-
Notifications
You must be signed in to change notification settings - Fork 1
313 lines (271 loc) · 12.1 KB
/
ci.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
name: CI
run-name: ${{ (github.event_name == 'workflow_dispatch' && format('manual{0} {1}', ':', github.sha)) || '' }}
on:
workflow_dispatch:
push:
branches: [main]
paths-ignore: [".vscode/**", "docs/**", "**/README.md", "LICENSE.md", ".github/**.md"]
merge_group:
pull_request:
branches: [main]
# Note - Ignore is not commit specific, if any file in the PR is outside of this list, workflow will run, see https://github.com/orgs/community/discussions/25161#discussioncomment-3246673
paths-ignore: [".vscode/**", "docs/**", "**/README.md", "LICENSE.md", ".github/**.md"]
# Automatically cancel in-progress actions on the same branch except for main
concurrency:
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
env:
GO_CACHE_INFO_FILE: wf-go-cache-info.txt
jobs:
build:
name: Build and test
runs-on: ubuntu-latest
outputs:
image_sha: ${{ steps.setDockerSHAs.outputs.image_sha }}
image_version: ${{ steps.setDockerSHAs.outputs.image_version }}
build_version: ${{ steps.setDockerSHAs.outputs.build_version }}
timeout-minutes: 20
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# We need to fetch all branches and commits so that Nx affected has a base to compare against.
fetch-depth: 0
- name: Derive appropriate SHAs for base and head for `nx affected` commands
id: setNxSHAs
uses: nrwl/nx-set-shas@v4
- name: Ensure tracking against main
run: git branch --track main origin/main
if: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }}
- name: Setup node
uses: actions/setup-node@v4
with:
node-version-file: ".nvmrc"
cache: "npm"
# https://github.com/actions/setup-go/issues/358 - cache is shared across jobs by default since the dependency
# graph is the same, however each job results in different dependencies being downloaded and the first one
# to finish wins with regards to saving the cache. To workaround, we create a file to include in the graph
# that contains information specified to the workflow & job so that each job gets a separate go cache.
# Note that the cache key used (https://github.com/actions/setup-go/blob/main/src/cache-restore.ts#L35) by
# actions/setup-go is already platform/arch/go-version specific so we only need to further differentiate
# by workflow and job.
- name: Create go cache info file
run: echo "go-cache-${{ github.workflow }}-${{ github.job }}" > ${GO_CACHE_INFO_FILE}
- name: Setup go
uses: actions/setup-go@v5
with:
go-version-file: go.work
cache-dependency-path: |
apps/*/go.sum
go.work.sum
${{ env.GO_CACHE_INFO_FILE }}
- name: Install NPM dependencies
run: npm ci
- name: Build and test
env:
UESIO_DEV: "true" # required to ensure packui gets built
run: npx nx affected -t build test --configuration=ci --parallel=5
- name: Prep for docker image
id: setDockerSHAs
env:
UESIO_DEV: "true" # required to ensure packui gets built
run: |
# We lint/test/build affected but in order to build image, we need to ensure everything
# is built. Build anything that hasn't been built yet (takes advantage of nx cache
# for anything already built from above)
npx nx run-many -t build
# build values for docker image tags
VERSION_SUFFIX=${{ github.run_number }}.${{ github.run_attempt }}
FULL_SHA=${{ steps.setNxSHAs.outputs.head }}
# instead of using rev-parse we always just get the first 8 characters but we'll ensure
# its unique (just in case 8 is not enough) by appending the VERSION_SUFFIX
SHORT_SHA=$(echo ${FULL_SHA} | cut -c1-8)
echo "IMAGE_SHA=${FULL_SHA}" >> "$GITHUB_OUTPUT"
echo "IMAGE_VERSION=${FULL_SHA}.${VERSION_SUFFIX}" >> "$GITHUB_OUTPUT"
echo "BUILD_VERSION=${SHORT_SHA}.${VERSION_SUFFIX}" >> "$GITHUB_OUTPUT"
- name: Set up docker buildx
uses: docker/setup-buildx-action@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
tags: |
type=raw,value=${{ steps.setDockerSHAs.outputs.image_version }}
type=ref,event=branch
type=ref,event=pr
labels: |
org.opencontainers.image.version=${{ steps.setDockerSHAs.outputs.image_version }}
- name: Cache for docker
id: cache
uses: actions/cache@v4
with:
path: |
go-build-cache
key: ${{ runner.os }}-docker-cache-${{ hashFiles('apps/**/go.sum', 'go.work.sum') }}
- name: Inject cache into docker
uses: reproducible-containers/buildkit-cache-dance@v3
with:
cache-map: |
{
"go-build-cache": "/root/.cache/go-build"
}
skip-extraction: ${{ steps.cache.outputs.cache-hit }}
- name: Build and export to docker
uses: docker/build-push-action@v6
with:
context: .
cache-from: type=gha
cache-to: type=gha,mode=max
load: true
file: ./apps/platform/Dockerfile
build-args: |
BUILD_VERSION=${{ steps.setDockerSHAs.outputs.build_version }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
outputs: |
type=docker
type=docker,dest=${{ runner.temp }}/uesio-image.tar
- name: Upload docker image artifact
uses: actions/upload-artifact@v4
with:
name: uesio-image
path: ${{ runner.temp }}/uesio-image.tar
- name: Integration and e2e tests
env:
APP_IMAGE: ${{ steps.setDockerSHAs.outputs.image_version }}
run: |
./scripts/seed-etc-hosts.sh
cd apps/platform/ssl
bash ./create.sh
cd ../../../
# Start up the Uesio app, and dependencies, in Docker
# then run all Integration and E2E tests against the app
npm run tests-docker
check:
name: Check format and lint
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# We need to fetch all branches and commits so that Nx affected has a base to compare against.
fetch-depth: 0
- name: Derive appropriate SHAs for base and head for `nx affected` commands
id: setNxSHAs
uses: nrwl/nx-set-shas@v4
- name: Ensure tracking against main
run: git branch --track main origin/main
if: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }}
- name: Setup node
uses: actions/setup-node@v4
with:
node-version-file: ".nvmrc"
cache: "npm"
# https://github.com/actions/setup-go/issues/358 - cache is shared across jobs by default since the dependency
# graph is the same, however each job results in different dependencies being downloaded and the first one
# to finish wins with regards to saving the cache. To workaround, we create a file to include in the graph
# that contains information specified to the workflow & job so that each job gets a separate go cache.
# Note that the cache key used (https://github.com/actions/setup-go/blob/main/src/cache-restore.ts#L35) by
# actions/setup-go is already platform/arch/go-version specific so we only need to further differentiate
# by workflow and job.
- name: Create go cache info file
run: echo "go-cache-${{ github.workflow }}-${{ github.job }}" > ${GO_CACHE_INFO_FILE}
- name: Setup go
uses: actions/setup-go@v5
with:
go-version-file: go.work
cache-dependency-path: |
apps/*/go.sum
go.work.sum
${{ env.GO_CACHE_INFO_FILE }}
- name: Install NPM dependencies
run: npm ci
- name: Check formatting
run: npx nx format:check --verbose
- name: Lint
run: npx nx affected -t lint --configuration=ci --parallel=5
typecheck:
name: Check types
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Checkout
uses: actions/checkout@v4
with:
# We need to fetch all branches and commits so that Nx affected has a base to compare against.
fetch-depth: 0
- name: Derive appropriate SHAs for base and head for `nx affected` commands
id: setNxSHAs
uses: nrwl/nx-set-shas@v4
- name: Ensure tracking against main
run: git branch --track main origin/main
if: ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }}
- name: Setup node
uses: actions/setup-node@v4
with:
node-version-file: ".nvmrc"
cache: "npm"
- name: Install NPM dependencies
run: npm ci
- name: Typecheck
run: npx nx affected -t typecheck --configuration=ci --parallel=5
update-dev-branch:
name: Update Dev environment to latest image
if: github.ref_name == 'main' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
runs-on: ubuntu-latest
needs: [build, check, typecheck]
timeout-minutes: 3
permissions:
id-token: write # This is required for requesting a OIDC JWT for AWS
steps:
- name: Checkout TheCloudMasters/uesio-infra
uses: actions/checkout@v4
with:
repository: TheCloudMasters/uesio-infra
token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your personal Github access token
fetch-depth: 1
- name: Download docker image artifact
uses: actions/download-artifact@v4
with:
name: uesio-image
path: ${{ runner.temp }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ECR_ROLE_DEV }}
role-session-name: ecrpush
aws-region: ${{ secrets.AWS_REGION_DEV }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Push image to ECR
id: pushImageToECR
env:
IMAGE_VERSION_TAG: ${{ needs.build.outputs.image_version }}
IMAGE_SHA_TAG: ${{ needs.build.outputs.image_sha }}-latest
REGISTRY_IMAGE_TAG_BASE: ${{ steps.login-ecr.outputs.registry }}/uesio
run: |
REGISTRY_SHA_TAG=${REGISTRY_IMAGE_TAG_BASE}:${IMAGE_SHA_TAG}
REGISTRY_VERSION_TAG=${REGISTRY_IMAGE_TAG_BASE}:${IMAGE_VERSION_TAG}
echo "REGISTRY_VERSION_TAG=${REGISTRY_VERSION_TAG}" >> "$GITHUB_OUTPUT"
docker load --input ${{ runner.temp }}/uesio-image.tar
docker tag $IMAGE_VERSION_TAG $REGISTRY_SHA_TAG
docker tag $IMAGE_VERSION_TAG $REGISTRY_VERSION_TAG
docker image push --all-tags $REGISTRY_IMAGE_TAG_BASE
- name: Update docker container image tag for dev
env:
REGISTRY_VERSION_TAG: ${{ steps.pushImageToECR.outputs.registry_version_tag }}
APP_TASK_DEF_PATH: ./aws/dev/ecs/task_definitions/uesio_web.json
WORKER_TASK_DEF_PATH: ./aws/dev/ecs/task_definitions/uesio_worker.json
run: |
echo "Docker image SHA updated to $REGISTRY_VERSION_TAG"
jq --arg img "$REGISTRY_VERSION_TAG" '.containerDefinitions[0].image = $img' $APP_TASK_DEF_PATH > tmp1.json
jq --arg img "$REGISTRY_VERSION_TAG" '.containerDefinitions[0].image = $img' $WORKER_TASK_DEF_PATH > tmp2.json
mv tmp1.json $APP_TASK_DEF_PATH
mv tmp2.json $WORKER_TASK_DEF_PATH
git config user.name github-actions
git config user.email [email protected]
git add $APP_TASK_DEF_PATH $WORKER_TASK_DEF_PATH
git commit -m "ci: Auto-update dev image to $REGISTRY_VERSION_TAG"
git push