[Snyk] Fix for 2 vulnerabilities #52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Craiglist app CI/CD | |
on: | |
push: | |
branches: [ main ] | |
pull_request: | |
branches: [ main ] | |
env: | |
WEB_IMAGE: ghcr.io/$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')/craiglist_web | |
NGINX_IMAGE: ghcr.io/$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')/craiglist_nginx | |
jobs: | |
test: | |
name: Run tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code source | |
uses: actions/checkout@v3 | |
- name: Add environment variables to .env | |
run: | | |
echo DEBUG=0 >> .env | |
echo POSTGRES_DB=${{ secrets.SQL_DATABASE }} >> .env | |
echo SECRET_KEY=${{ secrets.SECRET_KEY }} >> .env | |
echo POSTGRES_USER=${{ secrets.SQL_USER }} >> .env | |
echo POSTGRES_PASSWORD=${{ secrets.SQL_PASSWORD }} >> .env | |
echo POSTGRES_HOST=${{ secrets.SQL_HOST }} >> .env | |
echo POSTGRES_PORT=${{ secrets.SQL_PORT }} >> .env | |
echo HOST_IP=${{ secrets.DIGITAL_OCEAN_IP_ADDRESS }} >> .env | |
- name: Set up Python version | |
uses: actions/setup-python@v3 | |
with: | |
python-version: 3.9 | |
- name: Install Dependencies | |
run: | | |
python -m pip install --upgrade pip | |
pip install -r requirements.txt | |
- name: Lint with Flake8 | |
run: flake8 . | |
- name: Run Tests | |
run: python manage.py test | |
build: | |
name: Build docker images | |
runs-on: ubuntu-latest | |
needs: test | |
steps: | |
- name: Checkout code source | |
uses: actions/checkout@v3 | |
- name: Add environment variables to .env | |
run: | | |
echo DEBUG=0 >> .env | |
echo POSTGRES_DB=${{ secrets.SQL_DATABASE }} >> .env | |
echo SECRET_KEY=${{ secrets.SECRET_KEY }} >> .env | |
echo POSTGRES_USER=${{ secrets.SQL_USER }} >> .env | |
echo POSTGRES_PASSWORD=${{ secrets.SQL_PASSWORD }} >> .env | |
echo POSTGRES_HOST=${{ secrets.SQL_HOST }} >> .env | |
echo POSTGRES_PORT=${{ secrets.SQL_PORT }} >> .env | |
echo HOST_IP=${{ secrets.DIGITAL_OCEAN_IP_ADDRESS }} >> .env | |
- name: Set environnement variables | |
run: | | |
echo "WEB_IMAGE=$(echo ${{env.WEB_IMAGE}} )" >> $GITHUB_ENV | |
echo "NGINX_IMAGE=$(echo ${{env.NGINX_IMAGE}} )" >> $GITHUB_ENV | |
- name: Log in to GitHub Packages | |
run: echo ${GH_PERSONAL_ACCESS_TOKEN} | docker login ghcr.io -u ${{ secrets.GH_USERNAME }} --password-stdin | |
env: | |
GH_PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} | |
- name: Pull images | |
run: | | |
docker pull ${{ env.WEB_IMAGE }} || true | |
docker pull ${{ env.NGINX_IMAGE }} || true | |
- name: Build images | |
if: ${{ !env.ACT }} | |
run: docker-compose -f docker-compose-ci.yml build | |
- name: Push images | |
run: | | |
docker push ${{ env.WEB_IMAGE }} | |
docker push ${{ env.NGINX_IMAGE }} | |
deploy: | |
name: Deploy to production | |
runs-on: ubuntu-latest | |
needs: build | |
if: github.ref == 'refs/heads/main' | |
steps: | |
- name: Checkout main | |
uses: actions/checkout@v2 | |
- name: Add environment variables to .env | |
run: | | |
echo DEBUG=0 >> .env | |
echo SQL_ENGINE=django.db.backends.postgresql >> .env | |
echo SECRET_KEY=${{ secrets.SECRET_KEY }} >> .env | |
echo SQL_DATABASE=${{ secrets.SQL_DATABASE }} >> .env | |
echo SQL_USER=${{ secrets.SQL_USER }} >> .env | |
echo SQL_PASSWORD=${{ secrets.SQL_PASSWORD }} >> .env | |
echo SQL_HOST=${{ secrets.SQL_HOST }} >> .env | |
echo SQL_PORT=${{ secrets.SQL_PORT }} >> .env | |
echo WEB_IMAGE=${{ env.WEB_IMAGE }} >> .env | |
echo NGINX_IMAGE=${{ env.NGINX_IMAGE }} >> .env | |
echo GH_USERNAME=${{ secrets.GH_USERNAME }} >> .env | |
echo GH_PERSONAL_ACCESS_TOKEN=${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} >> .env | |
echo HOST_IP=${{ secrets.DIGITAL_OCEAN_IP_ADDRESS }} >> .env | |
- name: Add the private SSH key to the ssh-agent | |
if: ${{ !env.ACT }} | |
env: | |
SSH_AUTH_SOCK: /tmp/ssh_agent.sock | |
run: | | |
mkdir -p ~/.ssh | |
ssh-agent -a $SSH_AUTH_SOCK > /dev/null | |
ssh-keyscan ${{ secrets.DIGITAL_OCEAN_IP_ADDRESS }} >> ~/.ssh/known_hosts | |
ssh-add - <<< "${{ secrets.SSH_PRIVATE_KEY }}" | |
- name: Build and deploy images on DigitalOcean | |
if: ${{ !env.ACT }} | |
env: | |
SSH_AUTH_SOCK: /tmp/ssh_agent.sock | |
run: | | |
scp -o StrictHostKeyChecking=no -r ./.env ./docker-compose-prod.yml root@${{ secrets.DIGITAL_OCEAN_IP_ADDRESS }}:/app | |
ssh -o StrictHostKeyChecking=no root@${{ secrets.DIGITAL_OCEAN_IP_ADDRESS }} << 'ENDSSH' | |
cd /app | |
source .env | |
docker login ghcr.io -u $GH_USERNAME -p $GH_PERSONAL_ACCESS_TOKEN | |
docker pull $WEB_IMAGE | |
docker pull $NGINX_IMAGE | |
docker-compose -f docker-compose-prod.yml up -d | |
docker-compose -f docker-compose-prod.yml exec -T craiglist_web python manage.py migrate | |
docker-compose -f docker-compose-prod.yml exec -T craiglist_web python manage.py collectstatic --no-input | |
docker-compose -f docker-compose-prod.yml exec -T craiglist_web cp -a /app/static/. /usr/src/app/static/ | |
ENDSSH |