Skip to content

[Snyk] Fix for 2 vulnerabilities #119

[Snyk] Fix for 2 vulnerabilities

[Snyk] Fix for 2 vulnerabilities #119

Workflow file for this run

name: Setup review environment
on:
# run it during pull request
pull_request:
branches: [ master, stable ]
jobs:
build-and-test:
name: Build and Test
# run only when code is compiling and tests are passing
runs-on: ubuntu-latest
outputs:
dockerTag: ${{ steps.compute.outputs.docker_tag }}
services:
# Label used to access the service container
postgres:
# Docker Hub image
image: postgres:11.5
# Provide the password for postgres
env:
POSTGRES_DB: testdb
# Set health checks to wait until postgres has started
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
# Maps tcp port 5432 on service container to the host
- 5432:5432
redis:
image: redis
# Set health checks to wait until redis has started
options: >-
--health-cmd "redis-cli ping"
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 6379:6379
env:
DJANGO_SETTINGS_MODULE: app.settings
SUPRESS_DEBUG_TOOLBAR: 1
GITCOIN_API_USER: ${{ secrets.GITCOIN_API_USER }}
GITHUB_API_TOKEN: ${{ secrets.GITCOIN_API_TOKEN }}
POLYGONSCAN_API_KEY: ${{ secrets.POLYGONSCAN_API_KEY }}
# steps to perform in job
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Use Node.js 14
uses: actions/setup-node@v2
with:
node-version: 14
cache: "yarn"
- name: Use Python 3.7
uses: "actions/setup-python@v2"
with:
python-version: 3.7
cache: "pip"
- name: Setup Env
run: |
echo "PYTHONPATH=/home/runner/work/web/web/app" >> $GITHUB_ENV
cp app/app/ci.env app/app/.env
pip install pip==20.0.2 setuptools wheel --upgrade
- name: Fetch and Install GeoIP database files
run: |
sudo apt-get update && sudo apt-get install -y libmaxminddb-dev libsodium-dev libsecp256k1-dev
cp dist/*.gz ./
gunzip GeoLite2-City.mmdb.tar.gz && gunzip GeoLite2-Country.mmdb.tar.gz
tar -xvf GeoLite2-City.mmdb.tar && tar -xvf GeoLite2-Country.mmdb.tar
sudo mkdir -p /opt/GeoIP/
sudo mv GeoLite2-City_20200128/*.mmdb /opt/GeoIP/
sudo mv GeoLite2-Country_20200128/*.mmdb /opt/GeoIP/
- name: Install libvips, Node, and Python dependencies
run: |
sudo apt-get install -y libvips libvips-dev
node --version
yarn install
pip install -r requirements/test.txt
yarn run eslint
yarn run stylelint
(cd app; python ./manage.py collectstatic --noinput --disable-collectfast)
- name: Run management commands
run: |
python app/manage.py migrate
python app/manage.py fetch_gas_prices
- name: Run Python and UI tests
run: |
pytest -p no:ethereum -p no:warnings
bin/ci/cypress-run
- name: Deploy to Github Pages 🚀
uses: peaceiris/actions-gh-pages@v3
if: github.ref == 'refs/heads/master'
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: _build/site
cname: docs.gitcoin.coind
- name: Compute some values
id: compute
run: |
echo "::set-output name=docker_tag::gitcoin/web:${GITHUB_SHA: -10}"
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
- name: Deploy to Docker Hub 🚀
uses: docker/build-push-action@v2
with:
context: ./
file: ./Dockerfile
builder: ${{ steps.buildx.outputs.name }}
push: true
tags: ${{ steps.compute.outputs.docker_tag }}
cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/web:buildcache
cache-to: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/web:buildcache,mode=max
- uses: actions/github-script@v6
with:
script: |
console.log("Context", context)
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `The new docker image for has been pushed to: \`${{ steps.compute.outputs.docker_tag }}\``
})
deploy:
name: Deploy
needs: build-and-test
environment: review
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Compute some values
id: compute
run: |
echo "::set-output name=pulumi_stack::gitcoin/review/review-${{ github.event.number }}"
echo "::set-output name=review_domain::review-${{ github.event.number }}.review.gitcoin.co"
#########################################################################
# Provision the shared ressources for the review environment
#########################################################################
- name: Use Node.js
uses: actions/setup-node@v2
with:
cache: "npm"
cache-dependency-path: infra/review-env/package-lock.json
# Install pulumi dependencies
# Select the new pulumi stack
- run: |
npm install
pulumi stack select -c gitcoin/review-env/review
pulumi config -s gitcoin/review-env/review set aws:region us-west-2 --non-interactive
working-directory: infra/review-env
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
# Run pulumi actions
- uses: pulumi/actions@v3
id: pulumi-env
name: Ensure the pulumi review environment shared ressources
with:
command: up
stack-name: gitcoin/review-env/review
upsert: true
work-dir: infra/review-env
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_CONFIG_PASSPHRASE:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: ${{ secrets.AWS_REGION }}
#########################################################################
# Provision the PR specific ressources for the review environment
#########################################################################
- name: Use Node.js
uses: actions/setup-node@v2
with:
cache: "npm"
cache-dependency-path: infra/review-pr/package-lock.json
# Install pulumi dependencies
# Select the new pulumi stack
- run: |
npm install
pulumi stack select -c ${{ steps.compute.outputs.pulumi_stack }}
pulumi config -s ${{ steps.compute.outputs.pulumi_stack }} set aws:region us-west-2 --non-interactive
working-directory: infra/review-pr
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
# Run pulumi actions
- uses: pulumi/actions@v3
id: pulumi
name: Create the environment specific for this PR
with:
command: up
stack-name: ${{ steps.compute.outputs.pulumi_stack }}
upsert: true
work-dir: infra/review-pr
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: ${{ secrets.AWS_REGION }}
DB_NAME: ${{ secrets.DB_NAME }}
DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
DB_USER: ${{ secrets.DB_USER }}
DOCKER_GTC_WEB_IMAGE: ${{ needs.build-and-test.outputs.dockerTag }}
GITHUB_API_USER: ${{ secrets.REVIEW_GITHUB_API_USER }}
GITHUB_API_TOKEN: ${{ secrets.REVIEW_GITHUB_API_TOKEN }}
GITHUB_APP_NAME: ${{ secrets.GTC_GITHUB_APP_NAME }}
GITHUB_CLIENT_ID: ${{ secrets.GTC_GITHUB_CLIENT_ID }}
GITHUB_CLIENT_SECRET: ${{ secrets.GTC_GITHUB_CLIENT_SECRET }}
# Pass in the outputs from the generic environment, we will deploy our ressources in the VPC
# and subnet that where created there
REVIEW_ENV_VPC_ID: ${{ steps.pulumi-env.outputs.vpcID }}
REVIEW_ENV_PRIVATE_SUBNET_1: ${{ steps.pulumi-env.outputs.vpcPrivateSubnetId1 }}
REVIEW_ENV_PRIVATE_SUBNET_2: ${{ steps.pulumi-env.outputs.vpcPrivateSubnetId2 }}
REVIEW_ENV_PUBLIC_SUBNET_1: ${{ steps.pulumi-env.outputs.vpcPublicSubnetId1 }}
REVIEW_ENV_PUBLIC_SUBNET_2: ${{ steps.pulumi-env.outputs.vpcPublicSubnetId2 }}
REVIEW_ENV_ROUTE53_ZONE_ID: ${{ secrets.ROUTE53_ZONE_ID }}
REVIEW_ENV_DOMAIN: ${{ steps.compute.outputs.review_domain }}
REVIEW_ENV_NAME: ${{ github.event.number }}
- name: Start migration task
run: |
aws ecs run-task --launch-type FARGATE --task-definition ${{ steps.pulumi.outputs.taskDefinition }} --cluster ${{ steps.pulumi.outputs.clusterId }} --network-configuration "awsvpcConfiguration={subnets=[${{ steps.pulumi-env.outputs.vpcPrivateSubnetId1 }}],securityGroups=[${{ steps.pulumi.outputs.securityGroupForTaskDefinition }}],assignPublicIp=ENABLED}"
env:
# We need AWS_EC2_METADATA_DISABLED, because: https://github.com/actions/checkout/issues/440
AWS_EC2_METADATA_DISABLED: true
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-west-2
- name: Copy static files to bucket
run: |
mkdir static_files_to_deploy
mkdir docker_bin
cat <<EOT >> docker_bin/static_files.sh
#!/bin/bash
python3.7 manage.py bundle
python3.7 manage.py collectstatic --disable-collectfast
EOT
docker run -v $(pwd)/static_files_to_deploy:/code/app/static -v $(pwd)/docker_bin:/code/app/bin -e DATABASE_URL=${{ steps.pulumi.outputs.rdsConnectionUrl }} -e BUNDLE_USE_CHECKSUM=${BUNDLE_USE_CHECKSUM} ${{ needs.build-and-test.outputs.dockerTag }} sh /code/app/bin/static_files.sh
echo "Syncing to bucket: ${{ steps.pulumi.outputs.bucketName }}"
echo "Source folder: $(pwd)/static_files_to_deploy"
aws s3 sync $(pwd)/static_files_to_deploy s3://${{ steps.pulumi.outputs.bucketName }}/static --acl public-read --delete
env:
# We need AWS_EC2_METADATA_DISABLED, because: https://github.com/actions/checkout/issues/440
AWS_EC2_METADATA_DISABLED: true
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
BUNDLE_USE_CHECKSUM: 'false'
- uses: actions/github-script@v6
with:
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `Test your commit here: \n\
- [${{ steps.pulumi.outputs.frontendURL }}](${{ steps.pulumi.outputs.frontendURL }}) \n\
- [https://${{ steps.compute.outputs.review_domain }}](https://${{ steps.compute.outputs.review_domain }}) \n\
`
})