Update dependency puma to v6.4.3 [SECURITY] #873
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build and deploy staging | |
| on: | |
| pull_request: | |
| paths-ignore: | |
| - '**.md' | |
| branches: [master] | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| - ready_for_review | |
| - unlocked | |
| jobs: | |
| build: | |
| if: github.event.pull_request.draft == false | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set variables | |
| run: | | |
| echo "REGISTRY_VERSION_FILE=staging_registry_version" | |
| echo "REGISTRY_VERSION_FILE=staging_registry_version" >> $GITHUB_ENV | |
| - name: Set image tag | |
| run: | | |
| SHORT_SHA=$(echo $GITHUB_SHA | cut -c 1-7) #pr-s test commit of merged state | |
| echo "TAG=ghcr.io/internetee/accreditation_center:RC-$SHORT_SHA" >> $GITHUB_ENV | |
| echo "STATIC_TAG=ghcr.io/internetee/accreditation_center:STATIC_RC-$SHORT_SHA" >> $GITHUB_ENV | |
| echo "REGISTRY_TAG=ghcr.io/internetee/accreditation_center:REGISTRY_RC-$SHORT_SHA" >> $GITHUB_ENV | |
| echo "SHORT_TAG=RC-$SHORT_SHA" >> $GITHUB_ENV | |
| echo "SHORT_REGISTRY_TAG=REGISTRY_RC-$SHORT_SHA" >> $GITHUB_ENV | |
| - name: Get pull request reference number | |
| run: | | |
| echo "$GITHUB_REF" | |
| echo "PR_REF=$(cat /home/runner/work/_temp/_github_workflow/event.json | jq -r '.number')" >> $GITHUB_ENV | |
| echo $(cat /home/runner/work/_temp/_github_workflow/event.json | jq -r '.number') | |
| - name: Set config files for build | |
| run: | | |
| cp config/database.yml.sample config/database.yml | |
| cp config/application.yml.sample config/application.yml | |
| sed -i -e 's/BASE_URL: "http:\/\/registry:3000"/BASE_URL: "https:\/\/reg-api-accreditation-'$PR_REF'.pilv.tld.ee"/' config/application.yml | |
| sed -i -e 's/BASE_REPP_URL: "http:\/\/registry:3000"/BASE_REPP_URL: "https:\/\/repp-accreditation-'$PR_REF'.pilv.tld.ee"/' config/application.yml | |
| # - name: Build rails image | |
| # env: | |
| # KEY_BASE: ${{ secrets.KEY_BASE}} | |
| # run: | | |
| # docker build -t $TAG --build-arg RAILS_ENV=staging --build-arg SECRET_KEY_BASE="$KEY_BASE" -f Dockerfile.generic . | |
| # - name: Build static content image | |
| # run: | | |
| # docker create -ti --name rails $TAG bash | |
| # docker cp rails:/opt/webapps/app/public/ ./public/ | |
| # docker build -t $STATIC_TAG -f Dockerfile.generic-static . | |
| # - name: Clone registry project | |
| # run: | | |
| # git clone https://github.com/internetee/registry.git | |
| # - name: Check registry version file | |
| # id: check_files | |
| # uses: andstor/file-existence-action@f02338908d150e00a4b8bebc2dad18bd9e5229b0 | |
| # with: | |
| # files: "staging_registry_version" | |
| # - name: Checkout specific registry | |
| # if: steps.check_files.outputs.files_exists == 'true' | |
| # run: | | |
| # REGISTRY_VERSION=`(cat $REGISTRY_VERSION_FILE)` | |
| # cd registry | |
| # git checkout $REGISTRY_VERSION | |
| # - name: Build registry image | |
| # env: | |
| # KEY_BASE: ${{ secrets.KEY_BASE}} | |
| # ST_APP: ${{ secrets.ST_REGISTRY_APPLICATION_YML}} | |
| # run: | | |
| # cd registry | |
| # mkdir log | |
| # echo $ST_APP | base64 -di > config/application.yml | |
| # cp config/database.yml.sample config/database.yml | |
| # sed -i -e 's/LABEL org.opencontainers.image.source=https:\/\/github.com\/internetee\/registry/LABEL org.opencontainers.image.source=https:\/\/github.com\/internetee\/accreditation_center/' Dockerfile.generic | |
| # docker build -t $REGISTRY_TAG --build-arg RAILS_ENV=staging --build-arg SECRET_KEY_BASE="$KEY_BASE" -f Dockerfile.generic . | |
| # - name: Push Docker images to gh container registry | |
| # env: | |
| # PASSWORD: ${{ secrets.GHCR }} | |
| # run: | | |
| # echo $PASSWORD | docker login ghcr.io -u eisbot --password-stdin | |
| # docker push $TAG | |
| # docker push $STATIC_TAG | |
| # docker push $REGISTRY_TAG | |
| # - name: Get repo name | |
| # run: | | |
| # OIFS=$IFS | |
| # IFS='/' | |
| # read -a parts <<< "$GITHUB_REPOSITORY" | |
| # IFS=OIFS | |
| # echo "REPO=${parts[1]}" >> $GITHUB_ENV | |
| # - name: Set deploy config | |
| # env: | |
| # OVPN: ${{ secrets.OVPN }} | |
| # VPN_PWD: ${{ secrets.VPN_PWD }} | |
| # P12: ${{ secrets.P12 }} | |
| # K_CONFIG: ${{ secrets.KUBE_CONFIG }} | |
| # SSH_KEY: ${{ secrets.EISBOT_SSH_KEY }} | |
| # run: | | |
| # echo $VPN_PWD | base64 -di > client.pwd | |
| # chmod 0600 client.pwd | |
| # echo $OVPN | base64 -di > config.ovpn | |
| # echo $P12 | base64 -di > cert.p12 | |
| # mkdir -p ~/.ssh | |
| # echo $SSH_KEY | base64 -di > ~/.ssh/key | |
| # chmod 0600 ~/.ssh/key | |
| # mkdir -p $REPO/$PR_REF | |
| # cd $REPO/$PR_REF | |
| # echo "$SHORT_SHA" > TAG | |
| # echo $K_CONFIG | base64 -di > kubeconfig | |
| # chmod 0600 kubeconfig | |
| # - name: Install Open VPN | |
| # run: sudo apt-get install openvpn | |
| # - name: Deploy from remote server | |
| # timeout-minutes: 5 | |
| # run: | | |
| # sudo openvpn --config config.ovpn --askpass client.pwd --auth-nocache --daemon& | |
| # sleep 15 | |
| # ping -c 1 192.168.99.12 | |
| # eval `ssh-agent` | |
| # touch ~/.ssh/known_hosts | |
| # ssh-add ~/.ssh/key | |
| # ssh-keyscan 192.168.99.12 > ~/.ssh/known_hosts | |
| # rsync -av "$REPO" [email protected]:/home/runner/ | |
| # ssh -T [email protected] << EOSSH | |
| # bash | |
| # cd "$REPO"/"$PR_REF" | |
| # export KUBECONFIG=./kubeconfig | |
| # helm repo add eisrepo https://internetee.github.io/helm-charts/ | |
| # helm repo update | |
| # helm upgrade --install accreditation-st-"$PR_REF" --set image.tag="$SHORT_TAG",reference="$PR_REF" eisrepo/accreditation -n accreditation | |
| # helm upgrade --install reg-repp-"$PR_REF" --set nameOverride="epp-accreditation",image.repository="ghcr.io/internetee/accreditation_center",image.tag="$SHORT_REGISTRY_TAG",reference="$PR_REF" eisrepo/registry-epp -n epp | |
| # helm upgrade --install reg-api-"$PR_REF" --set nameOverride="reg-api-accreditation",image.repository="ghcr.io/internetee/accreditation_center",image.tag="$SHORT_REGISTRY_TAG",reference="$PR_REF" eisrepo/registry-api -n reg-api | |
| # rm kubeconfig | |
| # echo "server obs.tld.ee | |
| # zone pilv.tld.ee | |
| # update add accreditation-"$PR_REF".pilv.tld.ee. 3600 CNAME riigi.pilv.tld.ee. | |
| # update add repp-accreditation-"$PR_REF".pilv.tld.ee. 3600 CNAME riigi.pilv.tld.ee. | |
| # update add reg-api-accreditation-"$PR_REF".pilv.tld.ee. 3600 CNAME riigi.pilv.tld.ee. | |
| # send | |
| # " | nsupdate -k ~/Kgh-runner.infra.tld.ee.+165+27011.key | |
| # if [ "$?" -eq "0" ]; then | |
| # echo "CNAME update success" | |
| # else | |
| # echo "CNAME update failed" | |
| # fi | |
| # EOSSH | |
| # - name: Notify developers | |
| # timeout-minutes: 1 | |
| # env: | |
| # NOTIFICATION_URL: ${{ secrets.NOTIFICATION_URL}} | |
| # run: | | |
| # curl -i -X POST --data-urlencode 'payload={ | |
| # "text": "##### Build and deploy from pull request has been succesful :tada:\n | |
| # | Project | Branch | :net: | | |
| # |:-----------|:----------------------:|:-------------------------------------------:| | |
| # | **'$REPO'**|'${{ github.head_ref }}'| https://accreditation-'$PR_REF'.pilv.tld.ee | | |
| # " | |
| # }' $NOTIFICATION_URL |