Skip to content

fix up the nonprod warning banner #4215

fix up the nonprod warning banner

fix up the nonprod warning banner #4215

Workflow file for this run

# Docs: https://docs.github.com/en/actions
name: CI/CD
on:
push:
branches: ["master"]
pull_request:
branches: ["master"]
jobs:
lint:
name: Linters
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Harden CI
uses: step-security/harden-runner@v2.10.1
with:
disable-sudo: true
disable-file-monitoring: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443
- name: Checkout source code
uses: actions/checkout@v4
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: "3.13"
- name: Install uv
uses: astral-sh/setup-uv@v3
- name: Set up Tox environment
run: |
uv tool install tox --with tox-uv
tox run -e lint --notest
- name: Run Linters
run: tox run -e lint
env:
# no-commit-to-branch always fails in CI, because this pre-commit
# is only designed for running locally (i.e. when committing to a
# local master branch)
SKIP: no-commit-to-branch
mypy:
name: Mypy (static type checker)
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Harden CI
uses: step-security/harden-runner@v2.10.1
with:
disable-sudo: true
disable-file-monitoring: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443
- name: Checkout source code
uses: actions/checkout@v4
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: "3.13"
- name: Install uv
uses: astral-sh/setup-uv@v3
- name: Set up Tox environment
run: |
uv tool install tox --with tox-uv
tox run -e lint --notest
- name: Run Mypy
run: tox run -e mypy
packaging:
name: Packaging
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Harden CI
uses: step-security/harden-runner@v2.10.1
with:
disable-sudo: true
disable-file-monitoring: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443
- name: Checkout source code
uses: actions/checkout@v4
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: "3.13"
- name: Install uv
uses: astral-sh/setup-uv@v3
- name: Set up Tox environment
run: |
uv tool install tox --with tox-uv
tox run -e lint --notest
- name: Check packaging
run: tox run -e packaging
unit:
name: "Py:${{ matrix.python-version }} - ${{ matrix.os }}"
# Available versions:
# https://github.com/actions/python-versions/blob/main/versions-manifest.json
runs-on: ${{ matrix.os }}
timeout-minutes: 30
continue-on-error: ${{ matrix.optional }}
strategy:
matrix:
os: ["ubuntu-latest"]
python-version: ["3.13"] # Versions to test with coverage
tox-prefix: ["coverage"]
optional: [false]
include:
# Test next Python version but allow it to fail
- os: "ubuntu-latest"
python-version: "3.14.0-alpha.1"
optional: true
tox-prefix: "test"
services:
mysql:
image: mariadb:10.5.17
env:
MYSQL_ROOT_HOST: "%"
MYSQL_ROOT_PASSWORD: ims
MYSQL_USER: ims
MYSQL_PASSWORD: ims
ports:
- 3306
options: >-
--health-cmd="mysqladmin ping"
--health-interval=10s
--health-timeout=5s
--health-retries=5
steps:
- name: Harden CI
uses: step-security/harden-runner@v2.10.1
with:
disable-sudo: true
disable-file-monitoring: true
egress-policy: block
allowed-endpoints: >
api.codecov.io:443
api.github.com:443
cli.codecov.io:443
codecov.io:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443
storage.googleapis.com:443
uploader.codecov.io:443
- name: Checkout source code
uses: actions/checkout@v4
with:
fetch-depth: 2
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- name: Translate Python version to Tox environment
shell: python
run: |
from os import environ
from pathlib import Path
py = "${{ matrix.python-version }}"
py = "".join(py.split(".")[:2]) # Combine major/minor, toss rest
py = py.replace("pypy-", "py") # For Pypy: have a litte less py
env = f"${{ matrix.tox-prefix }}-py{py}"
print(f"TOX_ENV={env}")
p = Path(environ["GITHUB_ENV"])
f = p.open(mode="a")
f.write(f"TOX_ENV={env}\n")
- name: Install uv
uses: astral-sh/setup-uv@v3
- name: Set up Tox environment
run: |
uv tool install tox --with tox-uv
tox run -e lint --notest
- name: Run unit tests
id: test
run: |
status=0
tox run -e "${TOX_ENV}" || status=$?
if [ ${status} -ne 0 ] && [ "${{ matrix.optional }}" == "true" ]; then
echo "::warning::Optional matrix job failed."
echo "optional_fail=true" >> "${GITHUB_OUTPUT}"
echo "optional_fail_status=${status}" >> "${GITHUB_OUTPUT}"
exit 0 # Ignore error here to keep the green checkmark going
fi;
exit ${status}
env:
IMS_TEST_MYSQL_HOST: localhost
IMS_TEST_MYSQL_PORT: ${{ job.services.mysql.ports['3306'] }}
IMS_TEST_MYSQL_ROOT_PASSWORD: ims
IMS_TEST_MYSQL_USERNAME: ims
IMS_TEST_MYSQL_PASSWORD: ims
- name: Upload Trial log artifact
if: ${{ failure() || steps.test.outputs.optional_fail == 'true' }}
uses: actions/upload-artifact@v4
with:
name: trial
path: .tox/${TOX_ENV}/log/trial.log
- name: Add comment if optional job failed; delete otherwise
# this step fails on post-merge runs on master, since there's no
# PR to comment against.
if: ${{ matrix.optional && github.ref != 'refs/heads/master' }}
uses: thollander/actions-comment-pull-request@v3
with:
# Note: tag must be unique to each matrix case
comment-tag: "${{ matrix.python-version }}-${{ matrix.os }}-optional-notice"
message: |
### ⚠️ Optional matrix job Py:${{ matrix.python-version }} - ${{ matrix.os }} failed ⚠️
- tox prefix: ${{ matrix.tox-prefix }}
- exit status: ${{ steps.test.outputs.optional_fail_status }}
mode: ${{ steps.test.outputs.optional_fail == 'true' && 'upsert' || 'delete' }}
# Use the latest supported Python version for combining coverage to
# prevent parsing errors in older versions when looking at modern code.
- uses: "actions/setup-python@v5"
if: ${{ matrix.tox-prefix == 'coverage' }}
with:
python-version: 3.13
- name: "Upload coverage to Codecov"
uses: "codecov/codecov-action@v4"
if: ${{ matrix.tox-prefix == 'coverage' }}
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: .tox/coverage.xml
env_vars: GITHUB_REF,GITHUB_COMMIT,GITHUB_USER,GITHUB_WORKFLOW
fail_ci_if_error: true
env:
GITHUB_REF: ${{ github.ref }}
GITHUB_COMMIT: ${{ github.sha }}
GITHUB_USER: ${{ github.actor }}
GITHUB_WORKFLOW: ${{ github.workflow }}
docker-build:
name: Build Docker image
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Harden CI
uses: step-security/harden-runner@v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
dl-cdn.alpinelinux.org:443
files.pythonhosted.org:443
github.com:443
production.cloudflare.docker.com:443
pypi.org:443
registry-1.docker.io:443
- name: Checkout source code
uses: actions/checkout@v4
- name: Build Docker image
run: ./bin/build
- name: Save Docker image
run: docker image save ranger-ims-server:dev | gzip -9 > docker_image.tgz
- name: Upload Docker image artifacts
uses: actions/upload-artifact@v4
with:
name: docker
path: docker_image.tgz
docker-test:
name: Test Docker image
needs: [docker-build]
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Harden CI
uses: step-security/harden-runner@v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
github.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
- name: Checkout source code
uses: actions/checkout@v4
- name: Download Docker image artifacts
uses: actions/download-artifact@v4
with:
name: docker
- name: Load Docker image
run: gzip --uncompress --stdout docker_image.tgz | docker image load
- name: Test Docker image
run: ./bin/test_docker
# Can't figure out how to keep a failed docker-trivy job from marking a build
# as failed in the UI and it's driving me nuts so never mind this.
# docker-trivy:
# name: Trivy (security scan)
# needs: [docker-build]
# runs-on: ubuntu-latest
# timeout-minutes: 10
# continue-on-error: true
# steps:
# - uses: step-security/harden-runner@v2.10.1
# with:
# egress-policy: audit
# - name: Checkout source code
# uses: actions/checkout@v4
# - name: Download Docker image artifacts
# uses: actions/download-artifact@v4
# with:
# name: docker
# - name: Load Docker image
# run: gzip --uncompress --stdout docker_image.tgz | docker image load
# - name: Run Trivy
# run: docker run -v /var/run/docker.sock:/var/run/docker.sock --rm aquasec/trivy image --exit-code 1 --no-progress ranger-ims-server:dev
deploy-staging:
name: Deploy image built from master branch to the staging environment
needs: [docker-test, lint, mypy, packaging, unit]
if: ${{ github.ref == 'refs/heads/master' }}
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Harden CI
uses: step-security/harden-runner@v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
655216687927.dkr.ecr.us-west-2.amazonaws.com:443
api.ecr.us-west-2.amazonaws.com:443
ecs.us-west-2.amazonaws.com:443
email-smtp.us-west-2.amazonaws.com:465
files.pythonhosted.org:443
github.com:443
pypi.org:443
raw.githubusercontent.com:443
api.github.com:443
objects.githubusercontent.com:443
- name: Checkout source code
uses: actions/checkout@v4
- name: Download Docker image artifacts
uses: actions/download-artifact@v4
with:
name: docker
- name: Load Docker image
run: gzip --uncompress --stdout docker_image.tgz | docker image load
- name: Install Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Deploy to staging
run: ./bin/deploy staging
env:
# https://github.com/burningmantech/ranger-ims-server/settings/secrets
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
AWS_ECR_IMAGE_NAME: ${{ secrets.AWS_ECR_IMAGE_NAME }}
AWS_ECS_CLUSTER_STAGING: rangers
AWS_ECS_SERVICE_STAGING: ${{ secrets.AWS_ECS_SERVICE_STAGING }}
NOTIFY_SMTP_HOST: ${{ secrets.NOTIFY_SMTP_HOST }}
NOTIFY_SMTP_USER: ${{ secrets.NOTIFY_SMTP_USER }}
NOTIFY_SMTP_PASSWORD: ${{ secrets.NOTIFY_SMTP_PASSWORD }}
NOTIFY_EMAIL_RECIPIENT: ${{ secrets.NOTIFY_EMAIL_RECIPIENT }}
NOTIFY_EMAIL_SENDER: ${{ secrets.NOTIFY_EMAIL_SENDER }}
CI: true
PROJECT_NAME: Ranger IMS Server
REPOSITORY_ID: ${{ github.repository }}
BUILD_NUMBER: 0
BUILD_URL: https://github.com/burningmantech/ranger-ims-server/commit/${{ github.sha }}/checks
COMMIT_ID: ${{ github.event.head_commit.id }}
COMMIT_URL: ${{ github.event.head_commit.url }}
COMMIT_AUTHOR_USER: ${{ github.event.head_commit.author.username }}
COMMIT_AUTHOR_NAME: ${{ github.event.head_commit.author.name }}
COMMIT_AUTHOR_EMAIL: ${{ github.event.head_commit.author.email }}
COMMIT_MESSAGE: ${{ github.event.head_commit.message }}