pseudonymisation_service/.github/workflows/test.yml at main · NHSDigital/pseudonymisation_service · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
name: Test

on: [push]

jobs:
  test:
    strategy:
      fail-fast: false
      matrix:
        ruby-version:
          - '3.3'
          - '3.4'

    name: Ruby ${{ matrix.ruby-version }}

    runs-on: ubuntu-latest

    services:
      postgres:
        image: postgres
        env:
          POSTGRES_USER: rails
          POSTGRES_PASSWORD: rails_password
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432

    env:
      DB_HOST: localhost
      DB_PORT: 5432
      DB_USERNAME: rails
      DB_PASSWORD: rails_password

    steps:
    - uses: actions/checkout@v2
    - name: Set up Ruby + Bundle
      uses: ruby/setup-ruby@v1
      with:
        bundler-cache: true
        ruby-version: ${{ matrix.ruby-version }}
    - name: Inject configuration
      run: cp config/database.yml{.ci,}
    - name: Prepare the database
      run: bin/rails db:setup
    - name: Run tests
      run: bin/rails test

  brakeman:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - name: Set up Ruby + Bundle
      uses: ruby/setup-ruby@v1
      with:
        bundler-cache: true
    - name: Run Brakeman analysis
      run: bundle exec brakeman

  bundle-audit:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - name: Set up Ruby + Bundle
      uses: ruby/setup-ruby@v1
      with:
        bundler-cache: true
    - name: Audit the bundle
      run: bundle exec bundle-audit check --update

  # A utility job upon which Branch Protection can depend,
  # thus remaining agnostic of the matrix.
  test_matrix:
    if: ${{ always() }}
    runs-on: ubuntu-latest
    name: Matrix
    needs: test
    steps:
    - name: Check build matrix status
      if: ${{ needs.test.result != 'success' }}
      run: exit 1

  notify:
    # Run only on master, but regardless of whether tests past:
    if: ${{ always() && github.ref == 'refs/heads/master' }}

    needs:
      - test_matrix
      - brakeman
      - bundle-audit

    runs-on: ubuntu-latest

    steps:
    - uses: 8398a7/action-slack@v3
      with:
        status: custom
        fields: workflow,commit,author
        custom_payload: |
          {
            channel: 'CSCHWSP53',
            username: 'CI',
            icon_emoji: ':hammer_and_wrench:',
            attachments: [{
              color: '${{ needs.test.result }}' === 'success' ? 'good' : '${{ needs.test.result }}' === 'failure' ? 'danger' : 'warning',
              text: `${process.env.AS_WORKFLOW} against \`${{ github.ref }}\` (${process.env.AS_COMMIT}) for ${{ github.actor }} resulted in *${{ needs.test.result }}*.`
            },{
              color: '${{ needs.brakeman.result }}' === 'success' ? 'good' : '${{ needs.brakeman.result }}' === 'failure' ? 'danger' : 'warning',
              text: `Brakeman checks returned *${{ needs.brakeman.result }}*.`
            },{
              color: '${{ needs.bundle-audit.result }}' === 'success' ? 'good' : '${{ needs.bundle-audit.result }}' === 'failure' ? 'danger' : 'warning',
              text: `Bundle Audit checks returned *${{ needs.bundle-audit.result }}*.`
            }]
          }
      env:
        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}