln-type: "library"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
# Only upload SARIF results on main branch or version tags
if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
with:
sarif_file: "trivy-results.sarif"
- name: Fail build on vulnerabilities
uses: aquasecurity/trivy-action@v0.36.0
with:
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
format: "table"
exit-code: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) && '0' || '1' }}
severity: "CRITICAL,HIGH"
vuln-type: "library"
skip-setup-trivy: true
- name: Push Docker image
if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
run: |
echo "${{ steps.meta.outputs.tags }}" | xargs -I{} docker push {}