Swap to GitHub Actions for CI/CD

.github/workflows/build.yml

@@ -0,0 +1,107 @@
+name: Build
+on:
+  - push
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.2'
+          extensions: bcmath, ctype, curl, fileinfo, gd, intl, json, ldap, mbstring, mysqli, openssl, pdo, redis, sqlite3, tokenizer, uuid, xml, zip
+          coverage: none
+        env:
+          fail-fast: true
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Get Composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+
+      - name: Setup Composer cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Install Composer dependencies
+        env:
+          COMPOSER_AUTH: >-
+            {"github-oauth":{"github.com":"${{ github.token }}"}}
+        run: composer install --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist
+
+      - name: Run Pint
+        run: vendor/bin/pint --test
+
+      - name: Run PHPCS
+        run: vendor/bin/phpcs .
+
+      - name: Run PHPStan
+        run: vendor/bin/phpstan analyze --level=max --configuration=phpstan.neon --error-format=github --no-progress .
+
+      - name: Run Phan
+        run: vendor/bin/phan --no-progress-bar --analyze-twice
+
+      - name: Run Psalm
+        run: vendor/bin/psalm --output-format=github --no-progress
+
+      - name: Run Enlightn
+        run: |
+          cp --verbose .env.example .env
+          php artisan key:generate --no-interaction --verbose
+          php artisan enlightn --ci --details --show-exceptions --no-interaction --verbose
+
+  docker:
+    name: Docker
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to BCDC Registry
+        uses: docker/login-action@v3
+        with:
+          registry: registry.bcdc.robojackets.net
+          username: ${{ secrets.BCDC_REGISTRY_USERNAME }}
+          password: ${{ secrets.BCDC_REGISTRY_PASSWORD }}
+
+      - name: Write Composer auth file
+        run: |
+          echo '{"github-oauth":{"github.com":"${{ github.token }}"}}' > auth.json
+
+      - name: Build and push
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          tags: registry.bcdc.robojackets.net/jedi:latest
+          network: host
+          pull: true
+          push: true
+          secret-files: composer_auth=./auth.json
+          target: ${{ github.ref == 'refs/heads/main' && 'backend-compressed' || 'backend-uncompressed' }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+    outputs:
+      image-digest: ${{ steps.build.outputs.digest }}
+
+  deploy-production:
+    name: Deploy
+    needs: [lint, docker]
+    uses: ./.github/workflows/deploy.yml
+    concurrency:
+      group: deploy-production
+      cancel-in-progress: true
+    permissions:
+      id-token: write
+      contents: read
+    with:
+      image-digest: ${{ needs.docker.outputs.image-digest }}
+      environment: production
+      precompressed-assets: true

.github/workflows/deploy.yml

@@ -0,0 +1,54 @@
+name: Deploy
+
+on:
+  workflow_call:
+    inputs:
+      image-digest:
+        required: true
+        type: string
+      precompressed-assets:
+        required: true
+        type: boolean
+  workflow_dispatch:
+    inputs:
+      image-digest:
+        required: true
+        type: string
+      precompressed-assets:
+        required: true
+        type: boolean
+
+concurrency:
+  group: deploy-production
+  cancel-in-progress: true
+
+jobs:
+  deploy:
+    name: Deploy
+    environment:
+      name: production
+      url: https://jedi.robojackets.org
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Nomad
+        uses: lucasmelin/[email protected]
+
+      - name: Exchange GitHub JWT for Nomad token
+        uses: RoboJackets/nomad-jwt-auth@main
+        with:
+          url: https://nomad.bcdc.robojackets.net
+          jwtGithubAudience: https://nomad.bcdc.robojackets.net
+          methodName: GitHub
+
+      - name: Run Nomad job
+        env:
+          NOMAD_ADDR: https://nomad.bcdc.robojackets.net
+        working-directory: ./.nomad/
+        run: |
+          nomad run -var image=registry.bcdc.robojackets.net/jedi@${{ inputs.image-digest }} -var precompressed_assets=${{ inputs.precompressed-assets }} jedi.nomad

.nomad/jedi.nomad

@@ -53,7 +53,7 @@ locals {
     )
   )
 
-  # remove gzip_static directive if/when image does not contain compressed assets (handled at Concourse/operator level)
+  # remove gzip_static directive if/when image does not contain compressed assets (handled at GitHub Actions/operator level)
   compressed_nginx_configuration_without_gzip_static = regex_replace(local.compressed_nginx_configuration,"gzip_static\\s\\S+;","")
 }
 

Dockerfile

@@ -49,7 +49,8 @@ WORKDIR /app/
 
 USER www-data
 
-RUN set -eux && \
+RUN --mount=type=secret,id=composer_auth,dst=/app/auth.json,uid=33,gid=33,required=true \
+    set -eux && \
     composer check-platform-reqs --lock --no-dev && \
     composer install --no-interaction --no-progress --no-dev --optimize-autoloader --classmap-authoritative --no-cache && \
     mkdir --parents /app/resources/views/ && \

renovate.json

@@ -38,7 +38,9 @@
         "enabled": false
     },
     "docker": {
-        "enabled": false
+        "major": {
+            "enabled": true
+        }
     },
     "lockFileMaintenance": {
         "enabled": true,