feat: new rafiki release pipeline and nodejs bump to v20 #10
name: Node Build | |
on: | |
workflow_dispatch: | |
pull_request: | |
branches: | |
- '**' | |
push: | |
branches: | |
- main | |
- release/v* | |
jobs: | |
prerequisite: | |
runs-on: ubuntu-latest | |
timeout-minutes: 1 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/workflows/rafiki/env-setup | |
- run: pnpm checks | |
backend: | |
runs-on: ubuntu-latest | |
needs: prerequisite | |
timeout-minutes: 25 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/workflows/rafiki/env-setup | |
- run: pnpm --filter backend build:deps | |
- run: NODE_OPTIONS=--max-old-space-size=4096 pnpm --filter backend test:ci | |
- name: AsyncAPI extension | |
run: | | |
echo "{\"extends\":[\"spectral:oas\",\"spectral:asyncapi\"]}" >> .spectral.json | |
- name: Validate Open API specs | |
run: | | |
npx @stoplight/spectral-cli lint ./packages/backend/src/openapi/specs/*.yaml | |
frontend: | |
runs-on: ubuntu-latest | |
needs: prerequisite | |
timeout-minutes: 5 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/workflows/rafiki/env-setup | |
- run: pnpm --filter frontend typecheck | |
- run: pnpm --filter frontend build | |
auth: | |
runs-on: ubuntu-latest | |
needs: prerequisite | |
timeout-minutes: 5 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/workflows/rafiki/env-setup | |
- run: pnpm --filter auth build:deps | |
- run: pnpm --filter auth test | |
- name: AsyncAPI extension | |
run: | | |
echo "{\"extends\":[\"spectral:oas\",\"spectral:asyncapi\"]}" >> .spectral.json | |
- name: Validate Open API specs | |
run: | | |
npx @stoplight/spectral-cli lint ./packages/auth/src/openapi/specs/*.yaml | |
token-introspection: | |
runs-on: ubuntu-latest | |
needs: prerequisite | |
timeout-minutes: 5 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/workflows/rafiki/env-setup | |
- run: pnpm --filter token-introspection test | |
- name: AsyncAPI extension | |
run: | | |
echo "{\"extends\":[\"spectral:oas\",\"spectral:asyncapi\"]}" >> .spectral.json | |
- name: Validate Open API specs | |
run: | | |
npx @stoplight/spectral-cli lint ./packages/token-introspection/src/openapi/specs/*.yaml | |
mock-account-servicing-entity: | |
runs-on: ubuntu-latest | |
needs: prerequisite | |
timeout-minutes: 5 | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/workflows/rafiki/env-setup | |
- run: pnpm --filter mock-account-servicing-entity typecheck | |
- run: pnpm --filter mock-account-servicing-entity build | |
graphql: | |
runs-on: ubuntu-latest | |
needs: prerequisite | |
strategy: | |
matrix: | |
package: [auth, backend] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/workflows/rafiki/env-setup | |
- name: generate ${{ matrix.package }} graphql | |
run: pnpm --filter ${{ matrix.package }} generate | |
- name: verify changed files | |
uses: tj-actions/verify-changed-files@v19 | |
id: verify-changed-files | |
with: | |
files: | | |
**/generated/graphql.* | |
- name: fail if GraphQL was generated | |
if: steps.verify-changed-files.outputs.files_changed == 'true' | |
run: exit 1 | |
codeql-analyze: | |
runs-on: ubuntu-latest | |
needs: prerequisite | |
timeout-minutes: 5 | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
language: [ 'javascript' ] | |
config: | |
- './.github/codeql/source.yml' | |
- './.github/codeql/tests.yml' | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/workflows/rafiki/env-setup | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: ${{ matrix.language }} | |
config-file: ${{ matrix.config }} | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
node-build: | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
needs: [auth, backend, frontend, token-introspection, mock-account-servicing-entity, graphql, codeql-analyze] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/workflows/rafiki/env-setup | |
- run: pnpm build | |
version-generator: | |
runs-on: ubuntu-latest | |
if: startsWith(github.ref_name, 'release/v') | |
outputs: | |
version: ${{ steps.version-generator.outputs.NEW_VERSION }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
- name: Configure git | |
run: | | |
git config --global user.name "github-actions[bot]" | |
git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
- id: version-generator | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
VERSION_PREFIX=$(echo "${{ github.ref_name }}" | sed 's|release/||') | |
read major minor patch pre_release <<< $(echo "$VERSION_PREFIX" | awk -F'[.v-]' '{print $2, $3, $4, $5}') | |
version_search="v$major.$minor.*" | |
if [ -n "$pre_release" ]; then | |
version_search="$version_search-$pre_release" | |
fi | |
echo "VERSION_SEARCH: $version_search" | |
VERSION_PREFIX=$(git tag -l $version_search --sort=-taggerdate | head -n 1) | |
if [ -n "$VERSION_PREFIX" ]; then | |
read major minor patch pre_release <<< $(echo "$VERSION_PREFIX" | awk -F'[.v-]' '{print $2, $3, $4, $5}') | |
patch=$((patch + 1)) | |
fi | |
NEW_VERSION="v${major}.${minor}.${patch}" | |
if [ -n "$pre_release" ]; then | |
NEW_VERSION="$NEW_VERSION-${pre_release}" | |
fi | |
echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_OUTPUT | |
echo "New version will be: $NEW_VERSION" | |
git tag -a $NEW_VERSION -m "$NEW_VERSION" | |
git push origin $NEW_VERSION | |
docker-build-branch: | |
runs-on: ubuntu-latest | |
needs: prerequisite | |
if: ${{ !startsWith(github.ref_name, 'release/v') }} | |
timeout-minutes: 5 | |
strategy: | |
matrix: | |
package: [auth, backend, frontend] | |
steps: | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build linux/amd64 | |
uses: docker/build-push-action@v5 | |
with: | |
push: false | |
platforms: linux/amd64 | |
file: packages/${{ matrix.package }}/Dockerfile | |
tags: ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}:${{ github.workflow_sha }} | |
docker-build: | |
runs-on: ubuntu-latest | |
needs: version-generator | |
timeout-minutes: 5 | |
strategy: | |
matrix: | |
package: [auth, backend, frontend] | |
steps: | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build linux/amd64 | |
if: ${{ !startsWith(github.ref_name, 'release/v') }} | |
uses: docker/build-push-action@v5 | |
with: | |
push: false | |
platforms: linux/amd64 | |
file: packages/${{ matrix.package }}/Dockerfile | |
tags: ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}:${{ needs.version-generator.outputs.version }} | |
outputs: type=docker,dest=/tmp/${{ matrix.package }}.tar | |
- name: Build linux/amd64 & linux/arm64 | |
uses: docker/build-push-action@v5 | |
with: | |
push: false | |
platforms: linux/amd64,linux/arm64 | |
file: packages/${{ matrix.package }}/Dockerfile | |
tags: ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}:${{ needs.version-generator.outputs.version }} | |
outputs: type=docker,dest=/tmp/${{ matrix.package }}.tar | |
- name: Save docker image to cache | |
uses: actions/cache@v4 | |
with: | |
path: /tmp/${{ matrix.package }}.tar | |
key: ${{ github.sha }} | |
docker-grype: | |
name: Docker Grype Scan | |
needs: docker-build | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
strategy: | |
matrix: | |
package: [auth, backend, frontend] | |
steps: | |
- name: Fetch docker image from cache | |
uses: actions/cache/restore@v4 | |
with: | |
path: /tmp/${{ matrix.package }}.tar | |
key: ${{ github.sha }} | |
- name: Scan docker image | |
uses: anchore/scan-action@v3 | |
with: | |
image: /tmp/${{ matrix.package }}.tar | |
fail-build: true | |
only-fixed: true | |
severity-cutoff: high | |
output-format: table | |
docker-trivy: | |
name: Docker Trivy Scan | |
needs: [docker-build] | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
strategy: | |
matrix: | |
package: [auth, backend, frontend] | |
steps: | |
- name: Fetch docker image from cache | |
uses: actions/cache/restore@v4 | |
with: | |
path: /tmp/${{ matrix.package }}.tar | |
key: ${{ github.sha }} | |
- name: Download Trivy | |
run: | | |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /tmp | |
- name: Scan docker image | |
run: | | |
/tmp/trivy image --ignore-unfixed --format table --vuln-type os,library --exit-code 1 --severity HIGH --input /tmp/${{ matrix.package }}.tar | |
push: | |
name: Push to registry | |
needs: [docker-grype, docker-trivy, version-generator, node-build] | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
package: [auth, backend, frontend] | |
steps: | |
- name: Fetch docker image from cache | |
uses: actions/cache/restore@v4 | |
with: | |
path: /tmp/${{ matrix.package }}.tar | |
key: ${{ github.sha }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to GHCR | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Load image into Docker | |
run: | | |
docker load --input /tmp/${{ matrix.package }}.tar | |
- name: List docker images | |
run: docker images | |
- name: Push to registry | |
run: | | |
docker push ghcr.io/${{ github.repository_owner }}/rafiki-${{ matrix.package }}:${{ needs.version-generator.outputs.version }} | |
generate-release: | |
runs-on: ubuntu-latest | |
needs: [push, version-generator] | |
steps: | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
- name: Generate CHANGELOG data | |
id: changelog | |
uses: requarks/changelog-action@v1 | |
with: | |
token: ${{ github.token }} | |
tag: ${{ needs.version-generator.outputs.version }} | |
- name: Create Release | |
uses: ncipollo/release-action@v1.14.0 | |
with: | |
allowUpdates: true | |
draft: false | |
makeLatest: true | |
prerelease: endsWith(needs.version-generator.outputs.version, '-alpha') | |
name: ${{ needs.version-generator.outputs.version }} | |
body: ${{ steps.changelog.outputs.changes }} | |
tag: ${{ needs.version-generator.outputs.version }} | |
token: ${{ github.token }} |
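Review bot: The Trivy install in `docker-trivy`, `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /tmp`, fetches an unpinned script from the `main` branch and executes it, so the scanner gating the release is itself a mutable, unverified dependency; pin it to a released version (the install script takes a version as its last argument, e.g. `sh -s -- -b /tmp <trivy-version>`) or use the maintained Trivy action pinned to a commit SHA, and apply the same SHA pinning to the other third-party actions here (`tj-actions/verify-changed-files@v19`, `requarks/changelog-action@v1`, `ncipollo/release-action@v1.14.0`). `version-generator` declares no `needs:`, so on any `release/v*` push it runs `git tag -a $NEW_VERSION` and `git push origin $NEW_VERSION` before `prerequisite` or any test job has reported, which leaves a pushed tag behind a failed build and makes the next run bump the patch number again; add `needs: prerequisite` (or gate the tag push on the test jobs) and declare `permissions: contents: write` on that job rather than relying on the default token scope. The image hand-off via `actions/cache/restore@v4` in `docker-grype`, `docker-trivy` and `push` never sets `fail-on-cache-miss: true`, so a cache miss reaches the scan step with no tar at `/tmp/${{ matrix.package }}.tar` instead of failing the gate explicitly. In `generate-release`, `prerelease: endsWith(needs.version-generator.outputs.version, '-alpha')` is not wrapped in an expression, so the action receives that literal string rather than a boolean; it should read `prerelease: ${{ endsWith(needs.version-generator.outputs.version, '-alpha') }}`. The first "Build linux/amd64" step in `docker-build` is guarded by `if: ${{ !startsWith(github.ref_name, 'release/v') }}` while the job itself only runs via `needs: version-generator`, which is skipped off release branches, so that step appears unreachable and can be dropped.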