-
Notifications
You must be signed in to change notification settings - Fork 1
153 lines (125 loc) · 3.98 KB
/
ci.yml
File metadata and controls
153 lines (125 loc) · 3.98 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
name: Deploy
concurrency:
group: production
cancel-in-progress: true
on:
pull_request:
push:
branches: [ main ]
jobs:
scan_ruby:
runs-on: ubuntu-latest
env:
RAILS_ENV: production
RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: .ruby-version
bundler-cache: true
- name: Scan for common Rails security vulnerabilities using static analysis
run: bin/brakeman --no-pager
lint:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: .ruby-version
bundler-cache: true
- name: Lint code for consistent style
run: bin/rubocop -f github
test:
runs-on: ubuntu-latest
steps:
- name: Install packages
run: sudo apt-get update && sudo apt-get install --no-install-recommends -y build-essential git libyaml-dev pkg-config google-chrome-stable
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: .ruby-version
bundler-cache: true
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Install Node.js dependencies
run: npm install
- name: Generate JS routes
run: bin/rails js:routes
- name: Build frontend assets
run: bin/rails assets:precompile
env:
SECRET_KEY_BASE_DUMMY: 1
- name: Prepare database
run: |
bin/rails db:test:prepare
- name: Run tests
env:
RAILS_ENV: test
run: |
bin/rails test
deploy:
needs: [scan_ruby, lint, test]
runs-on: ubuntu-latest
if: false # Deploy step disabled - change to true to re-enable
timeout-minutes: 20
env:
RAILS_ENV: production
DOCKER_BUILDKIT: 1
permissions:
contents: read
packages: write
attestations: write
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up SSH agent
uses: webfactory/ssh-agent@v0.9.0
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Set up Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: .ruby-version
bundler-cache: true
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: image=moby/buildkit:master
- name: Setup Rails master key
run: |
echo "${{ secrets.RAILS_MASTER_KEY }}" > config/master.key
chmod 600 config/master.key
- name: Login to DigitalOcean Container Registry
run: |
echo "${{ secrets.DOCKER_REGISTRY_TOKEN }}" | docker login registry.digitalocean.com/super-registry -u ${{ secrets.DOCKER_REGISTRY_TOKEN }} --password-stdin
- name: Set up SSH key manually (alternative to webfactory/ssh-agent)
run: |
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/my_key
chmod 600 ~/.ssh/my_key
eval $(ssh-agent -s)
ssh-add ~/.ssh/my_key
# Optionally add your server to known_hosts to avoid host verification prompts
ssh-keyscan -t rsa your.server.ip >> ~/.ssh/known_hosts
- name: Kamal Deploy
env:
DOCKER_REGISTRY_TOKEN: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
SMTP_USERNAME: ${{ secrets.SMTP_USERNAME }}
SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
RESEND_API_KEY: ${{ secrets.RESEND_API_KEY }}
ADMIN_PASSWORD: ${{ secrets.ADMIN_PASSWORD }}
run: |
bin/kamal lock release --verbose
bin/kamal redeploy --verbose