refactor: improved message obfuscation by randomizing length and hand… #22204
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: [master, dev, edge, avs, mobile, acc] | |
| tags: | |
| - '*staging*' | |
| - '*production*' | |
| pull_request: | |
| branches: [master, dev, edge, avs, mobile, acc] | |
| concurrency: | |
| group: ci-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| test_build_deploy: | |
| runs-on: buildjet-8vcpu-ubuntu-2204 | |
| env: | |
| TEST_COVERAGE_FAIL_THRESHOLD: 45 | |
| TEST_COVERAGE_WARNING_THRESHOLD: 60 | |
| DEPLOYMENT_RECOVERY_TIMEOUT_SECONDS: 150 | |
| AWS_APPLICATION_NAME: Webapp | |
| AWS_BUILD_ZIP_PATH: server/dist/s3/ebs.zip | |
| COMMIT_URL: ${{github.event.head_commit.url}} | |
| COMMITTER: ${{github.event.head_commit.committer.name}} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: 16.x | |
| cache: 'yarn' | |
| - name: Set environment variables | |
| run: | | |
| echo "BRANCH_NAME=$(git branch --show-current)" >> $GITHUB_ENV | |
| echo "TAG=$(git tag --points-at ${{github.sha}})" >> $GITHUB_ENV | |
| echo "PR_LAST_COMMIT_MESSAGE=$(git log --format=%B -n 1 ${{github.event.after}} | head -n 1)" >> $GITHUB_ENV | |
| - name: Set TITLE and BUILD_DESKTOP | |
| env: | |
| PR_TITLE: ${{github.event.pull_request.title || env.PR_LAST_COMMIT_MESSAGE}} | |
| run: | | |
| echo "TITLE=${PR_TITLE}" >> $GITHUB_ENV | |
| echo "BUILD_DESKTOP=${{contains(env.TAG, 'staging') || contains(env.TAG, 'production') || contains(env.PR_LAST_COMMIT_MESSAGE, '+Desktop')}}" >> $GITHUB_ENV | |
| - name: Print environment variables | |
| run: | | |
| echo -e "BRANCH_NAME = ${BRANCH_NAME}" | |
| echo -e "TAG = ${TAG}" | |
| echo -e "TITLE = ${TITLE}" | |
| echo -e "PR_LAST_COMMIT_MESSAGE = ${PR_LAST_COMMIT_MESSAGE}" | |
| echo -e "COMMIT_URL = ${COMMIT_URL}" | |
| echo -e "COMMITTER = ${COMMITTER}" | |
| echo -e "BUILD_DESKTOP = ${BUILD_DESKTOP}" | |
| - name: Skip CI | |
| if: | | |
| contains(env.TITLE || env.PR_LAST_COMMIT_MESSAGE, '[skip ci]') || | |
| contains(env.TITLE || env.PR_LAST_COMMIT_MESSAGE, '[ci skip]') | |
| uses: andymckay/[email protected] | |
| - name: Authenticate git clone | |
| env: | |
| GH_TOKEN: ${{secrets.OTTO_THE_BOT_GH_TOKEN}} | |
| run: echo "machine github.com login ${GH_TOKEN}" > ~/.netrc | |
| - name: Install JS dependencies | |
| run: yarn --immutable | |
| - name: Test | |
| run: | | |
| set -o pipefail | |
| yarn test --coverage --coverage-reporters=lcov --detectOpenHandles=false 2>&1 | tee ./unit-tests.log | |
| - name: Monitor coverage | |
| uses: codecov/[email protected] | |
| with: | |
| fail_ci_if_error: false | |
| files: ./coverage/lcov.info | |
| flags: unittests | |
| - uses: kanga333/variable-mapper@master | |
| with: | |
| # We try to map a branch to a dev environment | |
| key: '${{github.ref}}' | |
| map: | | |
| { | |
| "edge": { "dev_env": "wire-webapp-edge-al2" }, | |
| "dev": { "dev_env": "wire-webapp-dev-al2" }, | |
| "master": { "dev_env": "wire-webapp-master-al2" } | |
| } | |
| - uses: kanga333/variable-mapper@master | |
| with: | |
| # We try to map a tag to a dev environment | |
| key: '${{env.TAG}}' | |
| map: | | |
| { | |
| "production": { "prod_env": "wire-webapp-prod-al2" }, | |
| "staging": { "prod_env": "wire-webapp-staging-al2" } | |
| } | |
| - name: Build | |
| if: env.prod_env || env.dev_env | |
| run: yarn build:prod | |
| - name: Assembling release information | |
| if: contains(env.TAG, 'production') | |
| # NOTE: always using 'master' config, since release version is only consumed at | |
| # 'production' stage for now | |
| shell: bash | |
| run: | | |
| configVersion=$(cat ./app-config/package.json | jq -r '.dependencies["wire-web-config-default-master"]' | awk -F '#' '{ print $2 }') | |
| packageVersion=$(cat ./package.json | jq -r '.version') | |
| containerImageTag="${TAG:-${packageVersion}}-${configVersion}-${GITHUB_SHA::7}" | |
| echo "{\"imageTag\": \"${containerImageTag}\", \"releaseName\": \"${TAG:-v${packageVersion}}\"}" > ./release-info.json | |
| - name: Storing release information | |
| if: contains(env.TAG, 'production') | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: release-info.json | |
| path: ./release-info.json | |
| # Stage 1: https://wire-webapp-edge.zinfra.io/ | |
| - name: Deploy to dev env | |
| if: env.dev_env | |
| uses: einaregilsson/beanstalk-deploy@v21 | |
| with: | |
| application_name: ${{env.AWS_APPLICATION_NAME}} | |
| aws_access_key: ${{secrets.WEBTEAM_AWS_ACCESS_KEY_ID}} | |
| aws_secret_key: ${{secrets.WEBTEAM_AWS_SECRET_ACCESS_KEY}} | |
| deployment_package: ${{env.AWS_BUILD_ZIP_PATH}} | |
| environment_name: ${{env.dev_env}} | |
| region: eu-central-1 | |
| use_existing_version_if_available: true | |
| version_description: ${{github.sha}} | |
| version_label: ${{github.run_id}} | |
| wait_for_deployment: false | |
| wait_for_environment_recovery: ${{env.DEPLOYMENT_RECOVERY_TIMEOUT_SECONDS}} | |
| - name: Deploy to prod env | |
| if: env.prod_env | |
| uses: einaregilsson/beanstalk-deploy@v21 | |
| with: | |
| application_name: ${{env.AWS_APPLICATION_NAME}} | |
| aws_access_key: ${{secrets.WEBTEAM_AWS_ACCESS_KEY_ID}} | |
| aws_secret_key: ${{secrets.WEBTEAM_AWS_SECRET_ACCESS_KEY}} | |
| deployment_package: ${{env.AWS_BUILD_ZIP_PATH}} | |
| environment_name: ${{env.prod_env}} | |
| region: eu-central-1 | |
| use_existing_version_if_available: true | |
| version_description: ${{github.sha}} | |
| version_label: ${{env.TAG}}-${{github.run_id}} | |
| wait_for_deployment: false | |
| wait_for_environment_recovery: ${{env.DEPLOYMENT_RECOVERY_TIMEOUT_SECONDS}} | |
| - name: Push master/dev/edge/mobile Docker image | |
| if: | | |
| env.BRANCH_NAME == 'master' || | |
| env.BRANCH_NAME == 'dev' || | |
| env.BRANCH_NAME == 'edge' || | |
| env.BRANCH_NAME == 'mobile' | |
| env: | |
| DOCKER_PASSWORD: ${{secrets.WEBTEAM_QUAY_PASSWORD}} | |
| DOCKER_USERNAME: ${{secrets.WEBTEAM_QUAY_USERNAME}} | |
| run: yarn docker '' "${{env.BRANCH_NAME}}" | |
| - name: Push staging Docker image | |
| if: contains(env.TAG, 'staging') | |
| env: | |
| DOCKER_PASSWORD: ${{secrets.WEBTEAM_QUAY_PASSWORD}} | |
| DOCKER_USERNAME: ${{secrets.WEBTEAM_QUAY_USERNAME}} | |
| run: yarn docker '' staging "$TAG" | |
| - name: Push production Docker image | |
| if: contains(env.TAG, 'production') | |
| env: | |
| DOCKER_PASSWORD: ${{secrets.WEBTEAM_QUAY_PASSWORD}} | |
| DOCKER_USERNAME: ${{secrets.WEBTEAM_QUAY_USERNAME}} | |
| run: yarn docker '' production "$TAG" | |
| - name: Generate changelog for production release | |
| if: contains(env.TAG, 'production') | |
| run: yarn changelog:production | |
| - name: Create GitHub production release | |
| id: create_release_production | |
| if: contains(env.TAG, 'production') | |
| uses: softprops/action-gh-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{github.token}} | |
| with: | |
| tag_name: ${{env.TAG}} | |
| name: ${{env.TAG}} | |
| body_path: ./CHANGELOG.md | |
| files: ./unit-tests.log | |
| draft: false | |
| prerelease: false | |
| - name: Announce production release | |
| if: contains(env.TAG, 'production') | |
| uses: wireapp/[email protected] | |
| with: | |
| email: ${{secrets.WIRE_BOT_EMAIL}} | |
| password: ${{secrets.WIRE_BOT_PASSWORD}} | |
| conversation: 1784ed44-7c32-4984-b5e2-0b4d55b034ed | |
| send_text: 'The web team just rolled out a new version of [Wire for Web](https://app.wire.com/). You can find what has changed in our [GitHub release notes](https://github.com/wireapp/wire-webapp/releases/latest).\n\nPlease note that the rollout can take up to 30 minutes to be fully deployed on all nodes. You can check here if you get already served our latest version from today: https://app.wire.com/version' | |
| - name: Generate changelog for staging release | |
| if: contains(env.TAG, 'staging') | |
| run: yarn changelog:staging | |
| - name: Create GitHub staging release | |
| id: create_release_staging | |
| if: contains(env.TAG, 'staging') | |
| uses: softprops/action-gh-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{github.token}} | |
| with: | |
| tag_name: ${{env.TAG}} | |
| name: ${{env.TAG}} | |
| body_path: ./CHANGELOG.md | |
| files: ./unit-tests.log | |
| draft: false | |
| prerelease: true | |
| - name: Announce staging release | |
| if: contains(env.TAG, 'staging') | |
| uses: wireapp/[email protected] | |
| with: | |
| email: ${{secrets.WIRE_BOT_EMAIL}} | |
| password: ${{secrets.WIRE_BOT_PASSWORD}} | |
| conversation: '697c93e8-0b13-4204-a35e-59270462366a' | |
| send_text: 'Staging bump for commit **${{github.sha}}** ("${{env.TITLE}}") done! 🏁' | |
| - name: Notify CI error | |
| if: failure() && github.event_name != 'pull_request' | |
| uses: wireapp/[email protected] | |
| with: | |
| email: ${{secrets.WIRE_BOT_EMAIL}} | |
| password: ${{secrets.WIRE_BOT_PASSWORD}} | |
| conversation: 'b2cc7120-4154-4be4-b0c0-45a8c361c4d1' | |
| send_text: '${{env.COMMITTER}} broke the "${{env.BRANCH_NAME}}" branch on "${{github.repository}}" with [${{env.TITLE}}](${{env.COMMIT_URL}}) 🌵' | |
| - name: Upload WebApp artifacts | |
| if: env.BUILD_DESKTOP == 'true' | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: webapp-dist | |
| path: ./server/dist | |
| update_helm_chart: | |
| name: Update Helm chart | |
| runs-on: ubuntu-latest | |
| needs: test_build_deploy | |
| steps: | |
| # NOTE: on average, this step will throw an error, because the artifact is generated | |
| # conditionally; see the if-statement of 'Assembling release information'. The | |
| # flag continue-on-error facilitates this design. Overall, the approach is | |
| # basically the vehicle to allow putting the PR creation into a separate, more | |
| # loosely coupled job. The existence of the artifact is used to conditionally | |
| # run all subsequent steps. | |
| - name: Obtaining release information artifact | |
| id: release-info-artifact | |
| uses: actions/download-artifact@v3 | |
| continue-on-error: true | |
| with: | |
| name: release-info.json | |
| - name: Indicating whether release info exist | |
| id: release-info-file | |
| env: | |
| ARTIFACT_LOCAL_PATH: '${{ steps.release-info-artifact.outputs.download-path }}/release-info.json' | |
| shell: bash | |
| run: | | |
| test -s "${ARTIFACT_LOCAL_PATH}" && echo '::set-output name=exists::true' | |
| echo "::set-output name=releaseInfo::$(cat ${ARTIFACT_LOCAL_PATH})" | |
| - name: Checking out 'wire-server' | |
| uses: actions/checkout@v3 | |
| if: ${{ steps.release-info-file.outputs.exists == 'true' }} | |
| with: | |
| repository: 'wireapp/wire-server' | |
| fetch-depth: 1 | |
| - name: Changing Helm value of the webapp chart | |
| id: change-helm-value | |
| if: ${{ steps.release-info-file.outputs.exists == 'true' }} | |
| shell: bash | |
| run: | | |
| sed --in-place --expression="s/ tag: .*/ tag: \"${{ fromJSON(steps.release-info-file.outputs.releaseInfo).imageTag }}\"/" ./charts/webapp/values.yaml | |
| git add ./charts/webapp/values.yaml | |
| echo "Upgrade webapp version to ${{ fromJSON(steps.release-info-file.outputs.releaseInfo).imageTag }}" > ./changelog.d/0-release-notes/webapp-upgrade | |
| git add ./changelog.d/0-release-notes/webapp-upgrade | |
| echo "::set-output name=releaseUrl::${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/releases/tag/${{ fromJSON(steps.release-info-file.outputs.releaseInfo).releaseName }}" | |
| - name: Creating Pull Request | |
| id: create-pr | |
| if: ${{ steps.release-info-file.outputs.exists == 'true' }} | |
| uses: peter-evans/create-pull-request@v5 | |
| with: | |
| draft: false | |
| token: ${{ secrets.ZEBOT_GH_TOKEN }} | |
| author: 'Zebot <[email protected]>' | |
| branch: charts-update-webapp-image-tag-${{ github.run_number }} | |
| commit-message: 'chore: [charts] Update webapp version' | |
| title: 'Update webapp version in Helm chart [skip ci]' | |
| body: | | |
| Image tag: `${{ fromJSON(steps.release-info-file.outputs.releaseInfo).imageTag }}` | |
| Release: [`${{ fromJSON(steps.release-info-file.outputs.releaseInfo).releaseName }}`](${{ steps.change-helm-value.outputs.releaseUrl }}) | |
| - name: Printing Pull Request URL | |
| if: ${{ steps.release-info-file.outputs.exists == 'true' }} | |
| shell: bash | |
| run: | | |
| echo "PR: ${{ steps.create-pr.outputs.pull-request-url }}" | |
| cleanup_artifacts: | |
| permissions: | |
| contents: none | |
| name: Cleanup artifacts | |
| needs: update_helm_chart | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Delete WebApp artifacts | |
| uses: geekyeggo/delete-artifact@v2 | |
| with: | |
| failOnError: false | |
| name: | | |
| webapp-dist | |
| release-info.json |