cac6194acd
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com>
76 lines
2.3 KiB
YAML
76 lines
2.3 KiB
YAML
name: tests
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
pull_request:
|
|
branches-ignore:
|
|
- i18n_master
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
tests:
|
|
runs-on: ubuntu-18.04
|
|
timeout-minutes: 60
|
|
services:
|
|
postgres:
|
|
image: postgres:10.10
|
|
ports: ["5432:5432"]
|
|
options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
|
|
env:
|
|
POSTGRES_USER: consul
|
|
POSTGRES_PASSWORD: ""
|
|
env:
|
|
CI_BUILD_NUMBER: ${{ github.run_number }}
|
|
COVERALLS_FLAG_NAME: run-${{ matrix.ci_node_index }}
|
|
COVERALLS_PARALLEL: true
|
|
COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
|
|
PGUSER: consul
|
|
POSTGRES_HOST: postgres
|
|
RAILS_ENV: test
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
ci_node_total: [5]
|
|
ci_node_index: [0, 1, 2, 3, 4]
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
- uses: ruby/setup-ruby@v1
|
|
with:
|
|
bundler-cache: true
|
|
- name: Setup NPM
|
|
uses: actions/setup-node@v1
|
|
- name: Copy secrets and database files
|
|
run: for i in config/*.example; do cp "$i" "${i/.example}"; done
|
|
- name: Setup database
|
|
run: bundle exec rake db:setup
|
|
- name: Compile assets
|
|
run: bundle exec rake assets:precompile > /dev/null 2>&1
|
|
- name: Run test suite
|
|
env:
|
|
KNAPSACK_PRO_TEST_SUITE_TOKEN_RSPEC: ${{ secrets.KNAPSACK_PRO_TEST_SUITE_TOKEN_RSPEC }}
|
|
KNAPSACK_PRO_CI_NODE_TOTAL: ${{ matrix.ci_node_total }}
|
|
KNAPSACK_PRO_CI_NODE_INDEX: ${{ matrix.ci_node_index }}
|
|
KNAPSACK_PRO_FIXED_QUEUE_SPLIT: true
|
|
KNAPSACK_PRO_LOG_LEVEL: info
|
|
run: bin/knapsack_pro_rspec
|
|
- name: Upload screenshots
|
|
if: failure()
|
|
uses: actions/upload-artifact@v2
|
|
with:
|
|
name: screenshots
|
|
path: tmp/screenshots
|
|
coveralls:
|
|
permissions:
|
|
contents: none
|
|
runs-on: ubuntu-18.04
|
|
needs: tests
|
|
env:
|
|
CI_BUILD_NUMBER: ${{ github.run_number }}
|
|
COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
|
|
steps:
|
|
- name: Finish coveralls
|
|
run: curl -k https://coveralls.io/webhook?repo_token=$COVERALLS_REPO_TOKEN -d "payload[build_num]=$CI_BUILD_NUMBER&payload[status]=done"
|