diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 56135be7b..202ed1696 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -141,6 +141,8 @@ jobs: actions: read steps: - uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: get commit hash id: get_commit_hash
@@ -168,7 +170,7 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} #TODO(berry): fix on git labels multiple tags env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
@@ -179,7 +181,6 @@ jobs: echo "annotations: ${{ steps.meta.outputs.annotations }}" echo "hash: ${{ steps.get_commit_hash.outputs.commit_hash }}" - - name: Build and push Docker image uses: docker/build-push-action@v5 with:
@@ -208,10 +209,20 @@ jobs: with: sarif_file: 'trivy-results.sarif' + - name: Extract metadata for Docker + id: meta2 + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} #TODO(berry): fix on git labels multiple tags + flavor: | + latest=false + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + - name: Run Trivy SBOM uses: aquasecurity/trivy-action@master with: - image-ref: ${{ steps.meta.outputs.tags }} + image-ref: ${{ steps.meta2.outputs.tags }} scan-type: image exit-code: 0 format: 'cyclonedx'
@@ -224,7 +235,7 @@ jobs: - name: Run Trivy license scanner uses: aquasecurity/trivy-action@master with: - image-ref: ${{ steps.meta.outputs.tags }} + image-ref: ${{ steps.meta2.outputs.tags }} scan-type: image scanners: 'license' exit-code: 0
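Review bot: The trailing `#TODO(berry): fix on git labels multiple tags` appended to the `images:` line (and repeated on the meta2 step in the hunk at line 209) has no space after `#` and only one space before it, which yamllint's comments rule rejects, and it hides the one fact a reader needs: that the `tags` output is multi-line when a commit carries several git tags. Put it on its own line above the key as `# TODO(berry): several git tags on one commit make the tags output multi-line; pick one ref before consuming it`.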
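Review bot: The Trivy SBOM step (and the license scan in the hunk at line 235) now scans `${{ steps.meta2.outputs.tags }}`, a tag recomputed from git metadata rather than the artefact the Build and push step produced; a tag is mutable and, as the TODO on the images line concedes, may expand to several lines, so `image-ref` can name a different image or an unparseable value. If the build step is given an `id`, `image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.<build-step-id>.outputs.digest }}` (placeholder id) pins both scans to the digest that was actually pushed and makes the duplicate meta2 step, whose only difference from `meta` is `latest=false`, unnecessary. That also keeps the SARIF, SBOM and license results attributable to one immutable image.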
@@ -243,6 +254,34 @@ jobs: if-no-files-found: error overwrite: true + deploy: + runs-on: ubuntu-latest + needs: [build] + if: ${{ github.event_name == 'push' }} + permissions: + actions: write + steps: + - name: Extract metadata for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: "" # make empty to get the correct tag + flavor: | + latest=false + + - name: print metadata + run: | + echo "tags: ${{ steps.meta.outputs.tags }}" + + - uses: actions/checkout@v4 + + - name: Trigger deployment + run: | + gh workflow run deploy.yml -f image_tag=${{ steps.meta.outputs.tags }} -f environment=production + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + notifyMattermost: runs-on: ubuntu-latest needs: [lint, security, test, build ]
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 892f67062..b0659e110 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,10 +1,6 @@ name: deploy - on: - push: - branches: - - main workflow_dispatch: inputs: image_tag:
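Review bot: The new deploy job gates only on `needs: [build]` while notifyMattermost right below it waits for `[lint, security, test, build]`, so a production deployment is dispatched even when the security or test jobs fail; it should declare `needs: [lint, security, test, build]` too. The `if: ${{ github.event_name == 'push' }}` condition carries no branch check and `environment=production` is hard-coded, so unless the workflow's `on:` block (outside this hunk) limits pushes to main, every push that reaches this job deploys to production; `&& github.ref == 'refs/heads/main'` or a protected `environment:` with required reviewers would make the gate explicit. In the Trigger deployment step the tag is spliced straight into the shell line, so a multi-line or unexpected `tags` output becomes extra shell input; set `IMAGE_TAG: ${{ steps.meta.outputs.tags }}` under the step's existing `env:` and run `gh workflow run deploy.yml -f "image_tag=$IMAGE_TAG" -f environment=production`. Declaring `permissions:` sets every unlisted scope to none, so if the repository is private the checkout step also needs `contents: read`. `images: ""` with the note "make empty to get the correct tag" leans on an undocumented behaviour of the metadata action; a comment naming the exact tag format deploy.yml expects would help the next reader.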
@@ -28,47 +24,14 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - with: - path: 'source/tad/' - - - name: get commit hash - id: get_commit_hash - run: | - cd source/tad/ - echo "commit_hash=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" - - - name: Get GHCR package hash id: get_package_hash run: | - if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then container_id=$(gh api --paginate -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /orgs/MinBZK/packages/container/tad/versions | jq -r '.[] | select(.metadata.container.tags | contains(["${{ inputs.image_tag }}"])) | .name') echo "container_id=$container_id" >> "$GITHUB_OUTPUT" - else - container_id=$(gh api --paginate -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /orgs/MinBZK/packages/container/tad/versions | jq -r '.[] | select(.metadata.container.tags | contains(["main"])) | .name') - echo "container_id=$container_id" >> "$GITHUB_OUTPUT" - fi env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Get deploy environment - id: get_deploy_env - run: | - if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then - echo "env=${{ inputs.environment }}" >> "$GITHUB_OUTPUT" - else - echo "env=sandbox" >> "$GITHUB_OUTPUT" - fi - - - name: Print deploy hash and environment - run: | - echo "Container ID: ${{ steps.get_package_hash.outputs.container_id }}" - echo "Overlay: ${{ steps.get_deploy_env.outputs.env }}" - echo "Version: ${{ inputs.image_tag || 'main' }}" - echo "Actor: ${{ github.actor}}" - echo "Commit: ${{ steps.get_commit_hash.outputs.commit_hash }}" - - name: check correct name run: | if [ -z "${{steps.get_package_hash.outputs.container_id}}" ]; then 
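Review bot: With the push fallback removed, `inputs.image_tag` is the only selector left in the Get GHCR package hash step, and it is both interpolated directly into the `run:` script and matched with jq `contains`, which on arrays of strings is a substring test: a tag such as `v1` also matches `v1.2`, so `container_id` can come back as several newline-separated names, and the empty-string test in the check correct name step does not catch that. Passing the input through the step's existing `env:` as `IMAGE_TAG: ${{ inputs.image_tag }}` and matching exactly with `jq -r --arg tag "$IMAGE_TAG" '.[] | select(any(.metadata.container.tags[]; . == $tag)) | .name'` fixes both the shell interpolation and the ambiguous match. The check correct name step could additionally reject a `container_id` that contains a newline, since the sed in the later hunk would otherwise write all of them into newTag.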
@@ -90,17 +53,16 @@ jobs: - name: Make changes to the file run: | - sed -i 's/newTag: .*$/newTag: ${{inputs.image_tag || 'main' }}@${{ steps.get_package_hash.outputs.container_id }}/g' apps/tad/overlays/${{ steps.get_deploy_env.outputs.env }}/kustomization.yaml - sed -i 's/commithash: .*$/commithash: ${{ steps.get_commit_hash.outputs.commit_hash }}/g' apps/tad/overlays/${{ steps.get_deploy_env.outputs.env }}/kustomization.yaml - sed -i 's|minbzk.github.io/version: .*$|minbzk.github.io/version: ${{ inputs.image_tag || 'main' }}|g' apps/tad/overlays/${{ steps.get_deploy_env.outputs.env }}/kustomization.yaml - git add apps/tad/overlays/${{ steps.get_deploy_env.outputs.env }}/kustomization.yaml + sed -i 's/newTag: .*$/newTag: ${{inputs.image_tag }}@${{ steps.get_package_hash.outputs.container_id }}/g' apps/tad/overlays/${{ inputs.environment }}/kustomization.yaml + sed -i 's|minbzk.github.io/version: .*$|minbzk.github.io/version: ${{ inputs.image_tag }}|g' apps/tad/overlays/${{ inputs.environment }}/kustomization.yaml + git add apps/tad/overlays/${{ inputs.environment }}/kustomization.yaml - name: show changes run: git diff --staged - name: push changes run: | - git commit -m "Update tad overlay ${{ steps.get_deploy_env.outputs.env }} tag ${{ steps.get_package_hash.outputs.container_id }} by actor ${{ github.actor}}" + git commit -m "Update tad overlay ${{ inputs.environment }} tag ${{ steps.get_package_hash.outputs.container_id }}" git push --force-with-lease env: GITHUB_TOKEN: ${{ secrets.GH_PAT }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 83340105f..3dcc8520d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -15,7 +15,7 @@ repos: - id: check-toml - id: detect-private-key - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.4.8 + rev: v0.4.10 hooks: - id: ruff - id: ruff-format
diff --git a/tad/repositories/statuses.py b/tad/repositories/statuses.py
index bdaeb9e3b..56d86c6bd 100644
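Review bot: The rewritten Make changes to the file step drops the `commithash:` sed, so if the overlay's kustomization.yaml still carries a `commithash:` field (not visible here) it will no longer be refreshed and will keep the last value written; either remove the field from the overlay in the same change or keep it updated from a value the caller passes. The two remaining sed commands and the `git add` path still splice `inputs.image_tag` and `inputs.environment` straight into the shell script, so unless `environment` is declared as a `type: choice` input, an unexpected value selects a path outside the intended overlay; export both under `env:`, quote them (`"apps/tad/overlays/$ENVIRONMENT/kustomization.yaml"`), and check `$ENVIRONMENT` against the known overlay names before the first sed. The commit message no longer records who triggered the deploy; `${{ github.actor }}` in the message was harmless provenance and is worth keeping since the push is made with `GH_PAT` rather than the actor's own identity.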
--- a/tad/repositories/statuses.py
+++ b/tad/repositories/statuses.py
@@ -34,14 +34,29 @@ def save(self, status: Status) -> Status: :param status: the status to store :return: the updated status after storing """ - self.session.add(status) try: + self.session.add(status) self.session.commit() + self.session.refresh(status) except Exception as e: self.session.rollback() raise RepositoryError from e return status + def delete(self, status: Status) -> None: + """ + Deletes the given status in the repository. + :param status: the status to store + :return: the updated status after storing + """ + try: + self.session.delete(status) + self.session.commit() + except Exception as e: + self.session.rollback() + raise RepositoryError from e + return None + def find_by_id(self, status_id: int) -> Status: """ Returns the status with the given id or an exception if the id does not exist.
diff --git a/tad/repositories/tasks.py b/tad/repositories/tasks.py
index c39c2b5c6..82000783d 100644
--- a/tad/repositories/tasks.py
+++ b/tad/repositories/tasks.py
@@ -53,6 +53,20 @@ def save(self, task: Task) -> Task: raise RepositoryError from e return task + def delete(self, task: Task) -> None: + """ + Deletes the given task in the repository or throws a RepositoryException + :param task: the task to store + :return: the updated task after storing + """ + try: + self.session.delete(task) + self.session.commit() + except Exception as e: + self.session.rollback() + raise RepositoryError from e + return None + def find_by_id(self, task_id: int) -> Task: """ Returns the task with the given id.
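Review bot: The docstring of the new `delete` in statuses.py is copied from `save` and says `:param status: the status to store` / `:return: the updated status after storing` although the method deletes and returns `None`; the `delete` added to tasks.py in the next hunk carries the same copied text and additionally names a `RepositoryException` while the code raises `RepositoryError`. Suggest `Deletes the given status from the repository or raises RepositoryError if the change cannot be committed.` with `:param status: the status to delete` and no `:return:` line, and the matching wording with "task" for the tasks.py variant. The trailing `return None` in both methods is redundant with the `-> None` signature and can be dropped.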