Merge pull request #49 from RockefellerArchiveCenter/github-workflows

GitHub workflows

.github/workflows/dependencies.yml

@@ -14,12 +14,20 @@ jobs:
       contents: write
       pull-requests: write
     steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+
       - uses: actions/checkout@v4
         with:
+          token: ${{ steps.app-token.outputs.token }}
           ref: development
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: '3.11'
           cache: pip
@@ -29,14 +37,14 @@ jobs:
 
       - name: Run pre-commit autoupdate
         run: pre-commit autoupdate
-      
+
       - name: Run pip-compile
         run: pip-compile --upgrade
-      
+
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v6.0.2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           base: development
           branch: dependency-updates
           delete-branch: true

.github/workflows/deploy.yml

@@ -0,0 +1,68 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - development
+      - base
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    environment:
+      name: ${{ github.ref_name }}
+
+    env:
+      APP_NAME: digitized_av_qc
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4.0.2
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE }}
+          role-skip-session-tagging: true
+          role-duration-seconds: 900
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@v2.0.1
+        with:
+          registries: ${{ secrets.ECR_REGISTRIES }}
+
+      - name: Set environment variables
+        run: |
+          echo "DATE=$(date +'%Y%m%dT%H%M%S')" >> $GITHUB_ENV
+
+      - name: Build Docker image
+        run: docker build -t ${{ env.APP_NAME }} --target build .
+
+      - name: Tag and push latest to ECR
+        if: github.ref == 'refs/heads/base'
+        run: |
+          docker tag ${{ env.APP_NAME }} "${{ secrets.AWS_ACCOUNT_ID }}".dkr.ecr."${{ secrets.AWS_REGION }}".amazonaws.com/"${{ env.APP_NAME }}":latest
+          docker push "${{ secrets.AWS_ACCOUNT_ID }}".dkr.ecr."${{ secrets.AWS_REGION }}".amazonaws.com/"${{ env.APP_NAME }}":latest
+
+      - name: Tag and push dev to ECR
+        if: github.ref == 'refs/heads/development'
+        run: |
+          docker tag ${{ env.APP_NAME }} "${{ secrets.AWS_ACCOUNT_ID }}".dkr.ecr."${{ secrets.AWS_REGION }}".amazonaws.com/"${{ env.APP_NAME }}":dev
+          docker push "${{ secrets.AWS_ACCOUNT_ID }}".dkr.ecr."${{ secrets.AWS_REGION }}".amazonaws.com/"${{ env.APP_NAME }}":dev
+
+      - name: Tag and push versioned image to ECR
+        if: github.ref == 'refs/heads/development'
+        run: |
+          docker tag ${{ env.APP_NAME }} "${{ secrets.AWS_ACCOUNT_ID }}".dkr.ecr."${{ secrets.AWS_REGION }}".amazonaws.com/"${{ env.APP_NAME }}":"${{ env.DATE }}"-"${{ github.sha }}"
+          docker push "${{ secrets.AWS_ACCOUNT_ID }}".dkr.ecr."${{ secrets.AWS_REGION }}".amazonaws.com/"${{ env.APP_NAME }}":"${{ env.DATE }}"-"${{ github.sha }}"
+
+      - name: Tag image for production (base branch)
+        if: github.ref == 'refs/heads/base'
+        run: |
+          MANIFEST=$(aws ecr batch-get-image --registry-id ${{ secrets.AWS_ACCOUNT_ID }} --repository-name ${{ env.APP_NAME }} --image-ids imageTag=dev --output json | jq -c --join-output '.images[0].imageManifest')
+          aws ecr put-image --registry-id ${{ secrets.AWS_ACCOUNT_ID }} --repository-name ${{ env.APP_NAME }} --image-tag prod --image-manifest "$MANIFEST"

.github/workflows/enforcer.yml

@@ -0,0 +1,16 @@
+name: 'Check Branch'
+
+on:
+  pull_request:
+    branches:
+      - base
+
+jobs:
+  check_branch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check branch
+        if: github.head_ref != 'development'
+        run: |
+          echo "ERROR: You can only merge to base from the development branch."
+          exit 1

.github/workflows/tests.yml

@@ -0,0 +1,51 @@
+name: Test
+
+on:
+  pull_request:
+    branches:
+      - development
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    environment:
+      name: development
+
+    env:
+        CONTAINER: web
+        APPLICATION_NAME: digitized_av_qc
+        APPLICATION_PORT: 80
+
+    services:
+      docker:
+        image: docker:stable
+        options: --privileged
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+
+      - name: Login to Docker
+        run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
+
+      - name: Start Docker containers
+        run: docker compose up -d
+
+      - name: Install pre-commit
+        run: |
+          pip install "pre-commit===2.13.0"
+          pre-commit install
+
+      - name: Run pre-commit checks
+        run: pre-commit run --all-files --show-diff-on-failure
+
+      - name: Run tests
+        run: docker compose exec -T $CONTAINER python manage.py test

README.md

@@ -21,7 +21,6 @@ When you're done, shut down Docker Compose:
 
     $ docker compose down
 
-
 ## License
 
 Code is released under an MIT License, as all your code should be. See [LICENSE](LICENSE) for details.