diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..e1bcd9e6 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,107 @@ +name: Build +on: + - push +jobs: + lint: + name: Lint + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: '8.2' + extensions: bcmath, ctype, curl, fileinfo, gd, intl, json, ldap, mbstring, mysqli, openssl, pdo, redis, sqlite3, tokenizer, uuid, xml, zip + coverage: none + env: + fail-fast: true + GITHUB_TOKEN: ${{ github.token }} + + - name: Get Composer cache directory + id: composer-cache + run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT + + - name: Setup Composer cache + uses: actions/cache@v4 + with: + path: ${{ steps.composer-cache.outputs.dir }} + key: ${{ runner.os }}-composer-${{ hashFiles('composer.lock') }} + restore-keys: ${{ runner.os }}-composer- + + - name: Install Composer dependencies + env: + COMPOSER_AUTH: >- + {"github-oauth":{"github.com":"${{ github.token }}"}} + run: composer install --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist + + - name: Run Pint + run: vendor/bin/pint --test + + - name: Run PHPCS + run: vendor/bin/phpcs . + + - name: Run PHPStan + run: vendor/bin/phpstan analyze --level=max --configuration=phpstan.neon --error-format=github --no-progress . + + - name: Run Phan + run: vendor/bin/phan --no-progress-bar --analyze-twice + + - name: Run Psalm + run: vendor/bin/psalm --output-format=github --no-progress + + - name: Run Enlightn + run: | + cp --verbose .env.example .env + php artisan key:generate --no-interaction --verbose + php artisan enlightn --ci --details --show-exceptions --no-interaction --verbose + + docker: + name: Docker + runs-on: ubuntu-latest + steps: + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to BCDC Registry + uses: docker/login-action@v3 + with: + registry: registry.bcdc.robojackets.net + username: ${{ secrets.BCDC_REGISTRY_USERNAME }} + password: ${{ secrets.BCDC_REGISTRY_PASSWORD }} + + - name: Write Composer auth file + run: | + echo '{"github-oauth":{"github.com":"${{ github.token }}"}}' > auth.json + + - name: Build and push + id: build + uses: docker/build-push-action@v5 + with: + tags: registry.bcdc.robojackets.net/jedi:latest + network: host + pull: true + push: true + secret-files: composer_auth=./auth.json + target: ${{ github.ref == 'refs/heads/main' && 'backend-compressed' || 'backend-uncompressed' }} + cache-from: type=gha + cache-to: type=gha,mode=max + + outputs: + image-digest: ${{ steps.build.outputs.digest }} + + deploy-production: + name: Deploy + needs: [lint, docker] + uses: ./.github/workflows/deploy.yml + concurrency: + group: deploy-production + cancel-in-progress: true + permissions: + id-token: write + contents: read + with: + image-digest: ${{ needs.docker.outputs.image-digest }} + environment: production + precompressed-assets: true diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml new file mode 100644 index 00000000..5b5035e3 --- /dev/null +++ b/.github/workflows/deploy.yml @@ -0,0 +1,54 @@ +name: Deploy + +on: + workflow_call: + inputs: + image-digest: + required: true + type: string + precompressed-assets: + required: true + type: boolean + workflow_dispatch: + inputs: + image-digest: + required: true + type: string + precompressed-assets: + required: true + type: boolean + +concurrency: + group: deploy-production + cancel-in-progress: true + +jobs: + deploy: + name: Deploy + environment: + name: production + url: https://jedi.robojackets.org + permissions: + id-token: write + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Nomad + uses: lucasmelin/setup-nomad@v2.0.0 + + - name: Exchange GitHub JWT for Nomad token + uses: RoboJackets/nomad-jwt-auth@main + with: + url: https://nomad.bcdc.robojackets.net + jwtGithubAudience: https://nomad.bcdc.robojackets.net + methodName: GitHub + + - name: Run Nomad job + env: + NOMAD_ADDR: https://nomad.bcdc.robojackets.net + working-directory: ./.nomad/ + run: | + nomad run -var image=registry.bcdc.robojackets.net/jedi@${{ inputs.image-digest }} -var precompressed_assets=${{ inputs.precompressed-assets }} jedi.nomad diff --git a/.nomad/jedi.nomad b/.nomad/jedi.nomad index a18e94b4..89458ba0 100644 --- a/.nomad/jedi.nomad +++ b/.nomad/jedi.nomad @@ -53,7 +53,7 @@ locals { ) ) - # remove gzip_static directive if/when image does not contain compressed assets (handled at Concourse/operator level) + # remove gzip_static directive if/when image does not contain compressed assets (handled at GitHub Actions/operator level) compressed_nginx_configuration_without_gzip_static = regex_replace(local.compressed_nginx_configuration,"gzip_static\\s\\S+;","") } diff --git a/Dockerfile b/Dockerfile index 37e5b326..e8e29e6b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -49,7 +49,8 @@ WORKDIR /app/ USER www-data -RUN set -eux && \ +RUN --mount=type=secret,id=composer_auth,dst=/app/auth.json,uid=33,gid=33,required=true \ + set -eux && \ composer check-platform-reqs --lock --no-dev && \ composer install --no-interaction --no-progress --no-dev --optimize-autoloader --classmap-authoritative --no-cache && \ mkdir --parents /app/resources/views/ && \ diff --git a/renovate-helper.yml b/renovate-helper.yml deleted file mode 100644 index 501ad40c..00000000 --- a/renovate-helper.yml +++ /dev/null @@ -1,175 +0,0 @@ ---- -resource_types: - -- name: github-webhook - type: registry-image - source: - aws_access_key_id: ((aws/sts/ecr.access_key)) - aws_region: us-east-1 - aws_secret_access_key: ((aws/sts/ecr.secret_key)) - aws_session_token: ((aws/sts/ecr.security_token)) - repository: robojackets/concourse-github-webhook-resource - tag: latest - tags: - - resources - -- name: pull-request - type: registry-image - source: - repository: teliaoss/github-pr-resource - tag: latest - tags: - - resources - -resources: - -- name: pull-request - public: true - type: pull-request - icon: source-pull - webhook_token: ((webhook-token)) - source: - repository: RoboJackets/jedi - access_token: (("github.com"/token.token)) - base_branch: main - disable_forks: true - tags: - - resources - -- name: pull-request-branch - public: true - type: git - icon: github - source: - uri: https://github.com/RoboJackets/jedi - branch: ((pr-branch)) - username: x-access-token - password: (("github.com"/token.token)) - tags: - - resources - -- name: webhooks - public: true - type: github-webhook - icon: webhook - source: - github_token: (("github.com"/token.token)) - webhook_token: ((webhook-token)) - resources: - pull-request: - github_uri: https://github.com/RoboJackets/jedi - events: - - push - - pull_request - tags: - - resources - -jobs: - -- name: reconfigure - public: true - plan: - - - in_parallel: - - - put: webhooks - inputs: [] - - - get: pull-request - trigger: true - - - load_var: pr-branch-two - file: pull-request/.git/resource/head_name - format: trim - reveal: true - - - set_pipeline: self - file: pull-request/renovate-helper.yml - vars: - pr-branch: ((.:pr-branch-two)) - -- name: update-composer-lock - public: true - plan: - - - get: pull-request-branch - - - get: pull-request - passed: [reconfigure] - - - task: composer-update - config: - platform: linux - - image_resource: - type: registry-image - source: - aws_access_key_id: ((aws/sts/ecr.access_key)) - aws_region: us-east-1 - aws_secret_access_key: ((aws/sts/ecr.secret_key)) - aws_session_token: ((aws/sts/ecr.security_token)) - repository: robojackets/php8-build - tag: latest - - inputs: - - name: pull-request-branch - - outputs: - - name: pull-request-branch - - caches: - - path: pull-request-branch/vendor - - run: - path: composer - dir: pull-request-branch - args: - - update - - --no-interaction - - --no-progress - - --optimize-autoloader - - --classmap-authoritative - - --with-all-dependencies - - - task: commit-lock-file - config: - platform: linux - - image_resource: - type: registry-image - source: - aws_access_key_id: ((aws/sts/ecr.access_key)) - aws_region: us-east-1 - aws_secret_access_key: ((aws/sts/ecr.secret_key)) - aws_session_token: ((aws/sts/ecr.security_token)) - repository: robojackets/php8-build - tag: latest - - params: - GIT_AUTHOR_NAME: robojackets-concourse[bot] - GIT_AUTHOR_EMAIL: 69061102+robojackets-concourse[bot]@users.noreply.github.com - GIT_COMMITTER_NAME: robojackets-concourse[bot] - GIT_COMMITTER_EMAIL: 69061102+robojackets-concourse[bot]@users.noreply.github.com - - inputs: - - name: pull-request-branch - - outputs: - - name: pull-request-branch - - run: - path: bash - dir: pull-request-branch - args: - - -e - - -o - - pipefail - - -c - - >- - git add composer.lock - && git commit -m "Run composer update" - - - put: pull-request-branch - no_get: true - params: - repository: pull-request-branch diff --git a/renovate.json b/renovate.json index dfa1f281..968233b4 100644 --- a/renovate.json +++ b/renovate.json @@ -38,7 +38,9 @@ "enabled": false }, "docker": { - "enabled": false + "major": { + "enabled": true + } }, "lockFileMaintenance": { "enabled": true,