-
-
Notifications
You must be signed in to change notification settings - Fork 50
181 lines (165 loc) · 7.49 KB
/
unsafe_app_ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
# Copyright (c) 2022 Sharezone UG (haftungsbeschränkt)
# Licensed under the EUPL-1.2-or-later.
#
# You may obtain a copy of the Licence at:
# https://joinup.ec.europa.eu/software/page/eupl
#
# SPDX-License-Identifier: EUPL-1.2
# This workflow handles the CI for the app.
#
# Therefore, it's only triggered on pull requests that make changes to the app.
# It only contains jobs that require secrets. The jobs that don't require
# secrets are handled in the "safe_app_ci.yml" workflow.
name: unsafe-app-ci
concurrency:
group: unsafe-app-ci-${{ github.head_ref }}
# In order to conserve the use of GitHub Actions, we cancel the running action
# of the previous commit. This means that if you first commit "A" and then
# commit "B" to the pull request a few minutes later, the workflow for commit
# "A" will be cancelled.
cancel-in-progress: true
on:
# Triggers the workflow on pull request events
pull_request_target:
types:
- opened
- synchronize
- reopened
# It's important to trigger this workflow again when the pull is changing
# from a draft pull request to a ready for review pull request.
#
# Some jobs are skipped when the pull request is a draft. Therefore, we
# need to trigger these jobs again when the pull request is changing to
# ready for review.
- ready_for_review
# Retrigger the workflow when label has been add to run the CI when the
# "safe to test" label is added.
- labeled
merge_group:
types:
- checks_requested
env:
CI_CD_DART_SCRIPTS_PACKAGE_PATH: "tools/sz_repo_cli/"
# Set permissions to none.
#
# Using the broad default permissions is considered a bad security practice
# and would cause alerts from our scanning tools.
permissions: {}
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# It's important that we run this job first, because we need to remove the
# "safe to test" label when the PR comes from a fork in order to ensure that
# every change is reviewed for security implications.
remove-safe-to-build-label:
runs-on: ubuntu-22.04
permissions:
# Required by the remove-safe-to-test-label action
contents: read
pull-requests: write
steps:
- name: Remove "safe to test" label, if PR is from a fork
uses: SharezoneApp/remove-safe-to-test-label@91b378205db41bb08dde8e4c4f2685847eb3d168
# We can't use the official "paths" filter because it has no support for merge
# groups and we would need some kind of fallback CI when a check is required
# but ignored because of the path filter.
#
# See:
# * https://github.com/community/community/discussions/45899 (merge groups)
# * https://github.com/github/docs/commit/4364076e0fb56c2579ae90cd048939eaa2c18954
# (workaround for required checks with path filters)
changes:
needs: remove-safe-to-build-label
runs-on: ubuntu-22.04
outputs:
changesFound: ${{ steps.filter.outputs.changesFound }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
# Because we are using the "pull_request_target" event, we need to
# checkout the PR head commit instead of the merge commit.
ref: ${{ github.event.pull_request.head.sha }}
- uses: AurorNZ/paths-filter@3b1f3abc3371cca888d8eb03dfa70bc8a9867629
id: filter
with:
filters: |
changesFound:
# When we change the Flutter version, we need to trigger this workflow.
- ".fvm/fvm_config.json"
# We only build and deploy a new version, when a user relevant files
# changed.
- "app/**"
- "lib/**"
# We trigger also this workflow, if this workflow is changed, so that new
# changes will be applied.
- ".github/workflows/unsafe_app_ci.yml"
# The following paths are excluded from the above paths. It's important to
# list the paths at the end of the file, so that the exclude paths are
# applied.
#
# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-including-and-excluding-paths.
- "!**/*.md"
- "!**/*.mdx"
- "!**/*.gitignore"
- "!**/firebase.json"
- "!**/.firebaserc"
- "!app/android/fastlane/**"
# We are building for every PR a web preview, which will be deployed to
# Firebase Hosting. The link to the website will posted as comment (like:
# https://github.com/SharezoneApp/sharezone-app/pull/119#issuecomment-1030012299).
#
# The previews are helping reviewer and other users to quickly view the
# changes in a compiled version.
#
# A link to a preview expires after 7 days.
#
# Required steps to set this up:
# 1. Run "firebase init hosting:github"
# 2. Enable "Firebase Hosting API" in Google Cloud project
# 3. Write GitHub action job
# 4. Adjust website restrictions for Firebase Key "Sharezone Web Key".
web-preview:
needs: changes
# We only want to build the web app only for PRs.
#
# Otherwise this will be triggered inside a merge-queue.
if: ${{ github.event_name == 'pull_request_target' && needs.changes.outputs.changesFound == 'true'}}
runs-on: ubuntu-22.04
permissions:
pull-requests: write # for FirebaseExtended/action-hosting-deploy to comment on PRs
checks: write # for FirebaseExtended/action-hosting-deploy to comment on PRs (without write permissions for checks the action doesn't post a comment to the PR, we don't know why)
steps:
- name: Ensure PR has "safe to test" label, if PR is from a fork
uses: SharezoneApp/verify-safe-to-test-label@c1059d43fc918756660a700ca6d08e445ff314a2
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
# Because we are using the "pull_request_target" event, we need to
# checkout the PR head commit instead of the merge commit.
ref: ${{ github.event.pull_request.head.sha }}
- name: Set Flutter version from FVM config file to environment variables
id: fvm-config-action
uses: kuhnroyal/flutter-fvm-config-action@34c3905bc939a4ff9d9cb07d5a977493fa73b2aa
- uses: subosito/flutter-action@44ac965b96f18d999802d4b807e3256d5a3f9fa1
with:
flutter-version: ${{ steps.fvm-config-action.outputs.FLUTTER_VERSION }}
channel: ${{ steps.fvm-config-action.outputs.FLUTTER_CHANNEL }}
- name: Activate sz_repo_cli package
run: flutter pub global activate --source path "$CI_CD_DART_SCRIPTS_PACKAGE_PATH"
# So we can just use "sz COMMAND" instead of "dart ../path/to/script.dart ..."
- run: echo $(realpath ./bin) >> $GITHUB_PATH
- name: Build web app
working-directory: app
run: |
sz build app web \
--flavor dev \
--stage preview
- name: Deploy to Firebase Hosting (sharezone-debug)
uses: FirebaseExtended/action-hosting-deploy@120e124148ab7016bec2374e5050f15051255ba2
with:
repoToken: ${{ secrets.GITHUB_TOKEN }}
firebaseServiceAccount: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_SHAREZONE_DEBUG }}
projectId: sharezone-debug
entryPoint: "./app"
# The expiration date shouldn't be too high, because if we open a lot
# of pull requests, we will run out of quota (we get 429 errors).
expires: "3d"
target: "test-web-app"