refactor: improve overall pipelines and fix deps (#23)

* refactor(dockerfile): use same approach as in https://github.com/opticrd/gob-do-portal * fix(build): use correct docker stage * refactor: use better `.gitignore` and add `.dockerignore` * fix(dockerfile): add application variables * refactor(actions): use reusable workflows * fix(deploy): add project param to reusable action * fix(deploy): remove extra param * fix(build): allow installation files * refactor(linter): use super-linter instead of custom approach * feat(ci): add yarn test * fix(build): use bigger timeout for first build * fix(ci): linter and tests execution * fix(deploy): do not require specific secrets * fix(deploy): use correct credentials secret * fix(ci): node matrix version * fix(test): try to build instead of test * fix(deps): remove AWS packages warnings * fix(build): yarn install only production deps from lockfile * fix(build): `--production` needs an argument * fix(deps): add missing dependencies * feat(test): add audit validation and check package integrity * lint: fix GitHub Actions warnings * fix(ci): use non-vulnerable `sweetalert` version * lint: fix remaining linter issues * build(deps): revert wrong removal
ogticrd · May 12, 2023 · cd6f95f · cd6f95f
1 parent 1b3ef8e
commit cd6f95f
Show file tree

Hide file tree

Showing 17 changed files with 5,596 additions and 1,135 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,23 @@
+# Before the docker CLI sends the context to the docker daemon, it looks for a file 
+# named .dockerignore in the root directory of the context. If this file exists, the 
+# CLI modifies the context to exclude files and directories that match patterns in it. 
+#
+# You may want to specify which files to include in the context, rather than which 
+# to exclude. To achieve this, specify * as the first pattern, followed by one or 
+# more ! exception patterns.
+# 
+# https://docs.docker.com/engine/reference/builder/#dockerignore-file
+
+# Exclude everything:
+#
+*
+
+# Now un-exclude required files and folders:
+#
+!public
+!src
+!*.js
+!*.ts
+!*.json
+!*.lock
+!*.env
diff --git a/.github/workflows/build-docker-image.yml b/.github/workflows/build-docker-image.yml
@@ -0,0 +1,109 @@
+name: Build docker image
+
+on:
+  workflow_call:
+    inputs:
+      app_name:
+        required: true
+        type: string
+      dockerfile_path:
+        required: true
+        type: string
+      dockerfile_target:
+        required: true
+        type: string
+      registry:
+        required: true
+        type: string
+    outputs:
+      image_digest:
+        description: 'The image digest to be used on a caller workflow'
+        value: ${{ jobs.build.outputs.image_digest }}
+
+jobs:
+  build:
+    name: Build images
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+    outputs:
+      image_digest: ${{ steps.docker_build.outputs.digest }}
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+      - uses: actions/checkout@v3.5.2
+        with:
+          persist-credentials: false
+
+      - name: Inject slug/short variables
+        uses: rlespinasse/github-slug-action@v4.4.1
+        with:
+          short-length: 7
+
+      # Automatic tag management and OCI Image Format Specification for labels
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4.4.0
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            ${{ inputs.registry }}/${{ inputs.app_name }}
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            type=schedule
+            # semver and ref,tag automatically add a "latest" tag, but only on stable releases
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=ref,event=tag
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+            # edge is the latest commit on the default branch.
+            type=edge,enable={{is_default_branch}}
+
+      # Setup Docker Buildx to allow use of docker cache layers from GH
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to Google Artifact Registry
+        uses: docker/login-action@v2.1.0
+        with:
+          registry: us-docker.pkg.dev
+          username: _json_key
+          password: ${{ secrets.GAR_JSON_KEY }}
+
+      # Build and push image to Google Artifact Registry, and possibly DockerHub
+      - name: Build & push
+        id: docker_build
+        uses: docker/build-push-action@v4.0.0
+        with:
+          target: ${{ inputs.dockerfile_target }}
+          context: .
+          file: ${{ inputs.dockerfile_path }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          push: true
+          build-args: |
+            NEXT_PUBLIC_IAM_API=${{ secrets.NEXT_PUBLIC_IAM_API }}
+            NEXT_PUBLIC_CEDULA_API=${{ secrets.NEXT_PUBLIC_CEDULA_API }}
+            NEXT_PUBLIC_CEDULA_API_KEY=${{ secrets.NEXT_PUBLIC_CEDULA_API_KEY }}
+            NEXT_PUBLIC_SITE_KEY=${{ secrets.NEXT_PUBLIC_SITE_KEY }}
+            NEXT_PUBLIC_PHOTO_API=${{ secrets.NEXT_PUBLIC_PHOTO_API }}
+            NEXT_PUBLIC_PHOTO_API_KEY=${{ secrets.NEXT_PUBLIC_PHOTO_API_KEY }}
+          # To improve build speeds, for each branch we push an additional image to the registry,
+          # to be used as the caching layer, using the `max` caching mode.
+          #
+          # We use multiple cache sources to confirm a cache hit, starting from a per-branch cache,
+          # and if there's no hit, then continue with the `main` branch. When changes are added to a PR,
+          # they are usually smaller than the diff between the PR and `main` branch. So this provides the
+          # best performance.
+          #
+          # The caches are tried in top-down order, the first available cache is used:
+          # https://github.com/moby/moby/pull/26839#issuecomment-277383550
+          cache-from: |
+            type=registry,ref=${{ inputs.registry }}/${{ inputs.app_name }}:${{ env.GITHUB_REF_SLUG_URL }}-cache
+            type=registry,ref=${{ inputs.registry }}/${{ inputs.app_name }}:${{ github.event.repository.default_branch }}-cache
+          cache-to: |
+            type=registry,ref=${{ inputs.registry }}/${{ inputs.app_name }}:${{ env.GITHUB_REF_SLUG_URL }}-cache,mode=max
diff --git a/.github/workflows/cloudrun-deploy.yml b/.github/workflows/cloudrun-deploy.yml
@@ -0,0 +1,84 @@
+name: Deploy to Cloud Run
+
+on:
+  workflow_call:
+    inputs:
+      image:
+        required: true
+        type: string
+      region:
+        required: true
+        type: string
+      project:
+        required: true
+        type: string
+      env_vars:
+        required: false
+        type: string
+
+jobs:
+  versioning:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.set.outputs.version }}
+    steps:
+      - name: Getting API Version
+        id: get
+        uses: actions/github-script@v6
+        if: ${{ github.event_name == 'release' }}
+        with:
+          result-encoding: string
+          script: |
+            return context.payload.release.tag_name.substring(0,2)
+      - name: Setting API Version
+        id: set
+        run: echo "version=${{ steps.get.outputs.result }}" >> "$GITHUB_OUTPUT"
+
+  deploy:
+    name: Deploy to Cloud Run
+    needs: ["versioning"]
+    timeout-minutes: 10
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    environment:
+      name: development
+      url: ${{ steps.deploy.outputs.url }}
+    steps:
+      - name: Inject slug/short variables
+        uses: rlespinasse/github-slug-action@v4.4.1
+
+      - name: Authenticate to GCP
+        id: auth
+        uses: google-github-actions/auth@v1.1.1
+        with:
+          credentials_json: ${{ secrets.GAR_JSON_KEY }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v1.1.1
+
+      - name: Deploy to cloud run
+        id: deploy
+        uses: google-github-actions/deploy-cloudrun@v1.0.2
+        with:
+          image: ${{ inputs.image }}
+          service: ${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG }}-${{ needs.versioning.outputs.version || env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}
+          credentials: ${{ secrets.credentials_json }}
+          region: ${{ inputs.region }}
+          env_vars: |
+            NEXT_PUBLIC_IAM_API=${{ secrets.NEXT_PUBLIC_IAM_API }},
+            NEXT_PUBLIC_CEDULA_API=${{ secrets.NEXT_PUBLIC_CEDULA_API }},
+            NEXT_PUBLIC_CEDULA_API_KEY=${{ secrets.NEXT_PUBLIC_CEDULA_API_KEY }},
+            NEXT_PUBLIC_SITE_KEY=${{ secrets.NEXT_PUBLIC_SITE_KEY }},
+            NEXT_PUBLIC_PHOTO_API=${{ secrets.NEXT_PUBLIC_PHOTO_API }},
+            NEXT_PUBLIC_PHOTO_API_KEY=${{ secrets.NEXT_PUBLIC_PHOTO_API_KEY }},
+            NEXT_PUBLIC_COOKIE_KEY=${{ secrets.NEXT_PUBLIC_COOKIE_KEY }},
+
+      - name: Allow unauthenticated calls to the service
+        run: |
+          gcloud run services add-iam-policy-binding ${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG }}-${{ env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} \
+          --region=${{ inputs.region }} --member=allUsers --role=roles/run.invoker --quiet
+
+      - name: Test service with cURL
+        run: curl "${{ steps.deploy.outputs.url }}"
diff --git a/.github/workflows/deploy-to-dev.yml b/.github/workflows/deploy-to-dev.yml
@@ -0,0 +1,40 @@
+name: Deploy to dev
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - "master"
+    paths:
+      - "**.js*"
+      - "**.ts*"
+      - "package*.json"
+      - "Dockerfile"
+      - "entrypoint.sh"
+      - ".github/workflows/deploy-to-dev.yml"
+
+concurrency:
+  # Ensures that only one workflow task will run at a time. Previous builds, if
+  # already in process, will get cancelled. Only the latest commit will be allowed
+  # to run, cancelling any workflows in between
+  group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    uses: ./.github/workflows/build-docker-image.yml
+    with:
+      dockerfile_path: ./Dockerfile
+      dockerfile_target: runner
+      app_name: auth-registry-frontend
+      registry: us-docker.pkg.dev/auth-do/auth-frontend
+    secrets: inherit
+
+  deploy:
+    needs: ['build']
+    uses: ./.github/workflows/cloudrun-deploy.yml
+    with:
+      project: auth-do
+      region: us-east1
+      image: us-docker.pkg.dev/auth-do/auth-frontend/auth-registry-frontend@${{ needs.build.outputs.image_digest }}
+    secrets: inherit
diff --git a/.github/workflows/deploy-to-prod.yml b/.github/workflows/deploy-to-prod.yml
@@ -0,0 +1,32 @@
+name: Deploy to production
+
+on:
+  release:
+    types:
+      - published
+
+concurrency:
+  # Ensures that only one workflow task will run at a time. Previous builds, if
+  # already in process, will get cancelled. Only the latest commit will be allowed
+  # to run, cancelling any workflows in between
+  group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    uses: ./.github/workflows/build-docker-image.yml
+    with:
+      dockerfile_path: ./Dockerfile
+      dockerfile_target: runner
+      app_name: auth-registry-frontend
+      registry: us-docker.pkg.dev/auth-do/auth-frontend
+    secrets: inherit
+
+  deploy:
+    needs: ['build']
+    uses: ./.github/workflows/cloudrun-deploy.yml
+    with:
+      project: auth-do
+      region: us-east1
+      image: us-docker.pkg.dev/auth-do/auth-frontend/auth-registry-frontend@${{ needs.build.outputs.image_digest }}
+    secrets: inherit
diff --git a/.github/workflows/deploy-to-staging.yml b/.github/workflows/deploy-to-staging.yml
@@ -0,0 +1,40 @@
+name: Deploy to staging
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "master"
+    paths:
+      - "**.js*"
+      - "**.ts*"
+      - "package*.json"
+      - "Dockerfile"
+      - "entrypoint.sh"
+      - ".github/workflows/deploy-to-dev.yml"
+
+concurrency:
+  # Ensures that only one workflow task will run at a time. Previous builds, if
+  # already in process, will get cancelled. Only the latest commit will be allowed
+  # to run, cancelling any workflows in between
+  group: ${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    uses: ./.github/workflows/build-docker-image.yml
+    with:
+      dockerfile_path: ./Dockerfile
+      dockerfile_target: runner
+      app_name: auth-registry-frontend
+      registry: us-docker.pkg.dev/auth-do/auth-frontend
+    secrets: inherit
+
+  deploy:
+    needs: ['build']
+    uses: ./.github/workflows/cloudrun-deploy.yml
+    with:
+      project: auth-do
+      region: us-east1
+      image: us-docker.pkg.dev/auth-do/auth-frontend/auth-registry-frontend@${{ needs.build.outputs.image_digest }}
+    secrets: inherit