fix up the nonprod warning banner (#1397) #4216
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Docs: https://docs.github.com/en/actions | |
name: CI/CD | |
on: | |
push: | |
branches: ["master"] | |
pull_request: | |
branches: ["master"] | |
jobs: | |
lint: | |
name: Linters | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/harden-runner@v2.10.1 | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
pypi.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.13" | |
- name: Install uv | |
uses: astral-sh/setup-uv@v3 | |
- name: Set up Tox environment | |
run: | | |
uv tool install tox --with tox-uv | |
tox run -e lint --notest | |
- name: Run Linters | |
run: tox run -e lint | |
env: | |
# no-commit-to-branch always fails in CI, because this pre-commit | |
# is only designed for running locally (i.e. when committing to a | |
# local master branch) | |
SKIP: no-commit-to-branch | |
mypy: | |
name: Mypy (static type checker) | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/harden-runner@v2.10.1 | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
pypi.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.13" | |
- name: Install uv | |
uses: astral-sh/setup-uv@v3 | |
- name: Set up Tox environment | |
run: | | |
uv tool install tox --with tox-uv | |
tox run -e lint --notest | |
- name: Run Mypy | |
run: tox run -e mypy | |
packaging: | |
name: Packaging | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/harden-runner@v2.10.1 | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
pypi.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.13" | |
- name: Install uv | |
uses: astral-sh/setup-uv@v3 | |
- name: Set up Tox environment | |
run: | | |
uv tool install tox --with tox-uv | |
tox run -e lint --notest | |
- name: Check packaging | |
run: tox run -e packaging | |
unit: | |
name: "Py:${{ matrix.python-version }} - ${{ matrix.os }}" | |
# Available versions: | |
# https://github.com/actions/python-versions/blob/main/versions-manifest.json | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 30 | |
continue-on-error: ${{ matrix.optional }} | |
strategy: | |
matrix: | |
os: ["ubuntu-latest"] | |
python-version: ["3.13"] # Versions to test with coverage | |
tox-prefix: ["coverage"] | |
optional: [false] | |
include: | |
# Test next Python version but allow it to fail | |
- os: "ubuntu-latest" | |
python-version: "3.14.0-alpha.1" | |
optional: true | |
tox-prefix: "test" | |
services: | |
mysql: | |
image: mariadb:10.5.17 | |
env: | |
MYSQL_ROOT_HOST: "%" | |
MYSQL_ROOT_PASSWORD: ims | |
MYSQL_USER: ims | |
MYSQL_PASSWORD: ims | |
ports: | |
- 3306 | |
options: >- | |
--health-cmd="mysqladmin ping" | |
--health-interval=10s | |
--health-timeout=5s | |
--health-retries=5 | |
steps: | |
- name: Harden CI | |
uses: step-security/harden-runner@v2.10.1 | |
with: | |
disable-sudo: true | |
disable-file-monitoring: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.codecov.io:443 | |
api.github.com:443 | |
cli.codecov.io:443 | |
codecov.io:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
pypi.org:443 | |
storage.googleapis.com:443 | |
uploader.codecov.io:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 2 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python-version }} | |
- name: Translate Python version to Tox environment | |
shell: python | |
run: | | |
from os import environ | |
from pathlib import Path | |
py = "${{ matrix.python-version }}" | |
py = "".join(py.split(".")[:2]) # Combine major/minor, toss rest | |
py = py.replace("pypy-", "py") # For Pypy: have a litte less py | |
env = f"${{ matrix.tox-prefix }}-py{py}" | |
print(f"TOX_ENV={env}") | |
p = Path(environ["GITHUB_ENV"]) | |
f = p.open(mode="a") | |
f.write(f"TOX_ENV={env}\n") | |
- name: Install uv | |
uses: astral-sh/setup-uv@v3 | |
- name: Set up Tox environment | |
run: | | |
uv tool install tox --with tox-uv | |
tox run -e lint --notest | |
- name: Run unit tests | |
id: test | |
run: | | |
status=0 | |
tox run -e "${TOX_ENV}" || status=$? | |
if [ ${status} -ne 0 ] && [ "${{ matrix.optional }}" == "true" ]; then | |
echo "::warning::Optional matrix job failed." | |
echo "optional_fail=true" >> "${GITHUB_OUTPUT}" | |
echo "optional_fail_status=${status}" >> "${GITHUB_OUTPUT}" | |
exit 0 # Ignore error here to keep the green checkmark going | |
fi; | |
exit ${status} | |
env: | |
IMS_TEST_MYSQL_HOST: localhost | |
IMS_TEST_MYSQL_PORT: ${{ job.services.mysql.ports['3306'] }} | |
IMS_TEST_MYSQL_ROOT_PASSWORD: ims | |
IMS_TEST_MYSQL_USERNAME: ims | |
IMS_TEST_MYSQL_PASSWORD: ims | |
- name: Upload Trial log artifact | |
if: ${{ failure() || steps.test.outputs.optional_fail == 'true' }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: trial | |
path: .tox/${TOX_ENV}/log/trial.log | |
- name: Add comment if optional job failed; delete otherwise | |
# this step fails on post-merge runs on master, since there's no | |
# PR to comment against. | |
if: ${{ matrix.optional && github.ref != 'refs/heads/master' }} | |
uses: thollander/actions-comment-pull-request@v3 | |
with: | |
# Note: tag must be unique to each matrix case | |
comment-tag: "${{ matrix.python-version }}-${{ matrix.os }}-optional-notice" | |
message: | | |
### ⚠️ Optional matrix job Py:${{ matrix.python-version }} - ${{ matrix.os }} failed ⚠️ | |
- tox prefix: ${{ matrix.tox-prefix }} | |
- exit status: ${{ steps.test.outputs.optional_fail_status }} | |
mode: ${{ steps.test.outputs.optional_fail == 'true' && 'upsert' || 'delete' }} | |
# Use the latest supported Python version for combining coverage to | |
# prevent parsing errors in older versions when looking at modern code. | |
- uses: "actions/setup-python@v5" | |
if: ${{ matrix.tox-prefix == 'coverage' }} | |
with: | |
python-version: 3.13 | |
- name: "Upload coverage to Codecov" | |
uses: "codecov/codecov-action@v4" | |
if: ${{ matrix.tox-prefix == 'coverage' }} | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
files: .tox/coverage.xml | |
env_vars: GITHUB_REF,GITHUB_COMMIT,GITHUB_USER,GITHUB_WORKFLOW | |
fail_ci_if_error: true | |
env: | |
GITHUB_REF: ${{ github.ref }} | |
GITHUB_COMMIT: ${{ github.sha }} | |
GITHUB_USER: ${{ github.actor }} | |
GITHUB_WORKFLOW: ${{ github.workflow }} | |
docker-build: | |
name: Build Docker image | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Harden CI | |
uses: step-security/harden-runner@v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
auth.docker.io:443 | |
dl-cdn.alpinelinux.org:443 | |
files.pythonhosted.org:443 | |
github.com:443 | |
production.cloudflare.docker.com:443 | |
pypi.org:443 | |
registry-1.docker.io:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Build Docker image | |
run: ./bin/build | |
- name: Save Docker image | |
run: docker image save ranger-ims-server:dev | gzip -9 > docker_image.tgz | |
- name: Upload Docker image artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: docker | |
path: docker_image.tgz | |
docker-test: | |
name: Test Docker image | |
needs: [docker-build] | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Harden CI | |
uses: step-security/harden-runner@v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
auth.docker.io:443 | |
github.com:443 | |
production.cloudflare.docker.com:443 | |
registry-1.docker.io:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Download Docker image artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: docker | |
- name: Load Docker image | |
run: gzip --uncompress --stdout docker_image.tgz | docker image load | |
- name: Test Docker image | |
run: ./bin/test_docker | |
# Can't figure out how to keep a failed docker-trivy job from marking a build | |
# as failed in the UI and it's driving me nuts so never mind this. | |
# docker-trivy: | |
# name: Trivy (security scan) | |
# needs: [docker-build] | |
# runs-on: ubuntu-latest | |
# timeout-minutes: 10 | |
# continue-on-error: true | |
# steps: | |
# - uses: step-security/harden-runner@v2.10.1 | |
# with: | |
# egress-policy: audit | |
# - name: Checkout source code | |
# uses: actions/checkout@v4 | |
# - name: Download Docker image artifacts | |
# uses: actions/download-artifact@v4 | |
# with: | |
# name: docker | |
# - name: Load Docker image | |
# run: gzip --uncompress --stdout docker_image.tgz | docker image load | |
# - name: Run Trivy | |
# run: docker run -v /var/run/docker.sock:/var/run/docker.sock --rm aquasec/trivy image --exit-code 1 --no-progress ranger-ims-server:dev | |
deploy-staging: | |
name: Deploy image built from master branch to the staging environment | |
needs: [docker-test, lint, mypy, packaging, unit] | |
if: ${{ github.ref == 'refs/heads/master' }} | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Harden CI | |
uses: step-security/harden-runner@v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
655216687927.dkr.ecr.us-west-2.amazonaws.com:443 | |
api.ecr.us-west-2.amazonaws.com:443 | |
ecs.us-west-2.amazonaws.com:443 | |
email-smtp.us-west-2.amazonaws.com:465 | |
files.pythonhosted.org:443 | |
github.com:443 | |
pypi.org:443 | |
raw.githubusercontent.com:443 | |
api.github.com:443 | |
objects.githubusercontent.com:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Download Docker image artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: docker | |
- name: Load Docker image | |
run: gzip --uncompress --stdout docker_image.tgz | docker image load | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: "3.12" | |
- name: Deploy to staging | |
run: ./bin/deploy staging | |
env: | |
# https://github.com/burningmantech/ranger-ims-server/settings/secrets | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} | |
AWS_ECR_IMAGE_NAME: ${{ secrets.AWS_ECR_IMAGE_NAME }} | |
AWS_ECS_CLUSTER_STAGING: rangers | |
AWS_ECS_SERVICE_STAGING: ${{ secrets.AWS_ECS_SERVICE_STAGING }} | |
NOTIFY_SMTP_HOST: ${{ secrets.NOTIFY_SMTP_HOST }} | |
NOTIFY_SMTP_USER: ${{ secrets.NOTIFY_SMTP_USER }} | |
NOTIFY_SMTP_PASSWORD: ${{ secrets.NOTIFY_SMTP_PASSWORD }} | |
NOTIFY_EMAIL_RECIPIENT: ${{ secrets.NOTIFY_EMAIL_RECIPIENT }} | |
NOTIFY_EMAIL_SENDER: ${{ secrets.NOTIFY_EMAIL_SENDER }} | |
CI: true | |
PROJECT_NAME: Ranger IMS Server | |
REPOSITORY_ID: ${{ github.repository }} | |
BUILD_NUMBER: 0 | |
BUILD_URL: https://github.com/burningmantech/ranger-ims-server/commit/${{ github.sha }}/checks | |
COMMIT_ID: ${{ github.event.head_commit.id }} | |
COMMIT_URL: ${{ github.event.head_commit.url }} | |
COMMIT_AUTHOR_USER: ${{ github.event.head_commit.author.username }} | |
COMMIT_AUTHOR_NAME: ${{ github.event.head_commit.author.name }} | |
COMMIT_AUTHOR_EMAIL: ${{ github.event.head_commit.author.email }} | |
COMMIT_MESSAGE: ${{ github.event.head_commit.message }} |