Skip to content

chore(semgrep): allow limiting the per-file memory during the scan #107

chore(semgrep): allow limiting the per-file memory during the scan

chore(semgrep): allow limiting the per-file memory during the scan #107

Workflow file for this run

name: Continuous Integration
on:
push:
branches:
- main
- dev
pull_request:
env:
APP_NAME: etabli
CONTAINER_REGISTRY: ghcr.io
CONTAINER_IMAGE_FOLDER: ghcr.io/${{ github.repository }}
NODE_OPTIONS: --max_old_space_size=4096
NODE_VERSION: 18.19.0
RUBY_VERSION: 3.2.2
PYTHON_VERSION: 3.10.4
PLAYWRIGHT_BROWSERS_CACHE_FOLDER_SUFFIX: .cache/ms-playwright
concurrency:
# Prevent parallel builds of the same branch
group: cicd-${{ github.ref }}
cancel-in-progress: false
jobs:
requirements:
name: Continuous Integration
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
issues: write
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set environment for branch
run: |
if [[ $GITHUB_REF_NAME == 'main' ]]; then
echo "APP_MODE=prod" >> $GITHUB_ENV
echo "CLEVER_APP_ID=${{ secrets.CLEVER_APP_ID_PRODUCTION }}" >> $GITHUB_ENV
elif [[ $GITHUB_REF_NAME == 'dev' ]]; then
echo "APP_MODE=dev" >> $GITHUB_ENV
echo "CLEVER_APP_ID=${{ secrets.CLEVER_APP_ID_DEVELOPMENT }}" >> $GITHUB_ENV
else
echo "APP_MODE=test" >> $GITHUB_ENV
fi
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ env.RUBY_VERSION }}
- name: Setup Python
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: 'pip'
cache-dependency-path: 'src/semgrep/requirements.txt'
- name: Export npm store directory as an environment variable
shell: bash
run: |
echo "STORE_PATH=$(npm config get cache)" >> $GITHUB_ENV
- uses: actions/cache@v3
name: Setup npm cache
with:
path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-npm-store-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-npm-store-
- uses: actions/cache@v3
name: Setup Next.js build cache
with:
path: ${{ github.workspace }}/.next/cache
key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
restore-keys: |
${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-
- name: Install tools
run: bundle --gemfile src/bibliothecary/Gemfile && pip install -r src/semgrep/requirements.txt
- name: Install dependencies
env:
PLAYWRIGHT_BROWSERS_PATH: ${{ env.STORE_PATH }}/${{ env.PLAYWRIGHT_BROWSERS_CACHE_FOLDER_SUFFIX }}
run: make deps
- name: Prepare linting
run: make lint-prepare
- name: Lint
run: make lint
- name: Format check
run: make format-check
- name: Prepare tests
env:
PLAYWRIGHT_BROWSERS_PATH: ${{ env.STORE_PATH }}/${{ env.PLAYWRIGHT_BROWSERS_CACHE_FOLDER_SUFFIX }}
run: make test-prepare
- name: Install `docker-compose` for local CI/CD simulations (https://github.com/nektos/act/issues/112#issuecomment-1387307297)
if: ${{ env.ACT }}
uses: KengoTODA/actions-setup-docker-compose@v1
with:
version: '2.14.2'
- name: Install `Xvfb` and others to run browsers for end-to-end testing in local CI/CD simulations (https://github.com/nektos/act/issues/1300#issuecomment-1387344639)
if: ${{ env.ACT }}
run: sudo apt-get update && sudo apt-get install -y xvfb && npm run playwright install-deps chromium
- name: Test unit
run: make test-unit
- name: Build
env:
SENTRY_URL: ${{ secrets.SENTRY_URL }}
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }}
SENTRY_RELEASE_UPLOAD: true
# [WORKAROUND] When building Next.js in a standalone mode the frontend `NEXT_PUBLIC_*` environement variables are hardcoded
# So they are not switchable at runtime. Since ours won't change overtime, we are fine to retrigger a build in needed
# but it would be painful for someone reusing directly the Docker image. Some workarounds exist but they are by far too hacky, see:
# - https://github.com/vercel/next.js/discussions/17641
# - https://phase.dev/blog/nextjs-public-runtime-variables/
# - https://www.tomoliver.net/posts/nextjs-docker-public-env-vars
NEXT_PUBLIC_APP_BASE_URL: ${{ secrets.NEXT_PUBLIC_APP_BASE_URL }}
NEXT_PUBLIC_CRISP_WEBSITE_ID: ${{ secrets.NEXT_PUBLIC_CRISP_WEBSITE_ID }}
NEXT_PUBLIC_MATOMO_SITE_ID: ${{ secrets.NEXT_PUBLIC_MATOMO_SITE_ID }}
NEXT_PUBLIC_MATOMO_URL: ${{ secrets.NEXT_PUBLIC_MATOMO_URL }}
NEXT_PUBLIC_SENTRY_DSN: ${{ secrets.NEXT_PUBLIC_SENTRY_DSN }}
run: make build
- name: Test end-to-end
env:
PLAYWRIGHT_BROWSERS_PATH: ${{ env.STORE_PATH }}/${{ env.PLAYWRIGHT_BROWSERS_CACHE_FOLDER_SUFFIX }}
run: make test-e2e
# # Disabled since too long, need to consider if our Storybook e2e tests are sufficient
# - name: Accessibility with Lighthouse
# run: make accessibility
# env:
# NEXTJS_BUILD_OUTPUT_MODE: export
# LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}
- name: Publish to Chromatic
if: ${{ !github.event.act }}
env:
CHROMATIC_PROJECT_TOKEN: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
run: npm run chromatic
- name: Set up Docker buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the Container registry
if: ${{ !github.event.act && (github.ref_name == 'dev' || github.ref_name == 'main') }}
uses: docker/login-action@v2
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push the application Docker image
if: ${{ !github.event.act && (github.ref_name == 'dev' || github.ref_name == 'main') }}
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ env.CONTAINER_IMAGE_FOLDER }}/${{ env.APP_NAME }}-${{ github.ref_name }}:${{ github.sha }},${{ env.CONTAINER_IMAGE_FOLDER }}/${{ env.APP_NAME }}-${{ github.ref_name }}:latest
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Deploy to Clever Cloud
if: ${{ !github.event.act && (github.ref_name == 'dev' || github.ref_name == 'main') }}
uses: 47ng/[email protected]
timeout-minutes: 15 # Needed to avoid randomly hanging forever (ref: https://github.com/47ng/actions-clever-cloud/issues/206)
with:
appID: ${{ env.CLEVER_APP_ID }}
force: true
quiet: true # disable copying into GitHub Actions all logs from Clever Cloud
env:
CLEVER_TOKEN: ${{ secrets.CLEVER_TOKEN }}
CLEVER_SECRET: ${{ secrets.CLEVER_SECRET }}