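# CI pipeline: static/dependency security scan -> lint -> test.
#
# Security posture of this file:
#   * GITHUB_TOKEN is read-only for every job (see `permissions`).
#   * Repository secrets are scoped to the single job that needs them instead
#     of being exported workflow-wide; the workflow-level `env` holds only
#     non-sensitive values.
#   * NOTE(security): every third-party action below is referenced by a
#     mutable version tag. Pin each `uses:` to a full commit SHA (keep the
#     version in a trailing comment) and let Dependabot/Renovate bump it, so a
#     hijacked tag cannot inject code into runs that hold secrets.
name: CI

on:
  pull_request:
  push:
    branches: [main, develop]
  workflow_call:
    secrets:
      RAILS_MASTER_KEY:
        required: true
      CC_TEST_REPORTER_ID:
        required: false
      MERGIFY_TOKEN:
        required: false

# Least privilege for the automatic token: nothing here pushes, comments, or
# publishes. Artifact upload uses the runtime token, not these permissions, and
# Mergify/Code Climate use their own tokens. Raise per job if ever required.
permissions:
  contents: read

env:
  RAILS_ENV: test
  CI: "true"
  # Credentials for the ephemeral postgres service container defined in the
  # `test` job. They never leave the runner, so they are deliberately not
  # secrets.
  DATABASE_URL: postgres://postgres:postgres@localhost:5432/cipherswarm_test
  APPLICATION_HOST: localhost

jobs:
  scan_ruby:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6.0.3
        with:
          # Do not leave GITHUB_TOKEN in .git/config; no later step in this
          # job talks to GitHub over git.
          persist-credentials: false
      - uses: jdx/mise-action@v4.0.1
        with:
          install: true
          cache: true
          github_token: ${{ secrets.GITHUB_TOKEN }}
      # Assumes `just install` does not boot Rails (no RAILS_MASTER_KEY here).
      # If this job starts failing on missing credentials, add the key to this
      # job's `env` rather than back at workflow level.
      - run: just install
      - name: Static security scan of application code (Brakeman)
        run: bin/brakeman --no-pager
      - name: Audit gems for known vulnerabilities
        # bundler-audit is installed unpinned and the advisory DB is refreshed
        # on every run, so this step is intentionally non-reproducible: a newly
        # published advisory is supposed to fail the build.
        run: |
          gem install bundler-audit
          bundle audit check --update

  lint:
    runs-on: ubuntu-latest
    needs: scan_ruby
    steps:
      - name: Checkout code
        uses: actions/checkout@v6.0.3
        with:
          persist-credentials: false
      - uses: jdx/mise-action@v4.0.1
        with:
          install: true
          cache: true
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - run: just install
      - name: Lint code for consistent style
        run: bin/rubocop -f github

  lint_api:
    runs-on: ubuntu-latest
    needs: scan_ruby
    steps:
      - name: Checkout code
        uses: actions/checkout@v6.0.3
        with:
          persist-credentials: false
      - uses: jdx/mise-action@v4.0.1
        with:
          install: true
          cache: true
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Lint OpenAPI specification
        run: mise exec -- vacuum lint swagger/v1/swagger.json -r vacuum-ruleset.yaml -b

  test:
    runs-on: ubuntu-latest
    needs: [scan_ruby, lint]
    env:
      # The only job that boots Rails, so the only job that receives the
      # master key. On pull_request runs from forks these secrets are empty
      # by design; the Code Climate steps are skipped in that case.
      RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
      CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
    services:
      postgres:
        image: postgres:17.2-alpine
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        ports:
          - "5432:5432"
        options: --health-cmd="pg_isready" --health-interval=10s --health-timeout=5s --health-retries=3
      redis:
        image: redis:7.2
        ports:
          - "6379:6379"
        options: --health-cmd "redis-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5
    steps:
      - name: Checkout code
        uses: actions/checkout@v6.0.3
        with:
          # Full history so `undercover --compare origin/<base>` has the base
          # ref available locally.
          fetch-depth: 0
          # Third-party binaries run later in this job; do not leave the
          # GITHUB_TOKEN lying in .git/config for them. Assumes no later step
          # fetches or pushes over git (undercover diffs against the already
          # fetched ref) — confirm if a step starts failing with auth errors.
          persist-credentials: false
      - uses: jdx/mise-action@v4.0.1
        with:
          install: true
          cache: true
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - run: just setup
      - name: Install Chrome and dependencies
        run: |
          sudo apt-get update
          sudo apt-get install --no-install-recommends -y \
            curl \
            libjemalloc2 \
            libvips \
            postgresql-client \
            libpq-dev \
            wget \
            ca-certificates \
            gnupg
          # Google's apt signing key is fetched over TLS and every package is
          # then verified against it (signed-by). The repository itself is also
          # fetched over HTTPS so index metadata is not exposed or tamperable in
          # transit.
          wget -q -O - https://dl.google.com/linux/linux_signing_key.pub | sudo gpg --dearmor -o /usr/share/keyrings/google-chrome-keyring.gpg
          echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-chrome-keyring.gpg] https://dl.google.com/linux/chrome/deb/ stable main" | sudo tee /etc/apt/sources.list.d/google-chrome.list
          sudo apt-get update
          sudo apt-get install --no-install-recommends -y google-chrome-stable
          # Verify Chrome installation
          google-chrome-stable --version || google-chrome --version
      - name: Precompile assets
        run: just assets-precompile
      - name: Setup Code Climate Test Reporter
        if: env.CC_TEST_REPORTER_ID != ''
        # NOTE(security): this downloads an unpinned "latest" binary and runs it
        # in a job whose environment holds RAILS_MASTER_KEY; nothing beyond TLS
        # verifies it. Pin a released version and check its published sha256
        # before executing it. `-f` makes an HTTP error fail the step instead of
        # chmod'ing an error page and executing that.
        run: |
          mkdir -p tmp/
          curl --proto '=https' --tlsv1.2 -fsSL \
            https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 \
            -o ./tmp/cc-test-reporter
          chmod +x ./tmp/cc-test-reporter
          ./tmp/cc-test-reporter before-build
      - name: Run tests
        env:
          HEADLESS: "true"
          # Help webdrivers find Chrome
          CHROME_BIN: /usr/bin/google-chrome-stable
        run: bin/bundle exec rspec --exclude-pattern "spec/system/**/*_spec.rb" --profile 10 --format RspecJunitFormatter --out /tmp/test-results/rspec.xml --format progress
      - name: Upload Test Results
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: test-results
          path: /tmp/test-results
          if-no-files-found: ignore
      - name: Wrap JUnit XML for Mergify
        id: junit-wrap
        # Runs even when rspec failed (but not when the job was cancelled) so a
        # failing run still gets reported. Wraps a single <testsuite> root in
        # <testsuites> when the formatter did not emit one.
        if: ${{ !cancelled() }}
        run: |
          FILE=/tmp/test-results/rspec.xml
          if [ ! -f "$FILE" ]; then
            echo "report_exists=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "report_exists=true" >> "$GITHUB_OUTPUT"
          if ! grep -q '<testsuites' "$FILE"; then
            sed -i '/<?xml/d' "$FILE"
            sed -i '1i\<?xml version="1.0" encoding="UTF-8"?>\n<testsuites>' "$FILE"
            echo '</testsuites>' >> "$FILE"
          fi
      - name: Mergify CI Upload
        # Secrets cannot be tested directly in `if:`; mirror the presence check
        # into an env var and gate on that.
        if: ${{ !cancelled() && env.HAS_MERGIFY_TOKEN == 'true' && steps.junit-wrap.outputs.report_exists == 'true' }}
        env:
          HAS_MERGIFY_TOKEN: ${{ secrets.MERGIFY_TOKEN != '' }}
        uses: mergifyio/gha-mergify-ci@v18
        with:
          token: ${{ secrets.MERGIFY_TOKEN }}
          report_path: /tmp/test-results/rspec.xml
      - name: Check coverage of changed code
        continue-on-error: true # Transitional: tus upload migration has uncovered fallback paths
        env:
          # Passed through the environment rather than interpolated into the
          # script text, so the ref can never be parsed as shell.
          BASE_REF: ${{ github.base_ref || 'main' }}
        run: bin/bundle exec undercover --compare "origin/$BASE_REF" --exclude-files "lib/tasks/*.rake"
      - name: Upload coverage results to Code Climate
        if: env.CC_TEST_REPORTER_ID != ''
        run: |
          ./tmp/cc-test-reporter format-coverage -t simplecov coverage/.resultset.json
          ./tmp/cc-test-reporter upload-coverage
      - name: Upload coverage artifacts
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: coverage
          path: coverage/
          if-no-files-found: ignore
      - name: Upload Capybara screenshots
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: capybara-screenshots
          path: "${{ github.workspace }}/tmp/capybara"
          if-no-files-found: ignore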