Skip to content

feat(INSTALLER): run processes as pi_portal user #829

feat(INSTALLER): run processes as pi_portal user

feat(INSTALLER): run processes as pi_portal user #829

Workflow file for this run

---
name: pi_portal-github-workflow-push
# Begin Cookiecutter Template Content{% raw %}
on:
push:
schedule:
- cron: "0 6 * * 1"
workflow_dispatch:
# secrets:
# SLACK_WEBHOOK:
# description: "Optional, enables Slack notifications."
# required: false
jobs:
configuration:
uses: cicd-tools-org/cicd-tools/.github/workflows/job-00-generic-read_json_file.yml@master
with:
JSON_FILE_PATH: ".github/config/workflows/workflow-push.json"
start:
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-00-generic-notification.yml@master
with:
NOTIFICATION_EMOJI: ":vertical_traffic_light:"
NOTIFICATION_MESSAGE: "Workflow has started!"
commit_lint:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-rev_range_command.yml@master
with:
COMMAND: |
poetry run cz check --rev-range "${PUSHED_COMMIT_REV_RANGE}"
COMMAND_NAME: "Commit Message Lint"
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }}
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }}
REV_RANGE: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_commitizen_rev_range }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }}
commit_spell_check:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-rev_range_command.yml@master
with:
COMMAND: |
CICD_COMMIT_MESSAGES_FILE="$(mktemp XXXXXXXX.git_history_file)"
git log --pretty=format:%s "${PUSHED_COMMIT_REV_RANGE}" > "${CICD_COMMIT_MESSAGES_FILE}"
poetry run pre-commit run --hook-stage commit-msg spelling-commit-message --commit-msg-filename "${CICD_COMMIT_MESSAGES_FILE}"
COMMAND_NAME: "Commit Message Spelling"
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }}
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }}
REV_RANGE: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_commit_spelling_rev_range }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }}
container:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
strategy:
fail-fast: true
matrix:
python-version: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_versions }}
max-parallel: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-40-compose-run_cached_commands.yml@master
with:
BUILD_ARG_ENV_FILE_CONTENT: |
#!/bin/bash
export BUILD_ARG_PYTHON_VERSION="${{ matrix.python-version }}"
export DOCKER_USER_UID="$(id -u)"
export DOCKER_USER_GID="$(id -g)"
COMMANDS: |
dev security-bandit
dev security-safety
dev fmt
dev lint
dev coverage
dev types
COMPOSE_BUILDX_CACHE_KEY: "pi_portal-${{ matrix.python-version }}"
COMPOSE_MOUNTED_CACHE_FOLDER: ".pre-commit"
COMPOSE_MOUNTED_CACHE_KEY_FILE: ".pre-commit-config.yaml"
COMPOSE_SERVICE_NAME: "pi_portal"
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }}
PRE_COMMAND: bash .github/scripts/job-40-prebuild.sh "${{ matrix.python-version }}"
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }}
dockerfile_lint:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml@master
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }}
PRECOMMIT_HOOK_ID: "lint-dockerfile"
PRECOMMIT_HOOK_NAME: "Dockerfile Linting"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }}
json_schema_lint:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml@master
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }}
PRECOMMIT_HOOK_ID: "check-jsonschema"
PRECOMMIT_HOOK_NAME: "Workflow Config JSON Schema Linting"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }}
security:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-10-generic-security_scan_credentials.yml@master
with:
EXTRA_BINARY_ARGS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_trufflehog_extra_scan_args }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }}
markdown_links:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-30-generic-markdown_links.yml@master
with:
CONFIG_FILE: ".github/config/actions/gaurav-nelson-github-action-markdown-link-check.json"
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }}
markdown_lint:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml@master
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }}
PRECOMMIT_HOOK_ID: "lint-markdown"
PRECOMMIT_HOOK_NAME: "Markdown Linting"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }}
markdown_spelling:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-80-poetry-precommit_commit_stage_hook.yml@master
with:
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }}
PRECOMMIT_HOOK_ID: "spelling-markdown"
PRECOMMIT_HOOK_NAME: "Markdown Spelling"
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }}
pre-commit_hooks:
needs: [configuration]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-50-poetry-test_basic_precommit_hooks.yml@master
with:
CHECK_CREDENTIALS: true
CHECK_TOML: true
CHECK_WORKFLOW: true
CONCURRENCY: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }}
PYTHON_VERSIONS: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_python_default_version) }}
VERBOSE_NOTIFICATIONS: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_verbose_notifications }}
create_release:
permissions:
contents: write
needs: [commit_lint, commit_spell_check, configuration, container, dockerfile_lint, json_schema_lint, markdown_links, markdown_lint, markdown_spelling, pre-commit_hooks, security, start]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-99-poetry-create_release.yml@master
with:
JSON_APPENDED_CONTENT: ${{ toJSON(fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_extra_release_content) }}
build_filebeat:
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE == 'true' }}
needs: [configuration, create_release]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-95-generic-build_artifact.yml@master
with:
ARTIFACT_NAME: build-stage-1-filebeat
ARTIFACT_FOLDERS: packaging/filebeat/dist
BUILD_COMMAND: bash .github/scripts/job-95-package-filebeat.sh
REQUIRES_BUILDX: true
REQUIRES_QEMU: true
WORKFLOW_NAME: "release"
build_pi_portal:
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE == 'true' }}
needs: [configuration, create_release]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-95-generic-build_artifact.yml@master
with:
ARTIFACT_NAME: build-stage-1-pi_portal
ARTIFACT_FOLDERS: dist
BUILD_COMMAND: poetry build
REQUIRES_POETRY: true
WORKFLOW_NAME: "release"
build_packages_for_debian:
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE == 'true' }}
needs: [build_filebeat, build_pi_portal, configuration, create_release]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
strategy:
fail-fast: true
matrix:
debian: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_debian_distributions }}
max-parallel: ${{ fromJSON(needs.configuration.outputs.JSON_FILE_DATA).ci_concurrency_limit }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-95-generic-build_artifact.yml@master
with:
ARTIFACT_NAME: build-stage-2-debian-${{ matrix.debian.name }}
ARTIFACT_FOLDERS: |
packaging/debian/dist
DEPENDENT_ARTIFACT_NAME_PATTERN: build-stage-1-*
BUILD_COMMAND: |
export PACKAGING_DEBIAN_VERSION="${{ matrix.debian.name }}"
export PACKAGING_PYTHON_VERSION="${{ matrix.debian.python_version }}"
bash .github/scripts/job-95-package-debian.sh
REQUIRES_BUILDX: true
REQUIRES_POETRY: true
REQUIRES_QEMU: true
VERBOSE_NOTIFICATIONS: true
WORKFLOW_NAME: "release"
build_docker_images:
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE == 'true' }}
needs: [build_packages_for_debian, configuration, create_release]
secrets:
ENV_SECRET_1: ${{ secrets.GITHUB_TOKEN }}
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-95-generic-build_artifact.yml@master
with:
ARTIFACT_NAME: build-stage-3-docker-manifest
ARTIFACT_FOLDERS: |
packaging/docker/dist
DEPENDENT_ARTIFACT_NAME_PATTERN: build-stage-2-debian-bookworm
BUILD_COMMAND: |
export PACKAGING_IMAGE_NAME="pi-portal/pi-portal"
export PACKAGING_REGISTRY_NAME="ghcr.io"
bash .github/scripts/job-95-package-docker.sh
REQUIRES_BUILDX: true
REQUIRES_QEMU: true
VERBOSE_NOTIFICATIONS: true
WORKFLOW_NAME: "release"
attach_artifacts:
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE == 'true' }}
needs: [build_docker_images, configuration, create_release]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-99-generic-attach_artifact_to_release.yml@master
with:
ARTIFACT_NAME_PATTERN: build-stage-*
RELEASE_CONTEXT: ${{ needs.create_release.outputs.RELEASE_CONTEXT }}
UPLOAD_FOLDERS: |
dist
packaging/filebeat/dist
packaging/debian/dist
packaging/docker/dist
VERBOSE_NOTIFICATIONS: true
WORKFLOW_NAME: "release"
success:
if: ${{ needs.create_release.outputs.RELEASE_CANDIDATE != 'true' }}
needs: [configuration, create_release]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-00-generic-notification.yml@master
with:
NOTIFICATION_EMOJI: ":checkered_flag:"
NOTIFICATION_MESSAGE: "Workflow has completed successfully!"
success_release:
needs: [configuration, attach_artifacts]
secrets:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
uses: cicd-tools-org/cicd-tools/.github/workflows/job-00-generic-notification.yml@master
with:
NOTIFICATION_EMOJI: ":checkered_flag:"
NOTIFICATION_MESSAGE: "Release workflow has completed successfully!"
WORKFLOW_NAME: "release"