Bump cryptography from 45.0.3 to 46.0.1 #59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test | |
| permissions: | |
| contents: read | |
| packages: write | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| merge_group: | |
| workflow_dispatch: | |
| release: | |
| types: | |
| - published | |
| env: | |
| REGISTRY: ghcr.io | |
| BASE_IMAGE_NAME: ${{ github.repository }}/base | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image-tag: ${{ steps.meta.outputs.tags }} | |
| image-digest: ${{ steps.build.outputs.digest }} | |
| cache-hit: ${{ steps.cache-check.outputs.cache-hit }} | |
| deps-hash: ${{ steps.deps-hash.outputs.hash }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Alternative: Use a Personal Access Token if GITHUB_TOKEN doesn't work | |
| # password: ${{ secrets.GHCR_TOKEN }} | |
| - name: Generate dependency hash | |
| id: deps-hash | |
| run: | | |
| DEPS_HASH=$(cat requirements.txt package.json package-lock.json | sha256sum | cut -d' ' -f1) | |
| echo "hash=$DEPS_HASH" >> $GITHUB_OUTPUT | |
| - name: Check if base image exists | |
| id: cache-check | |
| run: | | |
| # Check if an image with this dependency hash already exists | |
| if docker manifest inspect ${{ env.REGISTRY }}/${{ env.BASE_IMAGE_NAME }}:deps-${{ steps.deps-hash.outputs.hash }} > /dev/null 2>&1; then | |
| echo "cache-hit=true" >> $GITHUB_OUTPUT | |
| echo "Base image cache hit!" | |
| else | |
| echo "cache-hit=false" >> $GITHUB_OUTPUT | |
| echo "Base image cache miss, will build new image" | |
| fi | |
| - name: Extract metadata | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.BASE_IMAGE_NAME }} | |
| tags: | | |
| type=raw,value=deps-${{ steps.deps-hash.outputs.hash }} | |
| type=raw,value=latest | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=sha | |
| labels: | | |
| org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} | |
| org.opencontainers.image.description=Base image with dependencies for Jazzband website | |
| - name: Build and push base image | |
| if: steps.cache-check.outputs.cache-hit != 'true' | |
| id: build | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: Dockerfile.base | |
| platforms: linux/amd64 | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| build-args: | | |
| DEPS_HASH=${{ steps.deps-hash.outputs.hash }} | |
| test: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - name: Cancel Previous Runs | |
| uses: styfle/[email protected] | |
| with: | |
| access_token: ${{ github.token }} | |
| - uses: actions/checkout@v4 | |
| - name: Log in to Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "15" | |
| check-latest: true | |
| - name: Create .env file | |
| run: make envvar | |
| - name: Pull base image | |
| run: | | |
| docker pull ${{ env.REGISTRY }}/${{ env.BASE_IMAGE_NAME }}:deps-${{ needs.build.outputs.deps-hash }} | |
| - name: Build application image | |
| env: | |
| BASE_IMAGE: ${{ env.REGISTRY }}/${{ env.BASE_IMAGE_NAME }}:deps-${{ needs.build.outputs.deps-hash }} | |
| run: make build-app | |
| - name: Run tests | |
| env: | |
| JAZZBAND_IMAGE: jazzband-website:latest | |
| COVERAGE_FILE: /app/.coverage | |
| COVERAGE_XML: /app/coverage.xml | |
| run: | | |
| # Create coverage output directory | |
| mkdir -p $PWD/coverage-data | |
| chmod 777 $PWD/coverage-data | |
| # Run tests with volume mount for coverage output | |
| docker compose run --rm \ | |
| -e COVERAGE_FILE \ | |
| -e COVERAGE_XML \ | |
| -v $PWD/coverage-data:/app/coverage-data \ | |
| -u root \ | |
| web sh -c " | |
| pytest tests/ --cov=jazzband --cov-report=xml --cov-report=term | |
| cp /app/coverage.xml /app/coverage-data/coverage.xml | |
| chmod 644 /app/coverage-data/coverage.xml | |
| " | |
| # Copy coverage XML from mounted volume | |
| - name: Copy coverage XML from container | |
| run: | | |
| cp coverage-data/coverage.xml ./coverage.xml || echo "Failed to copy coverage.xml" | |
| - name: Upload coverage reports to Codecov with GitHub Action | |
| uses: codecov/codecov-action@v5 | |
| with: | |
| files: ./coverage.xml | |
| sentry-release: | |
| if: github.event.action == 'published' && github.repository == 'jazzband/website' | |
| runs-on: ubuntu-latest | |
| needs: [test] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Create Sentry release | |
| uses: getsentry/action-release@v1 | |
| env: | |
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
| SENTRY_ORG: ${{ secrets.SENTRY_ORG }} | |
| SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }} | |
| with: | |
| environment: production | |
| version: ${{ github.ref_name }} |