ci: add SILL deployment workflows and sync-upstream #98
| name: CI - CD | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| security-scan: | |
| name: Security scan dependencies | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| - name: Download Shai-Hulud IOC list | |
| run: | | |
| curl -o iocs.csv https://raw.githubusercontent.com/DataDog/indicators-of-compromise/refs/heads/main/shai-hulud-2.0/consolidated_iocs.csv | |
| - name: Scan dependencies against IOCs | |
| run: node scripts/scan-dependencies.js | |
| validations: | |
| needs: security-scan | |
| runs-on: ubuntu-latest | |
| env: | |
| DATABASE_URL: postgresql://catalogi:pg_password@localhost:5432/db | |
| services: | |
| postgres: | |
| image: postgres:16-alpine | |
| env: | |
| POSTGRES_USER: catalogi | |
| POSTGRES_PASSWORD: pg_password | |
| POSTGRES_DB: db | |
| ports: | |
| - 5432:5432 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| - uses: bahmutov/npm-install@v1 | |
| - name: Build back | |
| run: cd api && yarn build | |
| - name: Migrate db | |
| run: cd api && yarn migrate latest | |
| - name: Fullcheck | |
| run: yarn fullcheck | |
| e2e: | |
| name: E2E tests | |
| runs-on: ubuntu-latest | |
| needs: security-scan | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile --ignore-scripts | |
| - name: Install Playwright browsers | |
| run: cd e2e && npx playwright install --with-deps chromium | |
| - name: Run e2e tests | |
| run: cd e2e && yarn test:e2e | |
| check_if_version_upgraded: | |
| name: Check if version upgrade | |
| if: github.event_name == 'push' | |
| runs-on: ubuntu-latest | |
| needs: [validations, e2e] | |
| outputs: | |
| is_upgraded_in_preprod: ${{ steps.check_version.outputs.is_upgraded_in_preprod }} | |
| is_upgraded_version: ${{ steps.check_version.outputs.is_upgraded_version }} | |
| to_version: ${{ steps.check_version.outputs.to_version }} | |
| from_version: ${{ steps.check_version.outputs.from_version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Check version upgrade | |
| id: check_version | |
| run: | | |
| # Get current version from package.json | |
| CURRENT_VERSION=$(jq -r '.version' package.json) | |
| echo "Version in package.json: $CURRENT_VERSION" | |
| # Get deployed version from preprod API | |
| PRE_PROD_DEPLOYED_VERSION=$(curl -s "https://code.gouv.fr/sill-preprod/api/getApiVersion" | jq -r '.result.data.json') | |
| PROD_DEPLOYED_VERSION=$(curl -s "https://code.gouv.fr/sill/api/getApiVersion" | jq -r '.result.data.json') | |
| echo "Deployed version in preprod: $PRE_PROD_DEPLOYED_VERSION" | |
| echo "Deployed version in prod: $PROD_DEPLOYED_VERSION" | |
| # Simple comparison: check if versions are different | |
| if [ "$CURRENT_VERSION" != "$PRE_PROD_DEPLOYED_VERSION" ]; then | |
| IS_UPGRADED_IN_PRE_PROD="true" | |
| IS_UPGRADED="true" | |
| echo "✅ Version different from preprod ($PRE_PROD_DEPLOYED_VERSION), should deploy: $CURRENT_VERSION" | |
| elif [ "$CURRENT_VERSION" != "$PROD_DEPLOYED_VERSION" ]; then | |
| IS_UPGRADED="true" | |
| echo "✅ Version different from prod ($PROD_DEPLOYED_VERSION), should deploy: $CURRENT_VERSION" | |
| else | |
| IS_UPGRADED="false" | |
| echo "ℹ️ Version unchanged: $CURRENT_VERSION" | |
| fi | |
| echo "Is version upgraded: $IS_UPGRADED" | |
| # Set outputs | |
| echo "is_upgraded_version=$IS_UPGRADED" >> $GITHUB_OUTPUT | |
| echo "is_upgraded_in_preprod=$IS_UPGRADED_IN_PRE_PROD" >> $GITHUB_OUTPUT | |
| echo "to_version=$CURRENT_VERSION" >> $GITHUB_OUTPUT | |
| echo "from_version=$PRE_PROD_DEPLOYED_VERSION" >> $GITHUB_OUTPUT | |
| trigger_pre_production_deploy: | |
| needs: | |
| - check_if_version_upgraded | |
| if: needs.check_if_version_upgraded.outputs.is_upgraded_in_preprod == 'true' | |
| uses: ./.github/workflows/trigger-deploy.yaml | |
| with: | |
| server_host: code.gouv.fr | |
| server_user: web | |
| deploy_script_path: ./update-sill-preprod.sh | |
| server_ssh_key_path: ~/.ssh/sill-data | |
| environment_name: pre-production | |
| version: v${{ needs.check_if_version_upgraded.outputs.to_version }} | |
| secrets: | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
| trigger_production_deploy: | |
| needs: | |
| - trigger_pre_production_deploy | |
| - check_if_version_upgraded | |
| if: needs.check_if_version_upgraded.outputs.is_upgraded_version == 'true' && (needs.trigger_pre_production_deploy.result == 'success' || needs.trigger_pre_production_deploy.result == 'skipped') | |
| uses: ./.github/workflows/trigger-deploy.yaml | |
| with: | |
| server_host: code.gouv.fr | |
| server_user: web | |
| deploy_script_path: ./update-sill-docker-compose.sh | |
| server_ssh_key_path: ~/.ssh/sill-data | |
| environment_name: production | |
| version: v${{ needs.check_if_version_upgraded.outputs.to_version }} | |
| github_environment: production | |
| secrets: | |
| SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} | |
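Review bot: The version check on lines 86–87 cannot tell a failed lookup from a real upgrade: `curl -s` prints nothing on an HTTP error, `jq -r` then yields an empty string or `null`, and the `!=` comparison on line 91 reads that as a version change, so an outage or bad response from the preprod or prod API would set `is_upgraded_in_preprod=true` and start a deployment through the job on line 108. Begin the script with `set -euo pipefail` and fetch with `curl -fsS "https://code.gouv.fr/sill-preprod/api/getApiVersion" | jq -er '.result.data.json'` (same for the prod URL) so a non-2xx status or a missing field fails the job instead of deploying. The IOC download on line 23 has the same gap: without `--fail` a failed `curl -o` leaves an error page or an empty file in `iocs.csv` and the scan on line 25 passes vacuously, so use `curl -fsSL -o iocs.csv …` there. Separately, `IS_UPGRADED_IN_PRE_PROD` is only assigned in the first branch, so line 105 writes an empty value in the other cases; initialising it with `IS_UPGRADED_IN_PRE_PROD="false"` before the `if` keeps the output well-defined.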