vets-api/.github/workflows/code_checks.yml at 678873b5ddb98b610daa3e25411984f6b4ca8f54 · department-of-veterans-affairs/vets-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
name: Code Checks
on:
  push:
    branches: [master]
  pull_request:
    types: [opened, reopened, synchronize]
permissions:
  id-token: write
  contents: read
  checks: write
jobs:
  compare_sha:
    runs-on: ubuntu-latest
    name: Compare sha
    steps:
      - name: Compare commit ids
        run: |
          echo "github.sha: ${{ github.sha }}"
          echo "github.event.push.head_commit.id: ${{ github.event.push.head_commit.id }}"
          echo "github.event.pull_request.merge_commit_sha: ${{ github.event.pull_request.merge_commit_sha }}"
          echo "github.event.head_commit.id: ${{ github.event.head_commit.id }}"

  linting_and_security:
    name: Linting and Security
    env:
      BUNDLE_ENTERPRISE__CONTRIBSYS__COM: ${{ secrets.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
    permissions: write-all
    runs-on: ubuntu-32-cores-latest
    steps:
      - name: Checkout PR
        if: ${{ github.event_name != 'pull_request' }}
        uses: actions/checkout@v4

      - name: Checkout PR HEAD ref
        if: ${{ github.event_name == 'pull_request' }}
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0

      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true

      - name: Run bundle-audit (checks gems for CVE issues)
        run: bundle exec bundle-audit check --update --ignore CVE-2024-27456

      - name: Run Rubocop
        run: bundle exec rubocop --parallel --format github

      - name: Run Brakeman
        run: bundle exec brakeman --ensure-latest --confidence-level=2 --format github

      # Always add the "lint-failure" label on failure and remove it on success
      - name: Add Lint Failure label
        if: ${{ failure() && github.event_name == 'pull_request' }}
        uses: actions-ecosystem/action-add-labels@v1
        with:
          number: ${{ github.event.pull_request.number }}
          labels: lint-failure

      - name: Remove Lint Failure label
        if: ${{ success() && github.event_name == 'pull_request' }}
        uses: actions-ecosystem/action-remove-labels@v1
        with:
          number: ${{ github.event.pull_request.number }}
          labels: lint-failure

  tests:
    name: Test
    runs-on: ubuntu-32-cores-latest
    permissions: write-all
    env:
      BUNDLE_ENTERPRISE__CONTRIBSYS__COM: ${{ secrets.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
      ECR_REGISTRY_WITH_SLASH: "${{ secrets.ECR_REGISTRY }}/"
      CI: true
      RAILS_ENV: test
      TERM: xterm-256color
      DOCKER_BUILDKIT: 1
      COMPOSE_DOCKER_CLI_BUILD: 1
      COMPOSE_BASH_CMD: docker compose -f docker-compose.test.yml run web bash -c
    steps:
      - name: Checkout PR
        if: ${{ github.event_name != 'pull_request' }}
        uses: actions/checkout@v4

      - name: Checkout PR HEAD ref
        if: ${{ github.event_name == 'pull_request' }}
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          role-to-assume: ${{ vars.AWS_ASSUME_ROLE }}
          aws-region: us-gov-west-1

      - name: Login to Amazon ECR
        id: ecr-login
        uses: aws-actions/amazon-ecr-login@v2.0.1
        with:
          mask-password: true

      - name: Set Environment Variable
        run: echo "VETS_API_USER_ID=$(id -u)" >> $GITHUB_ENV

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker Image
        uses: docker/build-push-action@v6
        env:
          DOCKER_BUILD_SUMMARY: false
        with:
          build-args: |
            BUNDLE_ENTERPRISE__CONTRIBSYS__COM=${{ env.BUNDLE_ENTERPRISE__CONTRIBSYS__COM }}
            USER_ID=${{ env.VETS_API_USER_ID }}
          context: .
          push: false
          load: true
          tags: vets-api
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Setup Database
        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
        with:
          timeout_minutes: 10
          retry_wait_seconds: 3 # Seconds
          max_attempts: 3
          command: >
            ${{ env.COMPOSE_BASH_CMD }}
            "bundle exec rake parallel:setup[24]"

      - name: Setup system tmp dir
        run: >
          ${{ env.COMPOSE_BASH_CMD }}
          "mkdir -p tmp/systmp"

      - name: Run Specs
        timeout-minutes: 15
        run: >
          ${{ env.COMPOSE_BASH_CMD }}
          "TMPDIR=tmp/systmp bundle exec rake 'parallel:spec[24, , , modules\/]'"

      - name: Upload Coverage Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: Coverage Report
          path: coverage
          include-hidden-files: true

      - name: Upload Test Results (JUnit XMLs)
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: Test Results
          path: log/*.xml
          if-no-files-found: ignore

      - name: Upload Test Artifacts (log)
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: Test Artifacts (log directory)
          path: |
            log
            !log/*.xml
          if-no-files-found: ignore

      - name: Upload Test Artifacts (rails tmp)
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: Test Artifacts (rails tmp directory)
          path: tmp
          if-no-files-found: ignore
          retention-days: 14

      - name: Remove Test Failure label
        if: ${{ success() && github.event_name == 'pull_request' }}
        uses: actions-ecosystem/action-remove-labels@v1
        with:
          number: ${{ github.event.pull_request.number }}
          labels: test-failure

      - name: Add Test Failure label
        if: ${{ failure() && github.event_name == 'pull_request' }}
        uses: actions-ecosystem/action-add-labels@v1
        with:
          number: ${{ github.event.pull_request.number }}
          labels: test-failure

  publish_results:
    name: Publish Test Results and Coverage
    if: always()
    needs: tests
    permissions: write-all
    runs-on: ubuntu-16-cores-latest

    steps:
      - uses: actions/download-artifact@v4

      - name: Publish Test Results to GitHub
        if: always()
        uses: EnricoMi/publish-unit-test-result-action@v2
        with:
          check_name: Test Results
          comment_mode: off
          files: Test Results/*.xml
          github_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Fix up coverage report to work with coverage-check-action
        run: sed -i 's/"line"/"covered_percent"/g' 'Coverage Report/.last_run.json'

      - name: Publish Coverage Report
        if: ${{ hashFiles('Coverage Report/.last_run.json') != '' }}
        uses: devmasx/coverage-check-action@v1.2.0
        with:
          type: simplecov
          result_path: Coverage Report/.last_run.json
          min_coverage: 90
          token: ${{ secrets.GITHUB_TOKEN }}