fix: (v1.2.0) fully disable Rack Attack #2401
# CI/CD pipeline: lint, test, build the image, deploy per branch, cut releases.
# NOTE(review): no `permissions:` key appears in this workflow, so every job's
# GITHUB_TOKEN carries the repository's default scopes. Declaring least-privilege
# permissions per job would limit what a compromised step can reach.
name: CI/CD

# Any push to any branch starts the pipeline; several jobs then filter on github.ref.
on:
  - push

# Environment shared by all jobs.
env:
  CI: 'true'
  SIMPLECOV: 'true'
  RSPEC_FORMAT: 'documentation'
  RUBY_VERSION: '2.7.5'
  RAILS_ENV: 'test'
  NODE_VERSION: '16.9.1'
  RUBYOPT: "-W:no-deprecated"
  # Set locales available for i18n tasks
  ENFORCED_LOCALES: 'en,fr'
  AVAILABLE_LOCALES: 'en,fr'

jobs:
# Job: check out the pushed commit and run the third-party issue-from-comment action.
  todo:
    runs-on: ubuntu-latest
    name: "TODO"
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1
      # NOTE(review): `@v4` is a movable tag on a third-party action; pinning to
      # a full commit SHA keeps the executed code from changing under this ref.
      - uses: alstr/todo-to-issue-action@v4
        name: TODO to Issue
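# Job: run the organisation's lint action with the shared Ruby/Node versions.
  lint:
    name: Lint code
    runs-on: ubuntu-latest
    # This workflow triggers only on `push`, and github.head_ref is populated
    # for pull_request events only, so the earlier head_ref test was always
    # true and never skipped the job. Match the pushed branch via github.ref.
    if: "!startsWith(github.ref, 'refs/heads/chore/l10n')"
    timeout-minutes: 60
    steps:
      # Runs on every branch except develop; receives the job's GITHUB_TOKEN.
      - uses: rokroskar/workflow-run-cleanup-action@v0.3.0
        if: "github.ref != 'refs/heads/develop'"
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      # NOTE(review): `@master` is a mutable branch ref, so the code this step
      # executes can change without any commit here. Pin to a full commit SHA.
      - uses: OpenSourcePolitics/lint-action@master
        with:
          ruby_version: ${{ env.RUBY_VERSION }}
          node_version: ${{ env.NODE_VERSION }}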
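# Job: RSpec run that passes `exclude` with the spec/system pattern, in two slices.
  tests:
    strategy:
      # Let the other slice finish even when one fails.
      fail-fast: false
      matrix:
        slice: ["0-2", "1-2"]
    name: Tests
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:11
        ports: ["5432:5432"]
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        env:
          # Fixed credential for the job-local service container only.
          POSTGRES_PASSWORD: postgres
    env:
      DATABASE_USERNAME: postgres
      DATABASE_PASSWORD: postgres
      DATABASE_HOST: localhost
    steps:
      # The condition used `||` between the two inequalities, which holds for
      # every ref, so the step also ran on master and develop. `&&` restricts
      # it to all other branches.
      # NOTE(review): the lint job uses v0.3.0 of this action; versions differ.
      - uses: rokroskar/workflow-run-cleanup-action@v0.2.2
        if: "github.ref != 'refs/heads/master' && github.ref != 'refs/heads/develop'"
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ env.RUBY_VERSION }}
          bundler-cache: true
      - uses: actions/setup-node@v3
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Install dependencies
        run: yarn install --prefer-offline --frozen-lockfile
      - name: Create db
        run: |
          bundle exec rails parallel:create parallel:migrate
      - name: Register cache hash
        id: cache-hash
        # Write the step output to the $GITHUB_OUTPUT file. The `::set-output`
        # stdout command is deprecated: anything a tool prints to the log could
        # be parsed as a workflow command.
        run: |
          echo "hash=$(bundle exec rake test:assets_hash)" >> "$GITHUB_OUTPUT"
      # NOTE(review): `@master` is a mutable branch ref; pin to a full commit SHA.
      - uses: OpenSourcePolitics/cache-precompile-action@master
        with:
          key: asset-cache-${{ runner.os }}-${{ steps.cache-hash.outputs.hash }}
      - run: mkdir -p ./spec/tmp/screenshots
        name: Create the screenshots folder
      # TODO: Use latest version
      - uses: nanasess/setup-chromedriver@v2
        with:
          chromedriver-version: "114.0.5735.90"
      # matrix.slice comes from the static list above, not from event data.
      - run: bundle exec rake "test:run[exclude, spec/system/**/*_spec.rb, ${{ matrix.slice }}]"
        name: RSpec
      - run: ./.github/upload_coverage.sh decidim-app "$GITHUB_EVENT_PATH"
        name: Upload coverage
      # Both uploads run even after a failed step so the evidence is kept.
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: screenshots
          path: ./spec/tmp/screenshots
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: assets-manifest-${{ matrix.slice }}
          path: ./tmp/assets_manifest.json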
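# Job: RSpec run that passes `include` with the spec/system pattern, in four slices.
  system_tests:
    strategy:
      # No `fail-fast: false` here (the tests job sets it), so the default
      # applies and one failing slice cancels the others.
      matrix:
        slice: ["0-4", "1-4", "2-4", "3-4"]
    name: System tests
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:11
        ports: ["5432:5432"]
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        env:
          # Fixed credential for the job-local service container only.
          POSTGRES_PASSWORD: postgres
    env:
      DATABASE_USERNAME: postgres
      DATABASE_PASSWORD: postgres
      DATABASE_HOST: localhost
    steps:
      # The condition used `||` between the two inequalities, which holds for
      # every ref, so the step also ran on master and develop. `&&` restricts
      # it to all other branches.
      # NOTE(review): the lint job uses v0.3.0 of this action; versions differ.
      - uses: rokroskar/workflow-run-cleanup-action@v0.2.2
        if: "github.ref != 'refs/heads/master' && github.ref != 'refs/heads/develop'"
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      - uses: actions/checkout@v3
        with:
          fetch-depth: 1
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ env.RUBY_VERSION }}
          bundler-cache: true
      - uses: actions/setup-node@v3
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Install dependencies
        run: yarn install --prefer-offline --frozen-lockfile
      - name: Create db
        run: |
          bundle exec rails parallel:create parallel:migrate
      - name: Register cache hash
        id: cache-hash
        # Write the step output to the $GITHUB_OUTPUT file. The `::set-output`
        # stdout command is deprecated: anything a tool prints to the log could
        # be parsed as a workflow command.
        run: |
          echo "hash=$(bundle exec rake test:assets_hash)" >> "$GITHUB_OUTPUT"
      # NOTE(review): `@master` is a mutable branch ref; pin to a full commit SHA.
      - uses: OpenSourcePolitics/cache-precompile-action@master
        with:
          key: asset-cache-${{ runner.os }}-${{ steps.cache-hash.outputs.hash }}
      - run: mkdir -p ./spec/tmp/screenshots
        name: Create the screenshots folder
      # TODO: Use latest version
      - uses: nanasess/setup-chromedriver@v2
        with:
          chromedriver-version: "114.0.5735.90"
      # matrix.slice comes from the static list above, not from event data.
      - run: bundle exec rake "test:run[include, spec/system/**/*_spec.rb, ${{ matrix.slice }}]"
        name: RSpec
      - run: ./.github/upload_coverage.sh decidim-app "$GITHUB_EVENT_PATH"
        name: Upload coverage
      # Both uploads run even after a failed step so the evidence is kept.
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: screenshots
          path: ./spec/tmp/screenshots
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: assets-manifest-${{ matrix.slice }}
          path: ./tmp/assets_manifest.json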
# Job: hand registry and database settings to the organisation's image build-and-test action.
  test_build:
    runs-on: ubuntu-latest
    name: 'Test build docker image'
    env:
      DATABASE_USERNAME: 'postgres'
      DATABASE_PASSWORD: 'postgres'
      # Not localhost: the other test jobs use localhost for the same service.
      DATABASE_HOST: 'host.docker.internal'
    services:
      postgres:
        image: 'postgres:11'
        ports:
          - '5432:5432'
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        env:
          # Fixed credential for the job-local service container only.
          POSTGRES_PASSWORD: 'postgres'
    steps:
      # NOTE(review): this step receives the registry credential (secrets.TOKEN)
      # while pinned to the mutable `master` branch. Pinning to a full commit
      # SHA keeps unreviewed changes to the action away from the secret.
      - uses: OpenSourcePolitics/build-and-test-images-action@master
        with:
          registry: ${{ vars.REGISTRY_ENDPOINT }}
          namespace: ${{ vars.REGISTRY_NAMESPACE }}
          image_name: ${{ vars.IMAGE_NAME }}
          # github.ref is the full ref (refs/heads/<branch>), not a short name.
          # NOTE(review): confirm the action sanitises it before using it as a tag.
          tag: ${{ github.ref }}
          password: ${{ secrets.TOKEN }}
          database_username: ${{ env.DATABASE_USERNAME }}
          database_password: ${{ env.DATABASE_PASSWORD }}
          database_host: ${{ env.DATABASE_HOST }}
# Job: after all checks pass on develop, run the Ansible playbook over SSH.
  deploy_develop:
    name: Deploy develop branch on develop instance
    runs-on: ubuntu-latest
    if: "github.ref == 'refs/heads/develop'"
    needs:
      - lint
      - tests
      - system_tests
      - test_build
    steps:
      # NOTE(review): no host-key fingerprint is passed to the SSH step, and
      # `@v0.1.4` is a movable tag. Confirm the server identity is verified, and
      # pin the action to a commit SHA, because it receives the private key.
      - name: Run Ansible playbook
        uses: appleboy/ssh-action@v0.1.4
        with:
          host: ${{ secrets.ANSIBLE_HOST }}
          username: ${{ secrets.ANSIBLE_USERNAME }}
          key: ${{ secrets.ANSIBLE_KEY }}
          port: ${{ secrets.SSH_PORT }}
          # Folded to one line. The secret value is spliced into the command
          # text before it is sent, so it must not contain shell metacharacters.
          script: >-
            ansible-playbook
            -u ${{ secrets.ANSIBLE_USERNAME }}
            --private-key="~/.ssh/ansible-deploy/ansible-deploy"
            -i /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/inventories/develop.yml
            /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/playbooks/update_decidim_app.yml
# Job: after all checks pass on rc, run the Ansible playbook over SSH.
  deploy_rc:
    name: Deploy rc branch on RC instance
    runs-on: ubuntu-latest
    if: "github.ref == 'refs/heads/rc'"
    needs:
      - lint
      - tests
      - system_tests
      - test_build
    steps:
      # NOTE(review): no host-key fingerprint is passed to the SSH step, and
      # `@v0.1.4` is a movable tag. Confirm the server identity is verified, and
      # pin the action to a commit SHA, because it receives the private key.
      - name: Run Ansible playbook
        uses: appleboy/ssh-action@v0.1.4
        with:
          host: ${{ secrets.ANSIBLE_HOST }}
          username: ${{ secrets.ANSIBLE_USERNAME }}
          key: ${{ secrets.ANSIBLE_KEY }}
          port: ${{ secrets.SSH_PORT }}
          # Folded to one line. The secret value is spliced into the command
          # text before it is sent, so it must not contain shell metacharacters.
          script: >-
            ansible-playbook
            -u ${{ secrets.ANSIBLE_USERNAME }}
            --private-key="~/.ssh/ansible-deploy/ansible-deploy"
            -i /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/inventories/rc.yml
            /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/playbooks/update_decidim_app.yml
# Job: after all checks pass on master, run the Ansible playbook over SSH.
  deploy_staging:
    # The display name says "staging branch"; the condition below matches master.
    name: Deploy staging branch on staging instance
    runs-on: ubuntu-latest
    if: "github.ref == 'refs/heads/master'"
    needs:
      - lint
      - tests
      - system_tests
      - test_build
    steps:
      # NOTE(review): no host-key fingerprint is passed to the SSH step, and
      # `@v0.1.4` is a movable tag. Confirm the server identity is verified, and
      # pin the action to a commit SHA, because it receives the private key.
      - name: Run Ansible playbook
        uses: appleboy/ssh-action@v0.1.4
        with:
          host: ${{ secrets.ANSIBLE_HOST }}
          username: ${{ secrets.ANSIBLE_USERNAME }}
          key: ${{ secrets.ANSIBLE_KEY }}
          port: ${{ secrets.SSH_PORT }}
          # Folded to one line. The secret value is spliced into the command
          # text before it is sent, so it must not contain shell metacharacters.
          script: >-
            ansible-playbook
            -u ${{ secrets.ANSIBLE_USERNAME }}
            --private-key="~/.ssh/ansible-deploy/ansible-deploy"
            -i /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/inventories/staging.yml
            /home/${{ secrets.ANSIBLE_USERNAME }}/ansible/decidim/playbooks/update_decidim_app.yml
# Job: on develop, once all checks pass, build the image and push it tagged `develop`.
  build_and_push_image_dev:
    name: 'Build and push image to Registry'
    runs-on: ubuntu-latest
    needs:
      - lint
      - tests
      - system_tests
      - test_build
    if: "github.ref == 'refs/heads/develop'"
    steps:
      # NOTE(review): this step receives the registry credential (secrets.TOKEN)
      # while pinned to the mutable `master` branch, so whatever that branch
      # holds at run time can publish images. Pin to a full commit SHA.
      - uses: OpenSourcePolitics/build-and-push-images-action@master
        with:
          registry: ${{ vars.REGISTRY_ENDPOINT }}
          namespace: ${{ vars.REGISTRY_NAMESPACE }}
          password: ${{ secrets.TOKEN }}
          image_name: ${{ vars.IMAGE_NAME }}
          tag: 'develop'
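# Job: on master, once all checks pass, tag, publish a release and push the image.
  generate_release:
    name: Generate release
    needs: [lint, tests, system_tests, test_build]
    if: "github.ref == 'refs/heads/master'"
    runs-on: ubuntu-latest
    steps:
      # Aligned with the v3 checkout used by the other jobs (was v2).
      - uses: actions/checkout@v3
      # Uses the job's GITHUB_TOKEN to push the new tag.
      # NOTE(review): with no `permissions:` block the token keeps the
      # repository default scopes; this job appears to need only contents write.
      - uses: mathieudutour/github-tag-action@v6.1
        name: Bump version and push tag
        id: tag_version
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - uses: ncipollo/release-action@v1
        name: Create a GitHub release
        with:
          generateReleaseNotes: true
          tag: ${{ steps.tag_version.outputs.new_tag }}
          name: Release ${{ steps.tag_version.outputs.new_tag }}
          body: ${{ steps.tag_version.outputs.changelog }}
      # NOTE(review): the release image is published by an action pinned to the
      # mutable `master` branch, and it receives the registry credential. Pin to
      # a full commit SHA so the release path runs only reviewed code.
      - uses: OpenSourcePolitics/build-and-push-images-action@master
        with:
          registry: ${{ vars.REGISTRY_ENDPOINT }}
          namespace: ${{ vars.REGISTRY_NAMESPACE }}
          password: ${{ secrets.TOKEN }}
          image_name: ${{ vars.IMAGE_NAME }}
          tag: ${{ steps.tag_version.outputs.new_tag }}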