-
Notifications
You must be signed in to change notification settings - Fork 4
135 lines (108 loc) · 3.84 KB
/
Copy pathci.yml
File metadata and controls
135 lines (108 loc) · 3.84 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: 'CI'
on:
pull_request:
push:
branches: [ 'develop', 'prod', 'anvilprod' ]
jobs:
test:
runs-on: 'ubuntu-22.04'
timeout-minutes: 45
steps:
- uses: 'actions/checkout@v4'
- run: 'cat environment.boot >> "$GITHUB_ENV"'
- uses: 'actions/setup-python@v5'
with:
python-version: '${{ env.azul_python_version }}'
cache: 'pip'
cache-dependency-path: 'requirements.dev.txt'
- name: 'Run unit tests and other checks'
run: |
source environment # load global defaults
# PRs targetting the `prod` branch should be built with the `prod`
# deployment selected. The same goes for push builds of the `prod`
# branch. Likewise for `anvilprod`. All other PR and push builds
# should select the `dev` deployment. Note that this includes chained
# PRs whose target branch is not a protected branch but another PR
# branch.
#
azul_shared_deployments='{"": ["dev"], "prod": ["prod"], "anvilprod": ["anvilprod"]}'
make virtualenv
source .venv/bin/activate
make requirements
deployment=$(python scripts/check_branch.py --print)
_link $deployment
_refresh
make environment.boot
# FIXME: The default Azul registry is hosted privately on ECR, so we'd
# have to provide credentials to use it. For now, it's
# sufficient to pull 3rd party images directly from their
# upstream registry, accepting the risk that a 3rd party image
# is compromised. GitHub Actions have limited access to our
# infrastructure (the token scope is limited). The worst that
# could happen is that the token itself is revealed or that the
# action falsely reports a passing build.
# https://github.com/DataBiosphere/azul/issues/5188
#
export azul_docker_registry=""
make format
make isort
make -C lambdas openapi
make -C .github
make anvil_schema
make check_clean
make pep8
mypy
AZUL_DEBUG=0 GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} make test
make check_clean
coverage xml
- uses: 'actions/upload-artifact@v4'
with:
name: 'coverage-file'
path: 'coverage.xml'
codecov:
needs: 'test'
runs-on: 'ubuntu-22.04'
steps:
- uses: 'actions/checkout@v4'
- run: 'cat environment.boot >> "$GITHUB_ENV"'
- uses: 'actions/download-artifact@v4'
with:
name: 'coverage-file'
- uses: 'codecov/codecov-action@v7'
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: 'coverage.xml'
fail_ci_if_error: true
coveralls:
needs: 'test'
runs-on: 'ubuntu-22.04'
steps:
- uses: 'actions/checkout@v4'
- run: 'cat environment.boot >> "$GITHUB_ENV"'
- uses: 'actions/download-artifact@v4'
with:
name: 'coverage-file'
- uses: 'coverallsapp/github-action@v2'
with:
github-token: ${{ secrets.COVERALLS_REPO_TOKEN }}
codeql:
runs-on: 'ubuntu-22.04'
permissions:
actions: 'read'
contents: 'read'
security-events: 'write'
strategy:
fail-fast: false
matrix:
language: [ 'python', 'javascript' ]
steps:
- uses: 'actions/checkout@v4'
- run: 'cat environment.boot >> "$GITHUB_ENV"'
- uses: 'github/codeql-action/init@v3'
with:
languages: '${{ matrix.language }}'
config-file: './.github/codeql/codeql-config.yml'
queries: 'security-and-quality'
- uses: 'github/codeql-action/analyze@v3'
with:
category: '/language:${{matrix.language}}'