From 5e2cd6fff2c2b8cefdb954137fa18f4f98645c49 Mon Sep 17 00:00:00 2001 From: chichi Date: Mon, 5 Feb 2024 06:47:07 -0800 Subject: [PATCH 01/27] updated nextconfig and package.json --- apps/web/next.config.js | 15 +++++++++++++++ apps/web/package.json | 8 +++++--- packages/config/eslint-preset.js | 4 ++++ 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/apps/web/next.config.js b/apps/web/next.config.js index 52831dd03e171f..748e2ada3268f0 100644 --- a/apps/web/next.config.js +++ b/apps/web/next.config.js @@ -13,6 +13,17 @@ const { orgUserTypeEmbedRoutePath, } = require("./pagesAndRewritePaths"); +const path = require ('node:path') ; +const url = require ('node:url'); + + + +const workspaceRoot = path.resolve( + path.dirname(url.fileURLToPath(require('url').pathToFileURL(__filename).toString())), + '..', + '..' +); + if (!process.env.NEXTAUTH_SECRET) throw new Error("Please set NEXTAUTH_SECRET"); if (!process.env.CALENDSO_ENCRYPTION_KEY) throw new Error("Please set CALENDSO_ENCRYPTION_KEY"); const isOrganizationsEnabled = @@ -154,7 +165,11 @@ const matcherConfigUserTypeEmbedRoute = { /** @type {import("next").NextConfig} */ const nextConfig = { + output: 'standalone', + outputFileTracing: true , + swcMinify: true, experimental: { + outputFileTracingRoot: workspaceRoot , // externalize server-side node_modules with size > 1mb, to improve dev mode performance/RAM usage serverComponentsExternalPackages: ["next-i18next"], }, diff --git a/apps/web/package.json b/apps/web/package.json index 3ec5d900b1c107..e472b8798d7bff 100644 --- a/apps/web/package.json +++ b/apps/web/package.json 
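Review bot: The `workspaceRoot` expression in the first next.config.js hunk round-trips `__filename` through `pathToFileURL(...).toString()` and back through `fileURLToPath`, so `path.dirname(...)` of it is simply `__dirname`, and the `url` require (plus the second inline `require('url')`) exists only to feed that round trip. The same value is `const workspaceRoot = path.resolve(__dirname, "..", "..");`, after which the `const url = require ('node:url');` line can go. The added lines also use single quotes and `require (` spacing that differ from the rest of the file, which is the kind of drift the prettier rule added in the eslint-preset hunk will start warning about.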
@@ -17,11 +17,13 @@ "lint": "eslint . --ignore-path .gitignore", "lint:fix": "eslint . --ext .ts,.js,.tsx,.jsx --fix", "lint:report": "eslint . --format json --output-file ../../lint-results/web.json", - "check-changed-files": "ts-node scripts/ts-check-changed-files.ts" + "check-changed-files": "ts-node scripts/ts-check-changed-files.ts", + "docker-start-web": "prisma migrate deploy --schema /app/packages/prisma/schema.prisma && node /app/apps/web/server.js" + }, "engines": { - "node": "18", - "yarn": "3.4.1" + "node": "18" + }, "dependencies": { "@boxyhq/saml-jackson": "1.8.2", diff --git a/packages/config/eslint-preset.js b/packages/config/eslint-preset.js index e114436acecec0..404fd08b306fc8 100644 --- a/packages/config/eslint-preset.js +++ b/packages/config/eslint-preset.js @@ -43,6 +43,10 @@ module.exports = { }, ], "prefer-template": "error", + "prettier/prettier": [ 'warn', { + endOfLine: 'auto', + }, + ], }, overrides: [ { From dd1cfead335633110c14d90666d1bbe9867bddcd Mon Sep 17 00:00:00 2001 From: chichi Date: Mon, 5 Feb 2024 07:03:40 -0800 Subject: [PATCH 02/27] added web dockerfile --- infra/docker/web/.dockerignore | 5 + infra/docker/web/.env.example | 61 ++++++++++++ infra/docker/web/Dockerfile | 95 +++++++++++++++++++ infra/docker/web/docker-compose.yaml | 25 +++++ infra/docker/web/integration-test/compose.yml | 28 ++++++ infra/docker/web/scripts/placeholder.yml | 5 + .../docker/web/scripts/replace-placeholder.sh | 43 +++++++++ 7 files changed, 262 insertions(+) create mode 100644 infra/docker/web/.dockerignore create mode 100644 infra/docker/web/.env.example create mode 100644 infra/docker/web/Dockerfile create mode 100644 infra/docker/web/docker-compose.yaml create mode 100644 infra/docker/web/integration-test/compose.yml create mode 100644 infra/docker/web/scripts/placeholder.yml create mode 100644 infra/docker/web/scripts/replace-placeholder.sh 
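Review bot: The new `docker-start-web` script hard-codes the image's `/app/...` layout (`--schema /app/packages/prisma/schema.prisma` and `node /app/apps/web/server.js`) into the workspace package.json, so the script only works inside the container built from infra/docker/web/Dockerfile and breaks as soon as the `WORKDIR` or copy targets in that Dockerfile move. Since `yarn workspace @calcom/web` runs the script from the workspace directory, workspace-relative paths (`--schema ../../packages/prisma/schema.prisma` and `node server.js`) would decouple it from the image layout; whether the standalone output keeps that directory shape at runtime should be confirmed against the runner stage's `COPY` lines. The hunk also drops the `"yarn": "3.4.1"` engine pin without a mention in the commit message; if that is intentional it deserves a line there.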
diff --git a/infra/docker/web/.dockerignore b/infra/docker/web/.dockerignore new file mode 100644 index 00000000000000..6e100ccdb9088e --- /dev/null +++ b/infra/docker/web/.dockerignore @@ -0,0 +1,5 @@ +.git +.github +.env.example +node_modules +**/node_modules \ No newline at end of file diff --git a/infra/docker/web/.env.example b/infra/docker/web/.env.example new file mode 100644 index 00000000000000..cf91da2e4ab3e9 --- /dev/null +++ b/infra/docker/web/.env.example 
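Review bot: This `.dockerignore` lives at infra/docker/web/ while the build context is the repository root (the Dockerfile does `COPY --link . .` and `COPY ... infra/docker/web/scripts`, and the workflow passes only `file: infra/docker/web/Dockerfile`), so Docker will not read it: it honours `.dockerignore` at the context root, or `Dockerfile.dockerignore` beside the Dockerfile under BuildKit. As written, `.git`, every `node_modules` tree and any local `.env` file end up in the builder layer. Move the file to the repository root (or rename it `infra/docker/web/Dockerfile.dockerignore`), and add `.env` / `**/.env` to it, since the current list excludes only `.env.example` and not the file that actually holds secrets.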
@@ -0,0 +1,61 @@ +# Set this value to 'agree' to accept our license: +# LICENSE: https://github.com/calendso/calendso/blob/main/LICENSE +# +# Summary of terms: +# - The codebase has to stay open source, whether it was modified or not +# - You can not repackage or sell the codebase +# - Acquire a commercial license to remove these terms by emailing: license@cal.com +NEXT_PUBLIC_LICENSE_CONSENT= +LICENSE= + +# BASE_URL and NEXT_PUBLIC_APP_URL are both deprecated. Both are replaced with one variable, NEXT_PUBLIC_WEBAPP_URL +# BASE_URL=http://localhost:3000 +# NEXT_PUBLIC_APP_URL=http://localhost:3000 + +NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000 + + +# Configure NEXTAUTH_URL manually if needed, otherwise it will resolve to {NEXT_PUBLIC_WEBAPP_URL}/api/auth +# NEXTAUTH_URL=http://localhost:3000/api/auth + +# It is highly recommended that the NEXTAUTH_SECRET must be overridden and very unique +# Use `openssl rand -base64 32` to generate a key +NEXTAUTH_SECRET=secret + +# Encryption key that will be used to encrypt CalDAV credentials, choose a random string, for example with `dd if=/dev/urandom bs=1K count=1 | md5sum` +CALENDSO_ENCRYPTION_KEY=secret + +# Deprecation note: JWT_SECRET is no longer used +# JWT_SECRET=secret + +POSTGRES_USER=unicorn_user +POSTGRES_PASSWORD=magical_password +POSTGRES_DB=calendso +DATABASE_HOST=database:5432 +DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${DATABASE_HOST}/${POSTGRES_DB} +GOOGLE_API_CREDENTIALS={} + +# Set this to '1' if you don't want Cal to collect anonymous usage +CALCOM_TELEMETRY_DISABLED= + +# Used for the Office 365 / Outlook.com Calendar integration +MS_GRAPH_CLIENT_ID= +MS_GRAPH_CLIENT_SECRET= + +# Used for the Zoom integration +ZOOM_CLIENT_ID= +ZOOM_CLIENT_SECRET= + +# E-mail settings +# Configures the global 
From: header whilst sending emails. +EMAIL_FROM=notifications@example.com + +# Configure SMTP settings (@see https://nodemailer.com/smtp/). +EMAIL_SERVER_HOST=smtp.example.com +EMAIL_SERVER_PORT=587 +EMAIL_SERVER_USER=email_user +EMAIL_SERVER_PASSWORD=email_password + +NODE_ENV=production + +# HOSTNAME=example.com diff --git a/infra/docker/web/Dockerfile b/infra/docker/web/Dockerfile new file mode 100644 index 00000000000000..8d6417a46b126e --- /dev/null +++ b/infra/docker/web/Dockerfile 
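Review bot: `NEXTAUTH_SECRET=secret` and `CALENDSO_ENCRYPTION_KEY=secret` are non-empty, so a straight copy of this file to `.env` (which docker-compose.yaml feeds to the app via `env_file: .env`) passes the `if (!process.env.NEXTAUTH_SECRET) throw` checks in next.config.js and the service comes up with well-known values for the session signing key and the CalDAV credential encryption key. Leaving them empty, `NEXTAUTH_SECRET=` and `CALENDSO_ENCRYPTION_KEY=`, makes the existing startup check fail loudly until the operator follows the `openssl rand -base64 32` hint already in the comment. The same applies to `POSTGRES_PASSWORD=magical_password`, which the compose file also hands to the database container.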
@@ -0,0 +1,95 @@ +FROM node:18-slim as base + +RUN set -eux; \ + apt-get update -qq && \ + apt-get install -y build-essential openssl pkg-config python-is-python3 jq git && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists /var/cache/apt/archives + +############################################# +FROM base as builder + +WORKDIR /app + +# Disables some well-known postinstall scripts +ENV PRISMA_SKIP_POSTINSTALL_GENERATE=true \ + HUSKY=0 + +ENV NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000 \ + NEXTAUTH_URL=${NEXT_PUBLIC_WEBAPP_URL}/api/auth \ + NEXTAUTH_SECRET=auth_secret \ + CALENDSO_ENCRYPTION_KEY=encyrption_secret \ + NEXT_PUBLIC_LICENSE_CONSENT=$NEXT_PUBLIC_LICENSE_CONSENT_PLACEHOLDER \ + CALCOM_TELEMETRY_DISABLED=$CALCOM_TELEMETRY_DISABLED_PLACEHOLDER \ + MAX_OLD_SPACE_SIZE=4096 + +ENV NODE_ENV=production \ + NODE_OPTIONS=--max-old-space-size=${MAX_OLD_SPACE_SIZE} + +COPY --link . . + +# align turbo with package.json version +RUN TURBO_VERSION=$(cat package.json | jq '.dependencies["turbo"]' -r) npm i -g turbo@${TURBO_VERSION} + +RUN yarn config set httpTimeout 1200000 && \ + turbo prune --scope=@calcom/web --docker && \ + yarn && \ + turbo run build --filter=@calcom/web... && \ + rm -rf node_modules/.cache .yarn/cache apps/web/.next/cache + + +############################################# +FROM base as unit-test + +WORKDIR /app + +COPY --from=builder /app/. 
./ + +RUN yarn run test + + +############################################# +FROM node:18-slim as runner + +# Install packages needed for deployment +RUN apt-get update -qq && \ + apt-get install --no-install-recommends -y openssl jq curl bash && \ + rm -rf /var/lib/apt/lists /var/cache/apt/archives + +WORKDIR /app + +# chown to node default user/group +COPY --from=builder --chown=node:node /app/apps/web/next.config.js \ + /app/apps/web/next-i18next.config.js \ + /app/apps/web/package.json \ + ./ + +# automatically leverage outputfiletracing to reduce image size +COPY --from=builder --chown=node:node /app/apps/web/.next/standalone ./ +COPY --from=builder --chown=node:node /app/apps/web/.next/static ./apps/web/.next/static +COPY --from=builder --chown=node:node /app/apps/web/public ./apps/web/public + +# # prisma schema to be loaded at runtime with dependency +RUN PRISMA_CLIENT_VERSION=$(cat packages/prisma/package.json | jq '.dependencies["@prisma/client"]' -r) npm i -g @prisma/client@${PRISMA_CLIENT_VERSION} && \ + PRISMA_VERSION=$(cat packages/prisma/package.json | jq '.dependencies["prisma"]' -r) npm i -g prisma@${PRISMA_VERSION} + +COPY --from=builder --chown=node:node /app/packages/prisma /app/packages/prisma + +# entrypoint scripts +COPY --chown=node:node infra/docker/web/scripts ./ +RUN ["chmod", "+x", "./replace-placeholder.sh"] + +USER node + +ENTRYPOINT ["/bin/bash", "./replace-placeholder.sh"] + + +# enables standalone access to api route endpoints by changing the inline "localhost" +# in server.js to "0.0.0.0" +ENV HOSTNAME=0.0.0.0 + +CMD ["yarn", "workspace", "@calcom/web", "docker-start-web"] + + + + diff --git a/infra/docker/web/docker-compose.yaml b/infra/docker/web/docker-compose.yaml new file mode 100644 index 00000000000000..dcf1a86e65a575 --- /dev/null +++ b/infra/docker/web/docker-compose.yaml 
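Review bot: The builder stage's second `ENV` instruction does not produce the values it appears to: within a single `ENV`, `${NEXT_PUBLIC_WEBAPP_URL}` expands to the value that variable had before the instruction (unset here), so `NEXTAUTH_URL` becomes `/api/auth`; and `$NEXT_PUBLIC_LICENSE_CONSENT_PLACEHOLDER` / `$CALCOM_TELEMETRY_DISABLED_PLACEHOLDER` are not declared as `ARG` or `ENV` anywhere in this file (and the workflow passes no `build-args`), so they expand to empty strings rather than the literal placeholder tokens that scripts/placeholder.yml later searches for, leaving the runtime substitution for those two keys a no-op. Set `NEXT_PUBLIC_WEBAPP_URL` in its own instruction and write the placeholder tokens as literals, as below. Consider the same split for any future `${...}` reference inside a multi-key `ENV`.
```dockerfile
# … unchanged: PRISMA_SKIP_POSTINSTALL_GENERATE / HUSKY …
ENV NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000
ENV NEXTAUTH_URL=${NEXT_PUBLIC_WEBAPP_URL}/api/auth \
    NEXTAUTH_SECRET=auth_secret \
    CALENDSO_ENCRYPTION_KEY=encyrption_secret \
    NEXT_PUBLIC_LICENSE_CONSENT=NEXT_PUBLIC_LICENSE_CONSENT_PLACEHOLDER \
    CALCOM_TELEMETRY_DISABLED=CALCOM_TELEMETRY_DISABLED_PLACEHOLDER \
    MAX_OLD_SPACE_SIZE=4096
# … unchanged: NODE_ENV / NODE_OPTIONS and the rest of the stage …
```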
@@ -0,0 +1,25 @@ +version: '3' + +volumes: + database-data: + +services: + database: + image: postgres + volumes: + - database-data:/var/lib/postgresql/data/ + env_file: .env + healthcheck: + test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"] + interval: 10s + retries: 10 + + + calcom: + image: horizonclient/calkube:v3.7.10-alpha.43 + ports: + - 3000:3000 + env_file: .env + depends_on: + database: + condition: service_healthy \ No newline at end of file diff --git a/infra/docker/web/integration-test/compose.yml b/infra/docker/web/integration-test/compose.yml new file mode 100644 index 00000000000000..7d681a99d4fe9d --- /dev/null +++ b/infra/docker/web/integration-test/compose.yml @@ -0,0 +1,28 @@ +volumes: + database-data: + +services: + database: + image: postgres + volumes: + - database-data:/var/lib/postgresql/data/ + environment: + POSTGRES_USER: postgres + POSTGRES_PASSWORD: postgres + + + calcom: + image: "${TESTING_IMAGE}" + ports: + - 3000:3000 + environment: + - DATABASE_URL=postgresql://postgres:postgres@database:5432/calcom + depends_on: + - database + + + + + + + diff --git a/infra/docker/web/scripts/placeholder.yml b/infra/docker/web/scripts/placeholder.yml new file mode 100644 index 00000000000000..84d4602c444916 --- /dev/null +++ b/infra/docker/web/scripts/placeholder.yml @@ -0,0 +1,5 @@ +NEXT_PUBLIC_WEBAPP_URL : http://localhost:3000 +NEXTAUTH_SECRET : auth_secret +CALENDSO_ENCRYPTION_KEY : encyrption_secret +NEXT_PUBLIC_LICENSE_CONSENT: NEXT_PUBLIC_LICENSE_CONSENT_PLACEHOLDER +CALCOM_TELEMETRY_DISABLED : CALCOM_TELEMETRY_DISABLED_PLACEHOLDER diff --git a/infra/docker/web/scripts/replace-placeholder.sh b/infra/docker/web/scripts/replace-placeholder.sh new file mode 100644 index 00000000000000..4d037952ff91fa --- /dev/null +++ b/infra/docker/web/scripts/replace-placeholder.sh 
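Review bot: `image: postgres` in docker-compose.yaml has no tag, so it floats to `latest`; the first `docker compose pull` after a new PostgreSQL major is published will start a server that refuses the existing `database-data` volume (data directories are not compatible across majors), and the app's `prisma migrate deploy` step then fails. Pin a major-version tag such as `postgres:16` and bump it deliberately. The same unpinned image appears in integration-test/compose.yml, where it makes the integration job's result depend on whatever `latest` is on the day it runs.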
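Review bot: In integration-test/compose.yml the `calcom` service uses a bare `depends_on: - database`, which only orders container start, while the app's `docker-start-web` script runs `prisma migrate deploy` immediately on start; if PostgreSQL is still initialising, the app container exits and the workflow's `sleep 60s` followed by `curl --fail` reports a failure that has nothing to do with the image under test. docker-compose.yaml in this same patch already shows the fix: give `database` the `pg_isready` `healthcheck` block and use `depends_on: database: condition: service_healthy` here as well.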
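Review bot: scripts/placeholder.yml lists `NEXTAUTH_SECRET : auth_secret` and `CALENDSO_ENCRYPTION_KEY : encyrption_secret`, which instructs replace-placeholder.sh to `sed -i` the runtime secret values into every file under `apps/web/.next` wherever the placeholder string occurs. Those two variables are server-only and are read from `process.env` (next.config.js checks `process.env.NEXTAUTH_SECRET` directly), so, unless something in the build demonstrably inlines them, the substitution gains nothing and leaves the live secrets written into the image's filesystem, and it also rewrites any unrelated occurrence of the string `auth_secret`. Drop the two lines and keep the mapping to the `NEXT_PUBLIC_*` / telemetry values that Next actually inlines at build time.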
@@ -0,0 +1,43 @@ +#!/bin/bash +# # no verbose +set +x + +# Define the path to the YAML file +YAML_FILE="placeholder.yml" +# Define the path to the .next folder +NEXT_FOLDER="apps/web/.next" + +function apply_path { + # Check if the YAML file exists + if [ ! -f "$YAML_FILE" ]; then + echo "Error: YAML file $YAML_FILE not found." + exit 1 + fi + # Parse the YAML file and extract keys and values of variables + while IFS=':' read -r key value; do + # Remove leading and trailing whitespace from the key and value + config_key=$(echo "$key" | sed 's/^[ \t]*//;s/[ \t]*$//') + config_value=$(echo "$value" | sed 's/^[ \t]*//;s/[ \t]*$//') + + + # Iterate over all environment variables + while IFS='=' read -r docker_key docker_value; do + # Check if docker_key matches config_key + if [ "$docker_key" == "$config_key" ]; then + + if [ -n "$docker_value" ]; then + # Replace the value in the .next folder with the value from Docker runtime + + find $NEXT_FOLDER \( -type d -name .git -prune \) -o -type f -print0 | xargs -0 sed -i "s#$config_value#$docker_value#g" + echo "Replaced value of $config_value with $docker_value in .next folder" + fi + break # Stop iterating once the key is found + fi + done < <(env) + +done < "$YAML_FILE" +} + +apply_path +echo "Starting Nextjs" +exec "$@" \ No newline at end of file From f05767c74a277f908c6c03d3e7c147f52f3c4054 Mon Sep 17 00:00:00 2001 From: chichi Date: Mon, 5 Feb 2024 07:17:29 -0800 Subject: [PATCH 03/27] adjusted docker variables --- infra/docker/web/docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/docker/web/docker-compose.yaml b/infra/docker/web/docker-compose.yaml index dcf1a86e65a575..ab02b3ed53500f 100644 --- a/infra/docker/web/docker-compose.yaml +++ b/infra/docker/web/docker-compose.yaml @@ -16,7 +16,7 @@ services: calcom: - image: horizonclient/calkube:v3.7.10-alpha.43 + image: calcom/cal.com ports: - 3000:3000 env_file: .env 
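Review bot: `sed -i "s#$config_value#$docker_value#g"` in `apply_path` interpolates the runtime value unescaped into the replacement side, so a value containing `&` (replaced by the matched text), `\` (an escape) or `#` (the delimiter) is corrupted or makes sed fail, and `set +x` with no `set -e`/`pipefail` means that failure is silent and `exec "$@"` starts the server with the placeholder still in place. Escape the value first, `docker_value_escaped=$(printf '%s' "$docker_value" | sed 's/[\\&#]/\\&/g')`, use `"s#$config_value#$docker_value_escaped#g"`, and add `set -eo pipefail` at the top so a failed substitution stops the container. Note that `$config_value` on the pattern side is also used as a regex (e.g. `.` in `localhost:3000` matches any character), which is acceptable for these URLs but worth a comment.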
From bb680e85bb70c71eacd7156990da4ad26dd1fd88 Mon Sep 17 00:00:00 2001 From: chichi Date: Mon, 5 Feb 2024 07:32:12 -0800 Subject: [PATCH 04/27] added ci workflow --- .github/workflows/docker-ci.yml | 371 ++++++++++++++++++++++++++++++++ 1 file changed, 371 insertions(+) create mode 100644 .github/workflows/docker-ci.yml diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml new file mode 100644 index 00000000000000..f0f8a474e8c852 --- /dev/null +++ b/.github/workflows/docker-ci.yml 
@@ -0,0 +1,371 @@ +--- +name: Docker CI + +on: +# # enable when merged to upstream repo +# push: +# branches: +# - main + +# pull_request: +# branches: +# - main + + workflow_dispatch: + + +jobs: +# # FIRST JOB ####################################################################### +# builds a test image and push to GHCR which will subequently be pulled by integration-test +# and trivy scan jobs for their respective actions + build-test-image: + name: Build Image for Testing + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + + - name: Extract metadata for the Docker image + id: docker_meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }} + tags: | + ${{ github.run_id }} + + - name: Build and Push to GHCR + uses: docker/build-push-action@v5 + with: + file: infra/docker/web/Dockerfile + push: true + tags: ${{ steps.docker_meta.outputs.tags }} + cache-to: | + type=gha,scope=base,mode=max + cache-from: | + type=gha,scope=base + platforms: linux/amd64 + + + # # # # # NEXT JOB ####################################################################### +# builds and runs unit test specified in the repo by targeting unit-test layer of multistage docker build +# however uses the cache from test image to increase speed + unit-test: + name: unit test in docker + needs: [build-test-image] + runs-on: ubuntu-latest + permissions: + packages: read + contents: read + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up 
Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + + - name: Build and unit-test + uses: docker/build-push-action@v5 + with: + file: infra/docker/web/Dockerfile + target: unit-test + push: false + cache-to: | + type=gha,scope=test,mode=max + cache-from: | + type=gha,scope=base + type=gha,scope=test + platforms: linux/amd64 + + + + # # # # # NEXT JOB ####################################################################### + # pulls test image from GHCR and run integration test in docker compose testing ability of the built app + # to succesfully connect to postgres db + integration-test: + name: Integration test in Compose + needs: [build-test-image] + runs-on: ubuntu-latest + permissions: + packages: read + contents: read + + steps: + - name: checkout + uses: actions/checkout@v4 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + + - name: Downcase repo name + run: | + echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Test healthcheck in Docker Compose + run: | + export TESTING_IMAGE=ghcr.io/${REPO}:"$GITHUB_RUN_ID" + echo Testing image: "$TESTING_IMAGE" + + docker compose -f ./infra/docker/web/integration-test/compose.yml up -d calcom + + echo "Waiting for the server to be healthy..." 
+ sleep 60s + + curl --fail http://localhost:3000 || exit 1 + + +# # # # # NEXT JOB ####################################################################### +# pulls test image from GHCR and run a trivy vulnerability scan for high and crtical CVEs (non-blocking) +# and uploads the sarif result to github security tab + scan-image: + name: Scan Image with Trivy + needs: [build-test-image] + runs-on: ubuntu-latest + + permissions: + contents: read + packages: read + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: checkout + uses: actions/checkout@v4 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + + - name: Downcase repo name + run: | + echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Run Trivy for HIGH,CRITICAL CVEs and report (non-blocking) + uses: aquasecurity/trivy-action@master + with: + image-ref: ghcr.io/${{env.REPO}}:${{ github.run_id }} + exit-code: 0 + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'HIGH,CRITICAL' + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: 'trivy-results.sarif' + +# NEXT JOB ####################################################################### +# generates changelog.MD or add to an existing one and create releases using conventional commits. +# creates prelease when a pull request is made to main branch if a succesful test image +# was built, with succesful unit and integration test. 
+# creates a release when a merge is made to the main branch +# and adds either the prelease or released version to github output +# to be used by final image published to docker hub + changelog: + name: automated changelog using conventional commit + needs: [build-test-image, unit-test, integration-test, scan-image] + runs-on: ubuntu-latest + outputs: + TAG: ${{ steps.docker_tag.outputs.TAG }} + permissions: + contents: write + + + steps: + - name: check out the repository with all releases + uses: actions/checkout@v4 + with: + # fetch-depth: 0 + persist-credentials: 'false' + ref: ${{github.event.repository.default_branch}} + + + + - name: conventional Changelog Action + id: changelog + uses: TriPSs/conventional-changelog-action@v5.1.0 + with: + github-token: ${{ secrets.RELEASE_MAIN }} + version-file: "./apps/web/package.json" + git-branch: ${{github.event.repository.default_branch}} + preset: "conventionalcommits" + input-file: "./apps/web/CHANGELOG.md" + output-file: "./apps/web/CHANGELOG.md" + tag-prefix: "v" + pre-release: ${{github.event_name == 'pull_request'}} + pre-release-identifier: "alpha" + skip-on-empty: 'false' + # release-count: 20 + skip-git-pull: true + + - name: Create Release + uses: actions/create-release@v1 + if: ${{ steps.changelog.outputs.skipped == 'false' }} + env: + GITHUB_TOKEN: ${{ secrets.RELEASE_MAIN }} + with: + tag_name: ${{ steps.changelog.outputs.tag }} + release_name: ${{ steps.changelog.outputs.tag }} + body: ${{ steps.changelog.outputs.clean_changelog }} + + - name: export tag for final build + id: docker_tag + run: | + echo "TAG=${{ steps.changelog.outputs.tag }}" >> $GITHUB_OUTPUT + + + +# NEXT JOB ####################################################################### +# builds the final image and adds latest tag and image:V*.*.* semantic versioning tag to merge request +# and image:v*.*.*-alpha.* tag to pull requests made to main branch before pushing to dockerhub + build-final-image: + name: Build Final Image + needs: 
[unit-test, integration-test, scan-image,changelog] + runs-on: ubuntu-latest + + permissions: + contents: read + packages: write + pull-requests: write # needed to create and update comments in PRs + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + + - name: Docker Metadata for Final Image Build + id: docker_meta + uses: docker/metadata-action@v5 + with: + images: calcom/cal.com + flavor: | + latest=false + tags: | + type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }} + type=raw,value=${{needs.changelog.outputs.TAG}} + + # adds the Docker image tag(s)/labels pushed to docker hub,to the pull request comment section for reference purpose + - name: Find comment for image tags + uses: peter-evans/find-comment@v1 + if: github.event_name == 'pull_request' + id: fc + with: + issue-number: ${{ github.event.pull_request.number }} + comment-author: 'github-actions[bot]' + body-includes: Docker image tag(s) pushed + + - name: Create or update comment for image tags + uses: peter-evans/create-or-update-comment@v1 + if: github.event_name == 'pull_request' + with: + comment-id: ${{ steps.fc.outputs.comment-id }} + issue-number: ${{ github.event.pull_request.number }} + body: | + Docker image tag(s) pushed: + ```text + ${{ steps.docker_meta.outputs.tags }} + ``` + + Labels added to images: + ```text + ${{ steps.docker_meta.outputs.labels }} + ``` + edit-mode: replace + +# needed for argocd pull request generator: yet to be implemented +# adds a "preview" label to pull reguest to main branch + - name: add labels 
+ uses: actions-ecosystem/action-add-labels@v1 + if: github.event_name == 'pull_request' + with: + labels: | + preview + + - name: Docker Build and Push to Docker Hub + uses: docker/build-push-action@v5 + with: + file: infra/docker/web/Dockerfile + push: true + tags: | + ${{ steps.docker_meta.outputs.tags }} , + labels: ${{ steps.docker_meta.outputs.labels }} + cache-from: | + type=gha,scope=base + platforms: linux/amd64 + + + From c66e12b4a6f6271a26333fc83eca10f1d44ea929 Mon Sep 17 00:00:00 2001 From: chichi Date: Thu, 8 Feb 2024 09:10:10 -0800 Subject: [PATCH 05/27] add opionated next build output --- apps/web/config/build-env.config.js | 19 +++++++++++++ apps/web/config/getValidatedBuildEnv.js | 22 ++++++++++++++ apps/web/config/utils.js | 38 +++++++++++++++++++++++++ apps/web/next.config.js | 15 ++++++++-- apps/web/package.json | 1 + infra/docker/web/.env.example | 1 + infra/docker/web/Dockerfile | 4 +++ 7 files changed, 97 insertions(+), 3 deletions(-) create mode 100644 apps/web/config/build-env.config.js create mode 100644 apps/web/config/getValidatedBuildEnv.js create mode 100644 apps/web/config/utils.js diff --git a/apps/web/config/build-env.config.js b/apps/web/config/build-env.config.js new file mode 100644 index 00000000000000..123dfb876a11ca --- /dev/null +++ b/apps/web/config/build-env.config.js @@ -0,0 +1,19 @@ +const { z } = require("zod"); +const {getValidatedBuildEnv} = require("./getValidatedBuildEnv"); + + +const schema = { + NEXT_BUILD_ENV_OUTPUT: z + .enum(['standalone', 'classic'], { + description: + 'For standalone mode: https://nextjs.org/docs/pages/api-reference/next-config-js/output', + }) + .default('classic') +}; + + +const buildEnvSchema = z.object(schema); +const buildEnv = getValidatedBuildEnv(buildEnvSchema); + + +module.exports = { buildEnvSchema, buildEnv }; diff --git a/apps/web/config/getValidatedBuildEnv.js b/apps/web/config/getValidatedBuildEnv.js new file mode 100644 index 00000000000000..c0ad4b5a3ea652 --- /dev/null 
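Review bot: `uses: aquasecurity/trivy-action@master` in the `scan-image` job pins a third-party action to a mutable branch, so whatever is on that branch at run time executes with `packages: read` and `security-events: write` and can read the registry tokens the job logs in with; pin it to a release tag, or better a full commit SHA with a version comment, as the other actions in this file at least do with major tags. The same hardening applies to `peter-evans/find-comment@v1`, `peter-evans/create-or-update-comment@v1`, `actions-ecosystem/action-add-labels@v1` and `actions/create-release@v1` in `build-final-image` and `changelog`, where the job holds `contents: write` and `secrets.RELEASE_MAIN`. A short comment next to `exit-code: 0` recording why the Trivy scan is intentionally non-blocking would also help the next reader, since the job name alone does not say so.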
+++ b/apps/web/config/getValidatedBuildEnv.js @@ -0,0 +1,22 @@ +const { exitOrThrowError, printValidatedEnv } = require("./utils"); + +/** + * Return a validated / transformed environment object from a zodSchema + * + * Validated build envs are shown in the console by default. In case of error it will + * exit/die with an error indicating missing requirements + * +*/ +const getValidatedBuildEnv = (zodSchema, options = {}) => { + const { env = process.env, displayConsole = true } = options ?? {}; + const parsedEnv = zodSchema.safeParse(env); + if (parsedEnv.success) { + if (displayConsole) { + printValidatedEnv('Build env(s)', parsedEnv); + } + return parsedEnv.data; + } + exitOrThrowError(parsedEnv); +}; + +module.exports = { getValidatedBuildEnv }; \ No newline at end of file diff --git a/apps/web/config/utils.js b/apps/web/config/utils.js new file mode 100644 index 00000000000000..ff82ede3b3aa57 --- /dev/null +++ b/apps/web/config/utils.js 
@@ -0,0 +1,38 @@ +const pc = require ("picocolors"); + + +const isRunningInNode = process !== undefined; +const isTestEnv = process.env.NODE_ENV === 'test'; + + +const exitOrThrowError = (zodSafeParseError) => { + if (isRunningInNode && !isTestEnv) { + console.error( + '- ' + pc.red('error'.padEnd(7)).concat('Invalid server env(s):'), + Object.keys(zodSafeParseError.error.flatten().fieldErrors).join(',') + ); + console.error(JSON.stringify(zodSafeParseError.error.format(), null, 2)); + process.exit(1); + } else { + throw new Error( + `Invalid server env(s): ${JSON.stringify( + zodSafeParseError.error.format(), + null, + 2 + )}}` + ); + } +}; + + + const printValidatedEnv = (section, zodSafeParseSuccess) => { + if (isRunningInNode && !isTestEnv) { + const prefix = pc.cyan('- info'.padEnd(7)); + console.info(prefix.concat(`${section} validation successful:`)); + for (const [key, value] of Object.entries(zodSafeParseSuccess.data)) { + console.info(prefix.concat(`${key}=${value}`)); + } + } +}; + +module.exports = { exitOrThrowError, printValidatedEnv }; diff --git a/apps/web/next.config.js b/apps/web/next.config.js index 748e2ada3268f0..5fc254c0df38ef 100644 --- a/apps/web/next.config.js +++ b/apps/web/next.config.js @@ -13,6 +13,8 @@ const { orgUserTypeEmbedRoutePath, } = require("./pagesAndRewritePaths"); +const { buildEnv } = require ("./config/build-env.config"); + const path = require ('node:path') ; const url = require ('node:url'); 
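Review bot: `const isRunningInNode = process !== undefined;` in utils.js throws a ReferenceError in any environment where `process` is not declared, which is exactly the case the guard is meant to detect; the safe form is `const isRunningInNode = typeof process !== "undefined";`, and `isTestEnv` should then only dereference `process.env` behind that guard. The error thrown in `exitOrThrowError` also ends its template with `)}}`, emitting a stray `}` after the formatted JSON. PATCH 06/27 in this series deletes the file, so this only matters if it is reinstated.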
@@ -165,11 +167,18 @@ const matcherConfigUserTypeEmbedRoute = { /** @type {import("next").NextConfig} */ const nextConfig = { - output: 'standalone', - outputFileTracing: true , + + ...(buildEnv.NEXT_BUILD_ENV_OUTPUT === 'standalone' + ? { output: 'standalone', outputFileTracing: true } + : {}), + swcMinify: true, experimental: { - outputFileTracingRoot: workspaceRoot , + + ...(buildEnv.NEXT_BUILD_ENV_OUTPUT === 'standalone' + ? { outputFileTracingRoot: workspaceRoot } + : {}), + // externalize server-side node_modules with size > 1mb, to improve dev mode performance/RAM usage serverComponentsExternalPackages: ["next-i18next"], }, diff --git a/apps/web/package.json b/apps/web/package.json index e472b8798d7bff..446e5bafaa86ed 100644 --- a/apps/web/package.json +++ b/apps/web/package.json @@ -102,6 +102,7 @@ "next-themes": "^0.2.0", "nodemailer": "^6.7.8", "otplib": "^12.0.1", + "picocolors": "1.0.0", "qrcode": "^1.5.1", "raw-body": "^2.5.1", "react": "^18.2.0", diff --git a/infra/docker/web/.env.example b/infra/docker/web/.env.example index cf91da2e4ab3e9..e0a3c10c33c253 100644 --- a/infra/docker/web/.env.example +++ b/infra/docker/web/.env.example @@ -59,3 +59,4 @@ EMAIL_SERVER_PASSWORD=email_password NODE_ENV=production # HOSTNAME=example.com +# NEXTJS_PORT='' diff --git a/infra/docker/web/Dockerfile b/infra/docker/web/Dockerfile index 8d6417a46b126e..52cd6f6c396ec8 100644 --- a/infra/docker/web/Dockerfile +++ b/infra/docker/web/Dockerfile @@ -15,6 +15,8 @@ WORKDIR /app ENV PRISMA_SKIP_POSTINSTALL_GENERATE=true \ HUSKY=0 +ENV NEXT_BUILD_ENV_OUTPUT=standalone + ENV NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000 \ NEXTAUTH_URL=${NEXT_PUBLIC_WEBAPP_URL}/api/auth \ NEXTAUTH_SECRET=auth_secret \ 
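Review bot: The `nextConfig` hunk evaluates `buildEnv.NEXT_BUILD_ENV_OUTPUT === 'standalone'` twice in two conditional spreads, so the two halves of the standalone setup can drift apart if one is edited later; hoisting `const isStandalone = buildEnv.NEXT_BUILD_ENV_OUTPUT === "standalone";` above the object and spreading on `isStandalone` in both places keeps them in step and matches the file's double-quote style. The blank lines left inside the object literal around the spreads look like leftovers from the earlier `output: 'standalone'` lines and can be removed.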
@@ -87,6 +89,8 @@ ENTRYPOINT ["/bin/bash", "./replace-placeholder.sh"] # enables standalone access to api route endpoints by changing the inline "localhost" # in server.js to "0.0.0.0" ENV HOSTNAME=0.0.0.0 +ENV PORT=${NEXTJS_PORT:-3000} +EXPOSE ${PORT} CMD ["yarn", "workspace", "@calcom/web", "docker-start-web"] From cc59283d6d3f9e2d1ac52af0979c8bd77c07a464 Mon Sep 17 00:00:00 2001 From: chichi Date: Thu, 8 Feb 2024 11:27:45 -0800 Subject: [PATCH 06/27] try fixing eslint error --- apps/web/config/getValidatedBuildEnv.js | 6 ++-- apps/web/config/utils.js | 38 ------------------------- apps/web/package.json | 1 - 3 files changed, 2 insertions(+), 43 deletions(-) delete mode 100644 apps/web/config/utils.js diff --git a/apps/web/config/getValidatedBuildEnv.js b/apps/web/config/getValidatedBuildEnv.js index c0ad4b5a3ea652..2562dd97b3551c 100644 --- a/apps/web/config/getValidatedBuildEnv.js +++ b/apps/web/config/getValidatedBuildEnv.js @@ -1,5 +1,3 @@ -const { exitOrThrowError, printValidatedEnv } = require("./utils"); - /** * Return a validated / transformed environment object from a zodSchema * @@ -12,11 +10,11 @@ const getValidatedBuildEnv = (zodSchema, options = {}) => { const parsedEnv = zodSchema.safeParse(env); if (parsedEnv.success) { if (displayConsole) { - printValidatedEnv('Build env(s)', parsedEnv); + console.log('Build env(s)', parsedEnv); } return parsedEnv.data; } - exitOrThrowError(parsedEnv); + console.error(parsedEnv); }; module.exports = { getValidatedBuildEnv }; \ No newline at end of file diff --git a/apps/web/config/utils.js b/apps/web/config/utils.js deleted file mode 100644 index ff82ede3b3aa57..00000000000000 --- a/apps/web/config/utils.js +++ /dev/null 
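Review bot: `ENV PORT=${NEXTJS_PORT:-3000}` is resolved at build time, and `NEXTJS_PORT` is not declared as an `ARG` or `ENV` anywhere in the hunks of this series, so `PORT` is always `3000` and `EXPOSE ${PORT}` always exposes 3000; the `# NEXTJS_PORT=''` line added to .env.example in this same patch suggests it is meant as a runtime knob, which an `ENV` default cannot provide. Either document that the runtime variable to override is `PORT` (a plain `ENV PORT=3000` then says what it does), or make it a build-time choice with `ARG NEXTJS_PORT=3000` followed by `ENV PORT=${NEXTJS_PORT}`.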
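Review bot: After this hunk `getValidatedBuildEnv` no longer stops on an invalid environment: the failure path is `console.error(parsedEnv);` followed by an implicit `return undefined`, whereas the removed `exitOrThrowError` exited or threw. build-env.config.js assigns the result to `buildEnv` and next.config.js reads `buildEnv.NEXT_BUILD_ENV_OUTPUT`, so a validation failure now surfaces as a TypeError on `undefined` some distance from the cause. Replace the last line with `throw new Error(\`Invalid build env(s): ${JSON.stringify(parsedEnv.error.format(), null, 2)}\`);` to keep the original contract; the function's signature line lies above this hunk.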
@@ -1,38 +0,0 @@ -const pc = require ("picocolors"); - - -const isRunningInNode = process !== undefined; -const isTestEnv = process.env.NODE_ENV === 'test'; - - -const exitOrThrowError = (zodSafeParseError) => { - if (isRunningInNode && !isTestEnv) { - console.error( - '- ' + pc.red('error'.padEnd(7)).concat('Invalid server env(s):'), - Object.keys(zodSafeParseError.error.flatten().fieldErrors).join(',') - ); - console.error(JSON.stringify(zodSafeParseError.error.format(), null, 2)); - process.exit(1); - } else { - throw new Error( - `Invalid server env(s): ${JSON.stringify( - zodSafeParseError.error.format(), - null, - 2 - )}}` - ); - } -}; - - - const printValidatedEnv = (section, zodSafeParseSuccess) => { - if (isRunningInNode && !isTestEnv) { - const prefix = pc.cyan('- info'.padEnd(7)); - console.info(prefix.concat(`${section} validation successful:`)); - for (const [key, value] of Object.entries(zodSafeParseSuccess.data)) { - console.info(prefix.concat(`${key}=${value}`)); - } - } -}; - -module.exports = { exitOrThrowError, printValidatedEnv }; diff --git a/apps/web/package.json b/apps/web/package.json index ac60ad9209a98d..c9a57e1b97479a 100644 --- a/apps/web/package.json +++ b/apps/web/package.json @@ -102,7 +102,6 @@ "next-themes": "^0.2.0", "nodemailer": "^6.7.8", "otplib": "^12.0.1", - "picocolors": "1.0.0", "qrcode": "^1.5.1", "raw-body": "^2.5.1", "react": "^18.2.0", From 3fdf8d0b686041249c2e44d956f1b9e2e24b9b95 Mon Sep 17 00:00:00 2001 From: chichi Date: Tue, 21 May 2024 08:35:27 -0700 Subject: [PATCH 07/27] fix: update docker env variables --- infra/docker/web/.env.example | 1 + infra/docker/web/Dockerfile | 1 + infra/docker/web/scripts/placeholder.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/infra/docker/web/.env.example b/infra/docker/web/.env.example index e0a3c10c33c253..a9406aef0a41b0 100644 --- a/infra/docker/web/.env.example +++ b/infra/docker/web/.env.example 
@@ -13,6 +13,7 @@ LICENSE= # NEXT_PUBLIC_APP_URL=http://localhost:3000 NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000 +NEXT_PUBLIC_API_V2_URL=http://localhost:5555/api/v # Configure NEXTAUTH_URL manually if needed, otherwise it will resolve to {NEXT_PUBLIC_WEBAPP_URL}/api/auth diff --git a/infra/docker/web/Dockerfile b/infra/docker/web/Dockerfile index 52cd6f6c396ec8..4db156eeca7313 100644 --- a/infra/docker/web/Dockerfile +++ b/infra/docker/web/Dockerfile @@ -18,6 +18,7 @@ ENV PRISMA_SKIP_POSTINSTALL_GENERATE=true \ ENV NEXT_BUILD_ENV_OUTPUT=standalone ENV NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000 \ + NEXT_PUBLIC_API_V2_URL=http://localhost:5555/api/v2 \ NEXTAUTH_URL=${NEXT_PUBLIC_WEBAPP_URL}/api/auth \ NEXTAUTH_SECRET=auth_secret \ CALENDSO_ENCRYPTION_KEY=encyrption_secret \ diff --git a/infra/docker/web/scripts/placeholder.yml b/infra/docker/web/scripts/placeholder.yml index 84d4602c444916..a5a742d559ea39 100644 --- a/infra/docker/web/scripts/placeholder.yml +++ b/infra/docker/web/scripts/placeholder.yml @@ -1,4 +1,5 @@ NEXT_PUBLIC_WEBAPP_URL : http://localhost:3000 +NEXT_PUBLIC_API_V2_URL: http://localhost:5555/api/v2 NEXTAUTH_SECRET : auth_secret CALENDSO_ENCRYPTION_KEY : encyrption_secret NEXT_PUBLIC_LICENSE_CONSENT: NEXT_PUBLIC_LICENSE_CONSENT_PLACEHOLDER From 8ca77d8d2c99d4757924ddd5f86f407378b3657f Mon Sep 17 00:00:00 2001 From: chichi Date: Tue, 21 May 2024 08:37:14 -0700 Subject: [PATCH 08/27] fix: change yarn run test to yarn test in dockerfile --- infra/docker/web/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/docker/web/Dockerfile b/infra/docker/web/Dockerfile index 4db156eeca7313..8195038bc3380f 100644 --- a/infra/docker/web/Dockerfile +++ b/infra/docker/web/Dockerfile @@ -48,7 +48,7 @@ WORKDIR /app COPY --from=builder /app/. ./ -RUN yarn run test +RUN yarn test ############################################# From 080ef8fe8bf499b40627115c47cf4e6c75428bfc Mon Sep 17 00:00:00 2001 
From: chichi Date: Tue, 21 May 2024 08:41:13 -0700 Subject: [PATCH 09/27] fix: change yarn run test to yarn test in dockerfile --- infra/docker/web/.env.example | 2 +- infra/docker/web/integration-test/compose.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/infra/docker/web/.env.example b/infra/docker/web/.env.example index a9406aef0a41b0..676f508438d969 100644 --- a/infra/docker/web/.env.example +++ b/infra/docker/web/.env.example @@ -13,7 +13,7 @@ LICENSE= # NEXT_PUBLIC_APP_URL=http://localhost:3000 NEXT_PUBLIC_WEBAPP_URL=http://localhost:3000 -NEXT_PUBLIC_API_V2_URL=http://localhost:5555/api/v +NEXT_PUBLIC_API_V2_URL=http://localhost:5555/api/v2 # Configure NEXTAUTH_URL manually if needed, otherwise it will resolve to {NEXT_PUBLIC_WEBAPP_URL}/api/auth diff --git a/infra/docker/web/integration-test/compose.yml b/infra/docker/web/integration-test/compose.yml index 7d681a99d4fe9d..0c8ea91b130bc5 100644 --- a/infra/docker/web/integration-test/compose.yml +++ b/infra/docker/web/integration-test/compose.yml @@ -17,6 +17,7 @@ services: - 3000:3000 environment: - DATABASE_URL=postgresql://postgres:postgres@database:5432/calcom + - DATABASE_DIRECT_URL=postgresql://postgres:postgres@database:5432/calcom depends_on: - database From ead939887c12a614ad5d99e290986a98bcff1055 Mon Sep 17 00:00:00 2001 From: chichi Date: Tue, 21 May 2024 08:42:58 -0700 Subject: [PATCH 10/27] fix: add database direct url to compose integration test --- infra/docker/web/integration-test/compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/infra/docker/web/integration-test/compose.yml b/infra/docker/web/integration-test/compose.yml index 0c8ea91b130bc5..6646e44a68080f 100644 --- a/infra/docker/web/integration-test/compose.yml +++ b/infra/docker/web/integration-test/compose.yml @@ -11,6 +11,7 @@ services: POSTGRES_PASSWORD: postgres + calcom: image: "${TESTING_IMAGE}" ports: From f4ff6e55a52c16e543dd0ec7b2d914205462488b Mon Sep 17 00:00:00 2001 
From: chichi Date: Tue, 21 May 2024 08:46:35 -0700 Subject: [PATCH 11/27] fix: fix and bump trivy version --- .github/workflows/docker-ci.yml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index f0f8a474e8c852..5a9dace9f31984 100644 --- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/docker-ci.yml @@ -195,20 +195,24 @@ jobs: run: | echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - name: Run Trivy for HIGH,CRITICAL CVEs and report (non-blocking) - uses: aquasecurity/trivy-action@master + - name: Run Trivy for HIGH,CRITICAL CVEs and report (non-blocking) + uses: aquasecurity/trivy-action@0.20.0 with: image-ref: ghcr.io/${{env.REPO}}:${{ github.run_id }} - exit-code: 0 - ignore-unfixed: true + format: sarif # table, json, sarif + exit-code: 0 # 1 or 0. 0 means don't fail the job if issues are found + ignore-unfixed: true # Ignore unpatched/unfixed vulnerabilities vuln-type: 'os,library' - severity: 'HIGH,CRITICAL' - format: 'sarif' + severity: 'HIGH,CRITICAL' # UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL + timeout: 10m0s output: 'trivy-results.sarif' + env: + TRIVY_USERNAME: ${{ github.repository_owner }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - if: always() + uses: github/codeql-action/upload-sarif@v3 + if: always() with: sarif_file: 'trivy-results.sarif' From 1ae914c014ede793f47630f567ddd072837afdbd Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Tue, 21 May 2024 11:46:15 -0700 Subject: [PATCH 12/27] feat: add workflow to automatically update compose and remote k8s manifest file --- .github/workflows/docker-ci.yml | 71 ++++++++++++++++++++++++++++++++- 1 file changed, 70 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index 5a9dace9f31984..ac28213e2f6876 100644 
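Review bot: With `exit-code: 0` and `ignore-unfixed: true` the bumped Trivy step can never fail the job, so the HIGH/CRITICAL findings it uploads are informational only and the image is published regardless; if the scan is meant to gate the push, set `exit-code: 1`, and if it is deliberately advisory the inline comment should say why rather than restate the option. `aquasecurity/trivy-action@0.20.0` and `github/codeql-action/upload-sarif@v3` are both mutable tag references; pinning to a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # 0.20.0`, keeps the scanner itself from changing underneath the workflow. `TRIVY_USERNAME`/`TRIVY_PASSWORD` set to the repository owner and `GITHUB_TOKEN` is fine for pulling from ghcr.io, but a `# registry credentials for the ghcr.io pull, not for Docker Hub` comment would prevent someone swapping in the Docker Hub token.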
--- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/docker-ci.yml @@ -315,7 +315,7 @@ jobs: id: docker_meta uses: docker/metadata-action@v5 with: - images: calcom/cal.com + images: ${{ secrets.DOCKERHUB_USERNAME }}/cal.com flavor: | latest=false tags: | 
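Review bot: Using `${{ secrets.DOCKERHUB_USERNAME }}` as the image repository name means every tag that `docker/metadata-action` emits contains a secret value, and the runner masks it as `***` in logs and in any step output that is echoed, including the "Docker image tag(s) pushed" comment this workflow posts to pull requests later in the file. A Docker Hub namespace is not a secret; move it to a repository variable and use `images: ${{ vars.DOCKERHUB_USERNAME }}/cal.com`, or keep the literal `calcom/cal.com` the line replaced. The `docker_meta` step's `tags:` list continues below this hunk.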
@@ -373,3 +373,72 @@ jobs: +# NEXT JOB ####################################################################### +#update docker compose image tag and kubernetes manifest "image tag "in a seperate repo + + tag-manifest-update-compose: + name: Tag kubernetes manifest and update compose + needs: [unit-test, integration-test, scan-image,changelog,build-final-image] + runs-on: ubuntu-latest + + permissions: + contents: write + + steps: + + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + fetch-depth: 0 + + - name: Extract parameters + run: | + cp infra/docker/web/.env.example infra/docker/web/.env + yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/cal.com::${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml + + - name: Configure git + run: | + git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" + git config --local user.name "github-actions[bot]" + + - name: Commit changes + run: | + git add . 
+ git commit -m "Release ${{ needs.changelog.outputs.TAG }} [skip ci]" + + - name: Pull the latest changes and rebase + run: | + git pull origin --rebase + + + - name: Push changes + uses: ad-m/github-push-action@master + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + branch: ${{ github.ref }} + + # - name: Trigger workflow in remote repository for pull requests + # if: github.event_name == 'pull_request' + # env: + # GH_TOKEN: ${{ secrets.RELEASE_MAIN }} + # run: | + # gh api \ + # -X POST \ + # -H "Accept: application/vnd.github.v3+json" \ + # /repos/${{ github.repository_owner }}/REPO_NAME/actions/workflows/WORKFLOW_NAME.yaml/dispatches \ + # -f ref=main \ + # -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/cal.com:${{ needs.changelog.outputs.TAG }}" + + + # - name: Trigger workflow in remote repository for other events + # if: github.event_name != 'pull_request' + # env: + # GH_TOKEN: ${{ secrets.RELEASE_MAIN }} + # run: | + # gh api \ + # -X POST \ + # -H "Accept: application/vnd.github.v3+json" \ + # /repos/${{ github.repository_owner }}/REPO_NAME/actions/workflows/WORKFLOW_NAME.yaml/dispatches \ + # -f ref=main \ + # -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/cal.com:${{ needs.changelog.outputs.TAG }}" \ No newline at end of file From afff09f813eafb46be71d95fd7962f9ba5b91472 Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Tue, 21 May 2024 12:46:54 -0700 Subject: [PATCH 13/27] fix: update workflow --- .github/workflows/docker-ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index ac28213e2f6876..f29f0b653a73fb 100644 --- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/docker-ci.yml @@ -390,7 +390,8 @@ jobs: uses: actions/checkout@v4 with: persist-credentials: false - fetch-depth: 0 + # fetch-depth: 0 + ref: ${{github.event.repository.default_branch}} - name: Extract parameters run: | 
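Review bot: The `yq` expression writes `${{ secrets.DOCKERHUB_USERNAME }}/cal.com::${{ needs.changelog.outputs.TAG }}` with a doubled colon into `services.calcom.image`, which is not a valid image reference, so the compose file this job commits will fail to pull; it should read `/cal.com:${{ needs.changelog.outputs.TAG }}`. The push step uses `ad-m/github-push-action@master`, a floating branch reference for an action that is handed `secrets.GITHUB_TOKEN` and `contents: write`; pin it to a release tag or commit SHA. The tag is also interpolated into a `run:` shell line through `${{ }}`; routing it through `env:` (`TAG: ${{ needs.changelog.outputs.TAG }}`) and quoting `"$TAG"` in the script keeps a malformed changelog output from being interpreted by the shell.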
From 3d7e429c9de4525382839058f220ca62fd67631d Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Tue, 21 May 2024 13:01:27 -0700 Subject: [PATCH 14/27] fix: update workflow --- .github/workflows/docker-ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index f29f0b653a73fb..534703a9e1e6c7 100644 --- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/docker-ci.yml @@ -390,12 +390,11 @@ jobs: uses: actions/checkout@v4 with: persist-credentials: false - # fetch-depth: 0 + fetch-depth: 0 ref: ${{github.event.repository.default_branch}} - name: Extract parameters run: | - cp infra/docker/web/.env.example infra/docker/web/.env yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/cal.com::${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml - name: Configure git From 75cf69dbde77488823acdc917a2c470dd772b816 Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Tue, 21 May 2024 13:15:13 -0700 Subject: [PATCH 15/27] fix: update workflow --- .github/workflows/docker-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index 534703a9e1e6c7..93b82a524207bc 100644 --- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/docker-ci.yml @@ -390,7 +390,7 @@ jobs: uses: actions/checkout@v4 with: persist-credentials: false - fetch-depth: 0 + # fetch-depth: 0 ref: ${{github.event.repository.default_branch}} - name: Extract parameters @@ -415,7 +415,7 @@ jobs: - name: Push changes uses: ad-m/github-push-action@master with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ secrets.RELEASE_MAIN }} branch: ${{ github.ref }} # - name: Trigger workflow in remote repository for pull requests From 01cc7f13375d135e836a332dd18af0e0eea696e9 Mon Sep 17 00:00:00 2001 
From: ChichiCaleb Date: Tue, 21 May 2024 13:52:07 -0700 Subject: [PATCH 16/27] fix: --- .github/workflows/docker-ci.yml | 64 ++++++++++++++++----------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index 93b82a524207bc..992e4d3d402664 100644 --- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/docker-ci.yml 
@@ -376,47 +376,47 @@ jobs: # NEXT JOB ####################################################################### #update docker compose image tag and kubernetes manifest "image tag "in a seperate repo - tag-manifest-update-compose: - name: Tag kubernetes manifest and update compose - needs: [unit-test, integration-test, scan-image,changelog,build-final-image] - runs-on: ubuntu-latest + # tag-manifest-update-compose: + # name: Tag kubernetes manifest and update compose + # needs: [unit-test, integration-test, scan-image,changelog,build-final-image] + # runs-on: ubuntu-latest - permissions: - contents: write + # permissions: + # contents: write - steps: + # steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - persist-credentials: false - # fetch-depth: 0 - ref: ${{github.event.repository.default_branch}} + # - name: Checkout repository + # uses: actions/checkout@v4 + # with: + # persist-credentials: false + # # fetch-depth: 0 + # ref: ${{github.event.repository.default_branch}} - - name: Extract parameters - run: | - yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/cal.com::${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml + # - name: Extract parameters + # run: | + # yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/cal.com::${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml - - name: Configure git - run: | - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" + # - name: Configure git + # run: | + # git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" + # git config --local user.name "github-actions[bot]" - - name: Commit changes - run: | - git add . - git commit -m "Release ${{ needs.changelog.outputs.TAG }} [skip ci]" + # - name: Commit changes + # run: | + # git add . 
+ # git commit -m "Release ${{ needs.changelog.outputs.TAG }} [skip ci]" - - name: Pull the latest changes and rebase - run: | - git pull origin --rebase + # - name: Pull the latest changes and rebase + # run: | + # git pull origin --rebase - - name: Push changes - uses: ad-m/github-push-action@master - with: - github_token: ${{ secrets.RELEASE_MAIN }} - branch: ${{ github.ref }} + # - name: Push changes + # uses: ad-m/github-push-action@master + # with: + # github_token: ${{ secrets.RELEASE_MAIN }} + # branch: ${{ github.ref }} # - name: Trigger workflow in remote repository for pull requests # if: github.event_name == 'pull_request' From 45ec1d721874440c98e39ee72e28d02f255be111 Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Thu, 23 May 2024 05:20:41 -0700 Subject: [PATCH 17/27] Tag kubernetes manifest and update compose --- .github/workflows/docker-ci.yml | 146 +++++++++++++++++--------------- infra/docker/web/.env.example | 1 + 2 files changed, 78 insertions(+), 69 deletions(-) diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index 992e4d3d402664..fb6fef24006700 100644 --- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/docker-ci.yml @@ -3,13 +3,14 @@ name: Docker CI on: # # enable when merged to upstream repo -# push: -# branches: -# - main - -# pull_request: -# branches: -# - main + # push: + # branches: + # - main + + # pull_request_target: + # branches: + # - main + workflow_dispatch: 
@@ -376,69 +377,76 @@ jobs: # NEXT JOB ####################################################################### #update docker compose image tag and kubernetes manifest "image tag "in a seperate repo - # tag-manifest-update-compose: - # name: Tag kubernetes manifest and update compose - # needs: [unit-test, integration-test, scan-image,changelog,build-final-image] - # runs-on: ubuntu-latest - - # permissions: - # contents: write + tag-manifest-update-compose: + name: Tag kubernetes manifest and update compose + needs: [unit-test, integration-test, scan-image,changelog,build-final-image] + runs-on: ubuntu-latest + permissions: + contents: write - # steps: - - # - name: Checkout repository - # uses: actions/checkout@v4 - # with: - # persist-credentials: false - # # fetch-depth: 0 - # ref: ${{github.event.repository.default_branch}} - - # - name: Extract parameters - # run: | - # yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/cal.com::${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml - - # - name: Configure git - # run: | - # git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - # git config --local user.name "github-actions[bot]" - - # - name: Commit changes - # run: | - # git add . 
- # git commit -m "Release ${{ needs.changelog.outputs.TAG }} [skip ci]" - - # - name: Pull the latest changes and rebase - # run: | - # git pull origin --rebase + steps: + + - name: Set default values for manifest tag + run: | + echo "PUSH_MANIFEST_TAG='false'" >> $GITHUB_ENV + echo "ENABLE_PREVIEW='false'" >> $GITHUB_ENV + echo "REMOTE_REPO=''" >> $GITHUB_ENV + echo "REMOTE_WORKFLOW=''" >> $GITHUB_ENV + echo "PREVIEW_WORKFLOW=''" >> $GITHUB_ENV - - # - name: Push changes - # uses: ad-m/github-push-action@master - # with: - # github_token: ${{ secrets.RELEASE_MAIN }} - # branch: ${{ github.ref }} - - # - name: Trigger workflow in remote repository for pull requests - # if: github.event_name == 'pull_request' - # env: - # GH_TOKEN: ${{ secrets.RELEASE_MAIN }} - # run: | - # gh api \ - # -X POST \ - # -H "Accept: application/vnd.github.v3+json" \ - # /repos/${{ github.repository_owner }}/REPO_NAME/actions/workflows/WORKFLOW_NAME.yaml/dispatches \ - # -f ref=main \ - # -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/cal.com:${{ needs.changelog.outputs.TAG }}" + - name: Checkout repository + uses: actions/checkout@v4 + if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.base_ref == 'refs/heads/main') + with: + persist-credentials: false + fetch-depth: 0 + ref: ${{ github.ref }} + + - name: Update compose manifest + if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.base_ref == 'refs/heads/main') + run: | + yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml + + - name: Configure git + if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.base_ref == 'refs/heads/main') + run: | + git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" + git config --local user.name "github-actions[bot]" + + - name: Commit changes + if: github.event_name == 
'push' || (github.event_name == 'pull_request' && github.base_ref == 'refs/heads/main') + run: | + git add . + git commit -m "Release ${{ needs.changelog.outputs.TAG }} [skip ci]" + + - name: Push changes + if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.base_ref == 'refs/heads/main') + uses: ad-m/github-push-action@master + with: + github_token: ${{ secrets.RELEASE_MAIN }} + branch: ${{ github.ref }} + + - name: Trigger workflow in remote repository for pull requests + if: github.event_name == 'pull_request' && env.PUSH_MANIFEST_TAG == 'true' && env.ENABLE_PREVIEW == 'true' + env: + GH_TOKEN: ${{ secrets.RELEASE_MAIN }} + run: | + gh api \ + -X POST \ + -H "Accept: application/vnd.github.v3+json" \ + /repos/${{ github.repository_owner }}/${{ env.REMOTE_REPO }}/actions/workflows/${{env.PREVIEW_WORKFLOW}}/dispatches \ + -f ref=main \ + -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}" - # - name: Trigger workflow in remote repository for other events - # if: github.event_name != 'pull_request' - # env: - # GH_TOKEN: ${{ secrets.RELEASE_MAIN }} - # run: | - # gh api \ - # -X POST \ - # -H "Accept: application/vnd.github.v3+json" \ - # /repos/${{ github.repository_owner }}/REPO_NAME/actions/workflows/WORKFLOW_NAME.yaml/dispatches \ - # -f ref=main \ - # -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/cal.com:${{ needs.changelog.outputs.TAG }}" \ No newline at end of file + - name: Trigger workflow in remote repository for other events + if: github.event_name != 'pull_request' && env.PUSH_MANIFEST_TAG == 'true' + env: + GH_TOKEN: ${{ secrets.RELEASE_MAIN }} + run: | + gh api \ + -X POST \ + -H "Accept: application/vnd.github.v3+json" \ + /repos/${{ github.repository_owner }}/${{ env.REMOTE_REPO }}/actions/workflows/${{env.REMOTE_WORKFLOW}}/dispatches \ + -f ref=main \ + -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}" \ No newline at end of 
file diff --git a/infra/docker/web/.env.example b/infra/docker/web/.env.example index 676f508438d969..effbab25a84e97 100644 --- a/infra/docker/web/.env.example +++ b/infra/docker/web/.env.example @@ -34,6 +34,7 @@ POSTGRES_PASSWORD=magical_password POSTGRES_DB=calendso DATABASE_HOST=database:5432 DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${DATABASE_HOST}/${POSTGRES_DB} +DATABASE_DIRECT_URL=${DATABASE_URL} GOOGLE_API_CREDENTIALS={} # Set this to '1' if you don't want Cal to collect anonymous usage From e38a00225323d166e2e1bf9ec7807eba88ff1706 Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Thu, 23 May 2024 05:43:43 -0700 Subject: [PATCH 18/27] Tag kubernetes manifest and update compose --- .github/workflows/docker-ci.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index fb6fef24006700..9b952b76704372 100644 --- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/docker-ci.yml 
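Review bot: The "Set default values" step writes `PUSH_MANIFEST_TAG='false'` to `$GITHUB_ENV` with the quotes included, so the variable's value is the literal seven-character string `'false'` and `env.PUSH_MANIFEST_TAG == 'true'` can never match even once it is flipped; the same applies to `ENABLE_PREVIEW`, `REMOTE_REPO`, `REMOTE_WORKFLOW` and `PREVIEW_WORKFLOW`, so write `echo "PUSH_MANIFEST_TAG=false" >> $GITHUB_ENV` and so on. `github.base_ref` holds the branch name (`main`), not a full ref, so every `github.base_ref == 'refs/heads/main'` guard in this hunk is always false and should be `github.base_ref == 'main'`; the patches [PATCH 18/27] and [PATCH 20/27] carry both comparisons forward unchanged. Once that comparison is corrected, the `pull_request_target` arm of the checkout/commit/push conditions would commit and push to `${{ github.ref }}`, which for that event is the base branch, i.e. PR-triggered release commits would land on `main` using `secrets.RELEASE_MAIN`; restricting those steps to `push` events (as [PATCH 20/27] later does) is the right shape.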
@@ -396,38 +396,38 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.base_ref == 'refs/heads/main') + if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') with: persist-credentials: false fetch-depth: 0 ref: ${{ github.ref }} - name: Update compose manifest - if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.base_ref == 'refs/heads/main') + if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') run: | yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml - name: Configure git - if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.base_ref == 'refs/heads/main') + if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') run: | git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" git config --local user.name "github-actions[bot]" - name: Commit changes - if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.base_ref == 'refs/heads/main') + if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') run: | git add . 
git commit -m "Release ${{ needs.changelog.outputs.TAG }} [skip ci]" - name: Push changes - if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.base_ref == 'refs/heads/main') + if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') uses: ad-m/github-push-action@master with: github_token: ${{ secrets.RELEASE_MAIN }} branch: ${{ github.ref }} - name: Trigger workflow in remote repository for pull requests - if: github.event_name == 'pull_request' && env.PUSH_MANIFEST_TAG == 'true' && env.ENABLE_PREVIEW == 'true' + if: github.event_name == 'pull_request_target' && env.PUSH_MANIFEST_TAG == 'true' && env.ENABLE_PREVIEW == 'true' env: GH_TOKEN: ${{ secrets.RELEASE_MAIN }} run: | @@ -440,7 +440,7 @@ jobs: - name: Trigger workflow in remote repository for other events - if: github.event_name != 'pull_request' && env.PUSH_MANIFEST_TAG == 'true' + if: github.event_name != 'pull_request_target' && env.PUSH_MANIFEST_TAG == 'true' env: GH_TOKEN: ${{ secrets.RELEASE_MAIN }} run: | From 5afc2a8314113b733d5efba2c2d52f5e2f524e43 Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Thu, 23 May 2024 06:05:51 -0700 Subject: [PATCH 19/27] . --- .github/workflows/docker-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index 9b952b76704372..36bd64a17a54e2 100644 --- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/docker-ci.yml 
@@ -405,7 +405,7 @@ jobs: - name: Update compose manifest if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') run: | - yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml + yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/cal.com:${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml - name: Configure git if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') @@ -436,7 +436,7 @@ jobs: -H "Accept: application/vnd.github.v3+json" \ /repos/${{ github.repository_owner }}/${{ env.REMOTE_REPO }}/actions/workflows/${{env.PREVIEW_WORKFLOW}}/dispatches \ -f ref=main \ - -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}" + -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/cal.com:${{ needs.changelog.outputs.TAG }}" - name: Trigger workflow in remote repository for other events @@ -449,4 +449,4 @@ jobs: -H "Accept: application/vnd.github.v3+json" \ /repos/${{ github.repository_owner }}/${{ env.REMOTE_REPO }}/actions/workflows/${{env.REMOTE_WORKFLOW}}/dispatches \ -f ref=main \ - -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}" \ No newline at end of file + -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/cal.com:${{ needs.changelog.outputs.TAG }}" \ No newline at end of file From 570f47423aa93e125e08aa226d5c003b6dd1aa19 Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Thu, 23 May 2024 07:18:52 -0700 Subject: [PATCH 20/27] workflow update --- .github/workflows/docker-ci.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index 36bd64a17a54e2..2f98fd25f910a6 100644 --- a/.github/workflows/docker-ci.yml 
+++ b/.github/workflows/docker-ci.yml 
@@ -396,38 +396,38 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') + if: github.event_name == 'push' && github.ref == 'refs/heads/main' with: persist-credentials: false fetch-depth: 0 ref: ${{ github.ref }} - name: Update compose manifest - if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') + if: github.event_name == 'push' && github.ref == 'refs/heads/main' run: | yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/cal.com:${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml - name: Configure git - if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') + if: github.event_name == 'push' && github.ref == 'refs/heads/main' run: | git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" git config --local user.name "github-actions[bot]" - name: Commit changes - if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') + if: github.event_name == 'push' && github.ref == 'refs/heads/main' run: | git add . 
git commit -m "Release ${{ needs.changelog.outputs.TAG }} [skip ci]" - name: Push changes - if: github.event_name == 'push' || (github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main') + if: github.event_name == 'push' && github.ref == 'refs/heads/main' uses: ad-m/github-push-action@master with: github_token: ${{ secrets.RELEASE_MAIN }} branch: ${{ github.ref }} - name: Trigger workflow in remote repository for pull requests - if: github.event_name == 'pull_request_target' && env.PUSH_MANIFEST_TAG == 'true' && env.ENABLE_PREVIEW == 'true' + if: github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main' && env.PUSH_MANIFEST_TAG == 'true' && env.ENABLE_PREVIEW == 'true' env: GH_TOKEN: ${{ secrets.RELEASE_MAIN }} run: | @@ -440,7 +440,7 @@ jobs: - name: Trigger workflow in remote repository for other events - if: github.event_name != 'pull_request_target' && env.PUSH_MANIFEST_TAG == 'true' + if: github.event_name == 'push' && github.ref == 'refs/heads/main' && env.PUSH_MANIFEST_TAG == 'true' env: GH_TOKEN: ${{ secrets.RELEASE_MAIN }} run: | From 8e997c02023a697d6fed95bfc3052f24293db831 Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Mon, 27 May 2024 12:53:41 -0700 Subject: [PATCH 21/27] update pull_request to pull_request_targert --- .github/workflows/docker-ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml index 2f98fd25f910a6..b98be2a658c565 100644 --- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/docker-ci.yml @@ -255,7 +255,7 @@ jobs: input-file: "./apps/web/CHANGELOG.md" output-file: "./apps/web/CHANGELOG.md" tag-prefix: "v" - pre-release: ${{github.event_name == 'pull_request'}} + pre-release: ${{github.event_name == 'pull_request_target'}} pre-release-identifier: "alpha" skip-on-empty: 'false' # release-count: 20 
@@ -326,19 +326,19 @@ jobs: # adds the Docker image tag(s)/labels pushed to docker hub,to the pull request comment section for reference purpose - name: Find comment for image tags uses: peter-evans/find-comment@v1 - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request_target' id: fc with: - issue-number: ${{ github.event.pull_request.number }} + issue-number: ${{ github.event.pull_request_target.number }} comment-author: 'github-actions[bot]' body-includes: Docker image tag(s) pushed - name: Create or update comment for image tags uses: peter-evans/create-or-update-comment@v1 - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request_target' with: comment-id: ${{ steps.fc.outputs.comment-id }} - issue-number: ${{ github.event.pull_request.number }} + issue-number: ${{ github.event.pull_request_target.number }} body: | Docker image tag(s) pushed: ```text @@ -355,7 +355,7 @@ jobs: # adds a "preview" label to pull reguest to main branch - name: add labels uses: actions-ecosystem/action-add-labels@v1 - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request_target' with: labels: | preview From 3a5315e01dd241a5e918d9889869ba5dee2525f7 Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Fri, 31 May 2024 12:17:14 -0700 Subject: [PATCH 22/27] split workflow --- .github/workflows/pull-request-target.yaml | 334 +++++++++++++++++ .github/workflows/pull-request.yaml | 337 ++++++++++++++++++ .../{docker-ci.yml => push-merge.yaml} | 112 ++---- 3 files changed, 697 insertions(+), 86 deletions(-) create mode 100644 .github/workflows/pull-request-target.yaml create mode 100755 .github/workflows/pull-request.yaml rename .github/workflows/{docker-ci.yml => push-merge.yaml} (77%) mode change 100644 => 100755 diff --git a/.github/workflows/pull-request-target.yaml b/.github/workflows/pull-request-target.yaml new file mode 100644 index 00000000000000..8c507394ef43a8 --- /dev/null 
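Review bot: `github.event.pull_request_target.number` does not exist: the payload for a `pull_request_target` run is still delivered under `github.event.pull_request`, so `issue-number` evaluates to an empty string in both the find-comment and create-or-update-comment steps and the image-tag comment is never posted. Keep `issue-number: ${{ github.event.pull_request.number }}` in both places and change only the `github.event_name` checks. Moving these steps to `pull_request_target` also means they run with the base repository's secrets (`DOCKERHUB_TOKEN`, `RELEASE_MAIN`) for pull requests from forks, so each job must keep checking out and building only the base ref; the `on:` block that enables the trigger is outside this hunk.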
+++ b/.github/workflows/pull-request-target.yaml 
@@ -0,0 +1,334 @@ +name: Docker CI Pull Request Target + +on: + # pull_request_target: + # branches: + # - main + # types: [opened, synchronize, reopened] + +jobs: + # FIRST JOB ####################################################################### + build-test-image: + name: Build Image for Testing + runs-on: ubuntu-latest + permissions: + contents: write + packages: write + if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' + + steps: + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata for the Docker image + id: docker_meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }} + tags: ${{ github.run_id }} + + - name: Build and Push to GHCR + uses: docker/build-push-action@v5 + with: + file: infra/docker/web/Dockerfile + push: true + tags: ${{ steps.docker_meta.outputs.tags }} + cache-to: type=gha,scope=base,mode=max + cache-from: type=gha,scope=base + platforms: linux/amd64 + + # NEXT JOB ####################################################################### + unit-test: + name: Unit Test in Docker + needs: [build-test-image] + runs-on: ubuntu-latest + permissions: + packages: read + contents: read + if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' + + steps: + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + 
username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and Unit-Test + uses: docker/build-push-action@v5 + with: + file: infra/docker/web/Dockerfile + target: unit-test + push: false + cache-to: type=gha,scope=test,mode=max + cache-from: | + type=gha,scope=base + type=gha,scope=test + platforms: linux/amd64 + + # NEXT JOB ####################################################################### + integration-test: + name: Integration Test in Compose + needs: [build-test-image] + runs-on: ubuntu-latest + permissions: + packages: read + contents: read + if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Downcase repo name + run: | + echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Test healthcheck in Docker Compose + run: | + export TESTING_IMAGE=ghcr.io/${REPO}:"$GITHUB_RUN_ID" + echo Testing image: "$TESTING_IMAGE" + docker compose -f ./infra/docker/web/integration-test/compose.yml up -d calcom + echo "Waiting for the server to be healthy..." 
+ sleep 60s + curl --fail http://localhost:3000 || exit 1 + + # NEXT JOB ####################################################################### + scan-image: + name: Scan Image with Trivy + needs: [build-test-image] + runs-on: ubuntu-latest + permissions: + contents: read + packages: read + security-events: write + if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Downcase repo name + run: | + echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Run Trivy for HIGH,CRITICAL CVEs and report (non-blocking) + uses: aquasecurity/trivy-action@0.20.0 + with: + image-ref: ghcr.io/${{env.REPO}}:${{ github.run_id }} + format: sarif + exit-code: 0 + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'HIGH,CRITICAL' + timeout: 10m0s + output: 'trivy-results.sarif' + env: + TRIVY_USERNAME: ${{ github.repository_owner }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' + + # NEXT JOB ####################################################################### + changelog: + name: Automated Changelog using Conventional Commit + needs: [build-test-image, unit-test, integration-test, scan-image] + runs-on: ubuntu-latest + outputs: + TAG: ${{ steps.docker_tag.outputs.TAG }} + permissions: + contents: write + if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' + + steps: + - name: Check 
out the repository with all releases + uses: actions/checkout@v4 + with: + persist-credentials: 'false' + ref: ${{github.event.repository.default_branch}} + + - name: Conventional Changelog Action + id: changelog + uses: TriPSs/conventional-changelog-action@v5.1.0 + with: + github-token: ${{ secrets.RELEASE_MAIN }} + version-file: "./apps/web/package.json" + git-branch: ${{github.event.repository.default_branch}} + preset: "conventionalcommits" + input-file: "./apps/web/CHANGELOG.md" + output-file: "./apps/web/CHANGELOG.md" + tag-prefix: "v" + pre-release: "${{github.event_name == 'pull_request_target'}}" + pre-release-identifier: "alpha" + skip-on-empty: 'false' + skip-git-pull: true + + - name: Create Release + uses: actions/create-release@v1 + if: ${{ steps.changelog.outputs.skipped == 'false' }} + env: + GITHUB_TOKEN: ${{ secrets.RELEASE_MAIN }} + with: + tag_name: ${{ steps.changelog.outputs.tag }} + release_name: ${{ steps.changelog.outputs.tag }} + body: ${{ steps.changelog.outputs.clean_changelog }} + + - name: Export tag for final build + id: docker_tag + run: | + echo "TAG=${{ steps.changelog.outputs.tag }}" >> $GITHUB_OUTPUT + + # NEXT JOB ####################################################################### + build-final-image: + name: Build Final Image + needs: [unit-test, integration-test, scan-image, changelog] + runs-on: ubuntu-latest + permissions: + contents: write + packages: write + pull-requests: write + if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ 
github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Docker Metadata for Final Image Build + id: docker_meta + uses: docker/metadata-action@v5 + with: + images: ${{ secrets.DOCKERHUB_USERNAME }}/cal.com + tags: | + type=raw,value=${{needs.changelog.outputs.TAG}} + + - name: Comment on pull request + uses: marocchino/sticky-pull-request-comment@v2 + with: + header: final-image + message: | + image tag: ${{ steps.docker_meta.outputs.tags }} + image label: ${{ steps.docker_meta.outputs.labels }} + + - name: Add labels + uses: actions-ecosystem/action-add-labels@v1 + if: github.event_name == 'pull_request_target' + with: + labels: preview + + - name: Docker Build and Push to Docker Hub + uses: docker/build-push-action@v5 + with: + file: infra/docker/web/Dockerfile + push: true + tags: | + ${{ steps.docker_meta.outputs.tags }} + labels: ${{ steps.docker_meta.outputs.labels }} + cache-from: type=gha,scope=base + platforms: linux/amd64 + + # NEXT JOB ####################################################################### + tag-manifest-update-compose: + + name: Tag Kubernetes Manifest and Update Compose + needs: [unit-test, integration-test, scan-image, changelog, build-final-image] + runs-on: ubuntu-latest + permissions: + contents: write + if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' + + steps: + + - name: Set default values for manifest tag + run: | + echo "PUSH_MANIFEST_TAG='false'" >> $GITHUB_ENV + echo "ENABLE_PREVIEW='false'" >> $GITHUB_ENV + echo "REMOTE_REPO=''" >> $GITHUB_ENV + echo "REMOTE_WORKFLOW=''" >> $GITHUB_ENV + echo "PREVIEW_WORKFLOW=''" >> $GITHUB_ENV + + - name: Trigger Deployment Workflow + if: github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main' && env.PUSH_MANIFEST_TAG == 'true' && env.ENABLE_PREVIEW == 'true' + uses: benc-uk/workflow-dispatch@v1 + with: + workflow: ${{env.PREVIEW_WORKFLOW}} + repo: ${{ env.REMOTE_REPO }} + 
inputs: '{"image": "${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}" }' + token: "${{ secrets.RELEASE_MAIN }}" + diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml new file mode 100755 index 00000000000000..d17d318e0db838 --- /dev/null +++ b/.github/workflows/pull-request.yaml 
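Review bot: Every job here runs on `pull_request_target` for any PR to `main` with no check on where the PR comes from, so a PR opened from a fork makes the `changelog` job cut a tag and GitHub release on the default branch with the `RELEASE_MAIN` PAT and makes `build-final-image` push that tag to Docker Hub with `DOCKERHUB_TOKEN`, before a maintainer has looked at it. Each job's `if:` should additionally require `github.event.pull_request.head.repo.full_name == github.repository` (or a maintainer-applied label), and the release and Docker Hub push should be left to the push-to-main workflow rather than run per PR. The `Trigger Deployment Workflow` condition is dead as written: `github.base_ref` is the bare branch name (`main`), so `github.base_ref == 'refs/heads/main'` never matches, and `echo "PUSH_MANIFEST_TAG='false'"` writes the single quotes into the value, so `env.PUSH_MANIFEST_TAG == 'true'` cannot match either. The image passed to the dispatch (`…/calcom:TAG`) also differs from the `…/cal.com` image the `build-final-image` metadata step in this file publishes, so the remote deployment would reference a tag that was never pushed.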
@@ -0,0 +1,337 @@ +name: Docker CI Pull Request + +on: + # pull_request: + # branches: + # - main + # types: [opened, synchronize, reopened] + +jobs: +# FIRST JOB ####################################################################### + build-test-image: + name: Build Image for Testing + runs-on: ubuntu-latest + if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') + permissions: + contents: write + packages: write + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata for the Docker image + id: docker_meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/${{ github.repository }} + tags: | + ${{ github.run_id }} + + - name: Build and Push to GHCR + uses: docker/build-push-action@v5 + with: + file: infra/docker/web/Dockerfile + push: true + tags: ${{ steps.docker_meta.outputs.tags }} + cache-to: | + type=gha,scope=base,mode=max + cache-from: | + type=gha,scope=base + platforms: linux/amd64 + +# NEXT JOB ####################################################################### + unit-test: + name: unit test in docker + needs: [build-test-image] + runs-on: ubuntu-latest + if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') + permissions: + packages: read + contents: read + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set 
up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and unit-test + uses: docker/build-push-action@v5 + with: + file: infra/docker/web/Dockerfile + target: unit-test + push: false + cache-to: | + type=gha,scope=test,mode=max + cache-from: | + type=gha,scope=base + type=gha,scope=test + platforms: linux/amd64 + +# NEXT JOB ####################################################################### + integration-test: + name: Integration test in Compose + needs: [build-test-image] + runs-on: ubuntu-latest + if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') + permissions: + packages: read + contents: read + + steps: + - name: checkout + uses: actions/checkout@v4 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Downcase repo name + run: | + echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Test healthcheck in Docker Compose + run: | + export TESTING_IMAGE=ghcr.io/${REPO}:"$GITHUB_RUN_ID" + echo Testing image: "$TESTING_IMAGE" + + docker compose -f ./infra/docker/web/integration-test/compose.yml up -d calcom + + echo "Waiting for the server to be healthy..." 
+ sleep 60s + + curl --fail http://localhost:3000 || exit 1 + +# NEXT JOB ####################################################################### + scan-image: + name: Scan Image with Trivy + needs: [build-test-image] + runs-on: ubuntu-latest + if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') + permissions: + contents: read + packages: read + security-events: write + + steps: + - name: checkout + uses: actions/checkout@v4 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Downcase repo name + run: | + echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Run Trivy for HIGH,CRITICAL CVEs and report (non-blocking) + uses: aquasecurity/trivy-action@0.20.0 + with: + image-ref: ghcr.io/${{env.REPO}}:${{ github.run_id }} + format: sarif + exit-code: 0 + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'HIGH,CRITICAL' + timeout: 10m0s + output: 'trivy-results.sarif' + env: + TRIVY_USERNAME: ${{ github.repository_owner }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' + +# NEXT JOB ####################################################################### + changelog: + name: automated changelog using conventional commit + needs: [build-test-image, unit-test, integration-test, scan-image] + runs-on: ubuntu-latest + if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || 
github.event.action == 'reopened') + outputs: + TAG: ${{ steps.docker_tag.outputs.TAG }} + permissions: + contents: write + + steps: + - name: check out the repository with all releases + uses: actions/checkout@v4 + with: + persist-credentials: 'false' + ref: ${{github.event.repository.default_branch}} + + - name: conventional Changelog Action + id: changelog + uses: TriPSs/conventional-changelog-action@v5.1.0 + with: + github-token: ${{ secrets.RELEASE_MAIN }} + version-file: "./apps/web/package.json" + git-branch: ${{github.event.repository.default_branch}} + preset: "conventionalcommits" + input-file: "./apps/web/CHANGELOG.md" + output-file: "./apps/web/CHANGELOG.md" + tag-prefix: "v" + pre-release: "${{github.event_name == 'pull_request'}}" + pre-release-identifier: "alpha" + skip-on-empty: 'false' + skip-git-pull: true + + - name: Create Release + uses: actions/create-release@v1 + if: ${{ steps.changelog.outputs.skipped == 'false' }} + env: + GITHUB_TOKEN: ${{ secrets.RELEASE_MAIN }} + with: + tag_name: ${{ steps.changelog.outputs.tag }} + release_name: ${{ steps.changelog.outputs.tag }} + body: ${{ steps.changelog.outputs.clean_changelog }} + + - name: export tag for final build + id: docker_tag + run: | + echo "TAG=${{ steps.changelog.outputs.tag }}" >> $GITHUB_OUTPUT + +# NEXT JOB ####################################################################### + build-final-image: + name: Build Final Image + needs: [unit-test, integration-test, scan-image, changelog] + runs-on: ubuntu-latest + if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') + permissions: + contents: write + packages: write + pull-requests: write + + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: 
${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Login to ghcr.io registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata for the Docker image + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ secrets.DOCKERHUB_USERNAME }}/cal.com + tags: type=raw,value=${{needs.changelog.outputs.TAG}} + + + - name: Comment on pull request + uses: marocchino/sticky-pull-request-comment@v2 + with: + header: final-image + message: | + image tag: ${{ steps.docker_meta.outputs.tags }} + image label: ${{ steps.docker_meta.outputs.labels }} + + - name: Add labels + uses: actions-ecosystem/action-add-labels@v1 + if: github.event_name == 'pull_request' + with: + labels: preview + + - name: Docker Build and Push to Docker Hub + uses: docker/build-push-action@v5 + with: + file: infra/docker/web/Dockerfile + push: true + tags: | + ${{ steps.docker_meta.outputs.tags }} + labels: ${{ steps.docker_meta.outputs.labels }} + cache-from: type=gha,scope=base + platforms: linux/amd64 + + +# NEXT JOB ####################################################################### + tag-manifest-update-compose: + name: Tag kubernetes manifest and update compose + needs: [unit-test, integration-test, scan-image, changelog, build-final-image] + runs-on: ubuntu-latest + if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') + permissions: + contents: write + + steps: + - name: Set default values for manifest tag + run: | + echo "PUSH_MANIFEST_TAG='false'" >> $GITHUB_ENV + echo "ENABLE_PREVIEW='false'" >> $GITHUB_ENV + echo "REMOTE_REPO=''" >> $GITHUB_ENV + echo "REMOTE_WORKFLOW=''" >> $GITHUB_ENV + echo "PREVIEW_WORKFLOW=''" >> $GITHUB_ENV + + - name: Trigger Deployment Workflow + if: github.event_name == 
'pull_request' && github.base_ref == 'refs/heads/main' && env.PUSH_MANIFEST_TAG == 'true' && env.ENABLE_PREVIEW == 'true' + uses: benc-uk/workflow-dispatch@v1 + with: + workflow: ${{env.PREVIEW_WORKFLOW}} + repo: ${{ env.REMOTE_REPO }} + inputs: '{"image": "${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}" }' + token: "${{ secrets.RELEASE_MAIN }}" diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/push-merge.yaml old mode 100644 new mode 100755 similarity index 77% rename from .github/workflows/docker-ci.yml rename to .github/workflows/push-merge.yaml index b98be2a658c565..1f128a4717dca0 --- a/.github/workflows/docker-ci.yml +++ b/.github/workflows/push-merge.yaml @@ -1,17 +1,11 @@ --- -name: Docker CI +name: Docker Push/Merge Workflow on: -# # enable when merged to upstream repo # push: # branches: # - main - # pull_request_target: - # branches: - # - main - - workflow_dispatch: @@ -23,7 +17,7 @@ jobs: name: Build Image for Testing runs-on: ubuntu-latest permissions: - contents: read + contents: write packages: write steps: @@ -62,9 +56,9 @@ jobs: push: true tags: ${{ steps.docker_meta.outputs.tags }} cache-to: | - type=gha,scope=base,mode=max + type=gha,scope=main-base,mode=max cache-from: | - type=gha,scope=base + type=gha,scope=main-base platforms: linux/amd64 @@ -107,14 +101,13 @@ jobs: target: unit-test push: false cache-to: | - type=gha,scope=test,mode=max + type=gha,scope=main-test,mode=max cache-from: | - type=gha,scope=base - type=gha,scope=test + type=gha,scope=main-base + type=gha,scope=main-test platforms: linux/amd64 - # # # # # NEXT JOB ####################################################################### # pulls test image from GHCR and run integration test in docker compose testing ability of the built app # to succesfully connect to postgres db 
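Review bot: In `build-final-image` the metadata step is declared with `id: meta`, but every later step reads `steps.docker_meta.outputs.tags` and `steps.docker_meta.outputs.labels`, so the PR comment prints empty values and `docker/build-push-action` is invoked with `push: true` and no tags, which fails the job; rename it to `id: docker_meta` (matching the `pull_request_target` variant) or fix the references. The `head.repo.full_name == github.repository` guard on each job is the right call, since fork PRs do not receive secrets on `pull_request` anyway and the registry logins would fail. As in the sibling workflow, `github.base_ref == 'refs/heads/main'` in the last step never matches because `base_ref` is the bare branch name.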
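Review bot: `contents: write` is granted to `build-test-image`, but nothing in the job touches the repository — it logs in to two registries and pushes an image, which needs only `packages: write` — so this widens the `GITHUB_TOKEN` handed to every third-party action the job runs for no benefit; keep `contents: read`. If the intent was to let a later job commit the compose update, that job declares its own `permissions` block and does not inherit this one. The rest of the job's steps are outside this hunk.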
@@ -196,6 +189,7 @@ jobs: run: | echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + - name: Run Trivy for HIGH,CRITICAL CVEs and report (non-blocking) uses: aquasecurity/trivy-action@0.20.0 with: @@ -255,8 +249,6 @@ jobs: input-file: "./apps/web/CHANGELOG.md" output-file: "./apps/web/CHANGELOG.md" tag-prefix: "v" - pre-release: ${{github.event_name == 'pull_request_target'}} - pre-release-identifier: "alpha" skip-on-empty: 'false' # release-count: 20 skip-git-pull: true @@ -277,7 +269,6 @@ jobs: echo "TAG=${{ steps.changelog.outputs.tag }}" >> $GITHUB_OUTPUT - # NEXT JOB ####################################################################### # builds the final image and adds latest tag and image:V*.*.* semantic versioning tag to merge request # and image:v*.*.*-alpha.* tag to pull requests made to main branch before pushing to dockerhub @@ -287,7 +278,7 @@ jobs: runs-on: ubuntu-latest permissions: - contents: read + contents: write packages: write pull-requests: write # needed to create and update comments in PRs @@ -311,7 +302,6 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Docker Metadata for Final Image Build id: docker_meta uses: docker/metadata-action@v5 
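Review bot: The `@@ -287,7` hunk raises `build-final-image` to `contents: write`, yet the steps visible for this job only log in to registries and push to Docker Hub, which `packages: write` already covers, and the comment/label steps that needed `pull-requests: write` are removed in the next hunk. Least privilege says keep `contents: read` here and hold the write-capable token to the single job that commits the compose file. If a step elsewhere in the job (outside this hunk) really writes to the repo, a comment next to the permission naming that step would justify it.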
@@ -323,43 +313,6 @@ jobs: type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }} type=raw,value=${{needs.changelog.outputs.TAG}} - # adds the Docker image tag(s)/labels pushed to docker hub,to the pull request comment section for reference purpose - - name: Find comment for image tags - uses: peter-evans/find-comment@v1 - if: github.event_name == 'pull_request_target' - id: fc - with: - issue-number: ${{ github.event.pull_request_target.number }} - comment-author: 'github-actions[bot]' - body-includes: Docker image tag(s) pushed - - - name: Create or update comment for image tags - uses: peter-evans/create-or-update-comment@v1 - if: github.event_name == 'pull_request_target' - with: - comment-id: ${{ steps.fc.outputs.comment-id }} - issue-number: ${{ github.event.pull_request_target.number }} - body: | - Docker image tag(s) pushed: - ```text - ${{ steps.docker_meta.outputs.tags }} - ``` - - Labels added to images: - ```text - ${{ steps.docker_meta.outputs.labels }} - ``` - edit-mode: replace - -# needed for argocd pull request generator: yet to be implemented -# adds a "preview" label to pull reguest to main branch - - name: add labels - uses: actions-ecosystem/action-add-labels@v1 - if: github.event_name == 'pull_request_target' - with: - labels: | - preview - - name: Docker Build and Push to Docker Hub uses: docker/build-push-action@v5 with: @@ -369,10 +322,10 @@ jobs: ${{ steps.docker_meta.outputs.tags }} , labels: ${{ steps.docker_meta.outputs.labels }} cache-from: | - type=gha,scope=base + type=gha,scope=main-base platforms: linux/amd64 - + # NEXT JOB ####################################################################### #update docker compose image tag and kubernetes manifest "image tag "in a seperate repo 
@@ -389,11 +342,9 @@ jobs: - name: Set default values for manifest tag run: | echo "PUSH_MANIFEST_TAG='false'" >> $GITHUB_ENV - echo "ENABLE_PREVIEW='false'" >> $GITHUB_ENV echo "REMOTE_REPO=''" >> $GITHUB_ENV echo "REMOTE_WORKFLOW=''" >> $GITHUB_ENV - echo "PREVIEW_WORKFLOW=''" >> $GITHUB_ENV - + - name: Checkout repository uses: actions/checkout@v4 if: github.event_name == 'push' && github.ref == 'refs/heads/main' @@ -405,7 +356,7 @@ jobs: - name: Update compose manifest if: github.event_name == 'push' && github.ref == 'refs/heads/main' run: | - yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/cal.com:${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml + yq --inplace ".services.calcom.image = \"${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}\"" infra/docker/web/docker-compose.yaml - name: Configure git if: github.event_name == 'push' && github.ref == 'refs/heads/main' 
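Review bot: The compose manifest is now pinned to `${{ secrets.DOCKERHUB_USERNAME }}/calcom:TAG`, but the `build-final-image` metadata steps added elsewhere in this series publish `${{ secrets.DOCKERHUB_USERNAME }}/cal.com`; if the `images:` line of this workflow's metadata step (outside the hunk) still reads `cal.com`, the committed compose file and the dispatched deployment both point at a tag that was never pushed, so the image name should be defined once (an `env:` at workflow level) and reused. The `yq --inplace` line also splices `needs.changelog.outputs.TAG` straight into a shell command; today that value comes from the changelog action rather than user input, but passing it as `env: { TAG: "${{ needs.changelog.outputs.TAG }}" }` and using `"$TAG"` keeps it out of shell parsing should its source ever change.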
@@ -414,39 +365,28 @@ jobs: git config --local user.name "github-actions[bot]" - name: Commit changes - if: github.event_name == 'push' && github.ref == 'refs/heads/main' + if: github.event_name == 'push' && github.ref == 'refs/heads/main' run: | git add . git commit -m "Release ${{ needs.changelog.outputs.TAG }} [skip ci]" - name: Push changes - if: github.event_name == 'push' && github.ref == 'refs/heads/main' + if: github.event_name == 'push' && github.ref == 'refs/heads/main' uses: ad-m/github-push-action@master with: github_token: ${{ secrets.RELEASE_MAIN }} branch: ${{ github.ref }} - - name: Trigger workflow in remote repository for pull requests - if: github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main' && env.PUSH_MANIFEST_TAG == 'true' && env.ENABLE_PREVIEW == 'true' - env: - GH_TOKEN: ${{ secrets.RELEASE_MAIN }} - run: | - gh api \ - -X POST \ - -H "Accept: application/vnd.github.v3+json" \ - /repos/${{ github.repository_owner }}/${{ env.REMOTE_REPO }}/actions/workflows/${{env.PREVIEW_WORKFLOW}}/dispatches \ - -f ref=main \ - -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/cal.com:${{ needs.changelog.outputs.TAG }}" + - name: Trigger Deployment Workflow + if: github.event_name == 'push' && github.ref == 'refs/heads/main' && env.PUSH_MANIFEST_TAG == 'true' + uses: benc-uk/workflow-dispatch@v1 + with: + workflow: ${{env.REMOTE_WORKFLOW}} + repo: ${{ env.REMOTE_REPO }} + inputs: '{"image": "${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}" }' + token: "${{ secrets.RELEASE_MAIN }}" + + - - name: Trigger workflow in remote repository for other events - if: github.event_name == 'push' && github.ref == 'refs/heads/main' && env.PUSH_MANIFEST_TAG == 'true' - env: - GH_TOKEN: ${{ secrets.RELEASE_MAIN }} - run: | - gh api \ - -X POST \ - -H "Accept: application/vnd.github.v3+json" \ - /repos/${{ github.repository_owner }}/${{ env.REMOTE_REPO }}/actions/workflows/${{env.REMOTE_WORKFLOW}}/dispatches \ - -f 
ref=main \ - -f "inputs[image]=${{ secrets.DOCKERHUB_USERNAME }}/cal.com:${{ needs.changelog.outputs.TAG }}" \ No newline at end of file + \ No newline at end of file From 0fcb71fe02f33d107c037f344ef52e8da26113ab Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Fri, 31 May 2024 12:29:32 -0700 Subject: [PATCH 23/27] split workflow --- .github/workflows/pull-request-target.yaml | 8 ++++---- .github/workflows/pull-request.yaml | 8 ++++---- .github/workflows/push-merge.yaml | 6 +++--- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/pull-request-target.yaml b/.github/workflows/pull-request-target.yaml index 8c507394ef43a8..9d4341d065b7a6 100644 --- a/.github/workflows/pull-request-target.yaml +++ b/.github/workflows/pull-request-target.yaml @@ -1,10 +1,10 @@ name: Docker CI Pull Request Target on: - # pull_request_target: - # branches: - # - main - # types: [opened, synchronize, reopened] + pull_request_target: + branches: + - main + types: [opened, synchronize, reopened] jobs: # FIRST JOB ####################################################################### diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index d17d318e0db838..cdd666a3d4d35e 100755 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -1,10 +1,10 @@ name: Docker CI Pull Request on: - # pull_request: - # branches: - # - main - # types: [opened, synchronize, reopened] + pull_request: + branches: + - main + types: [opened, synchronize, reopened] jobs: # FIRST JOB ####################################################################### diff --git a/.github/workflows/push-merge.yaml b/.github/workflows/push-merge.yaml index 1f128a4717dca0..83170540b6a7a5 100755 --- a/.github/workflows/push-merge.yaml +++ b/.github/workflows/push-merge.yaml @@ -2,9 +2,9 @@ name: Docker Push/Merge Workflow on: - # push: - # branches: - # - main + push: + branches: + - main workflow_dispatch: 
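Review bot: `ad-m/github-push-action@master` and `benc-uk/workflow-dispatch@v1` are both handed `secrets.RELEASE_MAIN`, a PAT able to push to `main` and create releases, yet one is pinned to a mutable branch and the other to a floating major tag, so a compromise of either upstream repository silently obtains that token on the next run; pin both to a full commit SHA (`uses: ad-m/github-push-action@<sha> # vX.Y.Z`) or replace the push with a plain `git push` over an `https://x-access-token:${RELEASE_MAIN}@…` remote. `git add .` also commits whatever is in the workspace rather than only the file this job edits; `git add infra/docker/web/docker-compose.yaml` keeps the release commit to the intended change. The `Trigger Deployment Workflow` step can never fire as written, because `PUSH_MANIFEST_TAG` is set (outside this hunk) to the literal string `'false'` with the quotes included.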
From c3f44567b435b4fd3260c4340d3577ff5d6aa4f6 Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Fri, 31 May 2024 12:35:48 -0700 Subject: [PATCH 24/27] update workflow --- .github/workflows/pull-request-target.yaml | 10 ++++++---- .github/workflows/pull-request.yaml | 10 ++++++---- .github/workflows/push-merge.yaml | 6 +++--- 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/.github/workflows/pull-request-target.yaml b/.github/workflows/pull-request-target.yaml index 9d4341d065b7a6..f73678f3c0317d 100644 --- a/.github/workflows/pull-request-target.yaml +++ b/.github/workflows/pull-request-target.yaml @@ -1,10 +1,12 @@ name: Docker CI Pull Request Target on: - pull_request_target: - branches: - - main - types: [opened, synchronize, reopened] + # pull_request_target: + # branches: + # - main + # types: [opened, synchronize, reopened] + + workflow_dispatch: jobs: # FIRST JOB ####################################################################### diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index cdd666a3d4d35e..4f0d3350169aef 100755 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -1,10 +1,12 @@ name: Docker CI Pull Request on: - pull_request: - branches: - - main - types: [opened, synchronize, reopened] + # pull_request: + # branches: + # - main + # types: [opened, synchronize, reopened] + + workflow_dispatch: jobs: # FIRST JOB ####################################################################### diff --git a/.github/workflows/push-merge.yaml b/.github/workflows/push-merge.yaml index 83170540b6a7a5..1f128a4717dca0 100755 --- a/.github/workflows/push-merge.yaml +++ b/.github/workflows/push-merge.yaml @@ -2,9 +2,9 @@ name: Docker Push/Merge Workflow on: - push: - branches: - - main + # push: + # branches: + # - main workflow_dispatch: From edbe8fc66f70b4121cd010e8324923279e100ae2 Mon Sep 17 00:00:00 2001 
From: ChichiCaleb Date: Fri, 31 May 2024 12:42:34 -0700 Subject: [PATCH 25/27] fix package.json --- apps/web/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/web/package.json b/apps/web/package.json index 9f9c471568c039..b916acfeeddef5 100644 --- a/apps/web/package.json +++ b/apps/web/package.json @@ -19,7 +19,7 @@ "lint:report": "eslint . --format json --output-file ../../lint-results/web.json", "check-changed-files": "ts-node scripts/ts-check-changed-files.ts", - "docker-start-web": "prisma migrate deploy --schema /app/packages/prisma/schema.prisma && node /app/apps/web/server.js" + "docker-start-web": "prisma migrate deploy --schema /app/packages/prisma/schema.prisma && node /app/apps/web/server.js", "translate-locales": "ts-node scripts/check-missing-translations.ts" From f527954e94459372e2fbc7d178af0d0803348a37 Mon Sep 17 00:00:00 2001 From: ChichiCaleb Date: Mon, 22 Jul 2024 06:48:10 -0700 Subject: [PATCH 26/27] consolidate workflow into docker-ci --- .../workflows/{push-merge.yaml => docker-ci} | 37 +- .github/workflows/pull-request-target.yaml | 336 ----------------- .github/workflows/pull-request.yaml | 339 ------------------ 3 files changed, 18 insertions(+), 694 deletions(-) rename .github/workflows/{push-merge.yaml => docker-ci} (90%) delete mode 100644 .github/workflows/pull-request-target.yaml delete mode 100755 .github/workflows/pull-request.yaml diff --git a/.github/workflows/push-merge.yaml b/.github/workflows/docker-ci similarity index 90% rename from .github/workflows/push-merge.yaml rename to .github/workflows/docker-ci index 1f128a4717dca0..a5a57645b23135 100755 --- a/.github/workflows/push-merge.yaml +++ b/.github/workflows/docker-ci 
@@ -2,9 +2,19 @@
 name: Docker Push/Merge Workflow
 on:
- # push:
- # branches:
- # - main
+ push:
+ branches:
+ - main
+
+ pull_request:
+ branches:
+ - main
+ types: [opened, synchronize, reopened]
+
+ pull_request_target:
+ branches:
+ - main
+ types: [opened, synchronize, reopened]
 workflow_dispatch:
@@ -249,6 +259,8 @@ jobs:
 input-file: "./apps/web/CHANGELOG.md"
 output-file: "./apps/web/CHANGELOG.md"
 tag-prefix: "v"
+ pre-release: "${{github.event_name == 'pull_request'}} || ${{github.event_name == 'pull_request_target'}}"
+ pre-release-identifier: "alpha"
 skip-on-empty: 'false'
 # release-count: 20
 skip-git-pull: true
@@ -328,9 +340,9 @@ jobs:
 # NEXT JOB #######################################################################
-#update docker compose image tag and kubernetes manifest "image tag "in a seperate repo
+#update docker compose image tag
- tag-manifest-update-compose:
+ update-compose:
 name: Tag kubernetes manifest and update compose
 needs: [unit-test, integration-test, scan-image,changelog,build-final-image]
 runs-on: ubuntu-latest
@@ -339,11 +351,6 @@ jobs:
 steps:
- - name: Set default values for manifest tag
- run: |
- echo "PUSH_MANIFEST_TAG='false'" >> $GITHUB_ENV
- echo "REMOTE_REPO=''" >> $GITHUB_ENV
- echo "REMOTE_WORKFLOW=''" >> $GITHUB_ENV
 - name: Checkout repository
 uses: actions/checkout@v4
@@ -377,15 +384,7 @@ jobs:
 github_token: ${{ secrets.RELEASE_MAIN }}
 branch: ${{ github.ref }}
- - name: Trigger Deployment Workflow
- if: github.event_name == 'push' && github.ref == 'refs/heads/main' && env.PUSH_MANIFEST_TAG == 'true'
- uses: benc-uk/workflow-dispatch@v1
- with:
- workflow: ${{env.REMOTE_WORKFLOW}}
- repo: ${{ env.REMOTE_REPO }}
- inputs: '{"image": "${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}" }'
- token: "${{ secrets.RELEASE_MAIN }}"
-
+
diff --git a/.github/workflows/pull-request-target.yaml b/.github/workflows/pull-request-target.yaml
deleted file mode 100644
index f73678f3c0317d..00000000000000
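Review bot: Enabling both `pull_request` and `pull_request_target` on `main` with identical `types` makes every same-repository PR run the whole job chain twice, and `pull_request_target` additionally runs with the base repository's secrets (`RELEASE_MAIN` is used further down this file, and the deleted workflows show registry logins for the same jobs) for PRs opened from forks. The two workflows this patch deletes gated their jobs on `github.event.pull_request.head.repo.full_name == github.repository`; whether the consolidated jobs keep an equivalent guard is outside this hunk. If fork PRs are not meant to build and publish images, drop `pull_request_target` from `on:`, or keep it only for a job that needs no secrets and put the head-repository guard on everything else.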
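Review bot: `pre-release: "${{github.event_name == 'pull_request'}} || ${{github.event_name == 'pull_request_target'}}"` evaluates the two `${{ }}` expressions separately and leaves ` || ` as literal text, so the action receives strings such as `false || false` or `true || false`, never a plain boolean; on a push to `main` this is no longer the `false` the deleted workflows passed. Put the operator inside a single expression: `pre-release: "${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_target' }}"`. How the action interprets a non-boolean string is not visible here, so the stable-release path on push should be re-checked after the fix; the changelog step itself starts outside the hunk.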
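Review bot: The job id becomes `update-compose` and the comment is narrowed to the compose update, but the display name on the next context line still reads `Tag kubernetes manifest and update compose`, and the remote deployment trigger it referred to is removed later in this patch. `name: Update compose image tag` keeps the UI label consistent with the job id. The `needs:` list also mixes `scan-image,changelog,build-final-image` without spaces; spacing it like the other `needs:` lists in the file is a small readability fix.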
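Review bot: The surviving context lines `github_token: ${{ secrets.RELEASE_MAIN }}` and `branch: ${{ github.ref }}` belong to a step that starts outside the hunk and, from those inputs, appears to push the updated compose file back with a privileged token; with this patch's new `pull_request` and `pull_request_target` triggers the job is no longer reached only by pushes to `main`. For `pull_request_target`, `github.ref` resolves to the base branch, so a PR-triggered run of this job would commit to `main` with `RELEASE_MAIN`; for `pull_request` it is a merge ref rather than a branch, which presumably fails the push. The removed "Trigger Deployment Workflow" step carried `github.event_name == 'push' && github.ref == 'refs/heads/main'`; that condition should move onto the push step or the job, `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`.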
--- a/.github/workflows/pull-request-target.yaml
+++ /dev/null
@@ -1,336 +0,0 @@ -name: Docker CI Pull Request Target - -on: - # pull_request_target: - # branches: - # - main - # types: [opened, synchronize, reopened] - - workflow_dispatch: - -jobs: - # FIRST JOB ####################################################################### - build-test-image: - name: Build Image for Testing - runs-on: ubuntu-latest - permissions: - contents: write - packages: write - if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' - - steps: - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to ghcr.io registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata for the Docker image - id: docker_meta - uses: docker/metadata-action@v5 - with: - images: ghcr.io/${{ github.repository }} - tags: ${{ github.run_id }} - - - name: Build and Push to GHCR - uses: docker/build-push-action@v5 - with: - file: infra/docker/web/Dockerfile - push: true - tags: ${{ steps.docker_meta.outputs.tags }} - cache-to: type=gha,scope=base,mode=max - cache-from: type=gha,scope=base - platforms: linux/amd64 - - # NEXT JOB ####################################################################### - unit-test: - name: Unit Test in Docker - needs: [build-test-image] - runs-on: ubuntu-latest - permissions: - packages: read - contents: read - if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' - - steps: - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Docker Hub - uses: 
docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to ghcr.io registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and Unit-Test - uses: docker/build-push-action@v5 - with: - file: infra/docker/web/Dockerfile - target: unit-test - push: false - cache-to: type=gha,scope=test,mode=max - cache-from: | - type=gha,scope=base - type=gha,scope=test - platforms: linux/amd64 - - # NEXT JOB ####################################################################### - integration-test: - name: Integration Test in Compose - needs: [build-test-image] - runs-on: ubuntu-latest - permissions: - packages: read - contents: read - if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to ghcr.io registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Downcase repo name - run: | - echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Test healthcheck in Docker Compose - run: | - export TESTING_IMAGE=ghcr.io/${REPO}:"$GITHUB_RUN_ID" - echo Testing image: "$TESTING_IMAGE" - docker compose -f ./infra/docker/web/integration-test/compose.yml up -d calcom - echo "Waiting for the server to be healthy..." 
- sleep 60s - curl --fail http://localhost:3000 || exit 1 - - # NEXT JOB ####################################################################### - scan-image: - name: Scan Image with Trivy - needs: [build-test-image] - runs-on: ubuntu-latest - permissions: - contents: read - packages: read - security-events: write - if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to ghcr.io registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Downcase repo name - run: | - echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Run Trivy for HIGH,CRITICAL CVEs and report (non-blocking) - uses: aquasecurity/trivy-action@0.20.0 - with: - image-ref: ghcr.io/${{env.REPO}}:${{ github.run_id }} - format: sarif - exit-code: 0 - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'HIGH,CRITICAL' - timeout: 10m0s - output: 'trivy-results.sarif' - env: - TRIVY_USERNAME: ${{ github.repository_owner }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-results.sarif' - - # NEXT JOB ####################################################################### - changelog: - name: Automated Changelog using Conventional Commit - needs: [build-test-image, unit-test, integration-test, scan-image] - runs-on: ubuntu-latest - outputs: - TAG: ${{ steps.docker_tag.outputs.TAG }} - permissions: - contents: write - if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' - - steps: - - name: Check 
out the repository with all releases - uses: actions/checkout@v4 - with: - persist-credentials: 'false' - ref: ${{github.event.repository.default_branch}} - - - name: Conventional Changelog Action - id: changelog - uses: TriPSs/conventional-changelog-action@v5.1.0 - with: - github-token: ${{ secrets.RELEASE_MAIN }} - version-file: "./apps/web/package.json" - git-branch: ${{github.event.repository.default_branch}} - preset: "conventionalcommits" - input-file: "./apps/web/CHANGELOG.md" - output-file: "./apps/web/CHANGELOG.md" - tag-prefix: "v" - pre-release: "${{github.event_name == 'pull_request_target'}}" - pre-release-identifier: "alpha" - skip-on-empty: 'false' - skip-git-pull: true - - - name: Create Release - uses: actions/create-release@v1 - if: ${{ steps.changelog.outputs.skipped == 'false' }} - env: - GITHUB_TOKEN: ${{ secrets.RELEASE_MAIN }} - with: - tag_name: ${{ steps.changelog.outputs.tag }} - release_name: ${{ steps.changelog.outputs.tag }} - body: ${{ steps.changelog.outputs.clean_changelog }} - - - name: Export tag for final build - id: docker_tag - run: | - echo "TAG=${{ steps.changelog.outputs.tag }}" >> $GITHUB_OUTPUT - - # NEXT JOB ####################################################################### - build-final-image: - name: Build Final Image - needs: [unit-test, integration-test, scan-image, changelog] - runs-on: ubuntu-latest - permissions: - contents: write - packages: write - pull-requests: write - if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' - - steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to ghcr.io registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ 
github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Docker Metadata for Final Image Build - id: docker_meta - uses: docker/metadata-action@v5 - with: - images: ${{ secrets.DOCKERHUB_USERNAME }}/cal.com - tags: | - type=raw,value=${{needs.changelog.outputs.TAG}} - - - name: Comment on pull request - uses: marocchino/sticky-pull-request-comment@v2 - with: - header: final-image - message: | - image tag: ${{ steps.docker_meta.outputs.tags }} - image label: ${{ steps.docker_meta.outputs.labels }} - - - name: Add labels - uses: actions-ecosystem/action-add-labels@v1 - if: github.event_name == 'pull_request_target' - with: - labels: preview - - - name: Docker Build and Push to Docker Hub - uses: docker/build-push-action@v5 - with: - file: infra/docker/web/Dockerfile - push: true - tags: | - ${{ steps.docker_meta.outputs.tags }} - labels: ${{ steps.docker_meta.outputs.labels }} - cache-from: type=gha,scope=base - platforms: linux/amd64 - - # NEXT JOB ####################################################################### - tag-manifest-update-compose: - - name: Tag Kubernetes Manifest and Update Compose - needs: [unit-test, integration-test, scan-image, changelog, build-final-image] - runs-on: ubuntu-latest - permissions: - contents: write - if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened' - - steps: - - - name: Set default values for manifest tag - run: | - echo "PUSH_MANIFEST_TAG='false'" >> $GITHUB_ENV - echo "ENABLE_PREVIEW='false'" >> $GITHUB_ENV - echo "REMOTE_REPO=''" >> $GITHUB_ENV - echo "REMOTE_WORKFLOW=''" >> $GITHUB_ENV - echo "PREVIEW_WORKFLOW=''" >> $GITHUB_ENV - - - name: Trigger Deployment Workflow - if: github.event_name == 'pull_request_target' && github.base_ref == 'refs/heads/main' && env.PUSH_MANIFEST_TAG == 'true' && env.ENABLE_PREVIEW == 'true' - uses: benc-uk/workflow-dispatch@v1 - with: - workflow: ${{env.PREVIEW_WORKFLOW}} - repo: ${{ env.REMOTE_REPO }} - 
inputs: '{"image": "${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}" }'
- token: "${{ secrets.RELEASE_MAIN }}"
-
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
deleted file mode 100755
index 4f0d3350169aef..00000000000000
--- a/.github/workflows/pull-request.yaml
+++ /dev/null
@@ -1,339 +0,0 @@ -name: Docker CI Pull Request - -on: - # pull_request: - # branches: - # - main - # types: [opened, synchronize, reopened] - - workflow_dispatch: - -jobs: -# FIRST JOB ####################################################################### - build-test-image: - name: Build Image for Testing - runs-on: ubuntu-latest - if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') - permissions: - contents: write - packages: write - - steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to ghcr.io registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata for the Docker image - id: docker_meta - uses: docker/metadata-action@v5 - with: - images: ghcr.io/${{ github.repository }} - tags: | - ${{ github.run_id }} - - - name: Build and Push to GHCR - uses: docker/build-push-action@v5 - with: - file: infra/docker/web/Dockerfile - push: true - tags: ${{ steps.docker_meta.outputs.tags }} - cache-to: | - type=gha,scope=base,mode=max - cache-from: | - type=gha,scope=base - platforms: linux/amd64 - -# NEXT JOB ####################################################################### - unit-test: - name: unit test in docker - needs: [build-test-image] - runs-on: ubuntu-latest - if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') - permissions: - packages: read - contents: read - - steps: - - name: Set up QEMU - uses: 
docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to ghcr.io registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and unit-test - uses: docker/build-push-action@v5 - with: - file: infra/docker/web/Dockerfile - target: unit-test - push: false - cache-to: | - type=gha,scope=test,mode=max - cache-from: | - type=gha,scope=base - type=gha,scope=test - platforms: linux/amd64 - -# NEXT JOB ####################################################################### - integration-test: - name: Integration test in Compose - needs: [build-test-image] - runs-on: ubuntu-latest - if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') - permissions: - packages: read - contents: read - - steps: - - name: checkout - uses: actions/checkout@v4 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to ghcr.io registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Downcase repo name - run: | - echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Test healthcheck in Docker Compose - run: | - export TESTING_IMAGE=ghcr.io/${REPO}:"$GITHUB_RUN_ID" - echo Testing image: "$TESTING_IMAGE" - - docker compose -f ./infra/docker/web/integration-test/compose.yml up -d calcom - - echo "Waiting for the server to be healthy..." 
- sleep 60s - - curl --fail http://localhost:3000 || exit 1 - -# NEXT JOB ####################################################################### - scan-image: - name: Scan Image with Trivy - needs: [build-test-image] - runs-on: ubuntu-latest - if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') - permissions: - contents: read - packages: read - security-events: write - - steps: - - name: checkout - uses: actions/checkout@v4 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to ghcr.io registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Downcase repo name - run: | - echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} - - - name: Run Trivy for HIGH,CRITICAL CVEs and report (non-blocking) - uses: aquasecurity/trivy-action@0.20.0 - with: - image-ref: ghcr.io/${{env.REPO}}:${{ github.run_id }} - format: sarif - exit-code: 0 - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'HIGH,CRITICAL' - timeout: 10m0s - output: 'trivy-results.sarif' - env: - TRIVY_USERNAME: ${{ github.repository_owner }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-results.sarif' - -# NEXT JOB ####################################################################### - changelog: - name: automated changelog using conventional commit - needs: [build-test-image, unit-test, integration-test, scan-image] - runs-on: ubuntu-latest - if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || 
github.event.action == 'reopened') - outputs: - TAG: ${{ steps.docker_tag.outputs.TAG }} - permissions: - contents: write - - steps: - - name: check out the repository with all releases - uses: actions/checkout@v4 - with: - persist-credentials: 'false' - ref: ${{github.event.repository.default_branch}} - - - name: conventional Changelog Action - id: changelog - uses: TriPSs/conventional-changelog-action@v5.1.0 - with: - github-token: ${{ secrets.RELEASE_MAIN }} - version-file: "./apps/web/package.json" - git-branch: ${{github.event.repository.default_branch}} - preset: "conventionalcommits" - input-file: "./apps/web/CHANGELOG.md" - output-file: "./apps/web/CHANGELOG.md" - tag-prefix: "v" - pre-release: "${{github.event_name == 'pull_request'}}" - pre-release-identifier: "alpha" - skip-on-empty: 'false' - skip-git-pull: true - - - name: Create Release - uses: actions/create-release@v1 - if: ${{ steps.changelog.outputs.skipped == 'false' }} - env: - GITHUB_TOKEN: ${{ secrets.RELEASE_MAIN }} - with: - tag_name: ${{ steps.changelog.outputs.tag }} - release_name: ${{ steps.changelog.outputs.tag }} - body: ${{ steps.changelog.outputs.clean_changelog }} - - - name: export tag for final build - id: docker_tag - run: | - echo "TAG=${{ steps.changelog.outputs.tag }}" >> $GITHUB_OUTPUT - -# NEXT JOB ####################################################################### - build-final-image: - name: Build Final Image - needs: [unit-test, integration-test, scan-image, changelog] - runs-on: ubuntu-latest - if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') - permissions: - contents: write - packages: write - pull-requests: write - - steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: 
${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Login to ghcr.io registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata for the Docker image - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ secrets.DOCKERHUB_USERNAME }}/cal.com - tags: type=raw,value=${{needs.changelog.outputs.TAG}} - - - - name: Comment on pull request - uses: marocchino/sticky-pull-request-comment@v2 - with: - header: final-image - message: | - image tag: ${{ steps.docker_meta.outputs.tags }} - image label: ${{ steps.docker_meta.outputs.labels }} - - - name: Add labels - uses: actions-ecosystem/action-add-labels@v1 - if: github.event_name == 'pull_request' - with: - labels: preview - - - name: Docker Build and Push to Docker Hub - uses: docker/build-push-action@v5 - with: - file: infra/docker/web/Dockerfile - push: true - tags: | - ${{ steps.docker_meta.outputs.tags }} - labels: ${{ steps.docker_meta.outputs.labels }} - cache-from: type=gha,scope=base - platforms: linux/amd64 - - -# NEXT JOB ####################################################################### - tag-manifest-update-compose: - name: Tag kubernetes manifest and update compose - needs: [unit-test, integration-test, scan-image, changelog, build-final-image] - runs-on: ubuntu-latest - if: github.event.pull_request.head.repo.full_name == github.repository && (github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened') - permissions: - contents: write - - steps: - - name: Set default values for manifest tag - run: | - echo "PUSH_MANIFEST_TAG='false'" >> $GITHUB_ENV - echo "ENABLE_PREVIEW='false'" >> $GITHUB_ENV - echo "REMOTE_REPO=''" >> $GITHUB_ENV - echo "REMOTE_WORKFLOW=''" >> $GITHUB_ENV - echo "PREVIEW_WORKFLOW=''" >> $GITHUB_ENV - - - name: Trigger Deployment Workflow - if: github.event_name == 
'pull_request' && github.base_ref == 'refs/heads/main' && env.PUSH_MANIFEST_TAG == 'true' && env.ENABLE_PREVIEW == 'true'
- uses: benc-uk/workflow-dispatch@v1
- with:
- workflow: ${{env.PREVIEW_WORKFLOW}}
- repo: ${{ env.REMOTE_REPO }}
- inputs: '{"image": "${{ secrets.DOCKERHUB_USERNAME }}/calcom:${{ needs.changelog.outputs.TAG }}" }'
- token: "${{ secrets.RELEASE_MAIN }}"
From ed817da1d2d693597d0e227d4b5b54fe2c9b0e69 Mon Sep 17 00:00:00 2001
From: ChichiCaleb
Date: Mon, 22 Jul 2024 07:01:21 -0700
Subject: [PATCH 27/27] update workflow name
---
 .github/workflows/docker-ci | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-ci b/.github/workflows/docker-ci
index a5a57645b23135..4d4c932b12cbee 100755
--- a/.github/workflows/docker-ci
+++ b/.github/workflows/docker-ci
@@ -1,5 +1,5 @@
 ---
-name: Docker Push/Merge Workflow
+name: Docker CI
 on:
 push: