Update NestBot manifest #30

Workflow file for this run

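# CI/CD pipeline for OWASP Nest: pre-commit + CodeQL + tests on every change,
# then staging images/deploy on pushes to main and production images/deploy on
# published releases.
name: CI/CD

on:
  merge_group:
  pull_request:
    branches:
      - main
    paths-ignore:
      - backend/data/nest.json.gz
  push:
    branches:
      - main
    paths-ignore:
      - backend/data/nest.json.gz
  release:
    types:
      - published
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN; jobs widen it only where needed.
permissions:
  contents: read

# One active run per ref; a newer run cancels the older one.
# NOTE(review): the deploy jobs share this group, so a second push to main can
# cancel an in-flight staging deploy part-way through — consider
# cancel-in-progress: false or a dedicated group for the deploy jobs.
concurrency:
  cancel-in-progress: true
  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.head_ref || github.ref_name }}

env:
  # NOTE(review): images are published under a personal Docker Hub namespace;
  # an organisation-owned namespace keeps the image supply chain independent
  # of a single user account.
  DOCKERHUB_USERNAME: arkid15r
  FORCE_COLOR: '1'

# NOTE(review): third-party actions are referenced by mutable major tags
# (e.g. actions/checkout@v4); pinning to full commit SHAs, kept current by
# Dependabot, protects against a retargeted tag.
jobs:
  pre-commit:
    name: Run pre-commit
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Install Poetry
        run: pipx install poetry

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          cache: poetry
          cache-dependency-path: backend/poetry.lock
          python-version: '3.13'

      - name: Run pre-commit
        # NOTE(review): the version ref below is garbled in this rendering of
        # the file ('[email protected]'); restore the real tag from the repository.
        uses: pre-commit/[email protected]

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: npm
          cache-dependency-path: frontend/package-lock.json

      - name: Install frontend dependencies
        working-directory: frontend
        # NOTE(review): `npm ci` installs exactly what package-lock.json pins and
        # fails on drift; `npm install` may rewrite the lockfile (caught later by
        # the uncommitted-changes check, but only after the fact).
        run: npm install

      - name: Run npm format
        working-directory: frontend
        run: npm run format

      - name: Run npm lint check
        working-directory: frontend
        run: npm run lint:check

      - name: Check for uncommitted changes
        # Fails the job if the format/lint steps above modified tracked files.
        # The message was previously split with a backslash inside single
        # quotes, which printed a literal backslash.
        run: |
          git diff --exit-code || {
            echo 'Unstaged changes detected. Run `make check` and use `git add` to address it.'
            exit 1
          }

  code-ql:
    name: CodeQL
    needs:
      - pre-commit
    # A job-level permissions block resets every unlisted scope to none, so
    # contents: read is restated here (CodeQL needs it to read the checkout).
    permissions:
      contents: read
      security-events: write
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language:
          - javascript-typescript
          - python
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - name: Set up Node
        if: matrix.language == 'javascript-typescript'
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: npm
          cache-dependency-path: frontend/package-lock.json

      - name: Install dependencies for frontend
        if: matrix.language == 'javascript-typescript'
        working-directory: frontend
        run: npm install

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: '/language:${{ matrix.language }}'

  run-backend-tests:
    name: Run backend tests
    needs:
      - pre-commit
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Set up Docker buildx
        uses: docker/setup-buildx-action@v3

      - name: Build backend test image
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-backend:cache
          context: backend
          file: backend/Dockerfile.test
          load: true
          platforms: linux/amd64
          tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-backend:latest

      - name: Run backend tests
        run: |
          docker run -e DJANGO_CONFIGURATION=Test ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-backend:latest poetry run pytest

  run-frontend-tests:
    name: Run frontend tests
    needs:
      - pre-commit
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Set up Docker buildx
        uses: docker/setup-buildx-action@v3

      - name: Build frontend test image
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-frontend:cache
          context: frontend
          file: frontend/Dockerfile.test
          load: true
          platforms: linux/amd64
          tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-frontend:latest

      - name: Run frontend tests
        run: |
          docker run --env-file frontend/.env.example ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-test-frontend:latest npm run test

  build-docker-staging-images:
    name: Build Docker Staging Images
    environment: staging
    # Only the canonical repository's main branch may publish staging images.
    if: |
      github.repository == 'OWASP/Nest' &&
      github.ref == 'refs/heads/main'
    needs:
      - code-ql
      - run-backend-tests
      - run-frontend-tests
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build backend image
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:cache
          cache-to: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:cache,mode=max
          context: backend
          file: backend/Dockerfile.staging
          platforms: linux/amd64
          push: true
          tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:staging

      - name: Prepare frontend environment
        # Secrets are handed to the script through env instead of being
        # interpolated into its text, so a value containing quotes, '$' or
        # backticks cannot change what the shell executes.
        env:
          VITE_ALGOLIA_APP_ID: ${{ secrets.VITE_ALGOLIA_APP_ID }}
          VITE_ALGOLIA_SEARCH_API_KEY: ${{ secrets.VITE_ALGOLIA_SEARCH_API_KEY }}
          VITE_API_URL: ${{ secrets.VITE_API_URL }}
          VITE_ENVIRONMENT: ${{ secrets.VITE_ENVIRONMENT }}
          VITE_SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
        run: |
          {
            echo "VITE_ALGOLIA_APP_ID=$VITE_ALGOLIA_APP_ID"
            echo "VITE_ALGOLIA_SEARCH_API_KEY=$VITE_ALGOLIA_SEARCH_API_KEY"
            echo "VITE_API_URL=$VITE_API_URL"
            echo "VITE_ENVIRONMENT=$VITE_ENVIRONMENT"
            echo "VITE_RELEASE_VERSION=$(date '+%y.%-m.%-d')-${GITHUB_SHA:0:7}"
            echo "VITE_SENTRY_DSN=$VITE_SENTRY_DSN"
          } > frontend/.env.staging

      - name: Build frontend image
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:cache
          cache-to: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:cache,mode=max
          context: frontend
          file: frontend/Dockerfile.staging
          platforms: linux/amd64
          push: true
          tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging

  deploy-nest-staging:
    name: Deploy Nest Staging
    env:
      # NOTE(review): host-key checking is off, so the deploy SSH session does
      # not verify the server's identity; pinning the host key in known_hosts
      # (e.g. populated from a repository variable) would close that gap.
      ANSIBLE_HOST_KEY_CHECKING: 'False'
      STAGING_HOST_IP_ADDRESS: '${{ secrets.STAGING_HOST_IP_ADDRESS }}'
      STAGING_SSH_PRIVATE_KEY_PATH: '${{ vars.STAGING_SSH_PRIVATE_KEY_PATH }}'
    environment: staging
    if: |
      github.repository == 'OWASP/Nest' &&
      github.ref == 'refs/heads/main'
    needs:
      - build-docker-staging-images
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Prepare SSH key
        env:
          STAGING_SSH_PRIVATE_KEY: ${{ secrets.STAGING_SSH_PRIVATE_KEY }}
        run: |
          # Create the key file owner-only from the start instead of writing it
          # with the default umask and tightening afterwards; -p keeps the step
          # idempotent if ~/.ssh already exists.
          umask 077
          mkdir -p -m 700 ~/.ssh
          # The path stays a workflow expression (unquoted) so that a leading
          # '~' in the configured value is expanded by the shell.
          printf '%s\n' "$STAGING_SSH_PRIVATE_KEY" > ${{ env.STAGING_SSH_PRIVATE_KEY_PATH }}
          chmod 400 ${{ env.STAGING_SSH_PRIVATE_KEY_PATH }}

      - name: Prepare secrets
        # Same pattern as the frontend step: values reach the shell via env,
        # never as part of the script text.
        env:
          DJANGO_ALGOLIA_APPLICATION_ID: ${{ secrets.DJANGO_ALGOLIA_APPLICATION_ID }}
          DJANGO_ALGOLIA_APPLICATION_REGION: ${{ secrets.DJANGO_ALGOLIA_APPLICATION_REGION }}
          DJANGO_ALGOLIA_WRITE_API_KEY: ${{ secrets.DJANGO_ALGOLIA_WRITE_API_KEY }}
          DJANGO_ALLOWED_HOSTS: ${{ secrets.DJANGO_ALLOWED_HOSTS }}
          DJANGO_AWS_ACCESS_KEY_ID: ${{ secrets.DJANGO_AWS_ACCESS_KEY_ID }}
          DJANGO_AWS_SECRET_ACCESS_KEY: ${{ secrets.DJANGO_AWS_SECRET_ACCESS_KEY }}
          DJANGO_CONFIGURATION: ${{ secrets.DJANGO_CONFIGURATION }}
          DJANGO_DB_HOST: ${{ secrets.DJANGO_DB_HOST }}
          DJANGO_DB_NAME: ${{ secrets.DJANGO_DB_NAME }}
          DJANGO_DB_PASSWORD: ${{ secrets.DJANGO_DB_PASSWORD }}
          DJANGO_DB_PORT: ${{ secrets.DJANGO_DB_PORT }}
          DJANGO_DB_USER: ${{ secrets.DJANGO_DB_USER }}
          DJANGO_OPEN_AI_SECRET_KEY: ${{ secrets.DJANGO_OPEN_AI_SECRET_KEY }}
          DJANGO_SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }}
          DJANGO_SENTRY_DSN: ${{ secrets.DJANGO_SENTRY_DSN }}
          DJANGO_SETTINGS_MODULE: ${{ secrets.DJANGO_SETTINGS_MODULE }}
          DJANGO_SLACK_BOT_TOKEN: ${{ secrets.DJANGO_SLACK_BOT_TOKEN }}
          DJANGO_SLACK_SIGNING_SECRET: ${{ secrets.DJANGO_SLACK_SIGNING_SECRET }}
          # Kept under its secret name here; the file key stays GITHUB_TOKEN.
          DJANGO_GITHUB_TOKEN: ${{ secrets.DJANGO_GITHUB_TOKEN }}
        run: |
          # Backend
          {
            echo "DJANGO_ALGOLIA_APPLICATION_ID=$DJANGO_ALGOLIA_APPLICATION_ID"
            echo "DJANGO_ALGOLIA_APPLICATION_REGION=$DJANGO_ALGOLIA_APPLICATION_REGION"
            echo "DJANGO_ALGOLIA_WRITE_API_KEY=$DJANGO_ALGOLIA_WRITE_API_KEY"
            echo "DJANGO_ALLOWED_HOSTS=$DJANGO_ALLOWED_HOSTS"
            echo "DJANGO_AWS_ACCESS_KEY_ID=$DJANGO_AWS_ACCESS_KEY_ID"
            echo "DJANGO_AWS_SECRET_ACCESS_KEY=$DJANGO_AWS_SECRET_ACCESS_KEY"
            echo "DJANGO_CONFIGURATION=$DJANGO_CONFIGURATION"
            echo "DJANGO_DB_HOST=$DJANGO_DB_HOST"
            echo "DJANGO_DB_NAME=$DJANGO_DB_NAME"
            echo "DJANGO_DB_PASSWORD=$DJANGO_DB_PASSWORD"
            echo "DJANGO_DB_PORT=$DJANGO_DB_PORT"
            echo "DJANGO_DB_USER=$DJANGO_DB_USER"
            echo "DJANGO_OPEN_AI_SECRET_KEY=$DJANGO_OPEN_AI_SECRET_KEY"
            echo "DJANGO_RELEASE_VERSION=$(date '+%y.%-m.%-d')-${GITHUB_SHA:0:7}"
            echo "DJANGO_SECRET_KEY=$DJANGO_SECRET_KEY"
            echo "DJANGO_SENTRY_DSN=$DJANGO_SENTRY_DSN"
            echo "DJANGO_SETTINGS_MODULE=$DJANGO_SETTINGS_MODULE"
            echo "DJANGO_SLACK_BOT_TOKEN=$DJANGO_SLACK_BOT_TOKEN"
            echo "DJANGO_SLACK_SIGNING_SECRET=$DJANGO_SLACK_SIGNING_SECRET"
            echo "GITHUB_TOKEN=$DJANGO_GITHUB_TOKEN"
          } > .env.backend
          # Database
          {
            echo "POSTGRES_DB=$DJANGO_DB_NAME"
            echo "POSTGRES_PASSWORD=$DJANGO_DB_PASSWORD"
            echo "POSTGRES_USER=$DJANGO_DB_USER"
          } > .env.db

      - name: Run Nest deploy
        working-directory: .github/ansible
        run: ansible-playbook -i inventory.yaml staging/deploy.yaml -e "github_workspace=$GITHUB_WORKSPACE"

  build-docker-production-images:
    name: Build Docker Production Images
    environment: production
    # Production images are built only from a published release.
    if: |
      github.event_name == 'release' &&
      github.event.action == 'published'
    needs:
      - code-ql
      - run-backend-tests
      - run-frontend-tests
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build backend image
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:cache
          cache-to: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:cache,mode=max
          context: backend
          file: backend/Dockerfile.production
          platforms: linux/amd64
          push: true
          tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-backend:production

      - name: Prepare frontend environment
        # Secrets and the release tag (event payload data) are passed through
        # env rather than interpolated into the script text.
        env:
          VITE_ALGOLIA_APP_ID: ${{ secrets.ALGOLIA_APP_ID }}
          VITE_ALGOLIA_SEARCH_API_KEY: ${{ secrets.ALGOLIA_SEARCH_API_KEY }}
          VITE_RELEASE_VERSION: ${{ github.event.release.tag_name }}
          VITE_SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
        run: |
          {
            echo "VITE_ALGOLIA_APP_ID=$VITE_ALGOLIA_APP_ID"
            echo "VITE_ALGOLIA_SEARCH_API_KEY=$VITE_ALGOLIA_SEARCH_API_KEY"
            echo "VITE_API_URL=https://nest.owasp.org/api/v1"
            echo "VITE_ENVIRONMENT=production"
            echo "VITE_RELEASE_VERSION=$VITE_RELEASE_VERSION"
            echo "VITE_SENTRY_DSN=$VITE_SENTRY_DSN"
          } > frontend/.env.production

      - name: Build frontend image
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:cache
          cache-to: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:cache,mode=max
          context: frontend
          file: frontend/Dockerfile.production
          platforms: linux/amd64
          push: true
          tags: ${{ env.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production

  deploy-nest-production:
    name: Deploy Nest Production
    env:
      # NOTE(review): as in the staging job, host-key checking is disabled;
      # a pinned known_hosts entry would let Ansible verify the server.
      ANSIBLE_HOST_KEY_CHECKING: 'False'
      PRODUCTION_HOST_IP_ADDRESS: '${{ secrets.PRODUCTION_HOST_IP_ADDRESS }}'
      PRODUCTION_SSH_PRIVATE_KEY_PATH: '~/.ssh/nest_production_private_key'
    environment: production
    if: |
      github.event_name == 'release' &&
      github.event.action == 'published'
    needs:
      - build-docker-production-images
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Prepare SSH key
        env:
          PRODUCTION_SSH_PRIVATE_KEY: ${{ secrets.PRODUCTION_SSH_PRIVATE_KEY }}
        run: |
          # Owner-only from creation; -p keeps the step idempotent.
          umask 077
          mkdir -p -m 700 ~/.ssh
          # Unquoted workflow expression so the leading '~' is expanded.
          printf '%s\n' "$PRODUCTION_SSH_PRIVATE_KEY" > ${{ env.PRODUCTION_SSH_PRIVATE_KEY_PATH }}
          chmod 400 ${{ env.PRODUCTION_SSH_PRIVATE_KEY_PATH }}

      - name: Run Nest deploy
        working-directory: .github/ansible
        run: ansible-playbook -i inventory.yaml production/deploy.yaml -e "github_workspace=$GITHUB_WORKSPACE"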