Pin dependencies #1639
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| env: | |
| DOCKER_IMAGE: ghcr.io/nordeck/matrix-poll-widget | |
| outputs: | |
| docker-tag: ${{ steps.meta.outputs.version }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| # required for changesets | |
| fetch-depth: '0' | |
| # don't persist the credentials so the changesets action doesn't use the | |
| # github actions token but the git token provided via environment variable | |
| persist-credentials: false | |
| - name: Setup Node.js | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: 'lts/*' | |
| cache: 'yarn' | |
| - name: Install NPM packages | |
| run: yarn install --frozen-lockfile | |
| - name: prettier:check | |
| run: yarn prettier:check | |
| - name: depcheck | |
| run: yarn depcheck | |
| - name: Check Linting Rules | |
| run: yarn lint | |
| - name: type checking and declarations | |
| run: yarn tsc | |
| - name: check translations | |
| run: yarn translate --ci --dry-run | |
| - name: test | |
| run: yarn test:all | |
| - name: build | |
| run: yarn build | |
| - name: generate disclaimer | |
| run: yarn generate-disclaimer | |
| - name: Login to ghcr.io | |
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | |
| - name: Generate Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 | |
| env: | |
| DOCKER_METADATA_PR_HEAD_SHA: true | |
| with: | |
| images: ${{ env.DOCKER_IMAGE }} | |
| labels: | | |
| org.opencontainers.image.title=Matrix Poll Widget | |
| org.opencontainers.image.description=A poll widget for Matrix | |
| org.opencontainers.image.vendor=Nordeck IT + Consulting GmbH | |
| tags: | | |
| type=sha,prefix= | |
| - name: Build and push | |
| id: build_and_push | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 | |
| with: | |
| push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'pull_request' && secrets.GH_APP_OS_APP_ID != '' }} | |
| context: . | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| platforms: linux/amd64,linux/arm64,linux/s390x | |
| sbom: true | |
| provenance: true | |
| - name: Run Trivy to get an SBOM report of the container | |
| if: ${{ success() && steps.build_and_push.outputs.digest }} | |
| env: | |
| IMAGE_REF: ${{ env.DOCKER_IMAGE }}@${{ steps.build_and_push.outputs.digest }} | |
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 | |
| with: | |
| scan-type: 'image' | |
| scanners: 'license' | |
| format: 'spdx-json' | |
| output: 'sbom.spdx.json' | |
| image-ref: ${{ env.IMAGE_REF }} | |
| github-pat: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload SBOM report as a build artifact | |
| if: ${{ success() && steps.build_and_push.outputs.digest }} | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: sbom-spdx-report | |
| path: 'sbom.spdx.json' | |
| retention-days: 30 | |
| - name: Generate GitHub token | |
| if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
| id: generate_token | |
| uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # @v2.1.0 | |
| with: | |
| app_id: ${{ secrets.GH_APP_OS_APP_ID }} | |
| private_key: ${{ secrets.GH_APP_OS_PRIVATE_KEY }} | |
| - name: Create Release Pull Request or Publish Packages | |
| if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
| uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # @v1.5.3 | |
| with: | |
| publish: yarn changeset tag | |
| env: | |
| GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} | |
| helm-lint-test: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| fetch-depth: 0 # need main branch to diff against | |
| - name: Set up Helm | |
| uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4 | |
| - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 | |
| with: | |
| python-version: '3.12' | |
| check-latest: true | |
| - name: Set up chart-testing | |
| uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 | |
| - name: Check if Helm charts updated (run chart-testing list-changed) | |
| id: list-changed | |
| run: | | |
| changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) | |
| if [[ -n "$changed" ]]; then | |
| echo "changed=true" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Run chart-testing (lint) | |
| if: steps.list-changed.outputs.changed == 'true' | |
| # --validate-maintainers is disabled because it tries to resolve the name as GitHub user | |
| run: ct lint --validate-maintainers=false --target-branch ${{ github.event.repository.default_branch }} | |
| - name: Create kind cluster | |
| if: steps.list-changed.outputs.changed == 'true' | |
| uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0 | |
| - name: Prepare k8s cluster | |
| if: steps.list-changed.outputs.changed == 'true' | |
| run: | | |
| kubectl create namespace matrix-poll | |
| - name: Run chart-testing (install) | |
| if: steps.list-changed.outputs.changed == 'true' | |
| run: | | |
| ct install --config=".github/k8s_config.yaml" --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args="--set=image.tag=${{ needs.build.outputs.docker-tag }}" | |
| deploy: | |
| if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
| name: Deploy to Dev | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| needs: build | |
| steps: | |
| - name: Generate GitHub token | |
| if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
| id: generate_token | |
| uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # @v2.1.0 | |
| with: | |
| app_id: ${{ secrets.GH_APP_OS_APP_ID }} | |
| private_key: ${{ secrets.GH_APP_OS_PRIVATE_KEY }} | |
| - name: Trigger Workflow | |
| uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 | |
| with: | |
| github-token: ${{ steps.generate_token.outputs.token }} | |
| script: | | |
| github.rest.actions.createWorkflowDispatch({ | |
| owner: 'nordeck', | |
| repo: '${{ secrets.GITOPS_DEPLOY_REPOSITORY }}', | |
| workflow_id: 'deployment.yml', | |
| ref: 'main', | |
| inputs: { | |
| environment: '${{ secrets.GITOPS_DEPLOY_ENVIRONMENT}}', | |
| application: 'matrix-poll', | |
| tag: '${{ github.sha }}' | |
| } | |
| }) | |
| # TODO: E2E Tests? |