From a238df05953e7f60288ef65e3a5c005c3feeff24 Mon Sep 17 00:00:00 2001 
From: Chris K Date: Wed, 3 Jan 2024 02:09:45 -0800 Subject: [PATCH] strip out old GHA workflows; add CICD foundation --- .github/workflows/build-and-deploy.yml | 56 +++ .github/workflows/build-container-image.yml | 99 ----- .github/workflows/build-nightly.yml | 42 -- .github/workflows/build-push-pr.yml | 41 -- .github/workflows/build-releases.yml | 29 -- .github/workflows/bundler-audit.yml | 40 -- .github/workflows/check-i18n.yml | 62 --- .github/workflows/codeql.yml | 62 --- .github/workflows/crowdin-download.yml | 76 ---- .github/workflows/crowdin-upload.yml | 35 -- .github/workflows/ecr.yml | 85 ++++ .github/workflows/eks.yml | 102 +++++ .../workflows/haml-lint-problem-matcher.json | 17 - .github/workflows/lint-css.yml | 52 --- .github/workflows/lint-haml.yml | 47 --- .github/workflows/lint-js.yml | 55 --- .github/workflows/lint-json.yml | 44 --- .github/workflows/lint-md.yml | 44 --- .github/workflows/lint-ruby.yml | 51 --- .github/workflows/lint-yml.yml | 46 --- .github/workflows/rebase-needed.yml | 27 -- .github/workflows/test-image-build.yml | 21 - .github/workflows/test-js.yml | 48 --- .../workflows/test-migrations-one-step.yml | 111 ------ .../workflows/test-migrations-two-step.yml | 119 ------ .github/workflows/test-ruby.yml | 365 ------------------ deploy/README.md | 39 ++ deploy/staging/values.yaml | 29 ++ deploy/values.yaml | 99 +++++ 29 files changed, 410 insertions(+), 1533 deletions(-) create mode 100644 .github/workflows/build-and-deploy.yml delete mode 100644 .github/workflows/build-container-image.yml delete mode 100644 .github/workflows/build-nightly.yml delete mode 100644 .github/workflows/build-push-pr.yml delete mode 100644 .github/workflows/build-releases.yml delete mode 100644 .github/workflows/bundler-audit.yml delete mode 100644 .github/workflows/check-i18n.yml delete mode 100644 .github/workflows/codeql.yml delete mode 100644 .github/workflows/crowdin-download.yml delete mode 100644 .github/workflows/crowdin-upload.yml create mode 100644 
.github/workflows/ecr.yml create mode 100644 .github/workflows/eks.yml delete mode 100644 .github/workflows/haml-lint-problem-matcher.json delete mode 100644 .github/workflows/lint-css.yml delete mode 100644 .github/workflows/lint-haml.yml delete mode 100644 .github/workflows/lint-js.yml delete mode 100644 .github/workflows/lint-json.yml delete mode 100644 .github/workflows/lint-md.yml delete mode 100644 .github/workflows/lint-ruby.yml delete mode 100644 .github/workflows/lint-yml.yml delete mode 100644 .github/workflows/rebase-needed.yml delete mode 100644 .github/workflows/test-image-build.yml delete mode 100644 .github/workflows/test-js.yml delete mode 100644 .github/workflows/test-migrations-one-step.yml delete mode 100644 .github/workflows/test-migrations-two-step.yml delete mode 100644 .github/workflows/test-ruby.yml create mode 100644 deploy/README.md create mode 100644 deploy/staging/values.yaml create mode 100644 deploy/values.yaml diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml new file mode 100644 index 00000000000000..aa4d645bd33275 --- /dev/null +++ b/.github/workflows/build-and-deploy.yml 
@@ -0,0 +1,56 @@ +name: AWS Build and Deploy + +on: + push: + branches: ["staging", "production"] + +jobs: + build-and-push: + permissions: + id-token: write + contents: read + checks: write + name: build-and-push + concurrency: ${{ github.ref }} + uses: ./.github/workflows/ecr.yml + with: + build_role: arn:aws:iam::458591407913:role/github-actions-ecr-thoughtbot-mastodon + ecr_repo: thoughtbot/thoughtbot-mastodon + + deploy-staging: + if: ${{ endsWith(github.ref, 'staging') }} + permissions: + contents: read + id-token: write + actions: read + name: deploy-staging + needs: build-and-push + concurrency: ${{ github.ref }} + uses: ./.github/workflows/eks.yml + with: + cluster_name: thoughtbot-sandbox-v1 + deploy_role: arn:aws:iam::181682000713:role/thoughtbot-mastodon-deploy + image_url: ${{ needs.build-and-push.outputs.image_url }} + manifest_path: ./deploy/staging + namespace: thoughtbot-mastodon-staging + registry_account: '458591407913' + version: ${{ needs.build-and-push.outputs.version }} + + deploy-production: + if: ${{ endsWith(github.ref, 'production') }} + permissions: + contents: read + id-token: write + actions: read + name: deploy-production + needs: build-and-push + concurrency: ${{ github.ref }} + uses: ./.github/workflows/eks.yml + with: + cluster_name: thoughtbot-production-v1 + deploy_role: arn:aws:iam::651913466569:role/thoughtbot-mastodon-deploy + image_url: ${{ needs.build-and-push.outputs.image_url }} + manifest_path: ./deploy/production + namespace: thoughtbot-mastodon-production + registry_account: '458591407913' + version: ${{ needs.build-and-push.outputs.version }} diff --git a/.github/workflows/build-container-image.yml b/.github/workflows/build-container-image.yml deleted file mode 100644 index aa9e74e7e9f32a..00000000000000 --- a/.github/workflows/build-container-image.yml +++ /dev/null 
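Review bot: deploy-production passes `manifest_path: ./deploy/production`, but this commit creates only `deploy/values.yaml` and `deploy/staging/values.yaml` (see the diffstat), and eks.yml's bake step reads `${{ inputs.manifest_path }}/values.yaml`, so the first push to `production` will presumably fail at the bake step unless that directory already exists or lands in a separate change. Either add `deploy/production/values.yaml` here or hold the production job back until it exists. Separately, `checks: write` is granted to build-and-push (and declared again in ecr.yml) although no step in ecr.yml creates or updates a check run; dropping it from both keeps the job token at least privilege.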
@@ -1,99 +0,0 @@ -on: - workflow_call: - inputs: - platforms: - required: true - type: string - cache: - type: boolean - default: true - use_native_arm64_builder: - type: boolean - push_to_images: - type: string - version_prerelease: - type: string - version_metadata: - type: string - flavor: - type: string - tags: - type: string - labels: - type: string - -jobs: - build-image: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v4 - - - uses: docker/setup-qemu-action@v2 - if: contains(inputs.platforms, 'linux/arm64') && !inputs.use_native_arm64_builder - - - uses: docker/setup-buildx-action@v2 - id: buildx - if: ${{ !(inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')) }} - - - name: Start a local Docker Builder - if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64') - run: | - docker run --rm -d --name buildkitd -p 1234:1234 --privileged moby/buildkit:latest --addr tcp://0.0.0.0:1234 - - - uses: docker/setup-buildx-action@v2 - id: buildx-native - if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64') - with: - driver: remote - endpoint: tcp://localhost:1234 - platforms: linux/amd64 - append: | - - endpoint: tcp://${{ vars.DOCKER_BUILDER_HETZNER_ARM64_01_HOST }}:13865 - platforms: linux/arm64 - name: mastodon-docker-builder-arm64-01 - driver-opts: - - servername=mastodon-docker-builder-arm64-01 - env: - BUILDER_NODE_1_AUTH_TLS_CACERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CACERT }} - BUILDER_NODE_1_AUTH_TLS_CERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CERT }} - BUILDER_NODE_1_AUTH_TLS_KEY: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_KEY }} - - - name: Log in to Docker Hub - if: contains(inputs.push_to_images, 'tootsuite') - uses: docker/login-action@v2 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Log in to the Github Container registry - if: contains(inputs.push_to_images, 'ghcr.io') - uses: 
docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - uses: docker/metadata-action@v4 - id: meta - if: ${{ inputs.push_to_images != '' }} - with: - images: ${{ inputs.push_to_images }} - flavor: ${{ inputs.flavor }} - tags: ${{ inputs.tags }} - labels: ${{ inputs.labels }} - - - uses: docker/build-push-action@v4 - with: - context: . - build-args: | - MASTODON_VERSION_PRERELEASE=${{ inputs.version_prerelease }} - MASTODON_VERSION_METADATA=${{ inputs.version_metadata }} - platforms: ${{ inputs.platforms }} - provenance: false - builder: ${{ steps.buildx.outputs.name || steps.buildx-native.outputs.name }} - push: ${{ inputs.push_to_images != '' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: ${{ inputs.cache && 'type=gha' || '' }} - cache-to: ${{ inputs.cache && 'type=gha,mode=max' || '' }} diff --git a/.github/workflows/build-nightly.yml b/.github/workflows/build-nightly.yml deleted file mode 100644 index aa1f916afe3a3b..00000000000000 --- a/.github/workflows/build-nightly.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -name: Build nightly container image -on: - workflow_dispatch: - schedule: - - cron: '0 2 * * *' # run at 2 AM UTC - -permissions: - contents: read - packages: write - -jobs: - compute-suffix: - runs-on: ubuntu-latest - steps: - - id: version_vars - env: - TZ: Etc/UTC - run: | - echo mastodon_version_prerelease=nightly.$(date +'%Y-%m-%d')>> $GITHUB_OUTPUT - outputs: - prerelease: ${{ steps.version_vars.outputs.mastodon_version_prerelease }} - - build-image: - needs: compute-suffix - uses: ./.github/workflows/build-container-image.yml - with: - platforms: linux/amd64,linux/arm64 - use_native_arm64_builder: true - cache: false - push_to_images: | - tootsuite/mastodon - ghcr.io/mastodon/mastodon - version_prerelease: ${{ needs.compute-suffix.outputs.prerelease }} - labels: | - org.opencontainers.image.description=Nightly build image used for testing purposes - flavor: | - latest=auto - tags: | - type=raw,value=edge - type=raw,value=nightly - type=schedule,pattern=${{ needs.compute-suffix.outputs.prerelease }} - secrets: inherit diff --git a/.github/workflows/build-push-pr.yml b/.github/workflows/build-push-pr.yml deleted file mode 100644 index 1f647e2a1418f1..00000000000000 --- a/.github/workflows/build-push-pr.yml +++ /dev/null 
@@ -1,41 +0,0 @@ -name: Build container image for PR -on: - pull_request: - types: [labeled, synchronize, reopened, ready_for_review, opened] - -permissions: - contents: read - packages: write - -jobs: - compute-suffix: - runs-on: ubuntu-latest - # This is only allowed to run if: - # - the PR branch is in the `mastodon/mastodon` repository - # - the PR is not a draft - # - the PR has the "build-image" label - if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !github.event.pull_request.draft && contains(github.event.pull_request.labels.*.name, 'build-image') }} - steps: - # Repository needs to be cloned so `git rev-parse` below works - - name: Clone repository - uses: actions/checkout@v4 - - id: version_vars - run: | - echo mastodon_version_metadata=pr-${{ github.event.pull_request.number }}-$(git rev-parse --short HEAD) >> $GITHUB_OUTPUT - outputs: - metadata: ${{ steps.version_vars.outputs.mastodon_version_metadata }} - - build-image: - needs: compute-suffix - uses: ./.github/workflows/build-container-image.yml - with: - platforms: linux/amd64,linux/arm64 - use_native_arm64_builder: true - push_to_images: | - ghcr.io/mastodon/mastodon - version_metadata: ${{ needs.compute-suffix.outputs.metadata }} - flavor: | - latest=auto - tags: | - type=ref,event=pr - secrets: inherit diff --git a/.github/workflows/build-releases.yml b/.github/workflows/build-releases.yml deleted file mode 100644 index 3b82eef9d899cb..00000000000000 --- a/.github/workflows/build-releases.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -name: Build container release images -on: - push: - tags: - - '*' - -permissions: - contents: read - packages: write - -jobs: - build-image: - uses: ./.github/workflows/build-container-image.yml - with: - platforms: linux/amd64,linux/arm64 - use_native_arm64_builder: true - push_to_images: | - tootsuite/mastodon - ghcr.io/mastodon/mastodon - # Do not use cache when building releases, so apt update is always ran and the release always contain the latest packages - cache: false - # Only tag with latest when ran against the latest stable branch - # This needs to be updated after each minor version release - flavor: | - latest=${{ startsWith(github.ref, 'refs/tags/v4.2.') }} - tags: | - type=pep440,pattern={{raw}} - type=pep440,pattern=v{{major}}.{{minor}} - secrets: inherit diff --git a/.github/workflows/bundler-audit.yml b/.github/workflows/bundler-audit.yml deleted file mode 100644 index bfb93a36cd052c..00000000000000 --- a/.github/workflows/bundler-audit.yml +++ /dev/null @@ -1,40 +0,0 @@ -name: Bundler Audit -on: - push: - branches-ignore: - - 'dependabot/**' - paths: - - 'Gemfile*' - - '.ruby-version' - - '.bundler-audit.yml' - - '.github/workflows/bundler-audit.yml' - - pull_request: - paths: - - 'Gemfile*' - - '.ruby-version' - - '.bundler-audit.yml' - - '.github/workflows/bundler-audit.yml' - - schedule: - - cron: '0 5 * * 1' - -jobs: - security: - runs-on: ubuntu-latest - - steps: - - name: Clone repository - uses: actions/checkout@v4 - - - name: Install native Ruby dependencies - run: sudo apt-get install -y libicu-dev libidn11-dev - - - name: Set up Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: .ruby-version - bundler-cache: true - - - name: Run bundler-audit - run: bundle exec bundler-audit diff --git a/.github/workflows/check-i18n.yml b/.github/workflows/check-i18n.yml deleted file mode 100644 index 39cf32ddc43a66..00000000000000 --- a/.github/workflows/check-i18n.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -name: Check i18n - -on: - push: - branches: [main] - pull_request: - branches: [main] - -env: - RAILS_ENV: test - -permissions: - contents: read - -jobs: - check-i18n: - runs-on: ubuntu-22.04 - - steps: - - uses: actions/checkout@v4 - - - name: Install system dependencies - run: | - sudo apt-get update - sudo apt-get install -y libicu-dev libidn11-dev - - - name: Set up Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: .ruby-version - bundler-cache: true - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - cache: yarn - node-version-file: '.nvmrc' - - - name: Install all yarn packages - run: yarn --frozen-lockfile - - - name: Check for missing strings in English JSON - run: | - yarn i18n:extract --throws - git diff --exit-code - - - name: Check locale file normalization - run: bundle exec i18n-tasks check-normalized - - - name: Check for unused strings - run: bundle exec i18n-tasks unused - - - name: Check for missing strings in English YML - run: | - bundle exec i18n-tasks add-missing -l en - git diff --exit-code - - - name: Check for wrong string interpolations - run: bundle exec i18n-tasks check-consistent-interpolations - - - name: Check that all required locale files exist - run: bundle exec rake repo:check_locales_files diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 3b40c3fd07be90..00000000000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -name: 'CodeQL' - -on: - push: - branches: ['main'] - pull_request: - # The branches below must be a subset of the branches above - branches: ['main'] - schedule: - - cron: '22 6 * * 1' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ['javascript', 'ruby'] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 
- - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: '/language:${{matrix.language}}' diff --git a/.github/workflows/crowdin-download.yml b/.github/workflows/crowdin-download.yml deleted file mode 100644 index e5385808defd2a..00000000000000 --- a/.github/workflows/crowdin-download.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -name: Crowdin / Download translations -on: - schedule: - - cron: '17 4 * * *' # Every day - workflow_dispatch: - -permissions: - contents: write - pull-requests: write - -jobs: - download-translations: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Increase Git http.postBuffer - # This is needed due to a bug in Ubuntu's cURL version? - # See https://github.com/orgs/community/discussions/55820 - run: | - git config --global http.version HTTP/1.1 - git config --global http.postBuffer 157286400 - - # Download the translation files from Crowdin - - name: crowdin action - uses: crowdin/github-action@v1 - with: - upload_sources: false - upload_translations: false - download_translations: true - crowdin_branch_name: main - push_translations: false - create_pull_request: false - env: - CROWDIN_PROJECT_ID: ${{ vars.CROWDIN_PROJECT_ID }} - CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }} - - # As the files are extracted from a Docker container, they belong to root:root - # We need to fix this before the next steps - - name: Fix file permissions - run: sudo chown -R runner:docker . - - # This is needed to run the normalize step - - name: Install native Ruby dependencies - run: sudo apt-get install -y libicu-dev libidn11-dev - - - name: Set up Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: .ruby-version - bundler-cache: true - - - name: Run i18n normalize task - run: bundle exec i18n-tasks normalize - - # Create or update the pull request - - name: Create Pull Request - uses: peter-evans/create-pull-request@v5.0.2 - with: - commit-message: 'New Crowdin translations' - title: 'New Crowdin Translations (automated)' - author: 'GitHub Actions ' - body: | - New Crowdin translations, automated with Github Actions - - See `.github/workflows/crowdin-download.yml` - - This PR will be updated every day with new translations. 
- - Due to a limitation in Github Actions, checks are not running on this PR without manual action. - If you want to run the checks, then close and re-open it. - branch: i18n/crowdin/translations - base: main - labels: i18n diff --git a/.github/workflows/crowdin-upload.yml b/.github/workflows/crowdin-upload.yml deleted file mode 100644 index 705af12c025044..00000000000000 --- a/.github/workflows/crowdin-upload.yml +++ /dev/null @@ -1,35 +0,0 @@ -name: Crowdin / Upload translations - -on: - push: - branches: - - main - paths: - - crowdin.yml - - app/javascript/mastodon/locales/en.json - - config/locales/en.yml - - config/locales/simple_form.en.yml - - config/locales/activerecord.en.yml - - config/locales/devise.en.yml - - config/locales/doorkeeper.en.yml - - .github/workflows/crowdin-upload.yml - -jobs: - upload-translations: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: crowdin action - uses: crowdin/github-action@v1 - with: - upload_sources: true - upload_translations: false - download_translations: false - crowdin_branch_name: main - - env: - CROWDIN_PROJECT_ID: ${{ vars.CROWDIN_PROJECT_ID }} - CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }} diff --git a/.github/workflows/ecr.yml b/.github/workflows/ecr.yml new file mode 100644 index 00000000000000..7791ff5cbc5b54 --- /dev/null +++ b/.github/workflows/ecr.yml 
@@ -0,0 +1,85 @@ +name: ECR Build and Push + +on: + workflow_call: + inputs: + build_role: + type: string + required: true + ecr_repo: + type: string + required: true + outputs: + image_url: + description: Full URL of the ECR image to deploy + value: ${{ jobs.docker-build.outputs.image_url }} + version: + description: Version of the application to deploy + value: ${{ jobs.docker-build.outputs.version }} + +jobs: + docker-build: + runs-on: + - ubuntu-20.04 + + permissions: + id-token: write + contents: read + checks: write + + outputs: + image_url: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.ecr_repo }} + version: ${{ steps.meta.outputs.version }} + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-region: us-east-1 + role-to-assume: ${{ inputs.build_role }} + # The Docker container contains the account ID, which must be in the outputs + mask-aws-account-id: 'no' + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v2 + + - name: Set Docker meta + id: meta + uses: docker/metadata-action@v3 + with: + images: ${{ steps.login-ecr.outputs.registry }}/${{ inputs.ecr_repo }} + tags: type=sha,format=short + + - name: Check for existing Docker image + id: check-image + env: + ECR_REPO: ${{ inputs.ecr_repo }} + IMAGE_URL: ${{ steps.meta.outputs.tags }} + run: | + IMAGE_TAG=$( echo "$IMAGE_URL" | cut -d ":" -f 2) + RESULT=$(aws ecr describe-images --repository-name="$ECR_REPO" --image-ids=imageTag="$IMAGE_TAG" > /dev/null && echo true || echo false) + echo "$IMAGE_TAG" + echo "$RESULT" + echo "image_exists=$RESULT" >> "$GITHUB_OUTPUT" + + - name: Build and push Docker image + id: docker_build + if: ${{ steps.check-image.outputs.image_exists == 'false' }} + uses: docker/build-push-action@v3 + with: + context: . 
+ builder: ${{ steps.buildx.outputs.name }} + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + diff --git a/.github/workflows/eks.yml b/.github/workflows/eks.yml new file mode 100644 index 00000000000000..263792a53123a2 --- /dev/null +++ b/.github/workflows/eks.yml 
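Review bot: Every third-party action in this job is pinned to a mutable major tag (`actions/checkout@v3`, `aws-actions/configure-aws-credentials@v1`, `aws-actions/amazon-ecr-login@v1`, `docker/setup-buildx-action@v2`, `docker/metadata-action@v3`, `docker/build-push-action@v3`) while the job holds `id-token: write` and can assume the ECR build role, so a retagged action would run with push access to the production image repository; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA>  # v3`, and let Dependabot bump them (the same applies to the `azure/*` and `aws-actions/*` steps in eks.yml). The tags are also one major version behind the `actions/checkout@v4` the deleted workflows used. The `type=sha,format=short` tag combined with the skip-if-exists check means a short-SHA collision would reuse another commit's image rather than rebuilding; `tags: type=sha,format=long` removes that ambiguity at no cost. In the check-image step, `aws ecr describe-images` failing for any reason other than a missing tag (permissions, throttling) also yields `false` and triggers a rebuild, which is the safe direction, but a one-line comment saying so would save the next reader the analysis.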
@@ -0,0 +1,102 @@ +name: EKS Deploy + +on: + workflow_call: + inputs: + cluster_name: + type: string + required: true + deploy_role: + type: string + required: true + image_url: + type: string + required: true + manifest_path: + type: string + required: true + namespace: + type: string + required: true + registry_account: + type: string + required: true + version: + type: string + required: true + +jobs: + kustomize-and-deploy: + permissions: + contents: read + id-token: write + actions: read + + runs-on: + - ubuntu-20.04 + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Add thoughtbot Helm repository + run: | + helm repo add \ + thoughtbot-charts https://thoughtbot.github.io/helm-charts/ + + - name: Pull Helm Rails chart + run: | + helm pull thoughtbot-charts/helm-rails \ + --version 0.1.13 --untar + + - uses: azure/k8s-bake@v2.2 + with: + renderEngine: 'helm' + helmChart: ./helm-rails + releaseName: workhands + overrideFiles: | + deploy/values.yaml + ${{ inputs.manifest_path }}/values.yaml + overrides: | + app.image:${{ inputs.image_url }} + app.version:${{ inputs.version }} + helm-version: 'v3.8.2' + silent: 'false' + name: bake helm template + id: bake + + - uses: azure/setup-kubectl@v3 + with: + version: 'v1.24.3' + id: install + + - name: Assume deploy role + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-region: us-east-1 + role-to-assume: ${{ inputs.deploy_role }} + + - name: Login to Amazon ECR + id: login_ecr + uses: aws-actions/amazon-ecr-login@v1 + with: + registries: ${{ inputs.registry_account }} + + - name: Create k8s config for use with deploy + run: | + aws eks update-kubeconfig \ + --name ${{ inputs.cluster_name }} \ + --region us-east-1 + + - name: Clean up any prior jobs + run: | + kubectl delete job --namespace ${{ inputs.namespace }} --all + + - uses: azure/k8s-deploy@v4.2 + with: + annotate-namespace: false + namespace: ${{ inputs.namespace }} + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: 
${{ inputs.image_url }}:${{ inputs.version }} + strategy: basic + action: deploy diff --git a/.github/workflows/haml-lint-problem-matcher.json b/.github/workflows/haml-lint-problem-matcher.json deleted file mode 100644 index 3523ea29515a25..00000000000000 --- a/.github/workflows/haml-lint-problem-matcher.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "problemMatcher": [ - { - "owner": "haml-lint", - "severity": "warning", - "pattern": [ - { - "regexp": "^(.*):(\\d+)\\s\\[W]\\s(.*):\\s(.*)$", - "file": 1, - "line": 2, - "code": 3, - "message": 4 - } - ] - } - ] -} diff --git a/.github/workflows/lint-css.yml b/.github/workflows/lint-css.yml deleted file mode 100644 index bd775dba2061b5..00000000000000 --- a/.github/workflows/lint-css.yml +++ /dev/null @@ -1,52 +0,0 @@ -name: CSS Linting -on: - push: - branches-ignore: - - 'dependabot/**' - - 'renovate/**' - paths: - - 'package.json' - - 'yarn.lock' - - '.nvmrc' - - '.prettier*' - - 'stylelint.config.js' - - '**/*.css' - - '**/*.scss' - - '.github/workflows/lint-css.yml' - - '.github/stylelint-matcher.json' - - pull_request: - paths: - - 'package.json' - - 'yarn.lock' - - '.nvmrc' - - '.prettier*' - - 'stylelint.config.js' - - '**/*.css' - - '**/*.scss' - - '.github/workflows/lint-css.yml' - - '.github/stylelint-matcher.json' - -jobs: - lint: - runs-on: ubuntu-latest - - steps: - - name: Clone repository - uses: actions/checkout@v4 - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - cache: yarn - node-version-file: '.nvmrc' - - - name: Install all yarn packages - run: yarn --frozen-lockfile - - - uses: xt0rted/stylelint-problem-matcher@v1 - - - run: echo "::add-matcher::.github/stylelint-matcher.json" - - - name: Stylelint - run: yarn lint:sass diff --git a/.github/workflows/lint-haml.yml b/.github/workflows/lint-haml.yml deleted file mode 100644 index ca9bd66a4ae1b1..00000000000000 --- a/.github/workflows/lint-haml.yml +++ /dev/null 
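Review bot: Workflow inputs are interpolated directly into shell in the `run:` steps (`--name ${{ inputs.cluster_name }}`, `--namespace ${{ inputs.namespace }}`), which is the GitHub Actions expression-injection pattern; today the only caller passes literals, but a reusable workflow can later be invoked with attacker-influenced values, so route the inputs through `env:` and quote them as shell variables. `releaseName: workhands` looks like a leftover from another project since everything else is named thoughtbot-mastodon, and the release name feeds into generated resource names — confirm it is intended. The `Login to Amazon ECR` step's output (`id: login_ecr`) is never referenced afterwards; if the cluster pulls images with its node or pod role, that step and the `registry_account` input can be dropped. The Helm chart is fetched by version over HTTPS with no digest or provenance check; if the chart repository publishes provenance files, `helm pull --verify` would tie the deploy to a known artifact.

```yaml
      - name: Create k8s config for use with deploy
        env:
          CLUSTER_NAME: ${{ inputs.cluster_name }}
        run: |
          aws eks update-kubeconfig \
            --name "$CLUSTER_NAME" \
            --region us-east-1

      - name: Clean up any prior jobs
        env:
          NAMESPACE: ${{ inputs.namespace }}
        run: |
          kubectl delete job --namespace "$NAMESPACE" --all
      # … unchanged: azure/k8s-deploy step …
```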
@@ -1,47 +0,0 @@ -name: Haml Linting -on: - push: - branches-ignore: - - 'dependabot/**' - - 'renovate/**' - paths: - - '.github/workflows/haml-lint-problem-matcher.json' - - '.github/workflows/lint-haml.yml' - - '.haml-lint*.yml' - - '.rubocop*.yml' - - '.ruby-version' - - '**/*.haml' - - 'Gemfile*' - - pull_request: - paths: - - '.github/workflows/haml-lint-problem-matcher.json' - - '.github/workflows/lint-haml.yml' - - '.haml-lint*.yml' - - '.rubocop*.yml' - - '.ruby-version' - - '**/*.haml' - - 'Gemfile*' - -jobs: - lint: - runs-on: ubuntu-latest - steps: - - name: Clone repository - uses: actions/checkout@v4 - - - name: Install native Ruby dependencies - run: | - sudo apt-get update - sudo apt-get install -y libicu-dev libidn11-dev - - - name: Set up Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: .ruby-version - bundler-cache: true - - - name: Run haml-lint - run: | - echo "::add-matcher::.github/workflows/haml-lint-problem-matcher.json" - bundle exec haml-lint diff --git a/.github/workflows/lint-js.yml b/.github/workflows/lint-js.yml deleted file mode 100644 index 67d28589cb09ca..00000000000000 --- a/.github/workflows/lint-js.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -name: JavaScript Linting -on: - push: - branches-ignore: - - 'dependabot/**' - - 'renovate/**' - paths: - - 'package.json' - - 'yarn.lock' - - 'tsconfig.json' - - '.nvmrc' - - '.prettier*' - - '.eslint*' - - '**/*.js' - - '**/*.jsx' - - '**/*.ts' - - '**/*.tsx' - - '.github/workflows/lint-js.yml' - - pull_request: - paths: - - 'package.json' - - 'yarn.lock' - - 'tsconfig.json' - - '.nvmrc' - - '.prettier*' - - '.eslint*' - - '**/*.js' - - '**/*.jsx' - - '**/*.ts' - - '**/*.tsx' - - '.github/workflows/lint-js.yml' - -jobs: - lint: - runs-on: ubuntu-latest - - steps: - - name: Clone repository - uses: actions/checkout@v4 - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - cache: yarn - node-version-file: '.nvmrc' - - - name: Install all yarn packages - run: yarn --frozen-lockfile - - - name: ESLint - run: yarn lint:js --max-warnings 0 - - - name: Typecheck - run: yarn typecheck diff --git a/.github/workflows/lint-json.yml b/.github/workflows/lint-json.yml deleted file mode 100644 index 1d98c52673f7f3..00000000000000 --- a/.github/workflows/lint-json.yml +++ /dev/null @@ -1,44 +0,0 @@ -name: JSON Linting -on: - push: - branches-ignore: - - 'dependabot/**' - - 'renovate/**' - paths: - - 'package.json' - - 'yarn.lock' - - '.nvmrc' - - '.prettier*' - - '**/*.json' - - '.github/workflows/lint-json.yml' - - '!app/javascript/mastodon/locales/*.json' - - pull_request: - paths: - - 'package.json' - - 'yarn.lock' - - '.nvmrc' - - '.prettier*' - - '**/*.json' - - '.github/workflows/lint-json.yml' - - '!app/javascript/mastodon/locales/*.json' - -jobs: - lint: - runs-on: ubuntu-latest - - steps: - - name: Clone repository - uses: actions/checkout@v4 - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - cache: yarn - node-version-file: '.nvmrc' - - - name: Install all yarn packages - run: yarn --frozen-lockfile - - - name: Prettier - run: yarn lint:json 
diff --git a/.github/workflows/lint-md.yml b/.github/workflows/lint-md.yml deleted file mode 100644 index 1b3f92c972730c..00000000000000 --- a/.github/workflows/lint-md.yml +++ /dev/null @@ -1,44 +0,0 @@ -name: Markdown Linting -on: - push: - branches-ignore: - - 'dependabot/**' - - 'renovate/**' - paths: - - '.github/workflows/lint-md.yml' - - '.nvmrc' - - '.prettier*' - - '**/*.md' - - '!AUTHORS.md' - - 'package.json' - - 'yarn.lock' - - pull_request: - paths: - - '.github/workflows/lint-md.yml' - - '.nvmrc' - - '.prettier*' - - '**/*.md' - - '!AUTHORS.md' - - 'package.json' - - 'yarn.lock' - -jobs: - lint: - runs-on: ubuntu-latest - - steps: - - name: Clone repository - uses: actions/checkout@v4 - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - cache: yarn - node-version-file: '.nvmrc' - - - name: Install all yarn packages - run: yarn --frozen-lockfile - - - name: Prettier - run: yarn lint:md diff --git a/.github/workflows/lint-ruby.yml b/.github/workflows/lint-ruby.yml deleted file mode 100644 index 92882a084d126e..00000000000000 --- a/.github/workflows/lint-ruby.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -name: Ruby Linting -on: - push: - branches-ignore: - - 'dependabot/**' - - 'renovate/**' - paths: - - 'Gemfile*' - - '.rubocop*.yml' - - '.ruby-version' - - 'config/brakeman.ignore' - - '**/*.rb' - - '**/*.rake' - - '.github/workflows/lint-ruby.yml' - - pull_request: - paths: - - 'Gemfile*' - - '.rubocop*.yml' - - '.ruby-version' - - 'config/brakeman.ignore' - - '**/*.rb' - - '**/*.rake' - - '.github/workflows/lint-ruby.yml' - -jobs: - lint: - runs-on: ubuntu-latest - - steps: - - name: Clone repository - uses: actions/checkout@v4 - - - name: Install native Ruby dependencies - run: sudo apt-get install -y libicu-dev libidn11-dev - - - name: Set up Ruby - uses: ruby/setup-ruby@v1 - with: - ruby-version: .ruby-version - bundler-cache: true - - - name: Set-up RuboCop Problem Matcher - uses: r7kamura/rubocop-problem-matchers-action@v1 - - - name: Run rubocop - run: bundle exec rubocop - - - name: Run brakeman - if: always() # Run both checks, even if the first failed - run: bundle exec brakeman diff --git a/.github/workflows/lint-yml.yml b/.github/workflows/lint-yml.yml deleted file mode 100644 index e77cc988919279..00000000000000 --- a/.github/workflows/lint-yml.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -name: YML Linting -on: - push: - branches-ignore: - - 'dependabot/**' - - 'renovate/**' - paths: - - 'package.json' - - 'yarn.lock' - - '.nvmrc' - - '.prettier*' - - '**/*.yaml' - - '**/*.yml' - - '.github/workflows/lint-yml.yml' - - '!config/locales/*.yml' - - pull_request: - paths: - - 'package.json' - - 'yarn.lock' - - '.nvmrc' - - '.prettier*' - - '**/*.yaml' - - '**/*.yml' - - '.github/workflows/lint-yml.yml' - - '!config/locales/*.yml' - -jobs: - lint: - runs-on: ubuntu-latest - - steps: - - name: Clone repository - uses: actions/checkout@v4 - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - cache: yarn - node-version-file: '.nvmrc' - - - name: Install all yarn packages - run: yarn --frozen-lockfile - - - name: Prettier - run: yarn lint:yml diff --git a/.github/workflows/rebase-needed.yml b/.github/workflows/rebase-needed.yml deleted file mode 100644 index 06d835c090e15c..00000000000000 --- a/.github/workflows/rebase-needed.yml +++ /dev/null @@ -1,27 +0,0 @@ -name: PR Needs Rebase - -on: - schedule: - - cron: '0 * * * *' - -permissions: - pull-requests: write - -jobs: - label-rebase-needed: - runs-on: ubuntu-latest - - concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - - steps: - - name: Check for merge conflicts - uses: eps1lon/actions-label-merge-conflict@releases/2.x - with: - dirtyLabel: 'rebase needed :construction:' - repoToken: '${{ secrets.GITHUB_TOKEN }}' - commentOnClean: This pull request has resolved merge conflicts and is ready for review. - commentOnDirty: This pull request has merge conflicts that must be resolved before it can be merged. - retryMax: 30 - continueOnMissingPermissions: false diff --git a/.github/workflows/test-image-build.yml b/.github/workflows/test-image-build.yml deleted file mode 100644 index 778e341771ec40..00000000000000 --- a/.github/workflows/test-image-build.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -name: Test container image build -on: - pull_request: - paths: - - .github/workflows/build-nightly.yml - - .github/workflows/build-push-pr.yml - - .github/workflows/build-releases.yml - - .github/workflows/test-image-build.yml - - Dockerfile -permissions: - contents: read - -jobs: - build-image: - concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - - uses: ./.github/workflows/build-container-image.yml - with: - platforms: linux/amd64 # Testing only on native platform so it is performant diff --git a/.github/workflows/test-js.yml b/.github/workflows/test-js.yml deleted file mode 100644 index 0ef1d9b7c82797..00000000000000 --- a/.github/workflows/test-js.yml +++ /dev/null @@ -1,48 +0,0 @@ -name: JavaScript Testing -on: - push: - branches-ignore: - - 'dependabot/**' - - 'renovate/**' - paths: - - 'package.json' - - 'yarn.lock' - - '.nvmrc' - - '**/*.js' - - '**/*.jsx' - - '**/*.ts' - - '**/*.tsx' - - '**/*.snap' - - '.github/workflows/test-js.yml' - - pull_request: - paths: - - 'package.json' - - 'yarn.lock' - - '.nvmrc' - - '**/*.js' - - '**/*.jsx' - - '**/*.ts' - - '**/*.tsx' - - '**/*.snap' - - '.github/workflows/test-js.yml' - -jobs: - test: - runs-on: ubuntu-latest - - steps: - - name: Clone repository - uses: actions/checkout@v4 - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - cache: yarn - node-version-file: '.nvmrc' - - - name: Install all yarn packages - run: yarn --frozen-lockfile - - - name: Jest testing - run: yarn jest --reporters github-actions summary diff --git a/.github/workflows/test-migrations-one-step.yml b/.github/workflows/test-migrations-one-step.yml deleted file mode 100644 index 59287e88cf2553..00000000000000 --- a/.github/workflows/test-migrations-one-step.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -name: Test one step migrations -on: - push: - branches-ignore: - - 'dependabot/**' - - 'renovate/**' - pull_request: - -jobs: - pre_job: - runs-on: ubuntu-latest - - outputs: - should_skip: ${{ steps.skip_check.outputs.should_skip }} - - steps: - - id: skip_check - uses: fkirc/skip-duplicate-actions@v5 - with: - paths: '["Gemfile*", ".ruby-version", "**/*.rb", ".github/workflows/test-migrations-one-step.yml", "lib/tasks/tests.rake"]' - - test: - runs-on: ubuntu-latest - needs: pre_job - if: needs.pre_job.outputs.should_skip != 'true' - - strategy: - fail-fast: false - - matrix: - postgres: - - 14-alpine - - 15-alpine - - services: - postgres: - image: postgres:${{ matrix.postgres}} - env: - POSTGRES_PASSWORD: postgres - POSTGRES_USER: postgres - options: >- - --health-cmd pg_isready - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 5432:5432 - - redis: - image: redis:7-alpine - options: >- - --health-cmd "redis-cli ping" - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 6379:6379 - - env: - CONTINUOUS_INTEGRATION: true - DB_HOST: localhost - DB_USER: postgres - DB_PASS: postgres - DISABLE_SIMPLECOV: true - RAILS_ENV: test - BUNDLE_CLEAN: true - BUNDLE_FROZEN: true - BUNDLE_WITHOUT: 'development production' - BUNDLE_JOBS: 3 - BUNDLE_RETRY: 3 - - steps: - - uses: actions/checkout@v4 - - - name: Install native Ruby dependencies - run: | - sudo apt-get update - sudo apt-get install -y libicu-dev libidn11-dev - - - name: Set up bundler cache - uses: ruby/setup-ruby@v1 - with: - ruby-version: .ruby-version - bundler-cache: true - - - name: Create database - run: './bin/rails db:create' - - - name: Run migrations up to v2.0.0 - run: './bin/rails db:migrate VERSION=20171010025614' - - - name: Populate database with test data - run: './bin/rails tests:migrations:populate_v2' - - - name: Run migrations up to v2.4.0 - run: './bin/rails db:migrate VERSION=20180514140000' - - - name: Populate 
database with test data - run: './bin/rails tests:migrations:populate_v2_4' - - - name: Run migrations up to v2.4.3 - run: './bin/rails db:migrate VERSION=20180707154237' - - - name: Populate database with test data - run: './bin/rails tests:migrations:populate_v2_4_3' - - - name: Run all remaining migrations - run: './bin/rails db:migrate' - - - name: Check migration result - run: './bin/rails tests:migrations:check_database' diff --git a/.github/workflows/test-migrations-two-step.yml b/.github/workflows/test-migrations-two-step.yml deleted file mode 100644 index 8f3c84d8f36884..00000000000000 --- a/.github/workflows/test-migrations-two-step.yml +++ /dev/null 
@@ -1,119 +0,0 @@ -name: Test two step migrations -on: - push: - branches-ignore: - - 'dependabot/**' - - 'renovate/**' - pull_request: - -jobs: - pre_job: - runs-on: ubuntu-latest - - outputs: - should_skip: ${{ steps.skip_check.outputs.should_skip }} - - steps: - - id: skip_check - uses: fkirc/skip-duplicate-actions@v5 - with: - paths: '["Gemfile*", ".ruby-version", "**/*.rb", ".github/workflows/test-migrations-two-step.yml", "lib/tasks/tests.rake"]' - - test: - runs-on: ubuntu-latest - needs: pre_job - if: needs.pre_job.outputs.should_skip != 'true' - - strategy: - fail-fast: false - - matrix: - postgres: - - 14-alpine - - 15-alpine - - services: - postgres: - image: postgres:${{ matrix.postgres}} - env: - POSTGRES_PASSWORD: postgres - POSTGRES_USER: postgres - options: >- - --health-cmd pg_isready - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 5432:5432 - redis: - image: redis:7-alpine - options: >- - --health-cmd "redis-cli ping" - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 6379:6379 - - env: - CONTINUOUS_INTEGRATION: true - DB_HOST: localhost - DB_USER: postgres - DB_PASS: postgres - DISABLE_SIMPLECOV: true - RAILS_ENV: test - BUNDLE_CLEAN: true - BUNDLE_FROZEN: true - BUNDLE_WITHOUT: 'development production' - BUNDLE_JOBS: 3 - BUNDLE_RETRY: 3 - - steps: - - uses: actions/checkout@v4 - - - name: Install native Ruby dependencies - run: | - sudo apt-get update - sudo apt-get install -y libicu-dev libidn11-dev - - - name: Set up bundler cache - uses: ruby/setup-ruby@v1 - with: - ruby-version: .ruby-version - bundler-cache: true - - - name: Create database - run: './bin/rails db:create' - - - name: Run migrations up to v2.0.0 - run: './bin/rails db:migrate VERSION=20171010025614' - - - name: Populate database with test data - run: './bin/rails tests:migrations:populate_v2' - - - name: Run pre-deployment migrations up to v2.4.0 - run: './bin/rails db:migrate VERSION=20180514140000' - env: - 
SKIP_POST_DEPLOYMENT_MIGRATIONS: true - - - name: Populate database with test data - run: './bin/rails tests:migrations:populate_v2_4' - - - name: Run migrations up to v2.4.3 - run: './bin/rails db:migrate VERSION=20180707154237' - env: - SKIP_POST_DEPLOYMENT_MIGRATIONS: true - - - name: Populate database with test data - run: './bin/rails tests:migrations:populate_v2_4_3' - - - name: Run all remaining pre-deployment migrations - run: './bin/rails db:migrate' - env: - SKIP_POST_DEPLOYMENT_MIGRATIONS: true - - - name: Run all post-deployment migrations - run: './bin/rails db:migrate' - - - name: Check migration result - run: './bin/rails tests:migrations:check_database' diff --git a/.github/workflows/test-ruby.yml b/.github/workflows/test-ruby.yml deleted file mode 100644 index 343dc36ca16d10..00000000000000 --- a/.github/workflows/test-ruby.yml +++ /dev/null 
@@ -1,365 +0,0 @@ -name: Ruby Testing - -on: - push: - branches-ignore: - - 'dependabot/**' - - 'renovate/**' - pull_request: - -env: - BUNDLE_CLEAN: true - BUNDLE_FROZEN: true - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - build: - runs-on: ubuntu-latest - - strategy: - fail-fast: true - matrix: - mode: - - production - - test - env: - RAILS_ENV: ${{ matrix.mode }} - BUNDLE_WITH: ${{ matrix.mode }} - OTP_SECRET: precompile_placeholder - SECRET_KEY_BASE: precompile_placeholder - - steps: - - uses: actions/checkout@v4 - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - cache: yarn - node-version-file: '.nvmrc' - - - name: Install native Ruby dependencies - run: | - sudo apt-get update - sudo apt-get install -y libicu-dev libidn11-dev - - - name: Set up bundler cache - uses: ruby/setup-ruby@v1 - with: - ruby-version: .ruby-version - bundler-cache: true - - - run: yarn --frozen-lockfile --production - - name: Precompile assets - # Previously had set this, but it's not supported - # export NODE_OPTIONS=--openssl-legacy-provider - run: |- - ./bin/rails assets:precompile - - - uses: actions/upload-artifact@v3 - if: matrix.mode == 'test' - with: - path: |- - ./public/assets - ./public/packs-test - name: ${{ github.sha }} - retention-days: 0 - - test: - runs-on: ubuntu-latest - - needs: - - build - - services: - postgres: - image: postgres:14-alpine - env: - POSTGRES_PASSWORD: postgres - POSTGRES_USER: postgres - options: >- - --health-cmd pg_isready - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 5432:5432 - - redis: - image: redis:7-alpine - options: >- - --health-cmd "redis-cli ping" - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 6379:6379 - - env: - DB_HOST: localhost - DB_USER: postgres - DB_PASS: postgres - DISABLE_SIMPLECOV: true - RAILS_ENV: test - ALLOW_NOPAM: true - PAM_ENABLED: true - PAM_DEFAULT_SERVICE: pam_test - 
PAM_CONTROLLED_SERVICE: pam_test_controlled - OIDC_ENABLED: true - OIDC_SCOPE: read - SAML_ENABLED: true - CAS_ENABLED: true - BUNDLE_WITH: 'pam_authentication test' - CI_JOBS: ${{ matrix.ci_job }}/4 - - strategy: - fail-fast: false - matrix: - ruby-version: - - '3.0' - - '3.1' - - '.ruby-version' - ci_job: - - 1 - - 2 - - 3 - - 4 - steps: - - uses: actions/checkout@v4 - - - uses: actions/download-artifact@v3 - with: - path: './public' - name: ${{ github.sha }} - - - name: Update package index - run: sudo apt-get update - - - name: Install native Ruby dependencies - run: sudo apt-get install -y libicu-dev libidn11-dev - - - name: Install additional system dependencies - run: sudo apt-get install -y ffmpeg imagemagick libpam-dev - - - name: Set up bundler cache - uses: ruby/setup-ruby@v1 - with: - ruby-version: ${{ matrix.ruby-version}} - bundler-cache: true - - - name: Load database schema - run: './bin/rails db:create db:schema:load db:seed' - - - run: bundle exec rake rspec_chunked - - test-e2e: - name: End to End testing - runs-on: ubuntu-latest - - needs: - - build - - services: - postgres: - image: postgres:14-alpine - env: - POSTGRES_PASSWORD: postgres - POSTGRES_USER: postgres - options: >- - --health-cmd pg_isready - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 5432:5432 - - redis: - image: redis:7-alpine - options: >- - --health-cmd "redis-cli ping" - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 6379:6379 - - env: - DB_HOST: localhost - DB_USER: postgres - DB_PASS: postgres - DISABLE_SIMPLECOV: true - RAILS_ENV: test - BUNDLE_WITH: test - - strategy: - fail-fast: false - matrix: - ruby-version: - - '3.0' - - '3.1' - - '.ruby-version' - - steps: - - uses: actions/checkout@v4 - - - uses: actions/download-artifact@v3 - with: - path: './public' - name: ${{ github.sha }} - - - name: Update package index - run: sudo apt-get update - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - 
cache: yarn - node-version-file: '.nvmrc' - - - name: Install native Ruby dependencies - run: sudo apt-get install -y libicu-dev libidn11-dev - - - name: Install additional system dependencies - run: sudo apt-get install -y ffmpeg imagemagick - - - name: Set up bundler cache - uses: ruby/setup-ruby@v1 - with: - ruby-version: ${{ matrix.ruby-version}} - bundler-cache: true - - - run: yarn --frozen-lockfile - - - name: Load database schema - run: './bin/rails db:create db:schema:load db:seed' - - - run: bundle exec rake spec:system - - - name: Archive logs - uses: actions/upload-artifact@v3 - if: failure() - with: - name: e2e-logs-${{ matrix.ruby-version }} - path: log/ - - - name: Archive test screenshots - uses: actions/upload-artifact@v3 - if: failure() - with: - name: e2e-screenshots - path: tmp/screenshots/ - - test-search: - name: Testing search - runs-on: ubuntu-latest - - needs: - - build - - services: - postgres: - image: postgres:14-alpine - env: - POSTGRES_PASSWORD: postgres - POSTGRES_USER: postgres - options: >- - --health-cmd pg_isready - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 5432:5432 - - redis: - image: redis:7-alpine - options: >- - --health-cmd "redis-cli ping" - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 6379:6379 - - elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.17.13 - env: - discovery.type: single-node - xpack.security.enabled: false - options: >- - --health-cmd "curl http://localhost:9200/_cluster/health" - --health-interval 10s - --health-timeout 5s - --health-retries 10 - ports: - - 9200:9200 - - env: - DB_HOST: localhost - DB_USER: postgres - DB_PASS: postgres - DISABLE_SIMPLECOV: true - RAILS_ENV: test - BUNDLE_WITH: test - ES_ENABLED: true - ES_HOST: localhost - ES_PORT: 9200 - - strategy: - fail-fast: false - matrix: - ruby-version: - - '3.0' - - '3.1' - - '.ruby-version' - - steps: - - uses: actions/checkout@v4 - - - uses: 
actions/download-artifact@v3 - with: - path: './public' - name: ${{ github.sha }} - - - name: Update package index - run: sudo apt-get update - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - cache: yarn - node-version-file: '.nvmrc' - - - name: Install native Ruby dependencies - run: sudo apt-get install -y libicu-dev libidn11-dev - - - name: Install additional system dependencies - run: sudo apt-get install -y ffmpeg imagemagick - - - name: Set up bundler cache - uses: ruby/setup-ruby@v1 - with: - ruby-version: ${{ matrix.ruby-version}} - bundler-cache: true - - - run: yarn --frozen-lockfile - - - name: Load database schema - run: './bin/rails db:create db:schema:load db:seed' - - - run: bundle exec rake spec:search - - - name: Archive logs - uses: actions/upload-artifact@v3 - if: failure() - with: - name: test-search-logs-${{ matrix.ruby-version }} - path: log/ - - - name: Archive test screenshots - uses: actions/upload-artifact@v3 - if: failure() - with: - name: test-search-screenshots - path: tmp/screenshots/ diff --git a/deploy/README.md b/deploy/README.md new file mode 100644 index 00000000000000..23989cbd06417e --- /dev/null +++ b/deploy/README.md 
@@ -0,0 +1,39 @@ +This repository contains [Helm] value files used to generate the [Kubernetes manifests] for the thoughtbot.social rails application. + +The manifests decide how the application containers will be deployed and configured. You can perform many common configuration tasks by modifying the manifests in this repository. + +## Helm Chart + +The Helm repository used to deploy the application is [`thoughtbot-charts/helm-rails`]. + +Common configuration between all releases can be found in the `values.yaml` file in this directory. + +## Releases + +Configuration common to a particular release can be found in subdirectories. + +- [Staging](./staging/) + +## Modifying Environment Variables + +Environment variables are contained in the `values.yaml` files under `config.env.data`. + +**Note: Do not store secrets in these files, as they will be permanently committed in the Git history.** + +Add an environment variable to the appropriate `values.yaml` file and push to a release branch to update environment variables. + +### Application Secrets + +Secrets are managed by [AWS Secrets Manager]. Secrets are defined in the application's [Terraform configuration]. + +To update a user-managed secret, you will need to log into the AWS Console using a permission set with secrets access, find the secret in Secrets Manager, and use the console to update the value. Secrets will be automatically reloaded once updated. + +To add a new secret, add a definition in the Terraform configuration to create an empty secret and then populate it using the procedure described above. Afterwards, update the `values.yaml` file to map the secret value to an environment variable or file. + +See [Managing Secrets] for more information. 
+ +[`thoughtbot-charts/helm-rails`]: https://github.com/thoughtbot/helm-charts/tree/main/charts/helm-rails +[managing secrets]: https://thoughtbot.atlassian.net/wiki/spaces/APG/pages/15040625/Managing+Secrets +[helm]: https://helm.sh/docs/intro/install/ +[kubernetes manifests]: https://thoughtbot.atlassian.net/wiki/spaces/APG/pages/15106113/Deploying+to+Kubernetes +[aws secrets manager]: https://aws.amazon.com/secrets-manager/ diff --git a/deploy/staging/values.yaml b/deploy/staging/values.yaml new file mode 100644 index 00000000000000..f86bb3e6a41872 --- /dev/null +++ b/deploy/staging/values.yaml @@ -0,0 +1,29 @@ +app: + instance: thoughtbot-staging + +config: + env: + data: + RAILS_ENV: production + +namespaces: + - name: thoughtbot-mastodon-staging + create: false + hosts: + - staging.thoughtbot.social + secretproviderclass: + workhands-staging: + #workhands-application: + #secretkeys: + #- FOO + redis-thoughtbot-mastodon-staging-redis-red: + secretkeys: + - REDIS_URL + rds-postgres-thoughtbot-mastodon-staging-postgres-blue: + secretkeys: + - DATABASE_URL + serviceaccount: + workhands: + create: false + virtualservice: + enabled: true diff --git a/deploy/values.yaml b/deploy/values.yaml new file mode 100644 index 00000000000000..49a2f711db5393 --- /dev/null +++ b/deploy/values.yaml 
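Review bot: In deploy/staging/values.yaml the `workhands-staging` entry under `secretproviderclass` carries only a commented-out placeholder (`#workhands-application:` / `#secretkeys:` / `#- FOO`), so it parses as a null value and the only secrets actually mapped into the release are `REDIS_URL` and `DATABASE_URL`. The application-level secrets that the removed test-ruby.yml had to stub with placeholders (`SECRET_KEY_BASE`, `OTP_SECRET`) are not wired anywhere in the new values files, so unless the chart or another overlay supplies them the staging pods will start without them; if they are meant to come from Secrets Manager this placeholder is the slot that should map them. Either fill in the real `secretkeys` list for that provider class, or remove the dead comment and write the entry explicitly (`workhands-staging: {}`) with a comment saying where application secrets are expected to come from, since a bare `key:` with commented children is easy to misread as configured. Whether the helm-rails chart tolerates a null provider class is not visible here and should be confirmed against the rendered manifests.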
@@ -0,0 +1,99 @@ +app: + # This image will be replaced with the latest application image during deploy. + image: ruby:2.7.8-slim + +config: + env: + data: + LANG: en_US.UTF-8 + PORT: '3000' + RACK_ENV: production + RAILS_ENV: production + RAILS_LOG_TO_STDOUT: enabled + RAILS_MAX_THREADS: '5' + RAILS_SERVE_STATIC_FILES: enabled + TZ: America/Los_Angeles + +defaults: + csiSecrets: + pod: + securityContext: + # This must match the uid in the Dockerfile + fsGroup: 1000 + +# New services, such as additional Sidekiq workers, can be defined here. Use one +# of the existing definitions as an example and modify the container arguments +# to run your service. +services: + web: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 10 + containers: + main: + http: {} + resources: + requests: + cpu: 128m + memory: 1024Mi + virtualservice: + headers: true + matchprefix: / + timeout: 30s + initContainers: + migrations: + name: migrations + args: + - rails + - db:abort_if_pending_migrations + + console: + containers: + main: + args: + - 'sleep' + - 'infinity' + resources: + requests: + cpu: 128m + memory: 1024Mi + initContainers: + migrations: + name: migrations + args: + - rails + - db:abort_if_pending_migrations + + worker-default: + containers: + main: + args: ['bundle', 'exec', 'sidekiq', '-C', 'config/sidekiq.yml', '-e', 'production'] + resources: + requests: + cpu: 1000m + memory: 2048Mi + initContainers: + migrations: + name: migrations + args: + - rails + - db:abort_if_pending_migrations + +jobs: + db-migrate: + backoffLimit: 1 + containers: + main: + command: + - /bin/sh + - -c + - | + bundle exec rails db:migrate; + result="$?"; + ruby -rnet/http -e 'Net::HTTP.post(URI.parse("http://localhost:15020/quitquitquit"), nil)'; + exit "$result" + env: + - name: ENABLE_PROMETHEUS + value: 'false' + restartPolicy: Never
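Review bot: The pod `securityContext` under `defaults.csiSecrets` sets only `fsGroup: 1000`; given that the comment already ties this to the Dockerfile uid, the same block should also pin `runAsNonRoot: true` and `runAsUser: 1000` so a future base-image change cannot silently run the Rails and Sidekiq containers as root (this assumes the chart passes `defaults.csiSecrets.pod.securityContext` through verbatim — confirm in the rendered Deployment). The `app.image: ruby:2.7.8-slim` placeholder is an EOL Ruby tag; if the deploy-time substitution described in its comment ever fails, that is what the pods would run, and the substituted value is ideally an image digest rather than a mutable tag. The `db-migrate` job's `Net::HTTP.post(... "http://localhost:15020/quitquitquit" ...)` line is undocumented; add a comment above `command:` such as `# Ask the sidecar proxy to exit after migrations so the Job pod can reach Completed` (presumably the Istio pilot-agent endpoint — verify). Minor style: `worker-default` uses a flow-style `args: [...]` while `web` and `console` use block sequences, and `console` quotes `'sleep'`/`'infinity'` where the others do not; pick one form file-wide.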