Delete .github/workflows/ci.yml
Some checks are pending
CI/CD Pipeline with Secure Ephemeral PiP / test-backend (push) Waiting to run
CI/CD Pipeline with Secure Ephemeral PiP / test-frontend (push) Blocked by required conditions
CI/CD Pipeline with Secure Ephemeral PiP / build-backend (push) Blocked by required conditions
CI/CD Pipeline with Secure Ephemeral PiP / build-frontend (push) Blocked by required conditions
Some checks are pending
CI/CD Pipeline with Secure Ephemeral PiP / test-backend (push) Waiting to run
CI/CD Pipeline with Secure Ephemeral PiP / test-frontend (push) Blocked by required conditions
CI/CD Pipeline with Secure Ephemeral PiP / build-backend (push) Blocked by required conditions
CI/CD Pipeline with Secure Ephemeral PiP / build-frontend (push) Blocked by required conditions
Remove file erroneously created
This commit is contained in:
parent
7ed3c3b5e4
commit
f11683256b
1 changed files with 0 additions and 256 deletions
256
.github/workflows/ci.yml
vendored
256
.github/workflows/ci.yml
vendored
|
|
@ -1,256 +0,0 @@
|
|||
name: CI/CD Pipeline with Secure Ephemeral PiP
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
pull_request:
|
||||
branches: [main]
|
||||
|
||||
env:
|
||||
REGISTRY: ${{ secrets.REGISTRY_HOST }}
|
||||
APP_NAME: ${{ secrets.APP_NAME }}
|
||||
IMAGE_TAG: ${{ github.sha }}
|
||||
RUN_ID: ${{ github.run_id }}
|
||||
# Required pinned digests (fail if missing)
|
||||
RUST_IMG_DIGEST: ${{ secrets.RUST_IMG_DIGEST }} # e.g., docker.io/library/rust@sha256:...
|
||||
NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }} # e.g., docker.io/library/node@sha256:...
|
||||
POSTGRES_IMG_DIGEST: ${{ secrets.POSTGRES_IMG_DIGEST }} # e.g., docker.io/library/postgres@sha256:...
|
||||
PODMAN_CLIENT_IMG_DIGEST: ${{ secrets.PODMAN_CLIENT_IMG_DIGEST }} # e.g., quay.io/podman/stable@sha256:...
|
||||
SELINUX_ZLABEL: "" # set to ":z" if SELinux is enforcing
|
||||
|
||||
jobs:
|
||||
test-backend:
|
||||
runs-on: [self-hosted, ci]
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Verify pinned digests provided
|
||||
run: |
|
||||
for v in RUST_IMG_DIGEST NODE_IMG_DIGEST POSTGRES_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
|
||||
[ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
|
||||
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}' || { echo "$v must be a digest ref"; exit 1; }
|
||||
done
|
||||
|
||||
- name: Setup ephemeral PiP container
|
||||
env:
|
||||
PODMAN_CLIENT_IMG_DIGEST: ${{ env.PODMAN_CLIENT_IMG_DIGEST }}
|
||||
run: |
|
||||
chmod +x ./secure_pip_setup.sh
|
||||
./secure_pip_setup.sh
|
||||
|
||||
- name: Wait for PiP readiness
|
||||
env:
|
||||
PIP_NAME: ci-pip-${{ env.RUN_ID }}
|
||||
run: |
|
||||
chmod +x ./pip_ready.sh
|
||||
./pip_ready.sh
|
||||
|
||||
- name: Setup SSH with pinned known_hosts (per-step)
|
||||
env:
|
||||
GIT_SSH_COMMAND: 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts'
|
||||
run: |
|
||||
mkdir -p ~/.ssh && chmod 700 ~/.ssh
|
||||
install -m 600 /dev/null ~/.ssh/id_ed25519
|
||||
printf '%s' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
|
||||
install -m 644 /dev/null ~/.ssh/known_hosts
|
||||
printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
|
||||
# git commands in this step will use $GIT_SSH_COMMAND
|
||||
|
||||
- name: Create internal integration network
|
||||
run: podman exec ci-pip-${{ env.RUN_ID }} podman network create --internal integ-${{ env.RUN_ID }}
|
||||
|
||||
- name: Start PostgreSQL on internal network (digest-pinned)
|
||||
run: |
|
||||
podman exec ci-pip-${{ env.RUN_ID }} podman run -d \
|
||||
--name test-postgres \
|
||||
--network integ-${{ env.RUN_ID }} \
|
||||
-e POSTGRES_PASSWORD=testpassword \
|
||||
-e POSTGRES_USER=testuser \
|
||||
-e POSTGRES_DB=testdb \
|
||||
"${POSTGRES_IMG_DIGEST}"
|
||||
|
||||
- name: Wait for PostgreSQL to be ready
|
||||
run: |
|
||||
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
|
||||
i=0; until podman exec test-postgres pg_isready -h 127.0.0.1 -p 5432 -U testuser >/dev/null 2>&1; do
|
||||
i=$((i+1)); [ $i -gt 60 ] && { echo "pg not ready"; exit 1; }; sleep 1
|
||||
done'
|
||||
|
||||
- name: Run backend unit tests
|
||||
env:
|
||||
WORKSPACE: ${{ github.workspace }}
|
||||
run: |
|
||||
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
|
||||
podman run --rm \
|
||||
-v "$WORKSPACE":/workspace${SELINUX_ZLABEL} \
|
||||
-w /workspace \
|
||||
"'"${RUST_IMG_DIGEST}"'" \
|
||||
sh -c "cargo test --lib -- --test-threads=1"'
|
||||
|
||||
- name: Run backend integration tests
|
||||
env:
|
||||
WORKSPACE: ${{ github.workspace }}
|
||||
RUN_ID: ${{ env.RUN_ID }}
|
||||
run: |
|
||||
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
|
||||
podman run --rm \
|
||||
--network integ-'"$RUN_ID"' \
|
||||
-v "$WORKSPACE":/workspace'"${SELINUX_ZLABEL}"' \
|
||||
-w /workspace \
|
||||
-e DATABASE_URL=postgres://testuser:testpassword@test-postgres:5432/testdb \
|
||||
"'"${RUST_IMG_DIGEST}"'" \
|
||||
sh -c "cargo test --test '"'"'*'"'"' -- --test-threads=1"'
|
||||
|
||||
- name: Cleanup test resources
|
||||
if: always()
|
||||
run: |
|
||||
podman exec ci-pip-${{ env.RUN_ID }} podman rm -f test-postgres 2>/dev/null || true
|
||||
podman exec ci-pip-${{ env.RUN_ID }} podman network rm integ-${{ env.RUN_ID }} 2>/dev/null || true
|
||||
|
||||
- name: Per-job cleanup (PiP container)
|
||||
if: always()
|
||||
run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
|
||||
|
||||
test-frontend:
|
||||
runs-on: [self-hosted, ci]
|
||||
needs: test-backend
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Verify pinned digests provided
|
||||
run: |
|
||||
for v in NODE_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
|
||||
[ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
|
||||
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}' || { echo "$v must be a digest ref"; exit 1; }
|
||||
done
|
||||
|
||||
- name: Setup ephemeral PiP container
|
||||
env:
|
||||
PODMAN_CLIENT_IMG_DIGEST: ${{ env.PODMAN_CLIENT_IMG_DIGEST }}
|
||||
run: |
|
||||
chmod +x ./secure_pip_setup.sh
|
||||
./secure_pip_setup.sh
|
||||
|
||||
- name: Wait for PiP readiness
|
||||
env:
|
||||
PIP_NAME: ci-pip-${{ env.RUN_ID }}
|
||||
run: |
|
||||
chmod +x ./pip_ready.sh
|
||||
./pip_ready.sh
|
||||
|
||||
- name: Run frontend tests (digest-pinned)
|
||||
env:
|
||||
WORKSPACE: ${{ github.workspace }}
|
||||
run: |
|
||||
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
|
||||
podman run --rm \
|
||||
-v "$WORKSPACE":/workspace'"${SELINUX_ZLABEL}"' \
|
||||
-w /workspace \
|
||||
"'"${NODE_IMG_DIGEST}"'" \
|
||||
sh -c "npm ci && npm run test"'
|
||||
|
||||
- name: Per-job cleanup (PiP container)
|
||||
if: always()
|
||||
run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
|
||||
|
||||
build-backend:
|
||||
runs-on: [self-hosted, ci]
|
||||
needs: test-frontend
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Setup ephemeral PiP container
|
||||
env:
|
||||
PODMAN_CLIENT_IMG_DIGEST: ${{ env.PODMAN_CLIENT_IMG_DIGEST }}
|
||||
run: |
|
||||
chmod +x ./secure_pip_setup.sh
|
||||
./secure_pip_setup.sh
|
||||
|
||||
- name: Wait for PiP readiness
|
||||
env:
|
||||
PIP_NAME: ci-pip-${{ env.RUN_ID }}
|
||||
run: |
|
||||
chmod +x ./pip_ready.sh
|
||||
./pip_ready.sh
|
||||
|
||||
- name: Login to Forgejo Container Registry securely
|
||||
env:
|
||||
REGISTRY_HOST: ${{ env.REGISTRY }}
|
||||
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
|
||||
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||
run: |
|
||||
podman exec -i ci-pip-${{ env.RUN_ID }} sh -lc \
|
||||
'podman login "$REGISTRY_HOST" -u "$REGISTRY_USERNAME" --password-stdin' <<<"${REGISTRY_TOKEN}"
|
||||
|
||||
- name: Build backend image
|
||||
env:
|
||||
REGISTRY: ${{ env.REGISTRY }}
|
||||
APP_NAME: ${{ env.APP_NAME }}
|
||||
IMAGE_TAG: ${{ env.IMAGE_TAG }}
|
||||
run: |
|
||||
podman exec ci-pip-${{ env.RUN_ID }} sh -lc \
|
||||
'cd /workspace/backend && podman build -t "$REGISTRY/$APP_NAME/backend:$IMAGE_TAG" .'
|
||||
|
||||
- name: Push backend image
|
||||
env:
|
||||
REGISTRY: ${{ env.REGISTRY }}
|
||||
APP_NAME: ${{ env.APP_NAME }}
|
||||
IMAGE_TAG: ${{ env.IMAGE_TAG }}
|
||||
run: |
|
||||
podman exec ci-pip-${{ env.RUN_ID }} sh -lc \
|
||||
'podman push "$REGISTRY/$APP_NAME/backend:$IMAGE_TAG"'
|
||||
|
||||
- name: Per-job cleanup (PiP container)
|
||||
if: always()
|
||||
run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
|
||||
|
||||
build-frontend:
|
||||
runs-on: [self-hosted, ci]
|
||||
needs: test-frontend
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Setup ephemeral PiP container
|
||||
env:
|
||||
PODMAN_CLIENT_IMG_DIGEST: ${{ env.PODMAN_CLIENT_IMG_DIGEST }}
|
||||
run: |
|
||||
chmod +x ./secure_pip_setup.sh
|
||||
./secure_pip_setup.sh
|
||||
|
||||
- name: Wait for PiP readiness
|
||||
env:
|
||||
PIP_NAME: ci-pip-${{ env.RUN_ID }}
|
||||
run: |
|
||||
chmod +x ./pip_ready.sh
|
||||
./pip_ready.sh
|
||||
|
||||
- name: Login to Forgejo Container Registry securely
|
||||
env:
|
||||
REGISTRY_HOST: ${{ env.REGISTRY }}
|
||||
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
|
||||
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||
run: |
|
||||
podman exec -i ci-pip-${{ env.RUN_ID }} sh -lc \
|
||||
'podman login "$REGISTRY_HOST" -u "$REGISTRY_USERNAME" --password-stdin' <<<"${REGISTRY_TOKEN}"
|
||||
|
||||
- name: Build frontend image
|
||||
env:
|
||||
REGISTRY: ${{ env.REGISTRY }}
|
||||
APP_NAME: ${{ env.APP_NAME }}
|
||||
IMAGE_TAG: ${{ env.IMAGE_TAG }}
|
||||
run: |
|
||||
podman exec ci-pip-${{ env.RUN_ID }} sh -lc \
|
||||
'cd /workspace/frontend && podman build -t "$REGISTRY/$APP_NAME/frontend:$IMAGE_TAG" .'
|
||||
|
||||
- name: Push frontend image
|
||||
env:
|
||||
REGISTRY: ${{ env.REGISTRY }}
|
||||
APP_NAME: ${{ env.APP_NAME }}
|
||||
IMAGE_TAG: ${{ env.IMAGE_TAG }}
|
||||
run: |
|
||||
podman exec ci-pip-${{ env.RUN_ID }} sh -lc \
|
||||
'podman push "$REGISTRY/$APP_NAME/frontend:$IMAGE_TAG"'
|
||||
|
||||
- name: Per-job cleanup (PiP container)
|
||||
if: always()
|
||||
run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
|
||||
Loading…
Add table
Reference in a new issue