Tighten security #317
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pse backend CI | |
| on: | |
| pull_request: | |
| paths: ['pse-backend-demo/**/*', '.github/workflows/pse-ci.yaml'] | |
| push: | |
| branches: ["main"] | |
| jobs: | |
| setup: | |
| name: Setup and Install | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Setup pnpm | |
| uses: ./.github/actions/setup-pnpm | |
| # quality: | |
| # defaults: | |
| # run: | |
| # working-directory: ./pse-backend-demo/ | |
| # name: Code Quality | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| # - uses: biomejs/setup-biome@f382a98e582959e6aaac8e5f8b17b31749018780 # v2 | |
| # with: | |
| # version: latest | |
| # - run: biome ci . | |
| build: | |
| defaults: | |
| run: | |
| working-directory: ./pse-backend-demo/ | |
| name: Build | |
| needs: setup | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - uses: ./.github/actions/setup-pnpm | |
| - run: pnpm build | |
| # deploy: | |
| # runs-on: ubuntu-latest | |
| # permissions: | |
| # deployments: write | |
| # needs: build | |
| # defaults: | |
| # run: | |
| # working-directory: ./pse-backend-demo/ | |
| # steps: | |
| # - name: Deploy to production | |
| # uses: johnbeynon/render-deploy-action@v0.0.8 | |
| # with: | |
| # service-id: ${{ secrets.RENDER_SERVICE_ID }} | |
| # api-key: ${{ secrets.RENDER_API_KEY }} | |
| # wait-for-success: true | |
| # - uses: JorgeLNJunior/render-deploy@v1.4.5 | |
| # with: | |
| # service_id: ${{ secrets.RENDER_SERVICE_ID }} | |
| # api_key: ${{ secrets.RENDER_API_KEY }} | |
| # clear_cache: true # Optional: Clear Render's build cache | |
| # wait_deploy: true | |
| # github_deployment: true | |
| # deployment_environment: 'production' | |
| # github_token: ${{ secrets.GITHUB_TOKEN }} | |
| test: | |
| defaults: | |
| run: | |
| working-directory: ./pse-backend-demo/ | |
| name: Test | |
| needs: setup | |
| runs-on: ubuntu-latest | |
| env: | |
| GNOSIS_PSE_PRIVATE_API_BASE_URL: 'https://mock.com' | |
| CLIENT_CERT: 'mock' | |
| CLIENT_KEY: 'mock' | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - uses: ./.github/actions/setup-pnpm | |
| - run: pnpm test | |
| # docker: | |
| # defaults: | |
| # run: | |
| # working-directory: ./pse-backend-demo/ | |
| # name: Docker Build and Push | |
| # needs: [build, test] | |
| # runs-on: ubuntu-latest | |
| # permissions: | |
| # contents: read | |
| # packages: write | |
| # steps: | |
| # - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| # with: | |
| # fetch-depth: 0 # Fetch all history for proper versioning | |
| # # Set up Docker Buildx | |
| # - name: Set up Docker Buildx | |
| # uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 | |
| # # Login to GitHub Container Registry | |
| # - name: Login to GitHub Container Registry | |
| # uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 | |
| # with: | |
| # registry: ghcr.io | |
| # username: ${{ github.actor }} | |
| # password: ${{ secrets.GITHUB_TOKEN }} | |
| # # Generate Docker metadata (tags, labels) | |
| # - name: Docker metadata | |
| # id: meta | |
| # uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5 | |
| # with: | |
| # images: ghcr.io/${{ github.repository }} | |
| # tags: | | |
| # type=raw,value=${{ github.sha }} | |
| # type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} | |
| # type=semver,pattern={{version}},enable=${{ startsWith(github.ref, 'refs/tags/v') }} | |
| # type=semver,pattern={{major}}.{{minor}},enable=${{ startsWith(github.ref, 'refs/tags/v') }} | |
| # type=ref,event=branch | |
| # type=ref,event=pr | |
| # type=sha,format=long | |
| # # Build and push | |
| # - name: Build and push | |
| # uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6 | |
| # with: | |
| # context: . | |
| # push: ${{ github.event_name != 'pull_request' }} | |
| # tags: ${{ steps.meta.outputs.tags }} | |
| # labels: ${{ steps.meta.outputs.labels }} | |
| # cache-from: | | |
| # type=gha,scope=${{ github.ref_name }}-${{ github.job }} | |
| # type=registry,ref=ghcr.io/${{ github.repository }}:buildcache | |
| # cache-to: | | |
| # type=gha,mode=max,scope=${{ github.ref_name }}-${{ github.job }} | |
| # type=registry,ref=ghcr.io/${{ github.repository }}:buildcache,mode=max | |
| summary: | |
| defaults: | |
| run: | |
| working-directory: ./pse-backend-demo/ | |
| name: Workflow Summary | |
| needs: [setup, test, build] | |
| runs-on: ubuntu-latest | |
| if: always() # Run even if previous jobs fail | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Generate CI Summary | |
| run: | | |
| echo "# 📋 CI Workflow Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| # Build info | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "## 🔨 Build Information" >> $GITHUB_STEP_SUMMARY | |
| echo "| Property | Value |" >> $GITHUB_STEP_SUMMARY | |
| echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Repository** | ${{ github.repository }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Branch/Tag** | ${{ github.ref_name }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Commit** | [${{ github.sha }}](https://github.com/${{ github.repository }}/commit/${{ github.sha }}) |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Triggered by** | ${{ github.event_name }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Workflow Run** | [View Details](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) |" >> $GITHUB_STEP_SUMMARY | |
| # Docker image info (when applicable) | |
| if [[ "${{ needs.docker.result }}" == "success" && "${{ github.event_name }}" != "pull_request" ]]; then | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "## 🐳 Docker Image" >> $GITHUB_STEP_SUMMARY | |
| echo "| Property | Value |" >> $GITHUB_STEP_SUMMARY | |
| echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Repository** | ghcr.io/${{ github.repository }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Latest Tag** | ghcr.io/${{ github.repository }}:${{ github.sha }} |" >> $GITHUB_STEP_SUMMARY | |
| echo "| **Package URL** | [View on GitHub](https://github.com/${{ github.repository }}/pkgs/container/$(echo '${{ github.repository }}' | cut -d'/' -f2)) |" >> $GITHUB_STEP_SUMMARY | |
| fi |