devteam/sharenet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
sharenet/.forgejo/workflows/ci.yml
continuist 6c90d69df6
Some checks failed
CI/CD Pipeline with Secure Ephemeral PiP / test-backend (push) Failing after 1s
Details
CI/CD Pipeline with Secure Ephemeral PiP / test-frontend (push) Has been skipped
Details
CI/CD Pipeline with Secure Ephemeral PiP / build-backend (push) Has been skipped
Details
CI/CD Pipeline with Secure Ephemeral PiP / build-frontend (push) Has been skipped
Details
CI/CD Pipeline with Secure Ephemeral PiP / deploy-prod (push) Has been skipped
Details
More CI workflow fixes #5
2025-09-11 15:09:14 -04:00

367 lines
14 KiB
YAML
Raw Blame History

name: CI/CD Pipeline with Secure Ephemeral PiP
on:
push:
branches: [main]
pull_request:
branches: [main]
env:
REGISTRY: ${{ secrets.REGISTRY_HOST }}
APP_NAME: ${{ secrets.APP_NAME }}
IMAGE_TAG: ${{ github.sha }}
RUN_ID: ${{ github.run_id }}
POSTGRES_USERNAME: ${{ secrets.PROD_DB_USERNAME }}
POSTGRES_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
POSTGRES_HOST: ${{ secrets.PROD_DB_HOST }}
POSTGRES_PORT: ${{ secrets.PROD_DB_PORT }}
POSTGRES_DATABASE_NAME: ${{ secrets.PROD_DB_DATABASE_NAME }}
PROD_BACKEND_HOST: ${{ secrets.PROD_BACKEND_HOST }}
PROD_BACKEND_PORT: ${{ secrets.PROD_BACKEND_PORT }}
PROD_FRONTEND_PORT: ${{ secrets.PROD_FRONTEND_PORT }}
# Required pinned digests (fail if missing)
RUST_IMG_DIGEST: ${{ secrets.RUST_IMG_DIGEST }} # e.g., docker.io/library/rust@sha256:...
NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }} # e.g., docker.io/library/node@sha256:...
POSTGRES_IMG_DIGEST: ${{ secrets.POSTGRES_IMG_DIGEST }} # e.g., docker.io/library/postgres@sha256:...
PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable@sha256:482bce3a829893f0dc3bf497c9a7609341fca11b34e35a92d308eb971ad61adb
PODMAN_SOCK: /run/user/999/podman/podman.sock
jobs:
test-backend:
runs-on: [ci]
container:
image: quay.io/podman/stable@sha256:482bce3a829893f0dc3bf497c9a7609341fca11b34e35a92d308eb971ad61adb
steps:
- uses: actions/checkout@v4
- name: Verify runner wiring to Podman
run: |
podman --version
test -S "${PODMAN_SOCK}" || { echo "Missing socket ${PODMAN_SOCK}"; exit 1; }
# Optional: sanity poke of the service via PiP later
- name: Network/DNS sanity from job container
run: |
getent hosts git.gcdo.org || true
curl -sS -o /dev/null -w 'status=%{http_code}\n' https://git.gcdo.org/api/healthz || true
- name: Verify pinned digests provided
run: |
for v in RUST_IMG_DIGEST NODE_IMG_DIGEST POSTGRES_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
[ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}$' || { echo "$v must be a digest ref"; exit 1; }
done
- name: Setup ephemeral PiP container
env:
PODMAN_CLIENT_IMG_DIGEST: quay.io/podman/stable@sha256:482bce3a829893f0dc3bf497c9a7609341fca11b34e35a92d308eb971ad61adb
SOCKET_PATH: ${{ env.PODMAN_SOCK }}
run: |
chmod +x ./secure_pip_setup.sh
./secure_pip_setup.sh
- name: Wait for PiP readiness
env:
PIP_NAME: ci-pip-${{ env.RUN_ID }}
run: |
chmod +x ./pip_ready.sh
./pip_ready.sh
- name: Verify Podman socket inside PiP
run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'test -S /run/podman-host/podman.sock && echo OK'
- name: Network sanity from PiP
run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'getent hosts git.gcdo.org && curl -sS -o /dev/null -w "status=%{http_code}\n" https://git.gcdo.org/api/healthz'
- name: Configure Git for token-based authentication
run: |
git config --global url."https://${{ secrets.REGISTRY_USERNAME }}:${{ secrets.REGISTRY_TOKEN }}@${{ env.REGISTRY }}".insteadOf "https://${{ env.REGISTRY }}"
- name: Create internal integration network
run: podman exec ci-pip-${{ env.RUN_ID }} podman network create --internal integ-${{ env.RUN_ID }}
- name: Start PostgreSQL on internal network (digest-pinned)
run: |
podman exec ci-pip-${{ env.RUN_ID }} podman run -d \
--name test-postgres \
--network integ-${{ env.RUN_ID }} \
-e POSTGRES_PASSWORD=password \
-e POSTGRES_USER=postgres \
-e POSTGRES_DB=sharenet_test \
"${POSTGRES_IMG_DIGEST}"
- name: Wait for PostgreSQL to be ready
run: |
podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
i=0; until podman exec test-postgres pg_isready -h 127.0.0.1 -p 5432 -U postgres >/dev/null 2>&1; do
i=$((i+1)); [ $i -gt 60 ] && { echo "pg not ready"; exit 1; }; sleep 1
done'
- name: Run backend unit tests
env:
WORKSPACE: ${{ github.workspace }}
run: |
podman exec -e WORKSPACE="${WORKSPACE}" ci-pip-${{ env.RUN_ID }} sh -lc '
podman run --rm \
-v "$WORKSPACE":/workspace \
-w /workspace \
"'"${RUST_IMG_DIGEST}"'" \
sh -c "cargo test --lib -- --test-threads=1"'
- name: Run backend integration tests
env:
WORKSPACE: ${{ github.workspace }}
run: |
podman exec -e WORKSPACE="${WORKSPACE}" ci-pip-${{ env.RUN_ID }} sh -lc '
podman run --rm \
--network integ-${{ env.RUN_ID }} \
-v "$WORKSPACE":/workspace \
-w /workspace \
-e DATABASE_URL=postgres://postgres:password@test-postgres:5432/sharenet_test \
"'"${RUST_IMG_DIGEST}"'" \
sh -c "cargo test --test '"'"'*'"'"' -- --test-threads=1"'
- name: Cleanup test resources
if: always()
run: |
podman exec ci-pip-${{ env.RUN_ID }} podman rm -f test-postgres 2>/dev/null || true
podman exec ci-pip-${{ env.RUN_ID }} podman network rm integ-${{ env.RUN_ID }} 2>/dev/null || true
- name: Per-job cleanup (PiP container)
if: always()
run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
test-frontend:
runs-on: [ci]
needs: test-backend
container:
image: quay.io/podman/stable@sha256:482bce3a829893f0dc3bf497c9a7609341fca11b34e35a92d308eb971ad61adb
steps:
- uses: actions/checkout@v4
- name: Verify runner wiring to Podman
run: |
podman --version
test -S "${PODMAN_SOCK}" || { echo "Missing socket ${PODMAN_SOCK}"; exit 1; }
# Optional: sanity poke of the service via PiP later
- name: Verify pinned digests provided
run: |
for v in NODE_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
[ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}$' || { echo "$v must be a digest ref"; exit 1; }
done
- name: Setup ephemeral PiP container
env:
PODMAN_CLIENT_IMG_DIGEST: ${{ secrets.PODMAN_CLIENT_IMG_DIGEST }}
SOCKET_PATH: ${{ env.PODMAN_SOCK }}
run: |
chmod +x ./secure_pip_setup.sh
./secure_pip_setup.sh
- name: Wait for PiP readiness
env:
PIP_NAME: ci-pip-${{ env.RUN_ID }}
run: |
chmod +x ./pip_ready.sh
./pip_ready.sh
- name: Verify Podman socket inside PiP
run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'test -S /run/podman-host/podman.sock && echo OK'
- name: Network sanity from PiP
run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'getent hosts git.gcdo.org && curl -sS -o /dev/null -w "status=%{http_code}\n" https://git.gcdo.org/api/healthz'
- name: Run frontend tests (digest-pinned)
env:
WORKSPACE: ${{ github.workspace }}
run: |
podman exec -e WORKSPACE="${WORKSPACE}" ci-pip-${{ env.RUN_ID }} sh -lc '
podman run --rm \
-v "$WORKSPACE":/workspace \
-w /workspace \
"'"${NODE_IMG_DIGEST}"'" \
sh -c "npm ci && npm run test"'
- name: Per-job cleanup (PiP container)
if: always()
run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
build-backend:
runs-on: [ci]
needs: test-frontend
container:
image: quay.io/podman/stable@sha256:482bce3a829893f0dc3bf497c9a7609341fca11b34e35a92d308eb971ad61adb
steps:
- uses: actions/checkout@v4
- name: Verify runner wiring to Podman
run: |
podman --version
test -S "${PODMAN_SOCK}" || { echo "Missing socket ${PODMAN_SOCK}"; exit 1; }
# Optional: sanity poke of the service via PiP later
- name: Setup ephemeral PiP container
env:
PODMAN_CLIENT_IMG_DIGEST: ${{ secrets.PODMAN_CLIENT_IMG_DIGEST }}
SOCKET_PATH: ${{ env.PODMAN_SOCK }}
run: |
chmod +x ./secure_pip_setup.sh
./secure_pip_setup.sh
- name: Wait for PiP readiness
env:
PIP_NAME: ci-pip-${{ env.RUN_ID }}
run: |
chmod +x ./pip_ready.sh
./pip_ready.sh
- name: Verify Podman socket inside PiP
run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'test -S /run/podman-host/podman.sock && echo OK'
- name: Network sanity from PiP
run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'getent hosts git.gcdo.org && curl -sS -o /dev/null -w "status=%{http_code}\n" https://git.gcdo.org/api/healthz'
- name: Login to Forgejo Container Registry securely
env:
REGISTRY_HOST: ${{ env.REGISTRY }}
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
podman exec -i ci-pip-${{ env.RUN_ID }} sh -lc \
'podman login "$REGISTRY_HOST" -u "$REGISTRY_USERNAME" --password-stdin' <<<"${REGISTRY_TOKEN}"
- name: Build backend image
env:
REGISTRY: ${{ env.REGISTRY }}
APP_NAME: ${{ env.APP_NAME }}
IMAGE_TAG: ${{ env.IMAGE_TAG }}
run: |
podman exec ci-pip-${{ env.RUN_ID }} sh -lc \
'cd /workspace/backend && podman build -t "$REGISTRY/$APP_NAME/backend:$IMAGE_TAG" .'
- name: Push backend image
env:
REGISTRY: ${{ env.REGISTRY }}
APP_NAME: ${{ env.APP_NAME }}
IMAGE_TAG: ${{ env.IMAGE_TAG }}
run: |
podman exec ci-pip-${{ env.RUN_ID }} sh -lc \
'podman push "$REGISTRY/$APP_NAME/backend:$IMAGE_TAG"'
- name: Per-job cleanup (PiP container)
if: always()
run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
build-frontend:
runs-on: [ci]
needs: test-frontend
container:
image: quay.io/podman/stable@sha256:482bce3a829893f0dc3bf497c9a7609341fca11b34e35a92d308eb971ad61adb
steps:
- uses: actions/checkout@v4
- name: Verify runner wiring to Podman
run: |
podman --version
test -S "${PODMAN_SOCK}" || { echo "Missing socket ${PODMAN_SOCK}"; exit 1; }
# Optional: sanity poke of the service via PiP later
- name: Setup ephemeral PiP container
env:
PODMAN_CLIENT_IMG_DIGEST: ${{ secrets.PODMAN_CLIENT_IMG_DIGEST }}
SOCKET_PATH: ${{ env.PODMAN_SOCK }}
run: |
chmod +x ./secure_pip_setup.sh
./secure_pip_setup.sh
- name: Wait for PiP readiness
env:
PIP_NAME: ci-pip-${{ env.RUN_ID }}
run: |
chmod +x ./pip_ready.sh
./pip_ready.sh
- name: Verify Podman socket inside PiP
run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'test -S /run/podman-host/podman.sock && echo OK'
- name: Network sanity from PiP
run: podman exec ci-pip-${{ env.RUN_ID }} sh -lc 'getent hosts git.gcdo.org && curl -sS -o /dev/null -w "status=%{http_code}\n" https://git.gcdo.org/api/healthz'
- name: Login to Forgejo Container Registry securely
env:
REGISTRY_HOST: ${{ env.REGISTRY }}
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
run: |
podman exec -i ci-pip-${{ env.RUN_ID }} sh -lc \
'podman login "$REGISTRY_HOST" -u "$REGISTRY_USERNAME" --password-stdin' <<<"${REGISTRY_TOKEN}"
- name: Build frontend image
env:
REGISTRY: ${{ env.REGISTRY }}
APP_NAME: ${{ env.APP_NAME }}
IMAGE_TAG: ${{ env.IMAGE_TAG }}
run: |
podman exec ci-pip-${{ env.RUN_ID }} sh -lc \
'cd /workspace/frontend && podman build -t "$REGISTRY/$APP_NAME/frontend:$IMAGE_TAG" .'
- name: Push frontend image
env:
REGISTRY: ${{ env.REGISTRY }}
APP_NAME: ${{ env.APP_NAME }}
IMAGE_TAG: ${{ env.IMAGE_TAG }}
run: |
podman exec ci-pip-${{ env.RUN_ID }} sh -lc \
'podman push "$REGISTRY/$APP_NAME/frontend:$IMAGE_TAG"'
- name: Per-job cleanup (PiP container)
if: always()
run: podman rm -f ci-pip-${{ env.RUN_ID }} 2>/dev/null || true
deploy-prod:
runs-on: [prod]
needs: [build-backend, build-frontend]
if: success()
container:
image: quay.io/podman/stable@sha256:482bce3a829893f0dc3bf497c9a7609341fca11b34e35a92d308eb971ad61adb
steps:
- uses: actions/checkout@v4
- name: Verify Podman in job container
run: |
podman --version
podman info --log-level=error >/dev/null
# Your prod-pod.yml uses ${REGISTRY_HOST}, but the workflow defines REGISTRY.
# Export a one-off alias so templating resolves.
- name: Render prod spec (no envsubst)
env:
REGISTRY_HOST: ${{ env.REGISTRY }}
run: |
awk '{
while (match($0, /\$\{[A-Za-z_][A-Za-z0-9_]*\}/)) {
k = substr($0, RSTART+2, RLENGTH-3);
v = ENVIRON[k];
gsub("\\$\\{" k "\\}", v);
}
print
}' deploy/prod-pod.yml > prod-pod-deploy.yml
- name: Apply with Podman
run: podman play kube --replace prod-pod-deploy.yml
- name: Clean up generated file
if: always()
run: rm -f prod-pod-deploy.yml
Reference in a new issue View git blame Copy permalink