Skip to content

Upgrade Node for security #80

Upgrade Node for security

Upgrade Node for security #80

Workflow file for this run

name: Node.js CI
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
pull_request:
push:
branches:
- main
jobs:
lint:
name: ESLint
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Setup node
uses: actions/setup-node@v3
with:
node-version: 16
- uses: c-hive/gha-npm-cache@v1
- run: npm install
- name: Lint
run: npm run lint
typecheck:
name: TypeScript
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Setup node
uses: actions/setup-node@v3
with:
node-version: 16
- uses: c-hive/gha-npm-cache@v1
- run: npm install
- name: Type check
run: npm run typecheck --if-present
vitest:
name: Vitest
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Setup node
uses: actions/setup-node@v3
with:
node-version: 16
- uses: c-hive/gha-npm-cache@v1
- run: npm install
- name: Run vitest
run: npm run test -- --coverage
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
# Setup cache
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Tag Build
uses: docker/metadata-action@v3
id: meta
with:
images: ghcr.io/${{ github.repository }}
# Only tag with latest if we're on main
tags: |
type=ref,event=pr
type=ref,event=branch
type=sha
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
- name: Build and push Docker images
uses: docker/build-push-action@v2
with:
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,mode=max,dest=/tmp/.buildx-cache-new
# This ugly bit is necessary if you don't want your cache to grow forever
# till it hits GitHub's limit of 5GB.
# Temp fix
# https://github.com/docker/build-push-action/issues/252
# https://github.com/moby/buildkit/issues/1896
- name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
deployment:
needs: build
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/feature/actions'
runs-on: ubuntu-latest
steps:
- name: Checkout to branch
uses: actions/checkout@v3
- name: Tag Build
uses: docker/metadata-action@v3
id: meta
with:
images: ghcr.io/${{ github.repository }}
tags: |
type=sha
- name: Create build context for k8s deployment
# There should only be 1 tag, so 'join' will just produce a simple string
run: |
touch k8s-context
echo IMAGE=${{ join(steps.meta.outputs.tags, '') }} > k8s-context
cat k8s-context
- name: Set up kubectl
uses: matootie/[email protected]
with:
personalAccessToken: ${{ secrets.DIGITALOCEAN_TOKEN }}
clusterName: k8s-rf
- name: Deploy app
run: |
kubectl diff -k . || echo \n
kubectl delete secret modbot-env || echo \n
kubectl create secret generic modbot-env \
--from-literal=SESSION_SECRET=${{ secrets.SESSION_SECRET }} \
--from-literal=DISCORD_PUBLIC_KEY=${{ secrets.DISCORD_PUBLIC_KEY }} \
--from-literal=DISCORD_APP_ID=${{ secrets.DISCORD_APP_ID }} \
--from-literal=DISCORD_SECRET=${{ secrets.DISCORD_SECRET }} \
--from-literal=DISCORD_HASH=${{ secrets.DISCORD_HASH }} \
--from-literal=DISCORD_TEST_GUILD=${{ secrets.DISCORD_TEST_GUILD }}
kubectl apply -k .
- name: Set Sentry release
run: |
curl ${{secrets.SENTRY_RELEASES}} \
-X POST \
-H 'Content-Type: application/json' \
-d '{"version": "${{github.sha}}"}'