Update Deps and Improve CI #596
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Lint, Test & Build | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| branches: | |
| - main | |
| - feature/* | |
| push: | |
| branches: | |
| - main | |
| - feature/* | |
| concurrency: | |
| group: lint-test-build-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| should_run: | |
| name: Should run? | |
| runs-on: ubuntu-latest | |
| outputs: | |
| should-run: "${{ (github.event_name == 'workflow_dispatch' || steps.regex-match.outputs.match != 'ci: skip') && (github.event_name != 'pull_request' || !github.event.pull_request.draft || steps.regex-match.outputs.match == 'ci: force') }}" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get last commit message | |
| run: | | |
| git log -1 --no-merges --pretty=format:"%B" -n 1 HEAD | tee commit_message.txt | |
| COMMIT_MSG=$(cat commit_message.txt) | |
| echo "COMMIT_MSG<<EOF" >> $GITHUB_ENV | |
| echo "$COMMIT_MSG" >> $GITHUB_ENV | |
| echo "EOF" >> $GITHUB_ENV | |
| - uses: actions-ecosystem/action-regex-match@v2 | |
| id: regex-match | |
| with: | |
| text: ${{ env.COMMIT_MSG }} | |
| regex: '\bci: (force|skip)\b' | |
| approve: | |
| name: Approve the run | |
| runs-on: ubuntu-latest | |
| needs: [should_run] | |
| if: ${{ needs.should_run.outputs.should-run == 'true' }} | |
| environment: ${{ (github.ref != 'refs/heads/main' && github.ref != 'refs/heads/feature/*' && github.event_name != 'workflow_dispatch') && 'lint-test-build' || '' }} | |
| steps: | |
| - name: Dummy step | |
| run: echo "Approving the run" | |
| lint: | |
| name: Run Lint | |
| runs-on: ubuntu-latest | |
| container: ghcr.io/scuffletv/build:latest | |
| needs: [approve] | |
| services: | |
| cockroach: | |
| image: ghcr.io/scuffletv/cockroach:latest | |
| ports: | |
| - 26257:26257 | |
| env: | |
| DATABASE_URL: postgres://root@cockroach:26257/scuffle | |
| CARGO_INCREMENTAL: 1 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: pnpm/action-setup@v2 | |
| with: | |
| version: latest | |
| - name: Install Node | |
| uses: actions/setup-node@v3 | |
| with: | |
| cache: "pnpm" | |
| node-version: 18 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| - name: Install dependencies | |
| run: mask bootstrap --no-db --no-docker --no-env --no-rust | |
| - name: Run migrations | |
| run: mask db migrate | |
| - name: Run JS, Terraform & Proto Lint | |
| run: mask lint --no-rust | |
| - name: Restore cached lint build | |
| uses: tespkg/actions-cache@v1 | |
| with: | |
| accessKey: ${{ secrets.CI_CACHE_ACCESS_KEY_ID }} | |
| secretKey: ${{ secrets.CI_CACHE_SECRET_ACCESS_KEY }} | |
| bucket: ${{ secrets.CI_CACHE_BUCKET_NAME }} | |
| endpoint: ${{ secrets.CI_CACHE_ENDPOINT }} | |
| path: | | |
| target/ | |
| key: lint-rust-${{ hashFiles('Cargo.lock') }} | |
| restore-keys: lint-rust- | |
| - name: Cargo Sweep Start | |
| run: cargo sweep -s | |
| - name: Run Rust Lint | |
| run: mask lint --no-js --no-terraform --no-proto | |
| - name: Cargo Sweep Finish | |
| run: cargo sweep -f | |
| test: | |
| name: Run Tests | |
| runs-on: ubuntu-latest | |
| container: ghcr.io/scuffletv/build:latest | |
| needs: [approve] | |
| services: | |
| cockroach: | |
| image: ghcr.io/scuffletv/cockroach:latest | |
| ports: | |
| - 26257:26257 | |
| rmq: | |
| image: bitnami/rabbitmq:latest | |
| ports: | |
| - 5672:5672 | |
| env: | |
| RABBITMQ_USERNAME: rabbitmq | |
| RABBITMQ_PASSWORD: rabbitmq | |
| RABBITMQ_VHOSTS: scuffle | |
| redis: | |
| image: redis:latest | |
| ports: | |
| - 6379:6379 | |
| env: | |
| DATABASE_URL: postgres://root@cockroach:26257/scuffle | |
| RMQ_URL: amqp://rabbitmq:rabbitmq@rmq:5672/scuffle | |
| REDIS_URL: redis://redis:6379 | |
| CARGO_INCREMENTAL: 1 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: pnpm/action-setup@v2 | |
| with: | |
| version: latest | |
| - name: Install Node | |
| uses: actions/setup-node@v3 | |
| with: | |
| cache: "pnpm" | |
| node-version: 18 | |
| - name: Install dependencies | |
| run: mask bootstrap --no-db --no-docker --no-env --no-rust | |
| - name: Run migrations | |
| run: mask db migrate | |
| - name: Restore cached test build | |
| id: cache-test | |
| uses: tespkg/actions-cache@v1 | |
| with: | |
| accessKey: ${{ secrets.CI_CACHE_ACCESS_KEY_ID }} | |
| secretKey: ${{ secrets.CI_CACHE_SECRET_ACCESS_KEY }} | |
| bucket: ${{ secrets.CI_CACHE_BUCKET_NAME }} | |
| endpoint: ${{ secrets.CI_CACHE_ENDPOINT }} | |
| path: | | |
| target/ | |
| key: test-rust-${{ hashFiles('Cargo.lock') }} | |
| restore-keys: test-rust- | |
| - name: Cargo Sweep Start | |
| run: cargo sweep -s | |
| - name: Run Test Rust | |
| run: mask test --no-js --ci | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| files: lcov.info | |
| fail_ci_if_error: true | |
| - name: Cargo Sweep Finish | |
| run: cargo sweep -f | |
| - name: Install Playwright Dependencies | |
| run: pnpm --filter website exec playwright install-deps | |
| - name: Run Test JavaScript | |
| run: mask test --no-rust | |
| build: | |
| name: Run Build | |
| runs-on: ubuntu-latest | |
| container: ghcr.io/scuffletv/build:latest | |
| needs: [lint, test] | |
| env: | |
| CARGO_INCREMENTAL: 1 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - uses: pnpm/action-setup@v2 | |
| with: | |
| version: latest | |
| - name: Setup Node | |
| uses: actions/setup-node@v3 | |
| with: | |
| cache: "pnpm" | |
| node-version: 18 | |
| - name: Install dependencies | |
| run: mask bootstrap --no-db --no-docker --no-env --no-js-tests --no-rust | |
| - name: Restore cached build | |
| uses: tespkg/actions-cache@v1 | |
| with: | |
| accessKey: ${{ secrets.CI_CACHE_ACCESS_KEY_ID }} | |
| secretKey: ${{ secrets.CI_CACHE_SECRET_ACCESS_KEY }} | |
| bucket: ${{ secrets.CI_CACHE_BUCKET_NAME }} | |
| endpoint: ${{ secrets.CI_CACHE_ENDPOINT }} | |
| path: | | |
| target/ | |
| key: build-rust-${{ hashFiles('Cargo.lock') }} | |
| restore-keys: build-rust- | |
| - name: Cargo Sweep Start | |
| run: cargo sweep -s | |
| - name: Run Build Rust | |
| run: mask build rust | |
| - name: Cargo Sweep Finish | |
| run: cargo sweep -f | |
| - name: Run Build Website | |
| run: mask build website | |
| - name: Upload build artifacts | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: build | |
| path: | | |
| target/x86_64-unknown-linux-gnu/release/api | |
| target/x86_64-unknown-linux-gnu/release/edge | |
| target/x86_64-unknown-linux-gnu/release/ingest | |
| target/x86_64-unknown-linux-gnu/release/edge | |
| target/x86_64-unknown-linux-gnu/release/transcoder | |
| frontend/website/build | |
| frontend/player/dist | |
| frontend/player/pkg | |
| frontend/player/demo-dist | |
| docker: | |
| name: Build docker images | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: build | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Login to GitHub Container Registry | |
| uses: docker/[email protected] | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build API image | |
| id: docker_build_api | |
| uses: docker/[email protected] | |
| with: | |
| context: . | |
| file: ./docker/api.Dockerfile | |
| load: true | |
| tags: ghcr.io/scuffletv/api:${{ github.sha }} | |
| - name: Build Edge image | |
| id: docker_build_edge | |
| uses: docker/[email protected] | |
| with: | |
| context: . | |
| file: ./docker/edge.Dockerfile | |
| load: true | |
| tags: ghcr.io/scuffletv/edge:${{ github.sha }} | |
| - name: Build Ingest image | |
| id: docker_build_ingest | |
| uses: docker/[email protected] | |
| with: | |
| context: . | |
| file: ./docker/ingest.Dockerfile | |
| load: true | |
| tags: ghcr.io/scuffletv/ingest:${{ github.sha }} | |
| - name: Build Transcoder image | |
| id: docker_build_transcoder | |
| uses: docker/[email protected] | |
| with: | |
| context: . | |
| file: ./docker/transcoder.Dockerfile | |
| load: true | |
| tags: ghcr.io/scuffletv/transcoder:${{ github.sha }} | |
| - name: Build Website image | |
| id: docker_build_website | |
| uses: docker/[email protected] | |
| with: | |
| context: . | |
| file: ./docker/website.Dockerfile | |
| load: true | |
| tags: ghcr.io/scuffletv/website:${{ github.sha }} | |
| - name: Scan API image | |
| uses: aquasecurity/trivy-action@master | |
| if: ${{ always() && steps.docker_build_api.outcome == 'success' }} | |
| with: | |
| image-ref: ghcr.io/scuffletv/api:${{ github.sha }} | |
| format: "table" | |
| exit-code: "1" | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Scan Edge image | |
| uses: aquasecurity/trivy-action@master | |
| if: ${{ always() && steps.docker_build_edge.outcome == 'success' }} | |
| with: | |
| image-ref: ghcr.io/scuffletv/edge:${{ github.sha }} | |
| format: "table" | |
| exit-code: "1" | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Scan Ingest image | |
| uses: aquasecurity/trivy-action@master | |
| if: ${{ always() && steps.docker_build_ingest.outcome == 'success' }} | |
| with: | |
| image-ref: ghcr.io/scuffletv/ingest:${{ github.sha }} | |
| format: "table" | |
| exit-code: "1" | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Scan Transcoder image | |
| uses: aquasecurity/trivy-action@master | |
| if: ${{ always() && steps.docker_build_transcoder.outcome == 'success' }} | |
| with: | |
| image-ref: ghcr.io/scuffletv/transcoder:${{ github.sha }} | |
| format: "table" | |
| exit-code: "1" | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Scan Website image | |
| uses: aquasecurity/trivy-action@master | |
| if: ${{ always() && steps.docker_build_website.outcome == 'success' }} | |
| with: | |
| image-ref: ghcr.io/scuffletv/website:${{ github.sha }} | |
| format: "table" | |
| exit-code: "1" | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| - name: Tag images and push | |
| if: ${{ (github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/feature/'))) || github.event_name == 'workflow_dispatch' }} | |
| # If the push is to the main branch, tag the image as latest | |
| # If the workflow is triggered by a workflow_dispatch event, tag the image as workflow_dispatch | |
| # Otherwise, tag the image with the branch name, in the format of feature-branch-name | |
| env: | |
| TAG: ${{ github.ref == 'refs/heads/main' && 'latest' || github.event_name == 'workflow_dispatch' && 'workflow_dispatch' || github.ref_name }} | |
| run: | | |
| # We need to replace the / in the branch name with a - so that it can be used as a tag | |
| TAG="${TAG//\//-}" | |
| docker tag ghcr.io/scuffletv/api:${{ github.sha }} ghcr.io/scuffletv/api:$TAG | |
| docker tag ghcr.io/scuffletv/edge:${{ github.sha }} ghcr.io/scuffletv/edge:$TAG | |
| docker tag ghcr.io/scuffletv/ingest:${{ github.sha }} ghcr.io/scuffletv/ingest:$TAG | |
| docker tag ghcr.io/scuffletv/transcoder:${{ github.sha }} ghcr.io/scuffletv/transcoder:$TAG | |
| docker tag ghcr.io/scuffletv/website:${{ github.sha }} ghcr.io/scuffletv/website:$TAG | |
| docker push ghcr.io/scuffletv/api:${{ github.sha }} | |
| docker push ghcr.io/scuffletv/api:$TAG | |
| docker push ghcr.io/scuffletv/edge:${{ github.sha }} | |
| docker push ghcr.io/scuffletv/edge:$TAG | |
| docker push ghcr.io/scuffletv/ingest:${{ github.sha }} | |
| docker push ghcr.io/scuffletv/ingest:$TAG | |
| docker push ghcr.io/scuffletv/transcoder:${{ github.sha }} | |
| docker push ghcr.io/scuffletv/transcoder:$TAG | |
| docker push ghcr.io/scuffletv/website:${{ github.sha }} | |
| docker push ghcr.io/scuffletv/website:$TAG | |
| deploy: | |
| name: Deploy to Production | |
| runs-on: ubuntu-latest | |
| needs: [docker] | |
| environment: prod | |
| if: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'workflow_dispatch' }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| with: | |
| cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} | |
| - name: Run Terraform Apply | |
| run: | | |
| terraform -chdir=terraform init | |
| terraform -chdir=terraform workspace select prod | |
| cat > terraform/terraform.tfvars <<EOT | |
| api_docker_image = "ghcr.io/scuffletv/api:${{ github.sha }}" | |
| edge_docker_image = "ghcr.io/scuffletv/edge:${{ github.sha }}" | |
| ingest_docker_image = "ghcr.io/scuffletv/ingest:${{ github.sha }}" | |
| transcoder_docker_image = "ghcr.io/scuffletv/transcoder:${{ github.sha }}" | |
| website_docker_image = "ghcr.io/scuffletv/website:${{ github.sha }}" | |
| EOT | |
| terraform -chdir=terraform apply |