Pin docker images to specific version #7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Deploy | |
| on: push | |
| jobs: | |
| django-check: | |
| name: Django Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: .venv | |
| key: v0-${{ hashFiles('./uv.lock') }} | |
| - name: Install Dependencies | |
| run: |- | |
| cd . | |
| uv sync | |
| - name: Test (run in parallel) | |
| run: |- | |
| cd . | |
| uv run coverage run --concurrency=multiprocessing manage.py test --settings=penncfa.settings.ci --parallel | |
| uv run coverage combine | |
| - name: Upload Code Coverage | |
| run: |- | |
| ROOT=$(pwd) | |
| cd . | |
| uv run codecov --root $ROOT --flags backend | |
| container: | |
| image: ghcr.io/astral-sh/uv:0.6.2-python3.12-bookworm | |
| env: | |
| DATABASE_URL: postgres://postgres:postgres@postgres:5432/postgres | |
| services: | |
| postgres: | |
| image: postgres:17 | |
| env: | |
| POSTGRES_USER: postgres | |
| POSTGRES_DB: postgres | |
| POSTGRES_PASSWORD: postgres | |
| options: "--health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5" | |
| publish-backend: | |
| name: Publish backend | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: docker/setup-qemu-action@v1 | |
| - uses: docker/setup-buildx-action@v1 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: buildx-publish-backend | |
| - uses: docker/login-action@v1 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Build/Publish | |
| uses: docker/build-push-action@v2 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: ${{ github.ref == 'refs/heads/master' }} | |
| cache-from: type=local,src=/tmp/.buildx-cache,type=registry,ref=pennlabs/common-funding-application:latest | |
| cache-to: type=local,dest=/tmp/.buildx-cache | |
| tags: pennlabs/common-funding-application:latest,pennlabs/common-funding-application:${{ github.sha }} | |
| needs: django-check | |
| deploy: | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/master' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - id: synth | |
| name: Synth cdk8s manifests | |
| run: |- | |
| cd k8s | |
| yarn install --frozen-lockfile | |
| # get repo name (by removing owner/organization) | |
| export RELEASE_NAME=${REPOSITORY#*/} | |
| # Export RELEASE_NAME as an output | |
| echo "::set-output name=RELEASE_NAME::$RELEASE_NAME" | |
| yarn build | |
| env: | |
| GIT_SHA: ${{ github.sha }} | |
| REPOSITORY: ${{ github.repository }} | |
| AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
| - name: Deploy | |
| run: |- | |
| aws eks --region us-east-1 update-kubeconfig --name production --role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/kubectl | |
| # get repo name from synth step | |
| RELEASE_NAME=${{ steps.synth.outputs.RELEASE_NAME }} | |
| # Deploy | |
| kubectl apply -f k8s/dist/ -l app.kubernetes.io/component=certificate | |
| kubectl apply -f k8s/dist/ --prune -l app.kubernetes.io/part-of=$RELEASE_NAME | |
| env: | |
| AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
| AWS_ACCESS_KEY_ID: ${{ secrets.GH_AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.GH_AWS_SECRET_ACCESS_KEY }} | |
| needs: | |
| - publish-backend |