Merge pull request #5074 from linuxfoundation/unicron-fix-single-vuln #800
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| # Copyright The Linux Foundation and each contributor to CommunityBridge. | |
| # SPDX-License-Identifier: MIT | |
| name: Build and Deploy to DEV | |
| on: | |
| push: | |
| branches: | |
| - dev | |
| pull_request_target: | |
| types: [closed] | |
| branches: | |
| - dev | |
| workflow_dispatch: | |
| permissions: | |
| # These permissions are needed to interact with GitHub's OIDC Token endpoint to fetch/set the AWS deployment credentials. | |
| id-token: write | |
| contents: read | |
| env: | |
| AWS_REGION: us-east-1 | |
| STAGE: dev | |
| DD_VERSION: ${{ github.event.pull_request.merge_commit_sha || github.sha }} | |
| concurrency: | |
| group: deploy-dev | |
| cancel-in-progress: true | |
| jobs: | |
| build-deploy-dev: | |
| runs-on: ubuntu-latest | |
| environment: dev | |
| if: github.event_name != 'pull_request_target' || github.event.pull_request.merged == true | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} | |
| persist-credentials: false | |
| - name: Setup go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.25' | |
| - name: Go Version | |
| run: go version | |
| - name: Setup Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| - name: Setup python (swagger tooling) | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| cache: 'pip' | |
| cache-dependency-path: cla-backend-go/swagger/requirements.txt | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| audience: sts.amazonaws.com | |
| role-to-assume: arn:aws:iam::395594542180:role/github-actions-deploy | |
| aws-region: us-east-1 | |
| - name: Cache Go modules | |
| uses: actions/cache@v3 | |
| with: | |
| path: ${{ github.workspace }}/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| - name: Configure Git to clone private Github repos | |
| run: git config --global url."https://${TOKEN_USER}:${TOKEN}@github.com".insteadOf "https://github.com" | |
| env: | |
| TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN_GITHUB }} | |
| TOKEN_USER: ${{ secrets.PERSONAL_ACCESS_TOKEN_USER_GITHUB }} | |
| - name: Add OS Tools | |
| run: sudo apt update && sudo apt-get install file -y | |
| - name: Go Setup | |
| working-directory: cla-backend-go | |
| run: | | |
| make clean setup | |
| - name: Go Dependencies | |
| working-directory: cla-backend-go | |
| run: make deps | |
| - name: Go Swagger Generate | |
| working-directory: cla-backend-go | |
| run: | | |
| make swagger | |
| - name: Go Build | |
| working-directory: cla-backend-go | |
| run: | | |
| make build-lambdas-linux build-functional-tests-linux | |
| - name: Go Test | |
| working-directory: cla-backend-go | |
| run: make test | |
| - name: Go Lint | |
| working-directory: cla-backend-go | |
| run: make lint | |
| - name: Go Setup CLA Legacy Backend | |
| working-directory: cla-backend-legacy | |
| run: | | |
| go mod tidy | |
| - name: Go Build CLA Legacy Backend | |
| working-directory: cla-backend-legacy | |
| run: | | |
| make lambdas | |
| - name: Go Test CLA Legacy Backend | |
| working-directory: cla-backend-legacy | |
| run: go test ./... | |
| - name: Go Lint CLA Legacy Backend | |
| working-directory: cla-backend-legacy | |
| run: make lint | |
| - name: Setup Deployment | |
| working-directory: cla-backend | |
| run: | | |
| mkdir -p bin | |
| cp ../cla-backend-go/bin/backend-aws-lambda bin/ | |
| cp ../cla-backend-go/bin/user-subscribe-lambda bin/ | |
| cp ../cla-backend-go/bin/metrics-aws-lambda bin/ | |
| cp ../cla-backend-go/bin/metrics-report-lambda bin/ | |
| cp ../cla-backend-go/bin/dynamo-events-lambda bin/ | |
| cp ../cla-backend-go/bin/zipbuilder-scheduler-lambda bin/ | |
| cp ../cla-backend-go/bin/zipbuilder-lambda bin/ | |
| cp ../cla-backend-go/bin/gitlab-repository-check-lambda bin/ | |
| cp ../cla-backend-legacy/bin/legacy-api-lambda bin/ | |
| - name: EasyCLA API Deployment us-east-1 | |
| working-directory: cla-backend | |
| run: | | |
| yarn install | |
| if [[ ! -f bin/backend-aws-lambda ]]; then echo "Missing bin/backend-aws-lambda binary file. Exiting..."; exit 1; fi | |
| if [[ ! -f bin/user-subscribe-lambda ]]; then echo "Missing bin/user-subscribe-lambda binary file. Exiting..."; exit 1; fi | |
| if [[ ! -f bin/metrics-aws-lambda ]]; then echo "Missing bin/metrics-aws-lambda binary file. Exiting..."; exit 1; fi | |
| if [[ ! -f bin/metrics-report-lambda ]]; then echo "Missing bin/metrics-report-lambda binary file. Exiting..."; exit 1; fi | |
| if [[ ! -f bin/dynamo-events-lambda ]]; then echo "Missing bin/dynamo-events-lambda binary file. Exiting..."; exit 1; fi | |
| if [[ ! -f bin/zipbuilder-lambda ]]; then echo "Missing bin/zipbuilder-lambda binary file. Exiting..."; exit 1; fi | |
| if [[ ! -f bin/zipbuilder-scheduler-lambda ]]; then echo "Missing bin/zipbuilder-scheduler-lambda binary file. Exiting..."; exit 1; fi | |
| if [[ ! -f bin/gitlab-repository-check-lambda ]]; then echo "Missing bin/gitlab-repository-check-lambda binary file. Exiting..."; exit 1; fi | |
| if [[ ! -f bin/legacy-api-lambda ]]; then echo "Missing bin/legacy-api-lambda binary file. Exiting..."; exit 1; fi | |
| if [[ ! -f serverless.yml ]]; then echo "Missing serverless.yml file. Exiting..."; exit 1; fi | |
| if [[ ! -f serverless-authorizer.yml ]]; then echo "Missing serverless-authorizer.yml file. Exiting..."; exit 1; fi | |
| yarn sls deploy --force --stage ${STAGE} --region us-east-1 --verbose | |
| - name: EasyCLA API Service Check | |
| run: | | |
| set -euo pipefail | |
| sudo apt install curl jq -y | |
| declare -r v2_url="https://api.lfcla.${STAGE}.platform.linuxfoundation.org/v2/health" | |
| declare -r v3_url="https://api.lfcla.${STAGE}.platform.linuxfoundation.org/v3/ops/health" | |
| echo "Validating v2 backend using endpoint: ${v2_url}" | |
| v2_headers="$(mktemp)" | |
| curl --fail -sS -D "${v2_headers}" -o /dev/null -XGET "${v2_url}" | |
| if tr -d '\r' < "${v2_headers}" | grep -iq '^x-easycla-backend: cla-backend-legacy$'; then | |
| echo "v2 is served by cla-backend-legacy" | |
| else | |
| echo "Missing X-EasyCLA-Backend: cla-backend-legacy header on ${v2_url}" | |
| cat "${v2_headers}" | |
| exit 1 | |
| fi | |
| echo "Validating v3 backend using endpoint: ${v3_url}" | |
| curl --fail -XGET ${v3_url} | |
| exit_code=$? | |
| if [[ ${exit_code} -eq 0 ]]; then | |
| echo "Successful response from endpoint: ${v3_url}" | |
| if [[ `curl -s -XGET ${v3_url} | jq -r '.Status'` == "healthy" ]]; then | |
| echo "Service is healthy" | |
| else | |
| echo "Service is NOT healthy" | |
| exit -1 | |
| fi | |
| else | |
| echo "Failed to get a successful response from endpoint: ${v3_url}" | |
| exit ${exit_code} | |
| fi | |
| - name: EasyCLA v2 Deployment us-east-2 | |
| working-directory: cla-backend-go | |
| run: | | |
| if [[ ! -f bin/backend-aws-lambda ]]; then echo "Missing bin/backend-aws-lambda binary file. Exiting..."; exit 1; fi | |
| if [[ ! -f bin/user-subscribe-lambda ]]; then echo "Missing bin/user-subscribe-lambda binary file. Exiting..."; exit 1; fi | |
| rm -rf ./node_modules/ | |
| yarn install | |
| yarn sls deploy --force --stage ${STAGE} --region us-east-2 --verbose | |
| - name: EasyCLA v2 Service Check | |
| run: | | |
| sudo apt install curl jq -y | |
| # Development environment endpoint to test | |
| v4_url="https://api-gw.${STAGE}.platform.linuxfoundation.org/cla-service/v4/ops/health" | |
| echo "Validating v4 backend using endpoint: ${v4_url}" | |
| curl --fail -XGET ${v4_url} | |
| exit_code=$? | |
| if [[ ${exit_code} -eq 0 ]]; then | |
| echo "Successful response from endpoint: ${v4_url}" | |
| # JSON response should include "Status": "healthy" | |
| if [[ `curl -s -XGET ${v4_url} | jq -r '.Status'` == "healthy" ]]; then | |
| echo "Service is healthy" | |
| else | |
| echo "Service is NOT healthy" | |
| exit -1 | |
| fi | |
| else | |
| echo "Failed to get a successful response from endpoint: ${v4_url}" | |
| exit ${exit_code} | |
| fi | |
| cypress-functional-after-deploy: | |
| name: Cypress Functional Tests (post-deploy) - executes on a freshly deployed dev API. | |
| if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false }} | |
| runs-on: ubuntu-latest | |
| continue-on-error: true | |
| timeout-minutes: 75 | |
| needs: [build-deploy-dev] | |
| environment: dev | |
| defaults: | |
| run: | |
| working-directory: tests/functional | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Node | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| - name: Install system dependencies | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| sudo apt-get update | |
| # Core deps for Cypress/Electron under Xvfb | |
| sudo apt-get install -y xvfb libgtk-3-0 libgbm1 libnss3 libxss1 xauth fonts-liberation xdg-utils ca-certificates libatk-bridge2.0-0 libatspi2.0-0 libdrm2 | |
| # Optional/legacy GTK2 (ok if missing) | |
| sudo apt-get install -y libgtk2.0-0 || true | |
| # Audio lib: Noble uses libasound2t64 (fallback to libasound2 on older images) | |
| sudo apt-get install -y libasound2t64 || sudo apt-get install -y libasound2 || true | |
| # Notify lib: prefer runtime package; fall back to -dev if needed | |
| sudo apt-get install -y libnotify4 || sudo apt-get install -y libnotify-dev || true | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Create .env from secrets and constants | |
| run: | | |
| cat > .env <<'EOF' | |
| APP_URL=https://api-gw.dev.platform.linuxfoundation.org/ | |
| AUTH0_TOKEN_API=https://linuxfoundation-dev.auth0.com/oauth/token | |
| CYPRESS_ENV=dev | |
| AUTH0_USER_NAME=${{ secrets.AUTH0_USER_NAME }} | |
| AUTH0_PASSWORD=${{ secrets.AUTH0_PASSWORD }} | |
| LFX_API_TOKEN=${{ secrets.LFX_API_TOKEN }} | |
| AUTH0_CLIENT_SECRET=${{ secrets.AUTH0_CLIENT_SECRET }} | |
| AUTH0_CLIENT_ID=${{ secrets.AUTH0_CLIENT_ID }} | |
| EOF | |
| echo "Wrote $(pwd)/.env" | |
| - name: Show Cypress version | |
| run: npx cypress --version | |
| - name: Verify Cypress binary | |
| run: npx cypress verify | |
| - name: Run Cypress (xvfb) | |
| run: xvfb-run -a npx cypress run | |
| - name: Upload Cypress Artifacts (on failure) | |
| if: failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: cypress-artifacts-post-deploy | |
| path: | | |
| tests/functional/cypress/screenshots | |
| tests/functional/cypress/videos | |
| if-no-files-found: ignore |