dandri/matrix-authentication-service
1
0
Fork 0
mirror of https://github.com/element-hq/matrix-authentication-service.git synced 2026-05-11 11:04:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
feebbd0e97309f6e76b65feff124175d910482c2
matrix-authentication-service/.github/workflows/ci.yaml
T
Workflow config file is invalid. Please check your config file: invalid jobs: yaml: unmarshal errors: line 267: cannot unmarshal !!str `${{ mat...` into bool
Quentin Gliech 9ccc8b1acb Disable the Prometheus feature by default 
It remains enabled in the Docker image, but this avoids having to have
protoc installed to build the binary
2022-11-19 00:11:04 +01:00

468 lines
12 KiB
YAML
Raw Blame History

name: CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
env:
CARGO_TERM_COLOR: always
CARGO_NET_GIT_FETCH_WITH_CLI: "true"
jobs:
opa-lint:
name: Lint and test OPA policies
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Setup OPA
uses: open-policy-agent/setup-opa@v2.0.1
with:
version: 0.45.0
- name: Lint policies
working-directory: ./policies
run: make lint
- name: Run OPA tests
working-directory: ./policies
run: make test
- name: Run OPA tests with coverage
working-directory: ./policies
run: make coverage
- name: Upload to codecov.io
uses: codecov/codecov-action@v3
with:
files: policies/coverage.json
flags: policies
frontend-lint:
name: Check frontend style
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install Node
uses: actions/setup-node@v3
with:
node-version: 16
cache: 'npm'
cache-dependency-path: frontend/package-lock.json
- name: Install Node dependencies
working-directory: ./frontend
run: npm ci
- name: Lint
working-directory: ./frontend
run: npm run lint
frontend-test:
name: Run the frontend test suite
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install Node
uses: actions/setup-node@v3
with:
node-version: 16
cache: 'npm'
cache-dependency-path: frontend/package-lock.json
- name: Install Node dependencies
working-directory: ./frontend
run: npm ci
- name: Test
working-directory: ./frontend
run: npm test
- name: Upload to codecov.io
uses: codecov/codecov-action@v3
with:
directory: frontend/coverage/
flags: frontend
rustfmt:
name: Check Rust style
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install toolchain
run: |
rustup toolchain install nightly
rustup default nightly
rustup component add rustfmt
- name: Check style
run: cargo fmt --all -- --check
check-schema:
name: Check schema
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install Rust toolchain
run: |
rustup toolchain install stable
rustup default stable
- name: Setup Rust cache
uses: Swatinem/rust-cache@v2
- name: Install Node
uses: actions/setup-node@v3
with:
node-version: 16
cache: 'npm'
cache-dependency-path: frontend/package-lock.json
- name: Install Node dependencies
working-directory: ./frontend
run: npm ci
- name: Update the schemas
run: sh ./misc/update.sh
- name: Check that the workspace is clean
run: |
[[ -z $(git status -s) ]]
clippy:
name: Run Clippy
needs: [rustfmt, opa-lint]
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install toolchain
run: |
rustup toolchain install 1.65.0
rustup default 1.65.0
rustup component add clippy
- name: Setup OPA
uses: open-policy-agent/setup-opa@v2.0.1
with:
version: 0.45.0
- name: Compile OPA policies
working-directory: ./policies
run: make
- name: Setup Rust cache
uses: Swatinem/rust-cache@v2
- name: Run clippy
run: |
cargo clippy --workspace -- -D warnings
test:
name: Run test suite with Rust ${{ matrix.toolchain }}
needs: [rustfmt, opa-lint]
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false # Continue other jobs if one fails to help filling the cache
matrix:
toolchain:
- stable
- beta
- nightly
services:
postgres:
image: docker.io/library/postgres:14.4
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- "5432:5432"
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install toolchain
run: |
rustup toolchain install ${{ matrix.toolchain }}
rustup default ${{ matrix.toolchain }}
- name: Setup OPA
uses: open-policy-agent/setup-opa@v2.0.1
with:
version: 0.45.0
- name: Compile OPA policies
working-directory: ./policies
run: make
- name: Setup Rust cache
uses: Swatinem/rust-cache@v2
- name: Test
id: test
env:
DATABASE_URL: postgresql://postgres:postgres@localhost/postgres
SQLX_OFFLINE: '1'
run: |
cargo test --workspace
# Ignore errors on the nightly toolchain
continue-on-error: "${{ matrix.toolchain == 'nightly' }}"
- name: Emit error annotation on failures
if: steps.test.outcome == 'failure'
run: |
echo "::error ::Test suite failed on ${{ matrix.toolchain }} toolchain"
coverage:
name: Code coverage
needs: [rustfmt, opa-lint]
runs-on: ubuntu-latest
permissions:
contents: read
services:
postgres:
image: docker.io/library/postgres:14.4
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- "5432:5432"
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Install toolchain
run: |
rustup toolchain install stable
rustup default stable
rustup component add llvm-tools-preview
- name: Setup OPA
uses: open-policy-agent/setup-opa@v2.0.1
with:
version: 0.45.0
- name: Compile OPA policies
working-directory: ./policies
run: make
- name: Setup Rust cache
uses: Swatinem/rust-cache@v2
- name: Download grcov
run: |
mkdir -p "${HOME}/.local/bin"
curl -sL https://github.com/mozilla/grcov/releases/download/v0.8.13/grcov-x86_64-unknown-linux-gnu.tar.bz2 | tar jxf - -C "${HOME}/.local/bin"
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Run test suite with profiling enabled
run: |
cargo test --no-fail-fast --workspace
env:
RUSTFLAGS: '-Cinstrument-coverage'
LLVM_PROFILE_FILE: "cargo-test-%p-%m.profraw"
DATABASE_URL: postgresql://postgres:postgres@localhost/postgres
SQLX_OFFLINE: '1'
- name: Build grcov report
run: |
mkdir -p target/coverage
grcov . --binary-path ./target/debug/deps/ -s . -t lcov --branch --ignore-not-existing --ignore '../*' --ignore "/*" -o target/coverage/tests.lcov
- name: Upload to codecov.io
uses: codecov/codecov-action@v3
with:
files: target/coverage/*.lcov
flags: unit
build-image:
name: Build and push Docker image
needs: [rustfmt, opa-lint]
runs-on: ubuntu-latest
env:
IMAGE: ghcr.io/matrix-org/matrix-authentication-service
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout the code
uses: actions/checkout@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
images: "${{ env.IMAGE }}"
bake-target: docker-metadata-action
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
- name: Docker meta (debug variant)
id: meta-debug
uses: docker/metadata-action@v4
with:
images: "${{ env.IMAGE }}"
bake-target: docker-metadata-action-debug
tags: |
type=ref,event=branch,suffix=-debug
type=semver,pattern={{version}},suffix=-debug
type=semver,pattern={{major}}.{{minor}},suffix=-debug
type=semver,pattern={{major}},suffix=-debug
type=sha,suffix=-debug
- name: Setup Cosign
uses: sigstore/cosign-installer@v2.8.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
config-inline: |
[registry."docker.io"]
mirrors = ["mirror.gcr.io"]
- name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
# For pull-requests, only read from the cache, do not try to push to the
# cache or the image itself
# We only build for the amd64 platform in pull-requests to speed-up CI
- name: Build
uses: docker/bake-action@v2
if: github.event_name == 'pull_request'
with:
files: |
docker-bake.hcl
${{ steps.meta.outputs.bake-file }}
${{ steps.meta-debug.outputs.bake-file }}
set: |
base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
base.platform=linux/amd64
base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache
- name: Build and push
uses: docker/bake-action@v2
if: github.event_name != 'pull_request'
with:
files: |
docker-bake.hcl
${{ steps.meta.outputs.bake-file }}
${{ steps.meta-debug.outputs.bake-file }}
set: |
base.context=https://github.com/${{ github.repository }}.git#${{ github.ref }}
base.output=type=image,push=true
base.cache-from=type=registry,ref=${{ env.IMAGE }}:buildcache
base.cache-to=type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max
- name: Sign the images with GitHub Actions provided token
# Only sign on tags and on commits on main branch
if: |
github.event_name != 'pull_request'
&& (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main')
run: cosign sign ${TAGS}
env:
TAGS: "${{ steps.meta.outputs.tags }} ${{ steps.meta-debug.outputs.tags }}"
COSIGN_EXPERIMENTAL: 1
tests-done:
name: Tests done
if: ${{ always() }}
needs:
- opa-lint
- frontend-lint
- frontend-test
- rustfmt
- clippy
- check-schema
- test
- coverage
- build-image
runs-on: ubuntu-latest
steps:
- uses: matrix-org/done-action@v2
with:
needs: ${{ toJSON(needs) }}
Reference in New Issue View Git Blame Copy Permalink