chore(deps): update dependency express to v4.20.0 [security] (#2576) #1106
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy RS School App | |
on: | |
push: | |
branches: [master] | |
paths-ignore: | |
- 'tools/bumblebee/**' | |
concurrency: | |
group: deploy | |
cancel-in-progress: true | |
jobs: | |
deploy_build_client: | |
name: Build (Client) | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup Node.js environment | |
uses: actions/setup-node@v4 | |
with: | |
node-version: '20' | |
- name: Checkout | |
uses: actions/checkout@v4 | |
# - name: Restore next cache | |
# uses: actions/cache@v4 | |
# env: | |
# cache-name: cache-next | |
# with: | |
# path: client/.next/cache/ | |
# key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.sha }} | |
# restore-keys: | | |
# ${{ runner.os }}-${{ env.cache-name }}- | |
- name: Restore npm cache | |
uses: actions/cache@v4 | |
env: | |
cache-name: cache-npm | |
with: | |
path: ~/.npm | |
key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-${{ env.cache-name }}- | |
- name: Generate a isolated subworkspace for Client | |
run: npx turbo prune --scope=client --docker | |
- name: Add lockfile and package.json's and source of isolated subworkspace | |
run: | | |
mkdir -p app | |
cp -r out/json/. app | |
cp -r out/full/. app | |
cp -r out/package-lock.json app | |
cp -r .dockerignore app | |
cp -r common app/common | |
- name: Install dependencies | |
run: npm ci | |
working-directory: ./app | |
- name: Test (npm run test:ci) | |
run: npm run test:ci | |
working-directory: ./app | |
- name: Build (npm run build) | |
env: | |
NODE_ENV: production | |
RSSHCOOL_UI_GCP_MAPS_API_KEY: ${{ secrets.RSSHCOOL_UI_GCP_MAPS_API_KEY }} | |
CDN_HOST: 'https://cdn.rs.school' | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | |
DO_NOT_TRACK: 1 | |
working-directory: ./app | |
run: npm run build | |
- name: Clean modules | |
working-directory: ./app | |
run: npm prune --production | |
- name: Upload to CDN | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: eu-central-1 | |
run: aws s3 cp ./app/client/.next/static s3://cdn.rs.school/_next/static/ --recursive --cache-control "public,max-age=15552000,immutable" | |
- name: Build container | |
run: docker build -t ghcr.io/rolling-scopes/rsschool-app-client:master -f client/Dockerfile ./app | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish "client" container | |
run: docker push ghcr.io/rolling-scopes/rsschool-app-client:master | |
deploy_build_server: | |
name: Build (Server) | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup Node.js environment | |
uses: actions/setup-node@v4 | |
with: | |
node-version: '20' | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Restore npm cache | |
uses: actions/cache@v4 | |
env: | |
cache-name: cache-npm | |
with: | |
path: ~/.npm | |
key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-${{ env.cache-name }}- | |
- name: Generate a isolated subworkspace for Client | |
run: npx turbo prune --scope=server --docker | |
- name: Add lockfile and package.json's and source of isolated subworkspace | |
run: | | |
mkdir -p app | |
cp -r out/json/. app | |
cp -r out/full/. app | |
cp -r out/package-lock.json app | |
cp -r common app/common | |
- name: Install dependencies | |
run: npm ci | |
working-directory: ./app | |
- name: Test (npm test) | |
run: npm test | |
working-directory: ./app | |
- name: Build (npm run build) | |
env: | |
NODE_ENV: production | |
DO_NOT_TRACK: 1 | |
run: npm run build | |
working-directory: ./app | |
- name: Build container | |
run: docker build -t ghcr.io/rolling-scopes/rsschool-app-server:master -f server/Dockerfile ./app | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish "server" container | |
run: docker push ghcr.io/rolling-scopes/rsschool-app-server:master | |
deploy_build_nestjs: | |
name: Build (Nest.js) | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup Node.js environment | |
uses: actions/setup-node@v4 | |
with: | |
node-version: '20' | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Restore npm cache | |
uses: actions/cache@v4 | |
env: | |
cache-name: cache-npm | |
with: | |
path: ~/.npm | |
key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-${{ env.cache-name }}- | |
- name: Generate a isolated subworkspace for Client | |
run: npx turbo prune --scope=server --scope=nestjs --docker | |
- name: Add lockfile and package.json's and source of isolated subworkspace | |
run: | | |
mkdir -p app | |
cp -r out/json/. app | |
cp -r out/full/. app | |
cp -r out/package-lock.json app | |
cp -r common app/common | |
- name: Install dependencies | |
run: npm ci | |
working-directory: ./app | |
# - name: Test (npm test) | |
# run: npm test | |
- name: Build (npm run build) | |
env: | |
NODE_ENV: production | |
DO_NOT_TRACK: 1 | |
run: npx turbo run build --filter=nestjs | |
working-directory: ./app | |
- name: Build container | |
run: docker build -t ghcr.io/rolling-scopes/rsschool-app-nestjs:master -f nestjs/Dockerfile ./app | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v1 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish "nestjs" container | |
run: docker push ghcr.io/rolling-scopes/rsschool-app-nestjs:master | |
deploy_aws: | |
name: Deploy to AWS | |
needs: [deploy_build_client, deploy_build_server, deploy_build_nestjs] | |
runs-on: ubuntu-latest | |
env: | |
PRIVATE_KEY: ${{ secrets.AWS_PRIVATE_KEY }} | |
HOSTNAME: ${{ secrets.EC2_HOSTNAME }} | |
USERNAME: ${{ secrets.EC2_USERNAME }} | |
environment: | |
name: production | |
url: https://app.rs.school | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Pull AWS SSM Params | |
uses: deptno/[email protected] | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: eu-central-1 | |
with: | |
ssm-path: /prod/app | |
format: dotenv | |
output: .env | |
- name: Pull the latest images | |
run: | | |
echo "$PRIVATE_KEY" > private_key && chmod 600 private_key | |
scp -o StrictHostKeyChecking=no -i private_key ./.env ${USERNAME}@${HOSTNAME}:~/.env | |
scp -o StrictHostKeyChecking=no -i private_key ./docker-compose.yml ${USERNAME}@${HOSTNAME}:~/docker-compose.yml | |
scp -o StrictHostKeyChecking=no -i private_key ./setup/nginx/nginx.conf ${USERNAME}@${HOSTNAME}:~/nginx/nginx.conf | |
ssh -o StrictHostKeyChecking=no -i private_key ${USERNAME}@${HOSTNAME} ' | |
sleep 10 | |
docker-compose pull | |
' | |
- name: Restart | |
run: | | |
echo "$PRIVATE_KEY" > private_key && chmod 600 private_key | |
ssh -o StrictHostKeyChecking=no -i private_key ${USERNAME}@${HOSTNAME} ' | |
docker-compose up -d | |
docker-compose restart nginx | |
' | |
- name: Clean up | |
run: | | |
echo "$PRIVATE_KEY" > private_key && chmod 600 private_key | |
ssh -o StrictHostKeyChecking=no -i private_key ${USERNAME}@${HOSTNAME} ' | |
docker system prune -f | |
' |