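# CI/CD workflow for the server package: runs the server tests on pushes to
# main and on pull requests, and on main also builds the server and deploys
# the build to the staging service.
name: Server
on:
  push:
    branches:
      - main
    paths:
      - 'server/*'
      - 'server/**/*'
      - '!server/*.md'
      - 'pnpm-lock.yaml'
      - '.github/workflows/server.yml'
      - '.github/actions/init-node/action.yml'
      - '.github/actions/deploy/action.yml'
  pull_request:
    paths:
      - 'server/*'
      - 'server/**/*'
      - '!server/*.md'
      - 'pnpm-lock.yaml'
      - '.github/workflows/server.yml'
      - '.github/actions/init-node/action.yml'
      - '.github/actions/deploy/action.yml'
jobs:
  # Runs for both triggers, so this is the job that executes pull-request
  # code. It gets a read-only token and a blocked-by-default network.
  test:
    name: Server Test
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: block
          # Every entry is host:port. The release-assets entry was missing
          # its port here while the build and staging jobs list it with :443.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            nodejs.org:443
            release-assets.githubusercontent.com:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout the repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # No later step visible in this job needs git authentication, so
          # the token is not persisted for the test run.
          # NOTE(review): confirm ./.github/actions/init-node does not rely
          # on the persisted git credentials.
          persist-credentials: false
      - name: Initialize Node.js
        uses: ./.github/actions/init-node
      - name: Run tests
        run: cd server && pnpm test
  # Main only: produces the server build and hands it to the staging job as a
  # short-lived artifact named after the commit SHA.
  build:
    name: Server Build
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            nodejs.org:443
            release-assets.githubusercontent.com:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout the repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # The build only reads the working tree; see the NOTE(review) on
          # the same setting in the test job.
          persist-credentials: false
      - name: Initialize Node.js
        uses: ./.github/actions/init-node
        with:
          cache: false
          install: '-F server -F proxy -F api --prod'
      - name: Build server
        run: cd server && node --run build:server
      - name: Create archive to keep symlinks
        # Only server/dist/ goes into the archive that is uploaded below.
        run: tar -cf server.tar server/dist/
      - name: Upload server build
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: server-build-${{ github.sha }}
          retention-days: 1
          path: |
            ./server.tar
  # Main only, after test and build succeed: deploys the built artifact to the
  # staging service. This is the only job holding id-token: write.
  staging:
    name: Server Staging Deploy
    needs:
      - test
      - build
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: read
      # Allows the job to request a GitHub OIDC token. Presumably consumed by
      # ./.github/actions/deploy to authenticate to Google Cloud (the sts and
      # iamcredentials endpoints are allow-listed below); confirm there.
      id-token: write
    concurrency:
      group: staging-server
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          # Stated explicitly, as in the test and build jobs, so the allowlist
          # below is enforced in the job that holds deploy credentials rather
          # than depending on the action's default policy.
          egress-policy: block
          allowed-endpoints: >
            9236a389bd48b984df91adc1bc924620.r2.cloudflarestorage.com:443
            api.github.com:443
            apk.cgr.dev:443
            artifactregistry.googleapis.com:443
            cgr.dev:443
            dev-server.slowreader.app:443
            dl.google.com:443
            europe-west1-docker.pkg.dev:443
            europe-west1-run.googleapis.com:443
            github.com:443
            iamcredentials.googleapis.com:443
            nodejs.org:443
            release-assets.githubusercontent.com:443
            raw.githubusercontent.com:443
            run.googleapis.com:443
            serviceusage.googleapis.com:443
            sts.googleapis.com:443
      - name: Checkout the repository
        # NOTE(review): persist-credentials is left at its default here
        # because ./.github/actions/deploy is not visible from this file; set
        # it to false if the deploy action does not use git.
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Download server build from previous step
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          # Same SHA-derived name the build job uploaded under.
          name: server-build-${{ github.sha }}
          path: ./
      - name: Extract archive to restore symlinks
        run: tar -xf server.tar
      - name: Create empty assets
        run: mkdir server/web
      - name: Deploy to Google Cloud
        uses: ./.github/actions/deploy
        with:
          projectId: slowreader-453400
          region: europe-west1
          folder: ./server/
          registry: staging/server
          service: staging-server
          shutdown: 'https://dev-server.slowreader.app/dump'
          env: 'ASSETS=,PROXY_ORIGIN=,DATABASE_URL=dump:/var/mnt/db/db.pglite,DEBUG=1'
          # The persistent database was temporarily disabled to save money.
          # To restore it, use these flags instead:
          # flags: |
          #   --vpc-connector db-connector
          #   --update-secrets DATABASE_URL=staging-db-url:latest
          flags: |
            --memory 1Gi
            --add-volume name=db,type=cloud-storage,bucket=slowreader-staging-db,mount-options=uid=65532;gid=65532
            --add-volume-mount volume=db,mount-path=/var/mnt/db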