fix: enforce https for osm oauth callbacks #489
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Workflow for build and auto-deploy of branches | |
name: 🔧 Build and Deploy | |
on: | |
# Push includes PR merge | |
push: | |
branches: | |
- main | |
- staging | |
- development | |
paths: | |
# Workflow is triggered only if src changes | |
- src/** | |
# Allow manual trigger | |
workflow_dispatch: | |
jobs: | |
pytest: | |
uses: hotosm/gh-workflows/.github/workflows/[email protected] | |
with: | |
image_name: ghcr.io/${{ github.repository }}/backend | |
build_context: src/backend | |
compose_service: api | |
compose_command: wait-for-it fmtm-db:5432 --strict -- wait-for-it central:8383 --strict --timeout=30 -- pytest | |
tag_override: ci-${{ github.ref_name }} | |
secrets: inherit | |
frontend-tests: | |
uses: hotosm/gh-workflows/.github/workflows/[email protected] | |
with: | |
working_dir: src/frontend | |
backend-build: | |
uses: hotosm/gh-workflows/.github/workflows/[email protected] | |
needs: [pytest] | |
with: | |
context: src/backend | |
build_target: prod | |
image_name: ghcr.io/${{ github.repository }}/backend | |
frontend-build: | |
uses: hotosm/gh-workflows/.github/workflows/[email protected] | |
needs: [frontend-tests] | |
with: | |
context: src/frontend | |
dockerfile: prod.dockerfile | |
build_target: prod | |
image_name: ghcr.io/${{ github.repository }}/frontend | |
smoke-test-backend: | |
runs-on: ubuntu-latest | |
needs: [backend-build] | |
environment: | |
name: ${{ github.ref_name }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Vars and Secrets to Env | |
env: | |
GIT_BRANCH: ${{ github.ref_name }} | |
TAG_OVERRIDE: ${{ needs.backend-build.outputs.image_tag }} | |
VARS_CONTEXT: ${{ toJson(vars) }} | |
SECRETS_CONTEXT: ${{ toJson(secrets) }} | |
run: | | |
# Random delimeter string for security | |
delim=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
# Parse JSON with multiline strings, using delimeter (Github specific) | |
to_envs() { jq -r "to_entries[] | \"\(.key)<<$delim\n\(.value)\n$delim\n\""; } | |
# Set all vars | |
echo "GIT_BRANCH=${GIT_BRANCH}" >> $GITHUB_ENV | |
echo "TAG_OVERRIDE=${TAG_OVERRIDE}" >> $GITHUB_ENV | |
echo "${VARS_CONTEXT}" | to_envs >> $GITHUB_ENV | |
echo "${SECRETS_CONTEXT}" | to_envs >> $GITHUB_ENV | |
- name: Create .env file | |
run: | | |
# Get a8m/envsubst (required for default vals syntax ${VAR:-default}) | |
echo "Downloading envsubst" | |
curl -L https://github.com/a8m/envsubst/releases/download/v1.2.0/envsubst-`uname -s`-`uname -m` -o envsubst | |
chmod +x envsubst | |
echo "Substituing variables from .env.example --> .env" | |
./envsubst < .env.example > .env | |
echo "GIT_BRANCH=${GIT_BRANCH}" >> .env | |
echo "TAG_OVERRIDE=${TAG_OVERRIDE}" >> .env | |
- name: Backend smoke test | |
run: | | |
# Migrate db first, so api works | |
docker compose up migrations --exit-code-from migrations | |
# Run without migrations (avoid exit code 0) | |
# Also run within if block to capture logs if failure | |
if docker compose up --detach \ | |
--no-deps --wait --wait-timeout 60 \ | |
central-db central central-proxy s3 api | |
then | |
docker compose logs api | |
else | |
echo "Application not healthy after 1m0s. Exiting." | |
docker compose logs api | |
exit 1 | |
fi | |
smoke-test-frontend: | |
runs-on: ubuntu-latest | |
needs: [frontend-build] | |
environment: | |
name: ${{ github.ref_name }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Frontend smoke test | |
run: echo "Not implemented" | |
deploy-containers: | |
needs: | |
- smoke-test-backend | |
- smoke-test-frontend | |
uses: hotosm/gh-workflows/.github/workflows/[email protected] | |
with: | |
environment: ${{ github.ref_name }} | |
docker_compose_file: "docker-compose.${{ github.ref_name }}.yml" | |
secrets: inherit |