REKDAT-253: Disable user reset views for anonymous/normal users #1317
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI/CD | |
| on: | |
| schedule: | |
| - cron: "0 6 * * *" | |
| pull_request: | |
| workflow_dispatch: | |
| workflow_call: | |
| outputs: | |
| ckan: | |
| description: "Change in ckan container" | |
| value: ${{ jobs.detect-changes.outputs.ckan }} | |
| nginx: | |
| description: "Change in nginx container" | |
| value: ${{ jobs.detect-changes.outputs.nginx }} | |
| solr: | |
| description: "Change in solr container" | |
| value: ${{ jobs.detect-changes.outputs.solr }} | |
| environment: | |
| description: "Changes in docker environment" | |
| value: ${{ jobs.detect-changes.outputs.environment }} | |
| assets: | |
| description: "Change in assets" | |
| value: ${{ jobs.detect-changes.outputs.assets }} | |
| jobs: | |
| detect-changes: | |
| uses: ./.github/workflows/changes.yml | |
| build-containers: | |
| needs: | |
| - detect-changes | |
| name: Build Containers | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - dockerfile: ./docker/solr/Dockerfile | |
| context: ./docker/solr | |
| submodules: "" | |
| build-frontend: false | |
| name: solr | |
| build-container: ${{ needs.detect-changes.outputs.solr == 'true' }} | |
| - dockerfile: ./docker/nginx/Dockerfile | |
| context: ./docker/nginx | |
| submodules: "" | |
| build-frontend: false | |
| name: nginx | |
| build-container: ${{ needs.detect-changes.outputs.nginx == 'true' }} | |
| - dockerfile: ./ckan/Dockerfile | |
| context: ./ckan | |
| submodules: recursive | |
| build-frontend: true | |
| name: ckan | |
| build-container: ${{ (needs.detect-changes.outputs.ckan == 'true') || (needs.detect-changes.outputs.assets == 'true') }} | |
| steps: | |
| - name: checkout | |
| if: ${{ matrix.build-container == true }} | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: ${{ matrix.submodules }} | |
| - name: setup docker buildx | |
| if: ${{ matrix.build-container == true }} | |
| uses: docker/setup-buildx-action@v3 | |
| - name: configure NPM credentials | |
| if: ${{ matrix.build-frontend == true && matrix.build-container == true }} | |
| run: | | |
| cat <<EOT >> .npmrc | |
| @fortawesome:registry=https://npm.fontawesome.com/ | |
| //npm.fontawesome.com/:_authToken=$NPM_TOKEN | |
| EOT | |
| env: | |
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| - name: install nodejs v20 | |
| if: ${{ matrix.build-frontend == true && matrix.build-container == true }} | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| cache: 'npm' | |
| cache-dependency-path: 'package-lock.json' | |
| - name: install npm packages | |
| if: ${{ matrix.build-frontend == true && matrix.build-container == true }} | |
| run: npm ci | |
| - name: build frontend with gulp | |
| if: ${{ matrix.build-frontend == true && matrix.build-container == true }} | |
| run: npx gulp | |
| - name: build images | |
| if: ${{ matrix.build-container == true }} | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: ${{ matrix.context }} | |
| file: ${{ matrix.dockerfile }} | |
| push: false | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| outputs: type=docker,dest=/tmp/${{ matrix.name }}.tar | |
| tags: ${{ env.REGISTRY }}/${{ env.REPOSITORY }}/${{ matrix.name }}:latest | |
| env: | |
| REGISTRY: ${{ secrets.REGISTRY }} | |
| REPOSITORY: ${{ vars.REPOSITORY }} | |
| DOCKER_BUILD_RECORD_UPLOAD: false | |
| - name: upload images | |
| if: ${{ matrix.build-container == true }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.name }} | |
| path: /tmp/${{ matrix.name }}.tar | |
| test: | |
| name: Test restricteddata extensions | |
| runs-on: ubuntu-latest | |
| needs: | |
| - detect-changes | |
| if: ${{ needs.detect-changes.outputs.ckan == 'true' }} | |
| container: | |
| image: ckan/ckan-dev:2.10.3 | |
| services: | |
| solr: | |
| image: ckan/ckan-solr:2.10-solr9 | |
| postgres: | |
| image: postgres:12 | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_PASSWORD: postgres | |
| POSTGRES_DB: postgres | |
| options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 | |
| redis: | |
| image: redis:3 | |
| env: | |
| CKAN_SQLALCHEMY_URL: postgresql://ckan_default:pass@postgres/ckan_test | |
| CKAN_DATASTORE_WRITE_URL: postgresql://datastore_write:pass@postgres/datastore_test | |
| CKAN_DATASTORE_READ_URL: postgresql://datastore_read:pass@postgres/datastore_test | |
| CKAN_SOLR_URL: http://solr:8983/solr/ckan | |
| CKAN_REDIS_URL: redis://redis:6379/1 | |
| PGPASSWORD: postgres | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| - name: Create Database | |
| run: | | |
| psql --host=postgres --username=postgres --command="CREATE USER ckan_default WITH PASSWORD 'pass' NOSUPERUSER NOCREATEDB NOCREATEROLE;" | |
| createdb --encoding=utf-8 --host=postgres --username=postgres --owner=ckan_default ckan_test | |
| psql --host=postgres --username=postgres --command="CREATE USER datastore_write WITH PASSWORD 'pass' NOSUPERUSER NOCREATEDB NOCREATEROLE;" | |
| psql --host=postgres --username=postgres --command="CREATE USER datastore_read WITH PASSWORD 'pass' NOSUPERUSER NOCREATEDB NOCREATEROLE;" | |
| createdb --encoding=utf-8 --host=postgres --username=postgres --owner=datastore_write datastore_test | |
| - name: Install requirements | |
| run: | | |
| apk add proj proj-dev proj-util geos | |
| cd ckan/ckanext/ckanext-restricteddata | |
| pip install -r dev-requirements.txt | |
| pip install -r requirements.txt | |
| pip install -e . | |
| # Replace default path to CKAN core config file with the one on the container | |
| sed -i -e 's/use = config:.*/use = config:\/srv\/app\/src\/ckan\/test-core.ini/' test.ini | |
| cd ../ckanext-scheming | |
| pip install -e . | |
| cd ../ckanext-fluent | |
| pip install -r requirements.txt | |
| pip install -e . | |
| cd ../ckanext-dcat | |
| pip install -r requirements.txt | |
| pip install -e . | |
| cd ../ckanext-pages | |
| pip install -r requirements.txt | |
| pip install -e . | |
| cd ../ckanext-markdown_editor | |
| pip install -r requirements.txt | |
| pip install -e . | |
| - name: Run tests | |
| run: pytest --ckan-ini=ckan/ckanext/ckanext-restricteddata/test.ini --cov=ckanext.restricteddata --disable-warnings ckan/ckanext/ckanext-restricteddata/ckanext/restricteddata/tests | |
| - name: install codecov requirements | |
| run: | | |
| apk add gpg gpg-agent | |
| - name: Upload coverage reports to Codecov | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| flags: ckan | |
| os: alpine | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| test-e2e: | |
| name: test-e2e | |
| needs: | |
| - detect-changes | |
| - build-containers | |
| if: ${{ (needs.detect-changes.outputs.nginx == 'true') || | |
| (needs.detect-changes.outputs.ckan == 'true') || | |
| (needs.detect-changes.outputs.solr == 'true') || | |
| (needs.detect-changes.outputs.assets == 'true') || | |
| (needs.detect-changes.outputs.environment == 'true') }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v4 | |
| - name: setup docker buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_BUILD_ROLE }} | |
| role-session-name: github-actions | |
| aws-region: eu-north-1 | |
| - name: login to AWS ECR | |
| id: login | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| with: | |
| registries: ${{ secrets.AWS_PROD_ACCOUNT_ID }} | |
| - name: download built images | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: /tmp | |
| - name: load built ckan image | |
| if: ${{ (needs.detect-changes.outputs.ckan == 'true') || (needs.detect-changes.outputs.assets == 'true')}} | |
| run: | | |
| docker load --input /tmp/ckan/ckan.tar | |
| - name: load built solr image | |
| if: ${{ needs.detect-changes.outputs.solr == 'true' }} | |
| run: | | |
| docker load --input /tmp/solr/solr.tar | |
| - name: load built nginx image | |
| if: ${{ needs.detect-changes.outputs.nginx == 'true' }} | |
| run: | | |
| docker load --input /tmp/nginx/nginx.tar | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: configure .env | |
| shell: bash | |
| run: | | |
| cp -f docker/.env.template docker/.env | |
| pip install "python-dotenv[cli]" | |
| dotenv -f docker/.env set REGISTRY ${REGISTRY} | |
| dotenv -f docker/.env set REPOSITORY ${REPOSITORY} | |
| dotenv -f docker/.env set MATOMO_ENABLED false | |
| dotenv -f docker/.env set TEST_MODE true | |
| env: | |
| REGISTRY: ${{ secrets.REGISTRY }} | |
| REPOSITORY: ${{ vars.REPOSITORY }} | |
| - name: bring services up | |
| working-directory: docker | |
| run: | | |
| docker compose -f docker-compose.yml -f docker-compose.build.yml -p restricteddata up -d | |
| - name: wait until services have started | |
| shell: bash | |
| timeout-minutes: 5 | |
| run: | | |
| # wait for services to start properly | |
| while [[ $(curl -L --write-out '%{http_code}' --silent --output /dev/null http://localhost) != "200" ]]; do | |
| echo "waiting for services to start up and initialize ..." | |
| sleep 5s | |
| done | |
| sleep 5s | |
| # print the list of containers | |
| docker ps -a | |
| # print logs to debug errors | |
| docker logs restricteddata-ckan-1 | |
| docker logs restricteddata-solr-1 | |
| docker logs restricteddata-nginx-1 | |
| - name: Build robot container | |
| run: docker build -t robot/test robot/ | |
| - name: Run robot tests | |
| shell: bash | |
| run: docker run --rm --network host -v ./results:/robot/results robot/test | |
| - name: upload robot test results to XRay | |
| if: always() | |
| shell: bash | |
| env: | |
| JIRA_ACCESS_TOKEN: ${{ secrets.JIRA_ACCESS_TOKEN }} | |
| JIRA_URL: ${{ secrets.JIRA_URL }} | |
| JIRA_PROJECT_ID: ${{ secrets.JIRA_PROJECT_ID }} | |
| run: | | |
| curl -H "Authorization: Bearer ${JIRA_ACCESS_TOKEN}" -F file=@results/output.xml "${JIRA_URL}/rest/raven/1.0/import/execution/robot?projectKey=${JIRA_PROJECT_ID}" | |
| - name: upload robot test result artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: robot-results | |
| path: results/* | |
| - name: export docker logs if running tests fails | |
| if: failure() | |
| shell: bash | |
| run: | | |
| docker logs restricteddata-ckan-1 > /tmp/restricteddata-ckan-1.log 2>&1 | |
| docker logs restricteddata-ckan_cron-1 > /tmp/restricteddata-ckan_cron-1.log 2>&1 | |
| docker logs restricteddata-solr-1 > /tmp/restricteddata-solr-1.log 2>&1 | |
| docker logs restricteddata-nginx-1 > /tmp/restricteddata-nginx-1.log 2>&1 | |
| - name: upload log artifacts | |
| if: failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: docker-logs | |
| path: /tmp/restricteddata_*.log | |
| test-cdk: | |
| name: test-cdk | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| concurrency: | |
| group: ${{ github.ref }}/test-cdk | |
| cancel-in-progress: true | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v4 | |
| - name: install nodejs v20 | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| cache: 'npm' | |
| cache-dependency-path: 'cdk/package-lock.json' | |
| - name: install cdk npm packages and verify installation | |
| working-directory: cdk | |
| run: | | |
| npm install | |
| npx cdk doctor | |
| - name: build cdk project | |
| working-directory: cdk | |
| run: | | |
| npm run build | |
| - name: test cdk project | |
| working-directory: cdk | |
| run: | | |
| npm run test | |
| - name: Upload coverage reports to Codecov | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| flags: cdk | |
| token: ${{ secrets.CODECOV_TOKEN }} |