Update dependency Werkzeug to v3 [SECURITY] #930
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - '**' | |
| jobs: | |
| build: | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@master | |
| with: | |
| platforms: all | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Docker meta | |
| id: docker_meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: mormahr/pdf-service | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=edge,branch=main | |
| type=sha,format=long | |
| labels: | | |
| org.opencontainers.image.vendor=Moritz Mahringer | |
| - name: Docker meta (testing) | |
| id: docker_meta_testing | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: mormahr/pdf-service | |
| flavor: | | |
| latest=false | |
| suffix=-testing | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=edge,branch=main | |
| type=sha,format=long | |
| labels: | | |
| org.opencontainers.image.vendor=Moritz Mahringer | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Extract branch name | |
| shell: bash | |
| run: | | |
| BRANCH=${GITHUB_REF#refs/heads/} | |
| SAFE_BRANCH=${BRANCH//\//_} | |
| echo "##[set-output name=branch;]$(echo $SAFE_BRANCH)" | |
| id: extract_branch | |
| - name: Build and push | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: . | |
| push: ${{ github.event_name != 'pull_request' }} | |
| build-args: GITHUB_SHA=${{ github.sha }} | |
| cache-from: | | |
| type=registry,ref=mormahr/pdf-service:main | |
| type=registry,ref=mormahr/pdf-service:main-testing | |
| type=registry,ref=mormahr/pdf-service:${{ steps.extract_branch.outputs.branch }} | |
| type=registry,ref=mormahr/pdf-service:${{ steps.extract_branch.outputs.branch }}-testing | |
| cache-to: type=inline | |
| tags: ${{ steps.docker_meta.outputs.tags }} | |
| labels: ${{ steps.docker_meta.outputs.labels }} | |
| target: production | |
| platforms: linux/amd64,linux/arm64 | |
| - name: Build and push (testing image) | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: . | |
| push: ${{ github.event_name != 'pull_request' }} | |
| build-args: GITHUB_SHA=${{ github.sha }} | |
| cache-from: | | |
| type=registry,ref=mormahr/pdf-service:main | |
| type=registry,ref=mormahr/pdf-service:main-testing | |
| type=registry,ref=mormahr/pdf-service:${{ steps.extract_branch.outputs.branch }} | |
| type=registry,ref=mormahr/pdf-service:${{ steps.extract_branch.outputs.branch }}-testing | |
| cache-to: type=inline | |
| tags: ${{ steps.docker_meta_testing.outputs.tags }} | |
| labels: ${{ steps.docker_meta_testing.outputs.labels }} | |
| target: testing | |
| platforms: linux/amd64,linux/arm64 | |
| build-e2e: | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Docker meta (e2e) | |
| id: docker_meta_testing | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: mormahr/pdf-service | |
| flavor: | | |
| latest=false | |
| suffix=-e2e | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=edge,branch=main | |
| type=sha,format=long | |
| labels: | | |
| org.opencontainers.image.vendor=Moritz Mahringer | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Extract branch name | |
| shell: bash | |
| run: | | |
| BRANCH=${GITHUB_REF#refs/heads/} | |
| SAFE_BRANCH=${BRANCH//\//_} | |
| echo "##[set-output name=branch;]$(echo $SAFE_BRANCH)" | |
| id: extract_branch | |
| - name: Build and push (e2e image) | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: e2e | |
| push: ${{ github.event_name != 'pull_request' }} | |
| build-args: GITHUB_SHA=${{ github.sha }} | |
| cache-from: | | |
| type=registry,ref=mormahr/pdf-service:main-e2e | |
| type=registry,ref=mormahr/pdf-service:${{ steps.extract_branch.outputs.branch }}-e2e | |
| cache-to: type=inline | |
| tags: ${{ steps.docker_meta_testing.outputs.tags }} | |
| labels: ${{ steps.docker_meta_testing.outputs.labels }} | |
| test: | |
| runs-on: ubuntu-20.04 | |
| needs: | |
| - build | |
| strategy: | |
| matrix: | |
| platform: | |
| - "linux/amd64" | |
| - "linux/arm64" | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@master | |
| with: | |
| platforms: ${{ matrix.platform }} | |
| if: ${{ matrix.platform != 'linux/amd64' }} | |
| - name: Run tests | |
| run: | | |
| mkdir coverage | |
| chown 1001 coverage | |
| docker run \ | |
| --rm \ | |
| --platform=${{ matrix.platform }} \ | |
| --user pdf_service_user \ | |
| -v "$(pwd)/coverage:/usr/src/app/coverage/" \ | |
| mormahr/pdf-service:sha-${{ github.sha }}-testing \ | |
| python -m pytest \ | |
| -rA \ | |
| --cov=pdf_service \ | |
| --cov-report term \ | |
| --cov-report html:coverage/cov_html \ | |
| --cov-report xml:coverage/cov.xml \ | |
| --cov-report annotate:coverage/cov_annotate | |
| - name: Upload coverage report | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| files: coverage/cov.xml | |
| flags: unit | |
| name: unit | |
| fail_ci_if_error: true | |
| verbose: true | |
| test-e2e: | |
| runs-on: ubuntu-20.04 | |
| needs: | |
| - build | |
| - build-e2e | |
| strategy: | |
| matrix: | |
| platform: | |
| - "linux/amd64" | |
| - "linux/arm64" | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@master | |
| with: | |
| platforms: ${{ matrix.platform }} | |
| if: ${{ matrix.platform != 'linux/amd64' }} | |
| - name: Run visual tests | |
| run: | | |
| cd e2e | |
| export TAG="sha-$GITHUB_SHA" | |
| export PLATFORM="${{ matrix.platform }}" | |
| docker-compose run --rm test | |
| - uses: actions/upload-artifact@v3 | |
| if: ${{ failure() }} | |
| with: | |
| name: visual-diffs | |
| path: e2e/diffs | |
| licences: | |
| runs-on: ubuntu-20.04 | |
| needs: | |
| - build | |
| steps: | |
| - uses: philips-labs/tern-action@v1.2.0 | |
| id: scan | |
| with: | |
| image: mormahr/pdf-service:sha-${{ github.sha }} | |
| format: human | |
| output: licenses.human.txt | |
| - uses: actions/upload-artifact@v3 | |
| with: | |
| name: tern | |
| path: ${{ steps.scan.outputs.file }} | |
| tag: | |
| runs-on: ubuntu-20.04 | |
| if: github.ref == 'refs/heads/main' | |
| needs: | |
| - build | |
| - test | |
| - test-e2e | |
| steps: | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Docker meta | |
| id: docker_meta | |
| uses: docker/metadata-action@v4 | |
| with: | |
| images: mormahr/pdf-service | |
| flavor: | | |
| latest=false | |
| tags: | | |
| type=edge,branch=main | |
| - name: Install jq | |
| run: sudo apt-get install jq | |
| - name: Tag edge | |
| env: | |
| INPUT_TAGS: ${{ steps.docker_meta.outputs.tags }} | |
| run: | | |
| echo "$INPUT_TAGS" | while read -r TAG | |
| do | |
| echo "tagging $TAG" | |
| MANIFEST_LIST=$( \ | |
| docker manifest inspect mormahr/pdf-service:sha-${{ github.sha }} | \ | |
| jq -rc '.manifests[].digest' | \ | |
| sed -e 's/^/mormahr\/pdf-service@/' | \ | |
| tr '\n' ' ' \ | |
| ) | |
| docker manifest create "$TAG" $MANIFEST_LIST | |
| docker manifest push "$TAG" | |
| done |