-
Notifications
You must be signed in to change notification settings - Fork 2
149 lines (120 loc) · 4.32 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
name: 'CI'
on:
pull_request:
push:
branches: [ 'develop', 'prod' ]
jobs:
test:
runs-on: 'ubuntu-22.04'
timeout-minutes: 45
steps:
- uses: 'actions/checkout@v3'
- run: 'cat environment.boot >> "$GITHUB_ENV"'
- uses: 'actions/[email protected]'
with:
python-version: '${{ env.azul_python_version }}'
cache: 'pip'
cache-dependency-path: 'requirements.dev.txt'
- name: 'Run unit tests and other checks'
run: |
source environment
_link dev
_refresh
make virtualenv
source .venv/bin/activate
make requirements
make environment.boot
# FIXME: The default Azul registry is hosted privately on ECR, so we'd
# have to provide credentials to use it. For now, it's
# sufficient to pull 3rd party images directly from their
# upstream registry, accepting the risk that a 3rd party image
# is compromised. GitHub Actions have limited access to our
# infrastructure (the token scope is limited). The worst that
# could happen is that the token itself is revealed or that the
# action falsely reports a passing build.
# https://github.com/DataBiosphere/azul/issues/5188
#
export azul_docker_registry=""
# Hack: The use of chrgp compensates for a quirk of Docker. The
# PyCharm image used by make format sets up a user called `developer`
# and assigns it UID 1000. Actions is running as UID 1001. An
# alternative would be to pass --user to `docker run` and bind-mount
# an /etc/passwd that maps that to `developer`. We also need write
# permissions for the group
#
chmod -R g+w . && sudo chgrp -R 1000 . && make format && sudo chgrp -R $(id -g) .
make -C lambdas openapi
make -C .github
make anvil_schema
make check_clean
make pep8
AZUL_DEBUG=0 GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} make test
make check_clean
coverage xml
- uses: 'actions/upload-artifact@v3'
with:
name: 'coverage-file'
path: 'coverage.xml'
codecov:
needs: 'test'
runs-on: 'ubuntu-22.04'
steps:
- uses: 'actions/checkout@v3'
- run: 'cat environment.boot >> "$GITHUB_ENV"'
- uses: 'actions/[email protected]'
with:
python-version: '${{ env.azul_python_version }}'
cache: 'pip'
cache-dependency-path: 'requirements.dev.txt'
- uses: 'actions/download-artifact@v3'
with:
name: 'coverage-file'
- uses: 'codecov/codecov-action@v3'
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: 'coverage.xml'
fail_ci_if_error: true
coveralls:
needs: 'test'
runs-on: 'ubuntu-22.04'
steps:
- uses: 'actions/checkout@v3'
- run: 'cat environment.boot >> "$GITHUB_ENV"'
- uses: 'actions/[email protected]'
with:
python-version: '${{ env.azul_python_version }}'
cache: 'pip'
cache-dependency-path: 'requirements.dev.txt'
- uses: 'actions/download-artifact@v3'
with:
name: 'coverage-file'
- uses: 'coverallsapp/github-action@v2'
with:
github-token: ${{ secrets.COVERALLS_REPO_TOKEN }}
codeql:
runs-on: 'ubuntu-22.04'
permissions:
actions: 'read'
contents: 'read'
security-events: 'write'
strategy:
fail-fast: false
matrix:
language: [ 'python', 'javascript' ]
steps:
- uses: 'actions/checkout@v3'
- run: 'cat environment.boot >> "$GITHUB_ENV"'
- uses: 'actions/[email protected]'
with:
python-version: '${{ env.azul_python_version }}'
cache: 'pip'
cache-dependency-path: 'requirements.dev.txt'
- uses: 'github/codeql-action/init@v2'
with:
languages: '${{ matrix.language }}'
setup-python-dependencies: false
config-file: './.github/codeql/codeql-config.yml'
queries: 'security-and-quality'
- uses: 'github/codeql-action/analyze@v2'
with:
category: '/language:${{matrix.language}}'