[#13] reuse open-api-workflows workflows

.github/workflows/ci.yml

@@ -15,7 +15,6 @@ env:
   DJANGO_SETTINGS_MODULE: openklant.conf.ci
   DB_PASSWORD: ''
   DB_USER: postgres
-  # ALLOWED_HOSTS: openklant.nl
 
 jobs:
   # determine changed files to decide if certain jobs can be skipped or not
@@ -28,25 +27,21 @@ jobs:
         with:
           fetch-depth: 2
 
-      - name: Changed files
-        id: app-files
+      - name: Get changed PY files
+        id: changed-py-files
         uses: tj-actions/changed-files@v45
         with:
-          files: |
-            src/**/*.py
-            requirements/*.txt
+          files: src/{,**/}*.py
 
-      - name: Display changed files
-        if: steps.app-files.outputs.any_changed == 'true'
-        env:
-          ALL_CHANGED_FILES: ${{ steps.app-files.outputs.all_changed_files }}
-        run: |
-          for file in ${ALL_CHANGED_FILES}; do
-            echo "$file was changed"
-          done
+      - name: Get changed requirements files
+        id: changed-requirements
+        uses: tj-actions/changed-files@v45
+        with:
+          files: requirements/*.txt
 
     outputs:
-      changed-files: ${{ steps.app-files.outputs.any_changed }}
+      changed-py-files: ${{ steps.changed-py-files.outputs.any_changed }}
+      changed-requirements: ${{ steps.changed-requirements.outputs.any_changed }}
 
   tests:
     name: Tests (PG ${{ matrix.postgres }})
@@ -55,7 +50,7 @@ jobs:
       - changed-files
 
     # only run tests if source files have changed (e.g. skip for PRs that only update docs)
-    if: needs.changed-files.outputs.changed-files == 'true' || github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    if: ${{ needs.changed-files.outputs.changed-py-files == 'true'|| needs.changed-files.outputs.changed-requirements == 'true'|| github.event_name == 'push' }}
 
     strategy:
       matrix:
@@ -73,28 +68,18 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - name: Set up backend environment
+        uses: maykinmedia/[email protected]
         with:
           python-version: '3.11'
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '18'
+          setup-node: true
 
-      - name: Install dependencies
-        run: pip install -r requirements/dev.txt codecov
-      - name: Build frontend
-        run: |
-          npm ci
-          npm run build
       - name: Run tests
         run: |
           python src/manage.py collectstatic --noinput --link
           coverage run src/manage.py test src
         env:
-          DJANGO_SETTINGS_MODULE: openklant.conf.ci
           SECRET_KEY: dummy
-          DB_USER: postgres
-          DB_PASSWORD: ''
 
       - name: Publish coverage report
         uses: codecov/codecov-action@v3
@@ -105,13 +90,12 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - name: Set up backend environment
+        uses: maykinmedia/[email protected]
         with:
           python-version: '3.11'
-          cache: 'pip'
-          cache-dependency-path: 'requirements/*.txt'
-      - name: Install dependencies
-        run: pip install -r requirements/ci.txt pytest
+          setup-node: false
+
       - name: Generate environment variable documentation using OAf and check if it was updated
         run: |
           bin/generate_envvar_docs.sh
@@ -121,101 +105,36 @@ jobs:
               echo "Please update the environment documentation by running \`bin/generate_envvar_docs.sh\`"
               exit 1
           fi
-        env:
-          DJANGO_SETTINGS_MODULE: openklant.conf.ci
 
-  docker:
-    needs: tests
-    name: Build Docker image
+  store-reusable-workflow-vars:
+    name: create values which can be passed through a reusable workflow
     runs-on: ubuntu-latest
+    outputs:
+      image-name: ${{ steps.image-name.outputs.image-name }}
 
     steps:
-      - uses: actions/checkout@v4
-      - name: Determine tag/commit hash
-        id: vars
-        run: |
-          # Strip git ref prefix from version
-          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
-          # Strip "v" prefix from tag name (if present at all)
-          [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
-          # Use Docker `latest` tag convention
-          [ "$VERSION" == "master" ] && VERSION=latest
-          echo "tag=${VERSION}" >> $GITHUB_OUTPUT
-          echo "git_hash=${GITHUB_SHA}" >> $GITHUB_OUTPUT
-      - name: Build the Docker image
-        run: |
-          docker build \
-            --tag $IMAGE_NAME:${{ steps.vars.outputs.tag }} \
-            --build-arg COMMIT_HASH=${{ steps.vars.outputs.git_hash }} \
-            --build-arg RELEASE=${{ steps.vars.outputs.tag }} \
-            .
-      - run: docker image save -o image.tar $IMAGE_NAME:${{ steps.vars.outputs.tag }}
-      - name: Store image artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: docker-image
-          path: image.tar
-          retention-days: 1
-
-  # image_scan:
-  #   runs-on: ubuntu-latest
-  #   name: Scan docker image
-  #   needs:
-  #     - docker
-
-  #   steps:
-  #     - name: Download built image
-  #       uses: actions/download-artifact@v3
-  #       with:
-  #         name: docker-image
-  #     - name: Scan image with Trivy
-  #       uses: aquasecurity/trivy-action@master
-  #       with:
-  #         input: /github/workspace/image.tar  # from download-artifact
-  #         format: 'sarif'
-  #         output: 'trivy-results-docker.sarif'
-  #         ignore-unfixed: true
-  #     - name: Upload results to GH Security tab
-  #       uses: github/codeql-action/upload-sarif@v3
-  #       with:
-  #         sarif_file: 'trivy-results-docker.sarif'
-
-  publish:
+      - run: echo "image-name=$IMAGE_NAME" >> $GITHUB_OUTPUT
+        name: 'Store the docker image name'
+        id: image-name
+
+  open-api-ci:
+    uses: maykinmedia/open-api-workflows/.github/workflows/ci.yml@v1
+    needs:
+      - store-reusable-workflow-vars
+    with:
+      main-branch: 'master'
+      python-version: '3.11'
+      docker-image-name: ${{ needs.store-reusable-workflow-vars.outputs.image-name }}
+
+  open-api-publish:
+    uses: maykinmedia/open-api-workflows/.github/workflows/publish.yml@v1
     needs:
+      - store-reusable-workflow-vars
+      - open-api-ci
       - tests
-      - docker
-
-    name: Push Docker image
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push'  # exclude PRs
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Download built image
-        uses: actions/download-artifact@v3
-        with:
-          name: docker-image
-
-      - name: Determine tag/commit hash
-        id: vars
-        run: |
-          # Strip git ref prefix from version
-          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
-
-          # Strip "v" prefix from tag name (if present at all)
-          [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
-
-          # Use Docker `latest` tag convention
-          [ "$VERSION" == "master" ] && VERSION=latest
-
-          echo "tag=${VERSION}" >> $GITHUB_OUTPUT
-
-      - name: Load image
-        run: |
-          docker image load -i image.tar
-
-      - name: Log into registry
-        run: echo "${{ secrets.DOCKER_TOKEN }}" | docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin
-
-      - name: Push the Docker image
-        run: docker push $IMAGE_NAME:${{ steps.vars.outputs.tag }}
+    with:
+      docker-image-name: ${{ needs.store-reusable-workflow-vars.outputs.image-name }}
+      repository-owner: 'maykinmedia'
+    secrets:
+      docker-username: ${{ secrets.DOCKER_USERNAME }}
+      docker-token: ${{ secrets.DOCKER_TOKEN }}

.github/workflows/code-analysis.yml

@@ -0,0 +1,21 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches:
+      - main
+  schedule:
+    - cron: '0 23 * * 6'
+
+jobs:
+  open-api-workflow-code-analysis:
+    uses: maykinmedia/open-api-workflows/.github/workflows/code-analysis.yml@v1