doc: reviewed security model #218
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & tests | |
| on: | |
| push: | |
| branches: | |
| - "**" | |
| - "!main" | |
| tags: | |
| - "v*.*.*" | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| if: " ! startsWith(github.event.ref, 'refs/tags/v')" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: cachix/install-nix-action@v20 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-unstable | |
| - uses: cachix/cachix-action@v12 | |
| with: | |
| name: novops | |
| authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
| - uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.cargo/bin/ | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/git/db/ | |
| target/ | |
| key: ${{ runner.os }}-${{ runner.arch }}-cargo | |
| - uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.local/share/containers/storage/ | |
| key: ${{ runner.os }}-${{ runner.arch }}-podman | |
| - run: nix develop -c make test | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: cachix/install-nix-action@v20 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-unstable | |
| - uses: cachix/cachix-action@v12 | |
| with: | |
| name: novops | |
| authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
| - uses: actions/cache@v3 | |
| with: | |
| path: | | |
| build/cache | |
| key: ${{ runner.os }}-${{ runner.arch }}-podman | |
| - run: nix develop -c make build-image build-binary | |
| - name: Upload built artifacts | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: novops-build | |
| if-no-files-found: error | |
| path: | | |
| build/novops | |
| build/novops.zip | |
| build/novops.zip.sha256sum | |
| build/image.tar | |
| # Build and push to cachix | |
| build-flake: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: cachix/install-nix-action@v20 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-unstable | |
| - uses: cachix/cachix-action@v12 | |
| with: | |
| name: novops | |
| authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
| - run: nix build --json | jq -r '.[].outputs | to_entries[].value' | cachix push novops | |
| test-novops-cli: | |
| runs-on: ubuntu-latest | |
| if: " ! startsWith(github.event.ref, 'refs/tags/v')" | |
| needs: build | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: download novops artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: novops-build | |
| path: build | |
| - name: novops load | |
| run: | | |
| ls -al build | |
| chmod +x build/novops | |
| build/novops load -c tests/.novops.plain-strings.yml -s .envrc -e dev | |
| cat .envrc >> "$GITHUB_ENV" | |
| - name: check novops loaded values | |
| run: env | grep MY_APP_HOST | |
| - name: novops run and check var | |
| run: | | |
| build/novops run -c tests/.novops.plain-strings.yml -e dev -- sh -c "env | grep DOG_PATH" | |
| - name: novops run with builtin env variables | |
| run: | | |
| export NOVOPS_CONFIG=tests/.novops.plain-strings.yml | |
| export NOVOPS_ENVIRONMENT=dev | |
| build/novops run -- sh -c "env | grep DOG_PATH" | |
| # Upload artifacts for release tags only | |
| release-artifacts: | |
| needs: build | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| if: startsWith(github.event.ref, 'refs/tags/v') | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: download novops artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: novops-build | |
| path: build | |
| - run: nix develop -c make docker-publish | |
| - run: nix develop -c make release-artifacts | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} |