-
Notifications
You must be signed in to change notification settings - Fork 0
172 lines (153 loc) · 8.05 KB
/
pipeline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
name: Pipeline
on: [push, workflow_dispatch]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
static_analysis:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install Dependencies and library
shell: bash
run: |
set -ux
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Run mypy
shell: bash
run: mypy captn google_ads openai_agent application.py
- name: Run bandit
shell: bash
run: bandit -c pyproject.toml -r captn
- name: Run Semgrep
shell: bash
run: semgrep scan --config auto --error
test:
runs-on: ubuntu-latest
strategy:
matrix:
pytest-marks: ["not openai", "openai and (not brief_creation_team and not campaign_creation_team and not weekly_analysis_team and not get_info_from_the_web_page)", "brief_creation_team and openai", "campaign_creation_team and openai", "weekly_analysis_team", "get_info_from_the_web_page"]
fail-fast: false
services:
postgres:
image: postgres:13
env:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: gads
ports:
- 5432:5432
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
env:
INFOBIP_API_KEY: "dummy_key"
INFOBIP_BASE_URL: "dummy_url"
DATABASE_URL: "postgresql://postgres:postgres@localhost:5432/gads"
AZURE_API_VERSION: ${{ secrets.STAGING_AZURE_API_VERSION }}
AZURE_API_ENDPOINT: ${{ secrets.STAGING_AZURE_API_ENDPOINT }}
AZURE_GPT4_MODEL: ${{ secrets.STAGING_AZURE_GPT4_MODEL }}
AZURE_GPT35_MODEL: ${{ secrets.STAGING_AZURE_GPT35_MODEL }}
AZURE_OPENAI_API_KEY: ${{ secrets.STAGING_AZURE_OPENAI_API_KEY }}
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
cache: "pip"
cache-dependency-path: pyproject.toml
- name: Install Dependencies
run: pip install -e ".[dev]"
- name: Prisma generate
run: prisma generate
- name: Create client secrets file
run: echo '{"web":{"client_id":"dummy.apps.googleusercontent.com","project_id":"dummy-id","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_secret":"dummy-secret","redirect_uris":["http://localhost:9000/login/callback"]}}' > client_secret.json
- name: Test
run: pytest tests/ci/ -m "${{ matrix.pytest-marks }}"
docker_build_push:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
env:
PORT: ${{ vars.PORT }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 18
- name: Install wasp
run: curl -sSL https://get.wasp-lang.dev/installer.sh | sh
- name: Log in to the Container registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- run: docker pull ghcr.io/$GITHUB_REPOSITORY:$GITHUB_REF_NAME || docker pull ghcr.io/$GITHUB_REPOSITORY:dev || true
- run: docker build --build-arg PORT=$PORT -t ghcr.io/$GITHUB_REPOSITORY:${GITHUB_REF_NAME////-} .
- name: Add tag latest if branch is main
if: github.ref_name == 'main'
run: docker tag ghcr.io/$GITHUB_REPOSITORY:$GITHUB_REF_NAME ghcr.io/$GITHUB_REPOSITORY:latest
- name: Push only if branch name is main or dev
if: github.ref_name == 'main' || github.ref_name == 'dev'
run: docker push ghcr.io/$GITHUB_REPOSITORY --all-tags
# https://github.com/marketplace/actions/alls-green#why
check: # This job does nothing and is only used for the branch protection
if: github.event.pull_request.draft == false
needs:
- test
- static_analysis
- docker_build_push
runs-on: ubuntu-latest
steps:
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@release/v1 # nosemgrep
with:
jobs: ${{ toJSON(needs) }}
deploy:
runs-on: ubuntu-22.04
defaults:
run:
shell: bash
needs: [check]
if: github.ref_name == 'main' || github.ref_name == 'dev'
env:
GITHUB_USERNAME: ${{ github.actor }}
GITHUB_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
DEVELOPER_TOKEN: ${{ secrets.DEVELOPER_TOKEN }}
PORT: ${{ vars.PORT }}
DOMAIN: ${{ github.ref_name == 'main' && vars.PROD_DOMAIN || vars.STAGING_DOMAIN }}
REDIRECT_DOMAIN: ${{ github.ref_name == 'main' && vars.PROD_REDIRECT_DOMAIN || vars.STAGING_REDIRECT_DOMAIN }}
CLIENT_SECRET: ${{ github.ref_name == 'main' && secrets.PROD_CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
DATABASE_URL: ${{ github.ref_name == 'main' && secrets.PROD_DATABASE_URL || secrets.STAGING_DATABASE_URL }}
REACT_APP_API_URL: ${{ github.ref_name == 'main' && secrets.PROD_REACT_APP_API_URL || secrets.STAGING_REACT_APP_API_URL }}
AZURE_API_VERSION: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_API_VERSION || secrets.STAGING_AZURE_API_VERSION }}
AZURE_API_ENDPOINT: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_API_ENDPOINT || secrets.STAGING_AZURE_API_ENDPOINT }}
AZURE_GPT4_MODEL: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_GPT4_MODEL || secrets.STAGING_AZURE_GPT4_MODEL }}
AZURE_GPT35_MODEL: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_GPT35_MODEL || secrets.STAGING_AZURE_GPT35_MODEL }}
AZURE_OPENAI_API_KEY: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_OPENAI_API_KEY || secrets.STAGING_AZURE_OPENAI_API_KEY }}
INFOBIP_API_KEY: ${{ github.ref_name == 'main' && secrets.PROD_INFOBIP_API_KEY || secrets.STAGING_INFOBIP_API_KEY }}
INFOBIP_BASE_URL: ${{ github.ref_name == 'main' && secrets.PROD_INFOBIP_BASE_URL || secrets.STAGING_INFOBIP_BASE_URL }}
SSH_KEY: ${{ github.ref_name == 'main' && secrets.PROD_SSH_KEY || secrets.STAGING_SSH_KEY }}
steps:
- uses: actions/checkout@v3 # Don't change it to cheackout@v4. V4 is not working with container image.
# This is to fix GIT not liking owner of the checkout dir - https://github.com/actions/runner/issues/2033#issuecomment-1204205989
- run: chown -R $(id -u):$(id -g) $PWD
- run: if [[ $GITHUB_REF_NAME == "main" ]]; then echo "TAG=latest" >> $GITHUB_ENV ; else echo "TAG=dev" >> $GITHUB_ENV ; fi;
- run: echo "PATH=$PATH:/github/home/.local/bin" >> $GITHUB_ENV
- run: 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client git gettext -y )'
- run: eval $(ssh-agent -s)
- run: mkdir -p ~/.ssh
- run: chmod 700 ~/.ssh
- run: ssh-keyscan "$DOMAIN" >> ~/.ssh/known_hosts
- run: chmod 644 ~/.ssh/known_hosts
- run: echo "$SSH_KEY" | base64 --decode > key.pem
- run: chmod 600 key.pem
- run: ssh -o StrictHostKeyChecking=no -i key.pem azureuser@"$DOMAIN" "docker images"
- run: bash scripts/deploy.sh
- run: rm key.pem