Merge pull request #127 from teknologi-umum/chore/docker/bump-debian-… #23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Main System | |
| on: | |
| push: | |
| branches: | |
| - master | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| auth: | |
| name: Auth | |
| runs-on: ubuntu-latest | |
| container: golang:1.20 | |
| timeout-minutes: 30 | |
| defaults: | |
| run: | |
| working-directory: ./auth | |
| services: | |
| db: | |
| image: redis:7-bookworm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: TruffleHog OSS | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| head: HEAD | |
| extra_args: --debug --only-verified | |
| - name: Build test | |
| run: go build -buildvcs=false . | |
| - name: Run test | |
| run: go test -v -coverprofile=coverage.out -covermode=atomic ./... | |
| env: | |
| ENVIRONMENT: github-actions | |
| SENTRY_DSN: "" | |
| REDIS_URL: redis://@db:6379 | |
| - name: Codecov | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| flags: auth | |
| rce: | |
| name: RCE | |
| runs-on: ubuntu-latest | |
| container: node:18.17.0 | |
| timeout-minutes: 30 | |
| defaults: | |
| run: | |
| working-directory: ./rce | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: TruffleHog OSS | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| head: HEAD | |
| extra_args: --debug --only-verified | |
| - name: Setup packages && nosocket | |
| run: > | |
| apt-get update && | |
| apt-get install -y coreutils binutils build-essential libseccomp-dev gcc apt-utils && | |
| make -C ./nosocket/ all && make -C ./nosocket/ install | |
| - name: Install other language packages | |
| run: > | |
| apt-get install -y python3 sqlite3 lua5.4 | |
| - name: Setup directory | |
| run: mkdir -p /code/$(whoami) | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Lint | |
| run: npx eslint --ext .ts,.js,.cjs . | |
| - name: Build | |
| run: npm run build | |
| - name: Test & coverage | |
| run: npm run test | |
| env: | |
| LANGUAGE_JAVASCRIPT: true | |
| LANGUAGE_C: true | |
| LANGUAGE_LUA: true | |
| LANGUAGE_PYTHON: true | |
| LANGUAGE_SQLITE: true | |
| - name: Codecov | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| flags: rce | |
| landing: | |
| name: Landing | |
| runs-on: ubuntu-latest | |
| container: node:18.17.0 | |
| timeout-minutes: 30 | |
| defaults: | |
| run: | |
| working-directory: ./landing | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: TruffleHog OSS | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| head: HEAD | |
| extra_args: --debug --only-verified | |
| - name: Install pnpm | |
| uses: pnpm/[email protected] | |
| with: | |
| version: 7 | |
| run_install: false | |
| - name: Install dependencies | |
| run: pnpm install | |
| - name: Check formatting | |
| run: pnpm fmt:check | |
| - name: Build | |
| run: pnpm build | |
| registration: | |
| name: Registration | |
| runs-on: ubuntu-latest | |
| container: mcr.microsoft.com/dotnet/sdk:7.0 | |
| timeout-minutes: 30 | |
| defaults: | |
| run: | |
| working-directory: ./registration | |
| services: | |
| db: | |
| image: redis:7-bookworm | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: TruffleHog OSS | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| head: HEAD | |
| extra_args: --debug --only-verified | |
| - name: Restore | |
| run: dotnet restore "Registration.csproj" | |
| - name: Build | |
| run: dotnet build "Registration.csproj" --no-restore -c Release | |
| build-auth: | |
| name: Build Auth | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| needs: | |
| - auth | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-auth | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=edge | |
| type=sha | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: "{{defaultContext}}:auth" | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Create Sentry release | |
| uses: getsentry/action-release@v1 | |
| env: | |
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
| SENTRY_ORG: ${{ secrets.SENTRY_ORG }} | |
| SENTRY_PROJECT: pesto-auth | |
| with: | |
| environment: production | |
| ignore_empty: true | |
| build-landing: | |
| name: Build Landing | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| needs: | |
| - landing | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-landing | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=edge | |
| type=sha | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: "{{defaultContext}}:landing" | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-rce: | |
| name: Build RCE | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 720 | |
| needs: | |
| - rce | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-rce | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=edge | |
| type=sha | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: "{{defaultContext}}:rce" | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Create Sentry release | |
| uses: getsentry/action-release@v1 | |
| env: | |
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
| SENTRY_ORG: ${{ secrets.SENTRY_ORG }} | |
| SENTRY_PROJECT: pesto-rce | |
| with: | |
| environment: production | |
| ignore_empty: true | |
| build-registration: | |
| name: Build Registration | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| needs: | |
| - registration | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-registration | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=edge | |
| type=sha | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: "{{defaultContext}}:registration" | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Create Sentry release | |
| uses: getsentry/action-release@v1 | |
| env: | |
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
| SENTRY_ORG: ${{ secrets.SENTRY_ORG }} | |
| SENTRY_PROJECT: pesto-registration | |
| with: | |
| environment: production | |
| ignore_empty: true | |
| dogfood: | |
| name: Dogfood Integration Tests | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| needs: | |
| - build-rce | |
| - rce | |
| services: | |
| pesto_rce: | |
| image: ghcr.io/teknologi-umum/pesto-rce:edge | |
| env: | |
| PORT: 50051 | |
| ENVIRONMENT: production | |
| ports: | |
| - 50051:50051 | |
| options: >- | |
| --health-cmd "curl -f http://localhost:50051/healthz" | |
| --health-interval 30s | |
| --health-timeout 15s | |
| --health-retries 10 | |
| --health-start-period 90s | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: latest | |
| check-latest: true | |
| - name: Run tests | |
| run: > | |
| npm ci && | |
| node --test | |
| working-directory: ./dogfood | |
| env: | |
| PESTO_URL: http://localhost:50051/ | |
| deploy: | |
| name: Deploy | |
| runs-on: ubuntu-latest | |
| container: debian:bookworm | |
| timeout-minutes: 120 | |
| needs: | |
| - build-auth | |
| - build-rce | |
| - build-landing | |
| - build-registration | |
| steps: | |
| - name: Install required packages | |
| run: apt-get update && apt-get upgrade -y && apt-get install -y tar gzip curl ssh | |
| - name: Register SSH key | |
| uses: shimataro/ssh-key-action@v2 | |
| with: | |
| key: ${{ secrets.SSH_KEY }} | |
| name: id_ed25519 | |
| known_hosts: ${{ secrets.SSH_IP }} | |
| if_key_exists: replace | |
| - name: SSH Keyscan | |
| run: ssh-keyscan -p ${{ secrets.SSH_PORT }} -H ${{ secrets.SSH_IP }} >> /root/.ssh/known_hosts | |
| - name: Pull latest code | |
| run: > | |
| ssh | |
| -i /root/.ssh/id_ed25519 | |
| -p ${{ secrets.SSH_PORT }} | |
| -t ${{ secrets.SSH_USER }}@${{ secrets.SSH_IP }} | |
| 'ssh pesto "cd ${{ secrets.SSH_WORKDIR }}/pesto && git pull" ' | |
| - name: Build Docker images | |
| run: > | |
| ssh | |
| -i /root/.ssh/id_ed25519 | |
| -p ${{ secrets.SSH_PORT }} | |
| -t ${{ secrets.SSH_USER }}@${{ secrets.SSH_IP }} | |
| "ssh pesto 'echo ${{ secrets.SSH_PASSWORD }} | sudo -S bash -c '\"'cd ${{ secrets.SSH_WORKDIR }}/pesto && | |
| docker compose pull && | |
| docker compose up -d --pull always registration rce landing auth '\"' ' " | |
| - name: Clean up docker artifacts | |
| run: > | |
| ssh | |
| -i /root/.ssh/id_ed25519 | |
| -p ${{ secrets.SSH_PORT }} | |
| -t ${{ secrets.SSH_USER }}@${{ secrets.SSH_IP }} | |
| "ssh pesto 'echo ${{ secrets.SSH_PASSWORD }} | sudo -S bash -c '\"'docker container prune -f && | |
| docker image prune -f && | |
| docker builder prune -f '\"' ' " |