Skip to content

Update beslisboom to version v1.2.0 #1569

Update beslisboom to version v1.2.0

Update beslisboom to version v1.2.0 #1569

Workflow file for this run

name: continuous-integration
on:
push:
branches:
- main
tags:
- "v*"
pull_request:
branches:
- "main"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
REGISTRY: ghcr.io
POETRY_CACHE_DIR: ~/.cache/pypoetry
PIPX_BIN_DIR: /usr/local/bin
IMAGE_NAME: ${{ github.repository }}
PYTHON_VERSION: "3.12"
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install poetry
run: pipx install poetry
- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: "poetry"
- uses: actions/setup-node@v4
with:
node-version-file: .nvmrc
cache: "npm"
- name: Install dependencies
run: |
poetry install
npm install
- name: Run pyright # There is no official pyright pre-commit hook
run: poetry run pyright
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install poetry
run: pipx install poetry
- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: "poetry"
- name: Install dependencies
run: poetry install
- name: check licenses used by project in pyproject.toml
run: poetry run liccheck -s pyproject.toml
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
trivy-config: trivy.yaml
scan-type: fs
scan-ref: "."
test-compose:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: mv compose.test.yml compose.override.yml
- run: docker compose build
- run: docker compose down -v --remove-orphans
- run: docker compose up -d
- name: test frontend
run: docker compose run amt-test npm run test
- name: test app
run: docker compose run amt-test poetry run pytest -m 'not slow' --db postgresql
- name: db downgrade test
run: docker compose exec -T amt alembic downgrade -1
- name: db upgrade test
run: docker compose exec -T amt alembic upgrade head
- run: docker compose down -v --remove-orphans
test-local-frontend:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version-file: .nvmrc
cache: "npm"
- name: Install dependencies
run: npm install
- name: Run tests
run: npm run test
test-local-backend:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.12"] # When using ACT only use ["3.12"]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install poetry
run: pipx install poetry
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
cache: "poetry"
- uses: actions/setup-node@v4
with:
node-version-file: .nvmrc
cache: "npm"
- name: Install dependencies
run: |
poetry install
npm install
- name: Install Playwright browsers
run: poetry run playwright install --with-deps
- name: test migrations for sqlite
run: |
poetry run alembic upgrade head
poetry run alembic downgrade -1
poetry run alembic upgrade head
- name: Generate required files
run: |
npm run build
- name: Run pytest
run: TZ=UTC poetry run coverage run -m pytest
- name: Upload playwright tracing
if: failure()
uses: actions/upload-artifact@v3
with:
name: playwright-${{ github.sha }}
path: test-results/
if-no-files-found: error
overwrite: true
- name: run coverage report
run: poetry run coverage report
- name: run coverage html
run: poetry run coverage html
- name: Upload code coverage report
if: matrix.python-version == '3.12'
uses: actions/upload-artifact@v3
with:
name: codecoverage-${{ github.sha }}
path: htmlcov/
if-no-files-found: error
overwrite: true
- name: run coverage xml
run: poetry run coverage xml
- name: SonarCloud Scan
if: matrix.python-version == '3.12' && github.actor != 'dependabot[bot]' && !env.ACT
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
build:
needs: [test-local-frontend, test-local-backend, test-compose]
if: ${{ !github.event.act }}
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
security-events: write
actions: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: get commit hash
id: get_commit_hash
run: |
echo "commit_hash=$(git describe --tags)" >> "$GITHUB_OUTPUT"
- name: Make changes to project to inject commit hash
run: |
sed -i 's/VERSION: str = .*$/VERSION: str = "${{ steps.get_commit_hash.outputs.commit_hash }}"/g' amt/core/config.py
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Extract metadata for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} #TODO(berry): fix on git labels multiple tags
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: print metadata
run: |
echo "tags: ${{ steps.meta.outputs.tags }}"
echo "labels: ${{ steps.meta.outputs.labels }}"
echo "annotations: ${{ steps.meta.outputs.annotations }}"
echo "hash: ${{ steps.get_commit_hash.outputs.commit_hash }}"
- name: Build and push Docker image
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
platforms: linux/amd64,linux/arm64,darwin/amd64
- name: Run Trivy vulnerability scanner sarif
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
scan-type: image
exit-code: 0
format: "sarif"
output: "trivy-results.sarif"
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
- name: Run Trivy SBOM
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
scan-type: image
exit-code: 0
format: "cyclonedx"
output: "trivy-sbom.json"
list-all-pkgs: "true"
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy license scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
scan-type: image
scanners: "license"
exit-code: 0
output: "trivy-license.json"
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SBOM & License
uses: actions/upload-artifact@v4
with:
name: sbom-licence-${{ github.sha }}.json
path: |
trivy-sbom.json
trivy-license.json
if-no-files-found: error
overwrite: true
deploy:
runs-on: ubuntu-latest
needs: [build]
if: ${{ github.event_name == 'push' && !github.event.act}}
permissions:
actions: write
steps:
- name: Extract metadata for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: "" # make empty to get the correct tag
flavor: |
latest=false
- name: print metadata
run: |
echo "tags: ${{ steps.meta.outputs.tags }}"
- uses: actions/checkout@v4
- name: Trigger deployment
run: |
gh workflow run deploy.yml -f image_tag=${{ fromJSON(steps.meta.outputs.json).tags[0] }} -f environment=production
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
notifyMattermost:
runs-on: ubuntu-latest
needs:
[
lint,
security,
test-local-backend,
test-local-frontend,
test-compose,
build,
]
if: ${{ always() && contains(needs.*.result, 'failure') }}
steps:
- uses: mattermost/action-mattermost-notify@master
if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
with:
MATTERMOST_WEBHOOK_URL: ${{ secrets.MM_WEBHOOK_URL }}
MATTERMOST_CHANNEL: dev
TEXT: |
${{ github.repository }} failed build for ${{ github.ref_name }} by ${{ github.actor }}
[Pipeline](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) failed :fire:
MATTERMOST_USERNAME: ${{ github.triggering_actor }}