.github/workflows/cicd.yml

# Docs: https://docs.github.com/en/actions


name: CI/CD

on:
  push:
    branches: ["master"]
  pull_request:
    branches: ["master"]

jobs:

  lint:

    name: Linters

    runs-on: ubuntu-latest
    timeout-minutes: 5

    steps:

      - name: Harden CI
        uses: step-security/harden-runner@v2.10.1
        with:
          disable-sudo: true
          disable-file-monitoring: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            objects.githubusercontent.com:443
            pypi.org:443

      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: Install uv
        uses: astral-sh/setup-uv@v3

      - name: Set up Tox environment
        run: |
          uv tool install tox --with tox-uv
          tox run -e lint --notest

      - name: Run Linters
        run: tox run -e lint
        env:
          # no-commit-to-branch always fails in CI, because this pre-commit
          # is only designed for running locally (i.e. when committing to a
          # local master branch)
          SKIP: no-commit-to-branch


  mypy:

    name: Mypy (static type checker)

    runs-on: ubuntu-latest
    timeout-minutes: 5

    steps:

      - name: Harden CI
        uses: step-security/harden-runner@v2.10.1
        with:
          disable-sudo: true
          disable-file-monitoring: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            objects.githubusercontent.com:443
            pypi.org:443

      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: Install uv
        uses: astral-sh/setup-uv@v3

      - name: Set up Tox environment
        run: |
          uv tool install tox --with tox-uv
          tox run -e lint --notest

      - name: Run Mypy
        run: tox run -e mypy


  packaging:
    name: Packaging

    runs-on: ubuntu-latest
    timeout-minutes: 5

    steps:

      - name: Harden CI
        uses: step-security/harden-runner@v2.10.1
        with:
          disable-sudo: true
          disable-file-monitoring: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            objects.githubusercontent.com:443
            pypi.org:443

      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: Install uv
        uses: astral-sh/setup-uv@v3

      - name: Set up Tox environment
        run: |
          uv tool install tox --with tox-uv
          tox run -e lint --notest

      - name: Check packaging
        run: tox run -e packaging


  unit:

    name: "Py:${{ matrix.python-version }} - ${{ matrix.os }}"
    # Available versions:
    # https://github.com/actions/python-versions/blob/main/versions-manifest.json

    runs-on: ${{ matrix.os }}
    timeout-minutes: 30
    continue-on-error: ${{ matrix.optional }}
    strategy:
      matrix:
        os: ["ubuntu-latest"]
        python-version: ["3.13"]  # Versions to test with coverage
        tox-prefix: ["coverage"]
        optional: [false]
        include:
          # Test next Python version but allow it to fail
          - os: "ubuntu-latest"
            python-version: "3.14.0-alpha.1"
            optional: true
            tox-prefix: "test"

    services:
      mysql:
        image: mariadb:10.5.17
        env:
          MYSQL_ROOT_HOST: "%"
          MYSQL_ROOT_PASSWORD: ims
          MYSQL_USER: ims
          MYSQL_PASSWORD: ims
        ports:
          - 3306
        options: >-
          --health-cmd="mysqladmin ping"
          --health-interval=10s
          --health-timeout=5s
          --health-retries=5

    steps:

      - name: Harden CI
        uses: step-security/harden-runner@v2.10.1
        with:
          disable-sudo: true
          disable-file-monitoring: true
          egress-policy: block
          allowed-endpoints: >
            api.codecov.io:443
            api.github.com:443
            cli.codecov.io:443
            codecov.io:443
            files.pythonhosted.org:443
            github.com:443
            objects.githubusercontent.com:443
            pypi.org:443
            storage.googleapis.com:443
            uploader.codecov.io:443

      - name: Checkout source code
        uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}

      - name: Translate Python version to Tox environment
        shell: python
        run: |
          from os import environ
          from pathlib import Path

          py = "${{ matrix.python-version }}"
          py = "".join(py.split(".")[:2])   # Combine major/minor, toss rest
          py = py.replace("pypy-", "py")     # For Pypy: have a litte less py
          env = f"${{ matrix.tox-prefix }}-py{py}"

          print(f"TOX_ENV={env}")

          p = Path(environ["GITHUB_ENV"])
          f = p.open(mode="a")
          f.write(f"TOX_ENV={env}\n")

      - name: Install uv
        uses: astral-sh/setup-uv@v3

      - name: Set up Tox environment
        run: |
          uv tool install tox --with tox-uv
          tox run -e lint --notest

      - name: Run unit tests
        id: test
        run: |
          status=0
          tox run -e "${TOX_ENV}" || status=$?
          if [ ${status} -ne 0 ] && [ "${{ matrix.optional }}" == "true" ]; then
            echo "::warning::Optional matrix job failed."
            echo "optional_fail=true" >> "${GITHUB_OUTPUT}"
            echo "optional_fail_status=${status}" >> "${GITHUB_OUTPUT}"
            exit 0  # Ignore error here to keep the green checkmark going
          fi;
          exit ${status}
        env:
          IMS_TEST_MYSQL_HOST: localhost
          IMS_TEST_MYSQL_PORT: ${{ job.services.mysql.ports['3306'] }}
          IMS_TEST_MYSQL_ROOT_PASSWORD: ims
          IMS_TEST_MYSQL_USERNAME: ims
          IMS_TEST_MYSQL_PASSWORD: ims

      - name: Upload Trial log artifact
        if: ${{ failure() || steps.test.outputs.optional_fail == 'true' }}
        uses: actions/upload-artifact@v4
        with:
          name: trial
          path: .tox/${TOX_ENV}/log/trial.log

      - name: Add comment if optional job failed; delete otherwise
        if: ${{ matrix.optional }}
        uses: thollander/actions-comment-pull-request@v3
        with:
          # Note: tag must be unique to each matrix case
          comment-tag: "${{ matrix.python-version }}-${{ matrix.os }}-optional-notice"
          message: |
            ### ⚠️ Optional matrix job Py:${{ matrix.python-version }} - ${{ matrix.os }} failed ⚠️
             - tox prefix: ${{ matrix.tox-prefix }}
             - exit status: ${{ steps.test.outputs.optional_fail_status }}
          mode: ${{ steps.test.outputs.optional_fail == 'true' && 'upsert' || 'delete' }}

      # Use the latest supported Python version for combining coverage to
      # prevent parsing errors in older versions when looking at modern code.
      - uses: "actions/setup-python@v5"
        if: ${{ matrix.tox-prefix == 'coverage' }}
        with:
          python-version: 3.13

      - name: "Upload coverage to Codecov"
        uses: "codecov/codecov-action@v4"
        if: ${{ matrix.tox-prefix == 'coverage' }}
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: .tox/coverage.xml
          env_vars: GITHUB_REF,GITHUB_COMMIT,GITHUB_USER,GITHUB_WORKFLOW
          fail_ci_if_error: true
        env:
          GITHUB_REF: ${{ github.ref }}
          GITHUB_COMMIT: ${{ github.sha }}
          GITHUB_USER: ${{ github.actor }}
          GITHUB_WORKFLOW: ${{ github.workflow }}


  docker-build:
    name: Build Docker image

    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:

      - name: Harden CI
        uses: step-security/harden-runner@v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            auth.docker.io:443
            dl-cdn.alpinelinux.org:443
            files.pythonhosted.org:443
            github.com:443
            production.cloudflare.docker.com:443
            pypi.org:443
            registry-1.docker.io:443

      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Build Docker image
        run: ./bin/build

      - name: Save Docker image
        run: docker image save ranger-ims-server:dev | gzip -9 > docker_image.tgz

      - name: Upload Docker image artifacts
        uses: actions/upload-artifact@v4
        with:
          name: docker
          path: docker_image.tgz


  docker-test:

    name: Test Docker image

    needs: [docker-build]

    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:

      - name: Harden CI
        uses: step-security/harden-runner@v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            auth.docker.io:443
            github.com:443
            production.cloudflare.docker.com:443
            registry-1.docker.io:443

      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Download Docker image artifacts
        uses: actions/download-artifact@v4
        with:
          name: docker

      - name: Load Docker image
        run: gzip --uncompress --stdout docker_image.tgz | docker image load

      - name: Test Docker image
        run: ./bin/test_docker


  # Can't figure out how to keep a failed docker-trivy job from marking a build
  # as failed in the UI and it's driving me nuts so never mind this.

  # docker-trivy:

  #   name: Trivy (security scan)

  #   needs: [docker-build]

  #   runs-on: ubuntu-latest
  #   timeout-minutes: 10
  #   continue-on-error: true

  #   steps:

  #     - uses: step-security/harden-runner@v2.10.1
  #       with:
  #         egress-policy: audit

  #     - name: Checkout source code
  #       uses: actions/checkout@v4

  #     - name: Download Docker image artifacts
  #       uses: actions/download-artifact@v4
  #       with:
  #         name: docker

  #     - name: Load Docker image
  #       run: gzip --uncompress --stdout docker_image.tgz | docker image load

  #     - name: Run Trivy
  #       run: docker run -v /var/run/docker.sock:/var/run/docker.sock --rm aquasec/trivy image --exit-code 1 --no-progress ranger-ims-server:dev

  deploy-staging:
    name: Deploy image built from master branch to the staging environment

    needs: [docker-test, lint, mypy, packaging, unit]
    if: ${{ github.ref == 'refs/heads/master' }}

    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:

      - name: Harden CI
        uses: step-security/harden-runner@v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            655216687927.dkr.ecr.us-west-2.amazonaws.com:443
            api.ecr.us-west-2.amazonaws.com:443
            ecs.us-west-2.amazonaws.com:443
            email-smtp.us-west-2.amazonaws.com:465
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
            raw.githubusercontent.com:443
            api.github.com:443
            objects.githubusercontent.com:443

      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Download Docker image artifacts
        uses: actions/download-artifact@v4
        with:
          name: docker

      - name: Load Docker image
        run: gzip --uncompress --stdout docker_image.tgz | docker image load

      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Deploy to staging
        run: ./bin/deploy staging
        env:
          # https://github.com/burningmantech/ranger-ims-server/settings/secrets
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
          AWS_ECR_IMAGE_NAME: ${{ secrets.AWS_ECR_IMAGE_NAME }}
          AWS_ECS_CLUSTER_STAGING: rangers
          AWS_ECS_SERVICE_STAGING: ${{ secrets.AWS_ECS_SERVICE_STAGING }}
          NOTIFY_SMTP_HOST: ${{ secrets.NOTIFY_SMTP_HOST }}
          NOTIFY_SMTP_USER: ${{ secrets.NOTIFY_SMTP_USER }}
          NOTIFY_SMTP_PASSWORD: ${{ secrets.NOTIFY_SMTP_PASSWORD }}
          NOTIFY_EMAIL_RECIPIENT: ${{ secrets.NOTIFY_EMAIL_RECIPIENT }}
          NOTIFY_EMAIL_SENDER: ${{ secrets.NOTIFY_EMAIL_SENDER }}
          CI: true
          PROJECT_NAME: Ranger IMS Server
          REPOSITORY_ID: ${{ github.repository }}
          BUILD_NUMBER: 0
          BUILD_URL: https://github.com/burningmantech/ranger-ims-server/commit/${{ github.sha }}/checks
          COMMIT_ID: ${{ github.event.head_commit.id }}
          COMMIT_URL: ${{ github.event.head_commit.url }}
          COMMIT_AUTHOR_USER: ${{ github.event.head_commit.author.username }}
          COMMIT_AUTHOR_NAME: ${{ github.event.head_commit.author.name }}
          COMMIT_AUTHOR_EMAIL: ${{ github.event.head_commit.author.email }}
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}