[#17] add jobs for checking for changes for OAS files #786

Workflow file for this run

	name: ci

	on:
	push:
	branches:
	- master
	tags:
	- '**'
	pull_request:
	workflow_dispatch:

	env:
	IMAGE_NAME: maykinmedia/objects-api

	jobs:
	tests:
	name: Run the Django test suite
	runs-on: ubuntu-latest

	services:
	postgres:
	image: postgis/postgis:12-2.5
	env:
	POSTGRES_HOST_AUTH_METHOD: trust
	ports:
	- 5432:5432
	# needed because the postgres container does not provide a healthcheck
	options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5

	steps:
	- uses: actions/checkout@v4
	- uses: actions/setup-python@v5
	with:
	python-version: '3.10'
	- uses: actions/setup-node@v4
	with:
	node-version: '18'

	- name: Install system packages
	run: \|
	sudo apt-get update \
	&& sudo apt-get install -y --no-install-recommends \
	libgdal-dev \
	gdal-bin

	- name: Install dependencies
	run: pip install -r requirements/ci.txt codecov
	- name: Build frontend
	run: \|
	npm ci
	npm run build

	- name: Run tests
	run: \|
	python src/manage.py collectstatic --noinput --link
	coverage run src/manage.py test src
	env:
	DJANGO_SETTINGS_MODULE: objects.conf.ci
	SECRET_KEY: dummy
	DB_USER: postgres
	DB_PASSWORD: ''

	- name: Publish coverage report
	uses: codecov/codecov-action@v3

	generate-oas-files:
	name: Generate and upload OAS files for all versions
	needs: tests
	runs-on: ubuntu-latest
	strategy:
	matrix:
	version: ['v1', 'v2']
	steps:
	- uses: actions/checkout@v4
	- uses: actions/setup-python@v5
	with:
	python-version: '3.10'
	- uses: actions/setup-node@v4
	with:
	node-version: '18'

	- name: Install system packages
	run: \|
	sudo apt-get update \
	&& sudo apt-get install -y --no-install-recommends \
	libgdal-dev \
	gdal-bin

	- name: Install dependencies
	run: pip install -r requirements/ci.txt codecov

	- name: Generate OAS files
	run: ./bin/generate_schema.sh ${{ matrix.version }} openapi-${{ matrix.version }}.yaml
	env:
	DJANGO_SETTINGS_MODULE: objects.conf.ci

	- name: Store generated OAS files
	uses: actions/upload-artifact@v4
	with:
	name: objects-api-${{ matrix.version }}-oas
	path: openapi-${{ matrix.version }}.yaml
	retention-days: 1

	oas-up-to-date:
	name: Check for unexepected OAS changes
	needs: generate-oas-files
	runs-on: ubuntu-latest
	strategy:
	matrix:
	version: ['v1', 'v2']
	steps:
	- uses: actions/checkout@v4
	- name: Download generated OAS
	uses: actions/download-artifact@v4
	with:
	name: objects-api-${{ matrix.version }}-oas
	- name: Check for OAS changes
	run: \|
	diff openapi-${{ matrix.version }}.yaml src/objects/api/${{ matrix.version }}/openapi.yaml
	- name: Write failure markdown
	if: ${{ failure() }}
	run: \|
	echo 'Run the following command locally and commit the changes' >> $GITHUB_STEP_SUMMARY
	echo '' >> $GITHUB_STEP_SUMMARY
	echo '```bash' >> $GITHUB_STEP_SUMMARY
	echo './bin/generate_schema.sh ${{ matrix.version }}' >> $GITHUB_STEP_SUMMARY
	echo '```' >> $GITHUB_STEP_SUMMARY

	docker:
	needs: tests

	name: Build (and push) Docker image
	runs-on: ubuntu-latest

	steps:
	- uses: actions/checkout@v4

	- name: Set tag
	id: vars
	run: \|
	# Strip git ref prefix from version
	VERSION=$(echo "${{ github.ref }}" \| sed -e 's,./$.$,\1,')

	# Strip "v" prefix from tag name (if present at all)
	[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION \| sed -e 's/^v//')

	# Use Docker `latest` tag convention
	[ "$VERSION" == "master" ] && VERSION=latest

	echo ::set-output name=tag::${VERSION}

	- name: Build the Docker image
	env:
	RELEASE_VERSION: ${{ steps.vars.outputs.tag }}
	run: docker build . --tag $IMAGE_NAME:$RELEASE_VERSION

	- run: docker image save -o image.tar $IMAGE_NAME:${{ steps.vars.outputs.tag }}

	- name: Store image artifact
	uses: actions/upload-artifact@v3
	with:
	name: docker-image
	path: image.tar
	retention-days: 1

	image_scan:
	runs-on: ubuntu-latest
	name: Scan docker image
	needs:
	- docker

	steps:
	- name: Download built image
	uses: actions/download-artifact@v3
	with:
	name: docker-image
	- name: Scan image with Trivy
	uses: aquasecurity/trivy-action@master
	with:
	input: /github/workspace/image.tar # from download-artifact
	format: 'sarif'
	output: 'trivy-results-docker.sarif'
	ignore-unfixed: true
	- name: Upload results to GH Security tab
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: 'trivy-results-docker.sarif'

	publish:
	needs:
	- tests
	- docker

	name: Push Docker image
	runs-on: ubuntu-latest
	if: github.event_name == 'push' # exclude PRs

	steps:
	- uses: actions/checkout@v4
	- name: Download built image
	uses: actions/download-artifact@v3
	with:
	name: docker-image

	- name: Determine tag
	id: vars
	run: \|
	# Strip git ref prefix from version
	VERSION=$(echo "${{ github.ref }}" \| sed -e 's,./$.$,\1,')

	# Strip "v" prefix from tag name (if present at all)
	[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION \| sed -e 's/^v//')

	# Use Docker `latest` tag convention
	[ "$VERSION" == "master" ] && VERSION=latest

	echo ::set-output name=tag::${VERSION}

	- name: Load image
	run: \|
	docker image load -i image.tar

	- name: Log into registry
	run: echo "${{ secrets.DOCKER_TOKEN }}" \| docker login -u ${{ secrets.DOCKER_USERNAME }} --password-stdin

	- name: Push the Docker image
	env:
	RELEASE_VERSION: ${{ steps.vars.outputs.tag }}
	run: docker push $IMAGE_NAME:$RELEASE_VERSION

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[#17] add jobs for checking for changes for OAS files #786

Workflow file

[#17] add jobs for checking for changes for OAS files #786

Jobs

Run details

Workflow file for this run