s0wlz (Matthias Puchstein)
31f8ef74fe
- Security: Add Secure flag to checkin identity cookie, implement rate limiting on login, and harden Helm security context. - Security: Add cargo-audit to CI and Release pipelines for dependency vulnerability scanning. - Backend: Enable SQLite WAL mode and fix AppState initialization in tests. - Frontend: Fully type the API client, fix importStudents FormData handling, and pin dependency versions. - Frontend: Add auto-logout on 401 and resolve authentication initialization race conditions. - CI/CD: Pin pnpm version in release workflow and include lint/audit quality gates.
115 lines
2.9 KiB
YAML
115 lines
2.9 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*.*.*'
|
|
|
|
env:
|
|
IMAGE: registry.itsh.dev/s0wlz/tutortool
|
|
NAMESPACE: tenant-5
|
|
RELEASE_NAME: tutortool
|
|
|
|
jobs:
|
|
release:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '22'
|
|
|
|
- uses: pnpm/action-setup@v4
|
|
with:
|
|
version: '9'
|
|
|
|
- uses: dtolnay/rust-toolchain@master
|
|
with:
|
|
toolchain: '1.95.0'
|
|
components: clippy, rustfmt
|
|
|
|
- name: Cache Cargo
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/.cargo/registry
|
|
~/.cargo/git
|
|
backend/target
|
|
key: cargo-${{ hashFiles('backend/Cargo.lock') }}
|
|
restore-keys: cargo-
|
|
|
|
- name: Cache pnpm store
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: ~/.local/share/pnpm/store
|
|
key: pnpm-${{ hashFiles('frontend/pnpm-lock.yaml') }}
|
|
restore-keys: pnpm-
|
|
|
|
- name: Install frontend deps
|
|
run: pnpm --dir frontend install --frozen-lockfile
|
|
|
|
- name: Generate SvelteKit types
|
|
run: pnpm --dir frontend exec svelte-kit sync
|
|
|
|
- name: Type check (frontend)
|
|
run: pnpm --dir frontend exec tsgo --version && pnpm --dir frontend check
|
|
|
|
- name: Type check (backend)
|
|
run: cargo check --manifest-path backend/Cargo.toml
|
|
|
|
- name: Clippy
|
|
run: cargo clippy --manifest-path backend/Cargo.toml -- -D warnings
|
|
|
|
- name: Format check
|
|
run: cargo fmt --manifest-path backend/Cargo.toml -- --check
|
|
|
|
- name: Unit tests (backend)
|
|
run: cargo test --manifest-path backend/Cargo.toml
|
|
|
|
- name: Security audit
|
|
run: |
|
|
cargo install cargo-audit --locked
|
|
cargo audit --manifest-path backend/Cargo.toml
|
|
|
|
- name: Build frontend
|
|
run: pnpm --dir frontend build
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Log in to registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: registry.itsh.dev
|
|
username: ${{ secrets.REGISTRY_USER }}
|
|
password: ${{ secrets.REGISTRY_TOKEN }}
|
|
|
|
- name: Build and push image
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: .
|
|
push: true
|
|
tags: |
|
|
${{ env.IMAGE }}:${{ github.ref_name }}
|
|
${{ env.IMAGE }}:latest
|
|
|
|
- name: Configure kubectl
|
|
run: |
|
|
mkdir -p ~/.kube
|
|
echo "${{ secrets.K8S_CONFIG }}" | base64 -d > ~/.kube/config
|
|
chmod 600 ~/.kube/config
|
|
|
|
- name: Set up Helm
|
|
uses: azure/setup-helm@v4
|
|
with:
|
|
version: v3.16.2
|
|
|
|
- name: Deploy via Helm
|
|
run: |
|
|
helm upgrade --install ${{ env.RELEASE_NAME }} ./deploy \
|
|
-f ./deploy/values_override.yaml \
|
|
--set image.tag=${{ github.ref_name }} \
|
|
-n ${{ env.NAMESPACE }} \
|
|
--wait --timeout 5m
|