.github/workflows/main.yml

---
name: CI

env:
  IMAGE_NAME: metrics
  PUBLIC_IMAGE_NAME: ghcr.io/ebmdatalab/metrics
  REGISTRY: ghcr.io
  SSH_AUTH_SOCK: /tmp/agent.sock

on:
  workflow_dispatch:
  pull_request:
  push:
    branches: [main]

jobs:
  check:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - uses: "opensafely-core/setup-action@v1"
        with:
          python-version: "3.12"
          install-just: true
      - name: Check formatting, linting and import sorting
        run: just check

  test:
    runs-on: ubuntu-latest

    services:
      timescaledb:
        # mirror what's in timescaledb/Dockerfile
        image: timescale/timescaledb:pg14-latest@sha256:c453fa2d290d578a5983b5823e9ffbf16f478735d8c121620436c4a9c6e55df5
        env:
          POSTGRES_USER: user
          POSTGRES_PASSWORD: password
          POSTGRES_DB: metrics
          TIMESCALEDB_TELEMETRY: off
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5

    steps:
      - uses: actions/checkout@v4
      - uses: "opensafely-core/setup-action@v1"
        with:
          python-version: "3.12"
          install-just: true

      - name: Run tests
        env:
          GITHUB_EBMDATALAB_TOKEN:
          GITHUB_OS_CORE_TOKEN:
          SLACK_SIGNING_SECRET:
          SLACK_TECH_SUPPORT_CHANNEL_ID:
          SLACK_TOKEN:
          TIMESCALEDB_URL: postgresql://user:password@localhost/metrics
        run: |
          just test

  lint-dockerfile:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf  # v3.1.0
        with:
          dockerfile: docker/Dockerfile

  docker-test-dev:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - uses: "opensafely-core/setup-action@v1"
        with:
          python-version: "3.12"
          install-just: true

      - name: Build docker image for dev
        run: |
            just docker-build dev

      - name: Run the smoke test on the prod image
        run: |
            docker compose up -d timescaledb
            SKIP_BUILD=1 just docker/test

  docker-build-prod:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - uses: "opensafely-core/setup-action@v1"
        with:
          install-just: true

      - name: Build docker image for prod
        run: |
            just docker-build prod

      - name: Run the smoke test on the prod image
        run: |
            SKIP_BUILD=1 just docker-run prod

      - name: Save docker image
        run: |
          docker save metrics | gzip > /tmp/metrics.tar.gz

      - name: Upload docker image
        uses: actions/upload-artifact@v4
        with:
            name: metrics-image
            path: /tmp/metrics.tar.gz

  required-checks:
    if: always()

    needs:
    - check
    - test
    - docker-test-dev
    - docker-build-prod
    - lint-dockerfile

    runs-on: Ubuntu-latest

    steps:
    - name: Decide whether the needed jobs succeeded or failed
      uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2
      with:
        jobs: ${{ toJSON(needs) }}

  deploy:
    needs: [required-checks]

    runs-on: ubuntu-latest

    permissions:
      contents: read
      packages: write

    if: github.ref == 'refs/heads/main'

    concurrency: deploy-production-ci

    steps:
      - uses: actions/checkout@v4
      - uses: "opensafely-core/setup-action@v1"
        with:
          install-just: true

      - name: Download docker image
        uses: actions/download-artifact@v4
        with:
            name: metrics-image
            path: /tmp/image

      - name: Import docker image
        run: gunzip -c /tmp/image/metrics.tar.gz | docker load

      - name: Test image we imported from previous job works
        run: |
            SKIP_BUILD=1 just docker-run prod

      - name: Publish image
        run: |
            echo ${{ secrets.GITHUB_TOKEN }} | docker login "$REGISTRY" -u ${{ github.actor }} --password-stdin
            docker tag "$IMAGE_NAME" "$PUBLIC_IMAGE_NAME":latest
            docker push "$PUBLIC_IMAGE_NAME":latest

      - name: Deploy image
        run: |
            ssh-agent -a "$SSH_AUTH_SOCK" > /dev/null
            ssh-add - <<< "${{ secrets.DOKKU3_DEPLOY_SSH_KEY }}"
            SHA=$(docker inspect --format='{{index .RepoDigests 0}}' "$PUBLIC_IMAGE_NAME":latest)
            ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" dokku@dokku3.ebmdatalab.net git:from-image metrics "$SHA"