mirror of
https://github.com/element-hq/matrix-authentication-service.git
synced 2026-05-05 11:36:07 +00:00
dependabot[bot]
18a74f6e7e
Bumps [open-policy-agent/setup-opa](https://github.com/open-policy-agent/setup-opa) from 2.0.1 to 2.1.0. - [Release notes](https://github.com/open-policy-agent/setup-opa/releases) - [Commits](https://github.com/open-policy-agent/setup-opa/compare/v2.0.1...v2.1.0) --- updated-dependencies: - dependency-name: open-policy-agent/setup-opa dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
469 lines
12 KiB
YAML
469 lines
12 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [ main ]
|
|
pull_request:
|
|
branches: [ main ]
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
CARGO_NET_GIT_FETCH_WITH_CLI: "true"
|
|
|
|
jobs:
|
|
opa-lint:
|
|
name: Lint and test OPA policies
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3.5.3
|
|
|
|
- name: Setup OPA
|
|
uses: open-policy-agent/setup-opa@v2.1.0
|
|
with:
|
|
version: 0.53.1
|
|
|
|
- name: Lint policies
|
|
working-directory: ./policies
|
|
run: make lint
|
|
|
|
- name: Run OPA tests
|
|
working-directory: ./policies
|
|
run: make test
|
|
|
|
- name: Run OPA tests with coverage
|
|
working-directory: ./policies
|
|
run: make coverage
|
|
|
|
- name: Upload to codecov.io
|
|
uses: codecov/codecov-action@v3.1.4
|
|
with:
|
|
files: policies/coverage.json
|
|
flags: policies
|
|
|
|
frontend-lint:
|
|
name: Check frontend style
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3.5.3
|
|
|
|
- name: Install Node
|
|
uses: actions/setup-node@v3.6.0
|
|
with:
|
|
node-version: 18
|
|
cache: 'npm'
|
|
cache-dependency-path: frontend/package-lock.json
|
|
|
|
- name: Install Node dependencies
|
|
working-directory: ./frontend
|
|
run: npm ci
|
|
|
|
- name: Lint
|
|
working-directory: ./frontend
|
|
run: npm run lint
|
|
|
|
|
|
frontend-test:
|
|
name: Run the frontend test suite
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3.5.3
|
|
|
|
- name: Install Node
|
|
uses: actions/setup-node@v3.6.0
|
|
with:
|
|
node-version: 18
|
|
cache: 'npm'
|
|
cache-dependency-path: frontend/package-lock.json
|
|
|
|
- name: Install Node dependencies
|
|
working-directory: ./frontend
|
|
run: npm ci
|
|
|
|
- name: Test
|
|
working-directory: ./frontend
|
|
run: npm run coverage
|
|
|
|
- name: Upload to codecov.io
|
|
uses: codecov/codecov-action@v3.1.4
|
|
with:
|
|
directory: frontend/coverage/
|
|
flags: frontend
|
|
|
|
|
|
rustfmt:
|
|
name: Check Rust style
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3.5.3
|
|
|
|
- name: Install toolchain
|
|
run: |
|
|
rustup toolchain install nightly
|
|
rustup default nightly
|
|
rustup component add rustfmt
|
|
|
|
- name: Check style
|
|
run: cargo fmt --all -- --check
|
|
|
|
|
|
check-schema:
|
|
name: Check schema
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3.5.3
|
|
|
|
- name: Install Rust toolchain
|
|
run: |
|
|
rustup toolchain install stable
|
|
rustup default stable
|
|
|
|
- name: Setup Rust cache
|
|
uses: Swatinem/rust-cache@v2.4.0
|
|
|
|
- name: Install Node
|
|
uses: actions/setup-node@v3.6.0
|
|
with:
|
|
node-version: 18
|
|
cache: 'npm'
|
|
cache-dependency-path: frontend/package-lock.json
|
|
|
|
- name: Install Node dependencies
|
|
working-directory: ./frontend
|
|
run: npm ci
|
|
|
|
- name: Update the schemas
|
|
run: sh ./misc/update.sh
|
|
|
|
- name: Check that the workspace is clean
|
|
run: |
|
|
[[ -z $(git status -s) ]]
|
|
|
|
|
|
clippy:
|
|
name: Run Clippy
|
|
needs: [rustfmt, opa-lint]
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3.5.3
|
|
|
|
- name: Install toolchain
|
|
run: |
|
|
rustup toolchain install 1.70.0
|
|
rustup default 1.70.0
|
|
rustup component add clippy
|
|
|
|
- name: Setup OPA
|
|
uses: open-policy-agent/setup-opa@v2.1.0
|
|
with:
|
|
version: 0.53.1
|
|
|
|
- name: Compile OPA policies
|
|
working-directory: ./policies
|
|
run: make
|
|
|
|
- name: Setup Rust cache
|
|
uses: Swatinem/rust-cache@v2.4.0
|
|
|
|
- name: Run clippy
|
|
run: |
|
|
cargo clippy --workspace --tests --bins --lib -- -D warnings
|
|
|
|
|
|
test:
|
|
name: Run test suite with Rust ${{ matrix.toolchain }}
|
|
needs: [rustfmt, opa-lint]
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
strategy:
|
|
fail-fast: false # Continue other jobs if one fails to help filling the cache
|
|
matrix:
|
|
toolchain:
|
|
- stable
|
|
- beta
|
|
- nightly
|
|
|
|
services:
|
|
postgres:
|
|
image: docker.io/library/postgres:15.1
|
|
env:
|
|
POSTGRES_USER: postgres
|
|
POSTGRES_PASSWORD: postgres
|
|
POSTGRES_DB: postgres
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
- "5432:5432"
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3.5.3
|
|
|
|
- name: Install toolchain
|
|
run: |
|
|
rustup toolchain install ${{ matrix.toolchain }}
|
|
rustup default ${{ matrix.toolchain }}
|
|
|
|
- name: Setup OPA
|
|
uses: open-policy-agent/setup-opa@v2.1.0
|
|
with:
|
|
version: 0.53.1
|
|
|
|
- name: Compile OPA policies
|
|
working-directory: ./policies
|
|
run: make
|
|
|
|
- name: Setup Rust cache
|
|
uses: Swatinem/rust-cache@v2.4.0
|
|
|
|
- name: Test
|
|
id: test
|
|
env:
|
|
DATABASE_URL: postgresql://postgres:postgres@localhost/postgres
|
|
SQLX_OFFLINE: '1'
|
|
run: |
|
|
cargo test --workspace
|
|
|
|
# Ignore errors on the nightly toolchain
|
|
continue-on-error: "${{ matrix.toolchain == 'nightly' }}"
|
|
|
|
- name: Emit error annotation on failures
|
|
if: steps.test.outcome == 'failure'
|
|
run: |
|
|
echo "::error ::Test suite failed on ${{ matrix.toolchain }} toolchain"
|
|
|
|
|
|
coverage:
|
|
name: Code coverage
|
|
needs: [rustfmt, opa-lint]
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
services:
|
|
postgres:
|
|
image: docker.io/library/postgres:15.1
|
|
env:
|
|
POSTGRES_USER: postgres
|
|
POSTGRES_PASSWORD: postgres
|
|
POSTGRES_DB: postgres
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
- "5432:5432"
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3.5.3
|
|
|
|
- name: Install toolchain
|
|
run: |
|
|
rustup toolchain install stable
|
|
rustup default stable
|
|
rustup component add llvm-tools-preview
|
|
|
|
- name: Setup OPA
|
|
uses: open-policy-agent/setup-opa@v2.1.0
|
|
with:
|
|
version: 0.53.1
|
|
|
|
- name: Compile OPA policies
|
|
working-directory: ./policies
|
|
run: make
|
|
|
|
- name: Setup Rust cache
|
|
uses: Swatinem/rust-cache@v2.4.0
|
|
|
|
- name: Download grcov
|
|
run: |
|
|
mkdir -p "${HOME}/.local/bin"
|
|
curl -sL https://github.com/mozilla/grcov/releases/download/v0.8.18/grcov-x86_64-unknown-linux-gnu.tar.bz2 | tar jxf - -C "${HOME}/.local/bin"
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
|
|
- name: Run test suite with profiling enabled
|
|
run: |
|
|
cargo test --no-fail-fast --workspace
|
|
env:
|
|
RUSTFLAGS: '-Cinstrument-coverage'
|
|
LLVM_PROFILE_FILE: "cargo-test-%p-%m.profraw"
|
|
DATABASE_URL: postgresql://postgres:postgres@localhost/postgres
|
|
SQLX_OFFLINE: '1'
|
|
|
|
- name: Build grcov report
|
|
run: |
|
|
mkdir -p target/coverage
|
|
grcov . --binary-path ./target/debug/deps/ -s . -t lcov --branch --ignore-not-existing --ignore '../*' --ignore "/*" -o target/coverage/tests.lcov
|
|
|
|
- name: Upload to codecov.io
|
|
uses: codecov/codecov-action@v3.1.4
|
|
with:
|
|
files: target/coverage/*.lcov
|
|
flags: unit
|
|
|
|
|
|
build-image:
|
|
name: Build and push Docker image
|
|
needs: [rustfmt, opa-lint]
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
IMAGE: ghcr.io/matrix-org/matrix-authentication-service
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: Checkout the code
|
|
uses: actions/checkout@v3.5.3
|
|
|
|
- name: Docker meta
|
|
id: meta
|
|
uses: docker/metadata-action@v4.6.0
|
|
with:
|
|
images: "${{ env.IMAGE }}"
|
|
bake-target: docker-metadata-action
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
type=semver,pattern={{major}}
|
|
type=sha
|
|
|
|
- name: Docker meta (debug variant)
|
|
id: meta-debug
|
|
uses: docker/metadata-action@v4.6.0
|
|
with:
|
|
images: "${{ env.IMAGE }}"
|
|
bake-target: docker-metadata-action-debug
|
|
tags: |
|
|
type=ref,event=branch,suffix=-debug
|
|
type=semver,pattern={{version}},suffix=-debug
|
|
type=semver,pattern={{major}}.{{minor}},suffix=-debug
|
|
type=semver,pattern={{major}},suffix=-debug
|
|
type=sha,suffix=-debug
|
|
|
|
- name: Setup Cosign
|
|
uses: sigstore/cosign-installer@v3.0.5
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v2.7.0
|
|
with:
|
|
config-inline: |
|
|
[registry."docker.io"]
|
|
mirrors = ["mirror.gcr.io"]
|
|
|
|
- name: Login to GitHub Container Registry
|
|
if: github.event_name != 'pull_request'
|
|
uses: docker/login-action@v2.2.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
# For pull-requests, only read from the cache, do not try to push to the
|
|
# cache or the image itself
|
|
# We only build for the amd64 platform in pull-requests to speed-up CI
|
|
- name: Build
|
|
uses: docker/bake-action@v3.1.0
|
|
if: github.event_name == 'pull_request'
|
|
with:
|
|
files: |
|
|
docker-bake.hcl
|
|
${{ steps.meta.outputs.bake-file }}
|
|
${{ steps.meta-debug.outputs.bake-file }}
|
|
set: |
|
|
base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
|
|
base.platform=linux/amd64
|
|
base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache
|
|
|
|
- name: Build and push
|
|
id: bake
|
|
uses: docker/bake-action@v3.1.0
|
|
if: github.event_name != 'pull_request'
|
|
with:
|
|
files: |
|
|
docker-bake.hcl
|
|
${{ steps.meta.outputs.bake-file }}
|
|
${{ steps.meta-debug.outputs.bake-file }}
|
|
set: |
|
|
base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
|
|
base.output=type=image,push=true
|
|
base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache
|
|
base.cache-to=type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
|
|
|
|
- name: Sign the images with GitHub Actions provided token
|
|
# Only sign on tags and on commits on main branch
|
|
if: |
|
|
github.event_name != 'pull_request'
|
|
&& (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main')
|
|
|
|
run: |-
|
|
cosign sign --yes \
|
|
"${{ env.IMAGE }}@${{ fromJSON(steps.bake.outputs.metadata).regular['containerimage.digest'] }}" \
|
|
"${{ env.IMAGE }}@${{ fromJSON(steps.bake.outputs.metadata).debug['containerimage.digest'] }}"
|
|
|
|
|
|
tests-done:
|
|
name: Tests done
|
|
if: ${{ always() }}
|
|
needs:
|
|
- opa-lint
|
|
- frontend-lint
|
|
- frontend-test
|
|
- rustfmt
|
|
- clippy
|
|
- check-schema
|
|
- test
|
|
- coverage
|
|
- build-image
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- uses: matrix-org/done-action@v2
|
|
with:
|
|
needs: ${{ toJSON(needs) }}
|