-
Notifications
You must be signed in to change notification settings - Fork 0
181 lines (155 loc) · 6 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
# Find full documentation here https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
name: CI
on:
pull_request:
merge_group:
# Manual invocation.
workflow_dispatch:
push:
branches:
- main
# Ensure we only ever have one build running at a time.
# If we push twice in quick succession, the first build will be stopped once the second starts.
# This avoids any race conditions.
concurrency:
group: ${{ github.ref }}
cancel-in-progress: true
jobs:
lint:
timeout-minutes: 15
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: ./.github/actions/npm-run
with:
script: lint
deployment_key: ${{ secrets.PRIVATE_INFRASTRUCTURE_CONFIG_DEPLOY_KEY }}
test:
timeout-minutes: 15
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: ./.github/actions/npm-run
with:
script: test
deployment_key: ${{ secrets.PRIVATE_INFRASTRUCTURE_CONFIG_DEPLOY_KEY }}
typecheck:
timeout-minutes: 15
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: ./.github/actions/npm-run
with:
script: typecheck
deployment_key: ${{ secrets.PRIVATE_INFRASTRUCTURE_CONFIG_DEPLOY_KEY }}
db-migration:
timeout-minutes: 15
runs-on: ubuntu-latest
# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
permissions:
contents: read
env:
NODE_OPTIONS: '--max_old_space_size=4096'
services:
# See https://docs.github.com/en/actions/using-containerized-services/creating-postgresql-service-containers
postgres:
image: postgres:14.6-alpine
# Keep these in sync with `.env` file at the repository root
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: not_at_all_secret
POSTGRES_DB: postgres
# Set health checks to wait until postgres has started
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version-file: '.nvmrc'
cache: 'npm'
- uses: guardian/actions-read-private-repos@8792b5279dc2e6dfb6b9aa6ba2f26b6226be444c # v0.1.1
with:
private-ssh-keys: ${{ secrets.PRIVATE_INFRASTRUCTURE_CONFIG_DEPLOY_KEY }}
- name: install dependencies
run: npm ci
- name: perform a DEV database migration
run: npm -w cli start migrate -- --stage DEV
- name: basic database tests
run: psql -d postgresql://postgres:not_at_all_secret@localhost:5432/postgres -v ON_ERROR_STOP=1 -f sql/ci.sql
- name: check schema.prisma file hasn't changed
run: git diff --exit-code packages/common/prisma/schema.prisma
- name: check for untracked files
run: |
UNTRACKED_FILES=$(git ls-files --others --exclude-standard packages/common/prisma | wc -l)
if [ "$UNTRACKED_FILES" -gt 0 ]; then
echo "Untracked files found:"
git ls-files --others --exclude-standard packages/common/prisma
exit 1
fi
CI:
timeout-minutes: 15
runs-on: ubuntu-latest
needs: [lint, test, typecheck, db-migration]
# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
permissions:
# required by aws-actions/configure-aws-credentials
id-token: write
contents: read
pull-requests: write # required by guardian/actions-riff-raff
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version-file: '.nvmrc'
cache: 'npm'
- uses: guardian/actions-read-private-repos@8792b5279dc2e6dfb6b9aa6ba2f26b6226be444c # v0.1.1
with:
private-ssh-keys: ${{ secrets.PRIVATE_INFRASTRUCTURE_CONFIG_DEPLOY_KEY }}
- name: Build zip files
run: ./scripts/build.sh
- name: Upload to riff-raff
uses: guardian/actions-riff-raff@d5029dc221aeb98376f54cda13b88e214a5312b4 # v4.1.1
with:
app: service-catalogue
roleArn: ${{ secrets.GU_RIFF_RAFF_ROLE_ARN }}
githubToken: ${{ secrets.GITHUB_TOKEN }}
buildNumber: ${{ env.GITHUB_RUN_NUMBER }}
projectName: deploy::service-catalogue
configPath: packages/cdk/cdk.out/riff-raff.yaml
contentDirectories: |
cdk.out:
- packages/cdk/cdk.out
repocop:
- packages/repocop/dist/repocop.zip
interactive-monitor:
- packages/interactive-monitor/dist/interactive-monitor.zip
data-audit:
- packages/data-audit/dist/data-audit.zip
dependency-graph-integrator:
- packages/dependency-graph-integrator/dist/dependency-graph-integrator.zip
github-actions-usage:
- packages/github-actions-usage/dist/github-actions-usage.zip
obligatron:
- packages/obligatron/dist/obligatron.zip
refresh-materialized-view:
- packages/refresh-materialized-view/dist/refresh-materialized-view.zip
prisma:
- packages/common/prisma.zip
cloudbuster:
- packages/cloudbuster/dist/cloudbuster.zip
env:
NODE_OPTIONS: '--max_old_space_size=4096'