chore(docker)(deps): bump rust from 1.82-slim-bookworm to 1.92-slim-bookworm in /services/analytics-api #25
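# CI pipeline for services/analytics-api: lint, test, scan, then build and
# (on pushes to long-lived branches) publish the container image.
#
# Security posture of this workflow:
#   * GITHUB_TOKEN is read-only by default; each job opts in to exactly the
#     extra scopes it needs (SARIF upload, package push).
#   * Dependency, filesystem, image and secret scans are BLOCKING, and the
#     final quality gate requires the security job to have succeeded. Before
#     this change the scans could never fail the run (`|| echo`,
#     `continue-on-error: true`, `exit-code: '0'`) and the gate ignored them.
#   * The container image is scanned BEFORE it is pushed to the registry.
#
# Third-party actions are referenced by tag. A tag is mutable and can be
# retargeted by the action's maintainer (or an attacker who compromises the
# action repo); pin to full commit SHAs if action supply chain is in scope.
name: CI Pipeline

on:
  pull_request:
    branches: [main, develop, release/*]
  push:
    branches: [main, develop, release/*]

# Least-privilege default for GITHUB_TOKEN across all jobs.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}/analytics-api

jobs:
  # ============================================================
  # Job 1: Code Quality & Linting
  # ============================================================
  code-quality:
    name: Code Quality
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # `stable` is a branch of this action, not a release tag; it moves.
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt, clippy

      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: ~/.cargo/registry/index
          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-registry-

      - name: Cache cargo git
        uses: actions/cache@v4
        with:
          path: ~/.cargo/git/db
          key: ${{ runner.os }}-cargo-git-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-git-

      # NOTE(review): `target` is resolved from the repository root, but every
      # cargo invocation below runs in services/analytics-api. If that
      # directory is its own cargo workspace, the build output lands in
      # services/analytics-api/target and this cache is never populated —
      # confirm against the repo layout.
      - name: Cache cargo build
        uses: actions/cache@v4
        with:
          path: target
          key: ${{ runner.os }}-cargo-build-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('**/*.rs') }}
          restore-keys: |
            ${{ runner.os }}-cargo-build-${{ hashFiles('**/Cargo.lock') }}-
            ${{ runner.os }}-cargo-build-

      - name: Check code formatting
        run: cargo fmt --all -- --check
        working-directory: services/analytics-api

      - name: Run clippy
        run: cargo clippy --all-targets --all-features -- -D warnings
        working-directory: services/analytics-api

      - name: Check documentation
        run: cargo doc --no-deps --all-features
        env:
          RUSTDOCFLAGS: "-D warnings"
        working-directory: services/analytics-api

  # ============================================================
  # Job 2: Unit Tests
  # ============================================================
  unit-tests:
    name: Unit Tests
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # Ephemeral backing services, reachable only from this runner.
    # `latest-pg15` is a moving tag; pin to a digest for reproducible runs.
    services:
      postgres:
        image: timescale/timescaledb:latest-pg15
        env:
          POSTGRES_USER: test_user
          POSTGRES_PASSWORD: test_password
          POSTGRES_DB: test_db
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432
      redis:
        image: redis:7-alpine
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 6379:6379
    # Throwaway credentials for the service containers above. They are not
    # secrets: the containers live only for this job and are bound to
    # localhost on the runner. Never reuse these values outside CI.
    env:
      DATABASE_URL: postgres://test_user:test_password@localhost:5432/test_db
      REDIS_URL: redis://localhost:6379/0
      JWT_SECRET: test-secret-key-for-ci-testing-only-minimum-32-chars
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Restore cargo cache
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/git/db
            target
          key: ${{ runner.os }}-cargo-test-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('**/*.rs') }}
          restore-keys: |
            ${{ runner.os }}-cargo-test-${{ hashFiles('**/Cargo.lock') }}-
            ${{ runner.os }}-cargo-test-

      # `--locked` honours the tool's own lockfile, but the tool version itself
      # floats; add `--version X.Y.Z` to make the toolchain reproducible.
      - name: Install sqlx-cli
        run: cargo install sqlx-cli --no-default-features --features postgres --locked

      # NOTE(review): this step runs from the repository root while the cargo
      # steps use services/analytics-api — confirm crates/storage really lives
      # at the root, otherwise add the same working-directory here.
      - name: Run database migrations
        run: |
          cd crates/storage
          sqlx migrate run

      - name: Install cargo-tarpaulin
        run: cargo install cargo-tarpaulin --locked

      - name: Run unit tests with coverage
        run: |
          cargo tarpaulin --out Xml --output-dir ./coverage --workspace --exclude-files 'target/*' --timeout 300
        working-directory: services/analytics-api

      # CODECOV_TOKEN is empty on pull requests from forks (secrets are not
      # exposed there); fail_ci_if_error stays false so that is not fatal.
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v4
        with:
          files: ./services/analytics-api/coverage/cobertura.xml
          flags: unittests
          name: unit-tests
          fail_ci_if_error: false
          token: ${{ secrets.CODECOV_TOKEN }}

      # Advisory only: prints a warning below the 90% threshold, never fails.
      - name: Check test coverage threshold
        run: |
          if [ -f coverage/cobertura.xml ]; then
            COVERAGE=$(grep -oP 'line-rate="\K[0-9.]+' coverage/cobertura.xml | head -1)
            # An empty match would otherwise feed bc an invalid expression.
            COVERAGE=${COVERAGE:-0.0}
            COVERAGE_PCT=$(echo "$COVERAGE * 100" | bc -l)
            echo "Coverage: $COVERAGE_PCT%"
            if (( $(echo "$COVERAGE_PCT < 90" | bc -l) )); then
              echo "⚠️ Warning: Coverage $COVERAGE_PCT% is below 90% threshold"
              echo "This is a warning - not blocking the build"
            else
              echo "✅ Coverage $COVERAGE_PCT% meets threshold"
            fi
          else
            echo "⚠️ Warning: Coverage report not found - skipping check"
          fi
        working-directory: services/analytics-api

  # ============================================================
  # Job 3: Integration Tests
  # ============================================================
  integration-tests:
    name: Integration Tests
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: [code-quality]
    # Same ephemeral services and throwaway credentials as the unit-test job.
    services:
      postgres:
        image: timescale/timescaledb:latest-pg15
        env:
          POSTGRES_USER: test_user
          POSTGRES_PASSWORD: test_password
          POSTGRES_DB: test_db
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432
      redis:
        image: redis:7-alpine
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 6379:6379
    env:
      DATABASE_URL: postgres://test_user:test_password@localhost:5432/test_db
      REDIS_URL: redis://localhost:6379/0
      JWT_SECRET: test-secret-key-for-ci-testing-only-minimum-32-chars
      RUST_LOG: info
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      - name: Restore cargo cache
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index
            ~/.cargo/git/db
            target
          key: ${{ runner.os }}-cargo-test-${{ hashFiles('**/Cargo.lock') }}-${{ hashFiles('**/*.rs') }}
          restore-keys: |
            ${{ runner.os }}-cargo-test-${{ hashFiles('**/Cargo.lock') }}-
            ${{ runner.os }}-cargo-test-

      - name: Install sqlx-cli
        run: cargo install sqlx-cli --no-default-features --features postgres --locked

      # NOTE(review): runs from the repository root — see the unit-test job.
      - name: Run database migrations
        run: |
          cd crates/storage
          sqlx migrate run

      - name: Run integration tests
        run: cargo test --test '*' -- --test-threads=1 --nocapture
        working-directory: services/analytics-api

  # ============================================================
  # Job 4: Security Scanning (blocking)
  # ============================================================
  security-scan:
    name: Security Scanning
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      security-events: write # upload-sarif writes to the code-scanning API
    steps:
      # Full history so gitleaks can scan past commits, not just the checkout.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable

      # cargo-audit exits non-zero on crates with known vulnerabilities, which
      # now fails the job. `--deny warnings` (unmaintained/yanked crates) was
      # dropped so the gate is about exploitable advisories; re-add it once
      # those warnings have been triaged.
      - name: Run cargo audit
        run: |
          cargo install cargo-audit --locked
          cargo audit
        working-directory: services/analytics-api

      # cargo-deny applies the policy in deny.toml; it is blocking as well.
      - name: Install cargo-deny
        run: cargo install cargo-deny --locked

      - name: Run cargo deny
        run: cargo deny check advisories
        working-directory: services/analytics-api

      # Trivy: fail on CRITICAL/HIGH findings that have a fix available.
      # Pinned to a release instead of the `master` branch.
      - name: Run Trivy vulnerability scanner (filesystem)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          scan-ref: './services/analytics-api'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
          exit-code: '1'

      # Upload even when the scan failed the step, but only if it produced a
      # report (an earlier failure leaves no file and the upload would error).
      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always() && hashFiles('trivy-results.sarif') != ''
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Gitleaks scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # ============================================================
  # Job 5: Build, scan, then push container
  # ============================================================
  build:
    name: Build & Push Container
    runs-on: ubuntu-latest
    timeout-minutes: 45
    needs: [unit-tests, integration-tests, security-scan]
    permissions:
      contents: read
      packages: write
      security-events: write # image-scan SARIF upload
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,prefix={{branch}}-

      # Phase 1: build into the local Docker daemon without pushing, so the
      # image can be scanned before anything reaches the registry. Runs on
      # pull requests too, so a vulnerable base image blocks the merge.
      - name: Build image for scanning
        uses: docker/build-push-action@v5
        with:
          context: .
          file: services/analytics-api/Dockerfile
          load: true
          push: false
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:ci-scan
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            BUILDKIT_INLINE_CACHE=1

      # Scans the locally loaded image by its fixed scan tag. The previous
      # `:${{ github.ref_name }}` reference broke for `release/*` branches,
      # whose `/` metadata-action rewrites in the pushed tag, and scanned an
      # image that had already been published.
      - name: Scan container image
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:ci-scan
          format: 'sarif'
          output: 'trivy-image-results.sarif'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
          exit-code: '1'

      - name: Upload image scan results
        if: always() && hashFiles('trivy-image-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-image-results.sarif'

      # Phase 2: push with the real tags. Every layer is a BuildKit cache hit
      # from phase 1, so this only assembles the manifest and uploads it.
      - name: Push Docker image
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@v5
        with:
          context: .
          file: services/analytics-api/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          build-args: |
            BUILDKIT_INLINE_CACHE=1

  # ============================================================
  # Job 6: Quality Gates
  # ============================================================
  quality-gates:
    name: Quality Gates
    runs-on: ubuntu-latest
    needs: [code-quality, unit-tests, integration-tests, security-scan, build]
    if: always()
    steps:
      # Job results are passed through env rather than expanded inside the
      # script body, so the shell never sees `${{ }}` substitution at all.
      # The security-scan result is now part of the gate; previously it was
      # printed but never checked.
      - name: Check job statuses
        env:
          CODE_QUALITY: ${{ needs.code-quality.result }}
          UNIT_TESTS: ${{ needs.unit-tests.result }}
          INTEGRATION_TESTS: ${{ needs.integration-tests.result }}
          SECURITY_SCAN: ${{ needs.security-scan.result }}
          BUILD: ${{ needs.build.result }}
        run: |
          echo "Checking quality gates..."
          echo "Code Quality: $CODE_QUALITY"
          echo "Unit Tests: $UNIT_TESTS"
          echo "Integration Tests: $INTEGRATION_TESTS"
          echo "Security Scan: $SECURITY_SCAN"
          echo "Build: $BUILD"
          failed=0
          for gate in CODE_QUALITY UNIT_TESTS INTEGRATION_TESTS SECURITY_SCAN BUILD; do
            if [ "${!gate}" != "success" ]; then
              echo "❌ $gate did not succeed (${!gate})"
              failed=1
            fi
          done
          if [ "$failed" -ne 0 ]; then
            echo "❌ Quality gates failed!"
            exit 1
          fi
          echo "✅ All quality gates passed!"
          echo "  - Code quality and linting ✓"
          echo "  - Unit tests ✓"
          echo "  - Integration tests ✓"
          echo "  - Security scanning ✓"
          echo "  - Container build ✓"
          echo ""
          echo "Ready for deployment!"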