Relaxed CSP headers #2493
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test and deploy | |
on: [ push, pull_request ] | |
env: | |
# Version required to run itwêwina: | |
ACTIONS_PYTHON_VERSION: '3.10' | |
# Version required to run npm build: | |
ACTIONS_NODE_VERSION: 22 | |
jobs: | |
# Originally, it skipped deploy if [skip deploy] is present in the commit message. | |
# There is currently a github-provided implementation of this behaviour and the | |
# original repo is unmaintained. Thus the new behaviour is that actions won't trigger | |
# when using [skip ci]. See | |
# https://github.blog/changelog/2021-02-08-github-actions-skip-pull-request-and-push-workflows-with-skip-ci/ | |
should-deploy: | |
runs-on: ubuntu-22.04 | |
outputs: | |
should-run: ${{github.repository_owner == 'UAlbertaALTLab' && github.ref == 'refs/heads/main' }} | |
steps: | |
- run: true | |
should-update-dev: | |
runs-on: ubuntu-22.04 | |
outputs: | |
should-run: ${{ github.repository_owner == 'UAlbertaALTLab' && github.ref == 'refs/heads/dev' }} | |
steps: | |
- run: true | |
# Run Pytest unit tests | |
unit-test: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: 🐍 Set up Python ${{ env.ACTIONS_PYTHON_VERSION }} | |
uses: actions/setup-python@v5 | |
# actions/cache below uses this id to get the exact python version | |
id: setup-python | |
with: | |
python-version: ${{ env.ACTIONS_PYTHON_VERSION }} | |
- name: 🖥 Install system dependencies | |
run: sudo apt-get install -y libfoma0 | |
- name: ☤ Install pipenv | |
run: python3 -m pip install pipenv==2021.11.9 | |
# This started out life as a copy-paste from | |
# https://github.com/actions/cache/blob/main/examples.md#python---pipenv | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.local/share/virtualenvs | |
key: ${{ runner.os }}-python-${{ steps.setup-python.outputs.python-version }}-pipenv-${{ hashFiles('Pipfile.lock') }} | |
- name: 📥 Install dependencies | |
run: | | |
pipenv install --dev | |
# Install pytest plugin to show failed tests on the web | |
pipenv run pip install pytest-github-actions-annotate-failures | |
- name: Do LFS checkout | |
# actions/checkout@v2 has a `with: lfs: true` option, but it only | |
# knows how to talk to GitHub’s LFS server. | |
# | |
# These actions are automatic if you have run `git lfs install` | |
# even once on your dev machine. | |
run: git lfs install --local && git lfs fetch && git lfs checkout | |
- name: 🧶 Run linters/static-analysis | |
run: | | |
pipenv run mypy src | |
- name: 🩺 Run unit tests | |
env: | |
DEBUG: "True" | |
run: pipenv run test -v --cov=src --cov-report=xml | |
- name: Check working directory clean | |
run: ./libexec/check-git-status | |
- name: Check that generated files are up-to-date | |
# A few auto-generated files are checked in for convenience; ensure | |
# that they are up-to-date. | |
if: github.ref != 'refs/heads/dev' | |
run: "pipenv run docker/helper.py make-yaml | |
&& if ! ./libexec/check-git-status ; then | |
echo Error: running make-yaml resulted in changed files. When | |
changing template files, please ensure that updated generated | |
files get checked in too. 1>&2 ; | |
exit 1 ; | |
fi" | |
- name: 📤 Upload Codecov coverage report | |
uses: codecov/codecov-action@v4 | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
# Runs Cypress acceptance tests | |
integration-test: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- name: 🐍 Set up Python ${{ env.ACTIONS_PYTHON_VERSION }} | |
uses: actions/setup-python@v5 | |
id: setup-python | |
with: | |
python-version: ${{ env.ACTIONS_PYTHON_VERSION }} | |
- name: Setup Node ${{ env.ACTIONS_NODE_VERSION }} | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ env.ACTIONS_NODE_VERSION }} | |
cache: npm | |
- name: 🖥 Install system dependencies | |
run: sudo apt-get install -y libfoma0 libgtk2.0-0 libgtk-3-0 libgbm-dev libnotify-dev libgconf-2-4 libnss3 libxss1 libasound2 libxtst6 xauth xvfb | |
- name: ☤ Install pipenv | |
run: python3 -m pip install pipenv==2021.11.9 | |
# This started out life as a copy-paste from | |
# https://github.com/actions/cache/blob/main/examples.md#python---pipenv | |
- uses: actions/cache@v4 | |
with: | |
path: ~/.local/share/virtualenvs | |
key: ${{ runner.os }}-python-${{ steps.setup-python.outputs.python-version }}-pipenv-${{ hashFiles('Pipfile.lock') }} | |
- name: 📥 Install Python dependencies | |
run: | | |
pipenv install --dev | |
- name: Do LFS checkout | |
# actions/checkout@v2 has a `with: lfs: true` option, but it only | |
# knows how to talk to GitHub’s LFS server. | |
# | |
# These actions are automatic if you have run `git lfs install` | |
# even once on your dev machine. | |
run: git lfs install --local && git lfs fetch && git lfs checkout | |
- name: 📥 Install Node dependencies | |
run: npm ci | |
- name: 🛑 Halt tests if Cypress tests are marked as '.only' | |
run: npm run stop-only | |
- name: 🏗 Build frontend | |
run: npm run build | |
- name: 🌲 Run Cypress tests | |
env: | |
DEBUG: "True" | |
# NOTE: only set on the upstream repo, i.e., UAlbertaALTLab/morphodict | |
CYPRESS_RECORD_KEY: "${{ secrets.CYPRESS_RECORD_KEY }}" | |
run: | | |
# Enables uploading test runs to Cypress Dashboard: | |
if [ -n "$CYPRESS_RECORD_KEY" ] ; then export CYPRESS_OPTS="--key $CYPRESS_RECORD_KEY" ; fi | |
pipenv run ./scripts/run-cypress --no-interactive | |
- name: Archive cypress videos | |
uses: actions/upload-artifact@v4 | |
with: | |
name: cypress-videos | |
path: | | |
cypress/videos | |
build-docker-image-dev: | |
runs-on: ubuntu-22.04 | |
# Only build the Docker Image when we're deploying! | |
needs: | |
- should-update-dev | |
if: needs.should-update-dev.outputs.should-run == 'true' | |
steps: | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GHCR_PERSONAL_ACCESS_TOKEN }} | |
- uses: actions/checkout@v4 | |
- name: Rename docker-compose for dev | |
run: mv docker/docker-compose-dev.yml docker/docker-compose.yml | |
- name: Change crkeng settings to dev | |
run: sed -i 's/itwewina.altlab.app/itwewina.altlab.dev/g' src/crkeng/site/settings.py | |
- name: Ensure banner appears on dev | |
run: sed -i 's/MORPHODICT_PREVIEW_WARNING = False/# MORPHODICT_PREVIEW_WARNING = False/' src/crkeng/site/settings.py | |
- name: Build and push Docker images | |
uses: docker/build-push-action@v6 | |
with: | |
# build-push-action with the default ‘git context’ ignores the | |
# .dockerignore file | |
# https://github.com/docker/build-push-action/issues/182 | |
context: . | |
file: docker/Dockerfile | |
push: true | |
# hopefully this will speed up builds and save disk space by | |
# sharing layers with the existing docker image, where possible | |
cache-from: | | |
type=registry,ref=ghcr.io/ualbertaaltlab/itwewina.altlab.app:dev | |
tags: | | |
ghcr.io/ualbertaaltlab/itwewina.altlab.app:${{ github.sha }} | |
update-docker-dev-tag: | |
runs-on: ubuntu-22.04 | |
needs: | |
- should-update-dev | |
# - unit-test | |
# - integration-test | |
- build-docker-image-dev | |
if: needs.should-update-dev.outputs.should-run == 'true' | |
steps: | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GHCR_PERSONAL_ACCESS_TOKEN }} | |
- uses: actions/checkout@v4 | |
- name: 🐍 Set up Python ${{ env.ACTIONS_PYTHON_VERSION }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.ACTIONS_PYTHON_VERSION }} | |
- name: Install requests | |
run: pip install requests | |
- name: Update tag | |
run: docker/copy-registry-tag ${{ github.sha }} dev | |
env: | |
GHCR_PERSONAL_ACCESS_TOKEN: ${{ secrets.GHCR_PERSONAL_ACCESS_TOKEN }} | |
build-docker-image: | |
runs-on: ubuntu-22.04 | |
# Only build the Docker Image when we're deploying! | |
needs: | |
- should-deploy | |
if: needs.should-deploy.outputs.should-run == 'true' | |
steps: | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GHCR_PERSONAL_ACCESS_TOKEN }} | |
- uses: actions/checkout@v4 | |
- name: Build and push Docker images | |
uses: docker/build-push-action@v6 | |
with: | |
# build-push-action with the default ‘git context’ ignores the | |
# .dockerignore file | |
# https://github.com/docker/build-push-action/issues/182 | |
context: . | |
file: docker/Dockerfile | |
push: true | |
# hopefully this will speed up builds and save disk space by | |
# sharing layers with the existing docker image, where possible | |
cache-from: | | |
type=registry,ref=ghcr.io/ualbertaaltlab/itwewina.altlab.app:latest | |
tags: | | |
ghcr.io/ualbertaaltlab/itwewina.altlab.app:${{ github.sha }} | |
trigger-deployment: | |
runs-on: ubuntu-22.04 | |
needs: | |
- should-deploy | |
- unit-test | |
- integration-test | |
- build-docker-image | |
if: needs.should-deploy.outputs.should-run == 'true' | |
steps: | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GHCR_PERSONAL_ACCESS_TOKEN }} | |
- uses: actions/checkout@v4 | |
- name: 🐍 Set up Python ${{ env.ACTIONS_PYTHON_VERSION }} | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ env.ACTIONS_PYTHON_VERSION }} | |
- name: Install requests | |
run: pip install requests | |
- name: Update tag | |
run: docker/copy-registry-tag ${{ github.sha }} latest | |
env: | |
GHCR_PERSONAL_ACCESS_TOKEN: ${{ secrets.GHCR_PERSONAL_ACCESS_TOKEN }} | |
- name: send HTTP request to deploy.altlab.dev webhook | |
# Be careful with spacing here. | |
# | |
# What https://yaml-multiline.info *doesn’t* warn you about: although | |
# `>-` means “replace newlines with spaces,” if you have an extra | |
# space on the next line, the newline gets preserved! | |
# | |
# So although | |
# | |
# foo: >- | |
# a | |
# a | |
# | |
# means `{ "foo": "a a" }`, | |
# | |
# foo: >- | |
# a | |
# a | |
# | |
# turns into `{ "foo": "a\n a" }` ! | |
# run: >- | |
# curl -X POST https://deploy.altlab.dev/itwewina --fail | |
# -d '{ "secret": "${{ secrets.DEPLOY_ALTLAB_DEV_ITWEWINA_KEY }}" }' | |
# -H 'Content-Type: application/json' | |
run: echo "This step has been temporarily disabled, call the deploy script." |