Merge pull request #4277 from opensafely-core/iaindillingham/decouple… #8621
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI | |
env: | |
IMAGE_NAME: job-server | |
PUBLIC_IMAGE_NAME: ghcr.io/opensafely-core/job-server | |
REGISTRY: ghcr.io | |
SSH_AUTH_SOCK: /tmp/agent.sock | |
on: | |
merge_group: | |
pull_request: | |
push: | |
branches: [main] | |
jobs: | |
check: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: "opensafely-core/setup-action@v1" | |
with: | |
python-version: "3.12" | |
install-just: true | |
- name: Check formatting, linting and import sorting | |
run: just check | |
test: | |
runs-on: ubuntu-22.04 | |
services: | |
postgres: | |
image: postgres:13 | |
env: | |
POSTGRES_USER: user | |
POSTGRES_PASSWORD: password | |
POSTGRES_DB: jobserver | |
ports: | |
- 5432:5432 | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: "opensafely-core/setup-action@v1" | |
with: | |
python-version: "3.12" | |
install-just: true | |
- name: Install Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: ".node-version" | |
cache: "npm" | |
cache-dependency-path: package-lock.json | |
- name: Install node_modules | |
run: just assets-install --ignore-scripts | |
- name: Lint assets | |
run: npm run lint | |
- name: Run JS tests | |
run: just assets-test | |
- name: Build assets | |
run: just assets-build | |
- name: Install venv | |
run: just devenv | |
- name: Run tests | |
env: | |
DATABASE_URL: postgres://user:password@localhost/jobserver | |
GITHUB_TOKEN: empty | |
GITHUB_TOKEN_TESTING: ${{ secrets.OPENSAFELY_GITHUB_TESTING_ORG_PAT }} | |
SECRET_KEY: 12345 | |
SOCIAL_AUTH_GITHUB_KEY: test | |
SOCIAL_AUTH_GITHUB_SECRET: test | |
run: | | |
just check-migrations | |
# hardcode n because auto=2 in CI for some reason | |
just test --migrations -n 4 | |
- name: Upload HTML coverage report if tests failed | |
uses: actions/upload-artifact@v4 | |
with: | |
name: python-coverage-report | |
path: htmlcov | |
# don't fail the job because no files were found, we expect this when | |
# * the tests passed with 100% coverage | |
# * a test failed and coverage didn't run | |
if-no-files-found: ignore | |
if: ${{ failure() }} # only upload when the previous step, run tests, fails | |
lint-dockerfile: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 | |
with: | |
dockerfile: docker/Dockerfile | |
docker-test: | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: "opensafely-core/setup-action@v1" | |
with: | |
install-just: true | |
- name: Build docker image for both prod and dev | |
run: | | |
just docker-build prod | |
just docker-build dev | |
- name: Run unit tests on docker dev image | |
env: | |
GITHUB_TOKEN_TESTING: ${{ secrets.OPENSAFELY_GITHUB_TESTING_ORG_PAT }} | |
GITHUB_WRITEABLE_TOKEN: | |
run: | | |
# build docker and run test | |
just docker-test -n 4 # hardcode n because auto does not dtrt in docker | |
- name: Run smoke test on prod | |
run: | | |
just docker-serve prod -d | |
sleep 5 | |
just docker-smoke-test || { docker logs job-server_prod_1; exit 1; } | |
- name: Save docker image | |
run: | | |
docker save job-server | gzip > /tmp/job-server.tar.gz | |
- name: Upload docker image | |
uses: actions/upload-artifact@v4 | |
with: | |
name: job-server-image | |
path: /tmp/job-server.tar.gz | |
deploy: | |
needs: [check, test, docker-test, lint-dockerfile] | |
runs-on: ubuntu-22.04 | |
permissions: | |
contents: read | |
packages: write | |
if: github.ref == 'refs/heads/main' | |
concurrency: deploy-production | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: "opensafely-core/setup-action@v1" | |
with: | |
install-just: true | |
- name: Download docker image | |
uses: actions/download-artifact@v4 | |
with: | |
name: job-server-image | |
path: /tmp/image | |
- name: Import docker image | |
run: gunzip -c /tmp/image/job-server.tar.gz | docker load | |
- name: Test image we imported from previous job works | |
run: | | |
SKIP_BUILD=1 just docker-serve prod -d | |
sleep 5 | |
just docker-smoke-test || { docker logs job-server_prod_1; exit 1; } | |
- name: Publish image | |
run: | | |
echo ${{ secrets.GITHUB_TOKEN }} | docker login $REGISTRY -u ${{ github.actor }} --password-stdin | |
docker tag $IMAGE_NAME $PUBLIC_IMAGE_NAME:latest | |
docker push $PUBLIC_IMAGE_NAME:latest | |
- name: Deploy image | |
run: | | |
ssh-agent -a $SSH_AUTH_SOCK > /dev/null | |
ssh-add - <<< "${{ secrets.DOKKU4_DEPLOY_SSH_KEY }}" | |
SHA=$(docker inspect --format='{{index .RepoDigests 0}}' $PUBLIC_IMAGE_NAME:latest) | |
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" [email protected] git:from-image job-server $SHA | |
- name: Create Honeycomb Marker | |
env: | |
GH_TOKEN: ${{ github.token }} | |
run: | | |
gh release download v0.2.10 -R honeycombio/honeymarker -p '*-linux-amd64*' -O honeymarker | |
chmod 755 ./honeymarker | |
# --dataset __all__ will ad an marker to *all* production datasets (this writekey is for production) | |
./honeymarker --writekey ${{ secrets.HC_MARKER_APIKEY }} --dataset __all__ add --type deploy --msg "job-server deploy $GITHUB_SHA" | |
- name: Create Sentry release | |
uses: getsentry/action-release@e769183448303de84c5a06aaaddf9da7be26d6c7 # v1.7.0 | |
env: | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_RELEASE_INTEGRATION_TOKEN }} | |
SENTRY_ORG: ebm-datalab | |
SENTRY_PROJECT: job-server | |
with: | |
environment: production |