fix: implement admin permissions #1431
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- main | |
- \d+.\d+ | |
pull_request: ~ | |
workflow_dispatch: ~ | |
# Check api-platform/core:dev-main every sunday at 02:00 | |
schedule: | |
- cron: 0 2 * * 0 | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
tests: | |
name: Tests | |
runs-on: ubuntu-latest | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
name: Build Docker images | |
uses: docker/bake-action@v5 | |
with: | |
pull: true | |
load: true | |
files: | | |
compose.yaml | |
compose.override.yaml | |
set: | | |
php.cache-from=type=gha,scope=${{ github.ref }} | |
php.cache-from=type=gha,scope=refs/heads/main | |
php.cache-to=type=gha,scope=${{ github.ref }},mode=max | |
pwa.cache-from=type=gha,scope=${{ github.ref }} | |
pwa.cache-from=type=gha,scope=refs/heads/main | |
pwa.cache-to=type=gha,scope=${{ github.ref }},mode=max | |
keycloak.cache-from=type=gha,scope=${{ github.ref }} | |
keycloak.cache-from=type=gha,scope=refs/heads/main | |
keycloak.cache-to=type=gha,scope=${{ github.ref }},mode=max | |
- | |
name: Start services | |
run: docker compose up --wait --no-build | |
- | |
name: Update API Platform to latest | |
if: ${{ github.event_name == 'schedule' }} | |
run: docker compose exec php composer require api-platform/core:dev-main | |
- | |
name: Check HTTP reachability | |
run: curl -v --fail-with-body http://localhost | |
- | |
name: Check API reachability | |
run: curl -vk --fail-with-body https://localhost | |
- | |
name: Check PWA reachability | |
run: "curl -vk --fail-with-body -H 'Accept: text/html' https://localhost" | |
- | |
name: Create test database | |
run: docker compose exec -T php bin/console -e test doctrine:database:create | |
- | |
name: Run migrations | |
run: docker compose exec -T php bin/console -e test doctrine:migrations:migrate --no-interaction | |
- | |
name: Run PHPUnit | |
run: docker compose exec -T php vendor/bin/phpunit | |
- | |
name: Doctrine Schema Validator | |
run: docker compose exec -T php bin/console -e test doctrine:schema:validate | |
- | |
name: Run PHPStan | |
run: docker compose exec -T php vendor/bin/phpstan --memory-limit=256M | |
- | |
name: Check OpenAPI | |
run: docker compose exec -T php bin/console api:openapi:export --yaml | docker run --rm -i -v $(pwd)/redocly.yaml:/spec/redocly.yaml redocly/cli lint /dev/stdin | |
- | |
name: Debug services | |
if: failure() | |
run: | | |
docker compose ps | |
docker compose logs | |
# run e2e tests iso-prod | |
e2e-tests: | |
name: E2E Tests | |
runs-on: ubuntu-latest | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
strategy: | |
matrix: | |
# don't run @read and @write scenarios to prevent conflict between them | |
annotation: | |
- '@read' | |
- '@write' | |
fail-fast: false | |
env: | |
PHP_DOCKER_IMAGE: api-platform/demo/php:latest | |
PWA_DOCKER_IMAGE: api-platform/demo/pwa:latest | |
KEYCLOAK_DOCKER_IMAGE: api-platform/demo/keycloak:latest | |
APP_SECRET: ba63418865d58089f7f070e0a437b6d16b1fb970 | |
CADDY_MERCURE_JWT_SECRET: 33b04d361e437e0d7d715600fc24fdefba317154 | |
POSTGRES_PASSWORD: aae5bf316ef5fe87ad806c6a9240fff68bcfdaf7 | |
KEYCLOAK_POSTGRES_PASSWORD: 26d7f630f1524eb210bbf496443f2038a9316e9e | |
KEYCLOAK_ADMIN_PASSWORD: 2f31e2fad93941b818449fd8d57fd019b6ce7fa5 | |
# https://nextjs.org/docs/app/building-your-application/configuring/environment-variables#bundling-environment-variables-for-the-browser | |
NEXT_PUBLIC_OIDC_SERVER_URL: https://localhost/oidc/realms/demo | |
# https://docs.docker.com/compose/environment-variables/envvars/#compose_file | |
COMPOSE_FILE: compose.yaml:compose.prod.yaml:compose.e2e.yaml | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
- | |
name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- | |
name: Generate AUTH_SECRET | |
run: echo "AUTH_SECRET=$(openssl rand -hex 32)" >> $GITHUB_ENV | |
- | |
name: Build Docker Images | |
uses: docker/bake-action@v5 | |
with: | |
pull: true | |
load: true | |
files: | | |
compose.yaml | |
compose.prod.yaml | |
set: | | |
php.cache-from=type=gha,scope=${{ github.ref }}-e2e | |
php.cache-from=type=gha,scope=${{ github.ref }} | |
php.cache-from=type=gha,scope=refs/heads/main | |
php.cache-to=type=gha,scope=${{ github.ref }}-e2e,mode=max | |
pwa.cache-from=type=gha,scope=${{ github.ref }}-e2e | |
pwa.cache-from=type=gha,scope=${{ github.ref }} | |
pwa.cache-from=type=gha,scope=refs/heads/main | |
pwa.cache-to=type=gha,scope=${{ github.ref }}-e2e,mode=max | |
keycloak.cache-from=type=gha,scope=${{ github.ref }}-e2e | |
keycloak.cache-from=type=gha,scope=${{ github.ref }} | |
keycloak.cache-from=type=gha,scope=refs/heads/main | |
keycloak.cache-to=type=gha,scope=${{ github.ref }}-e2e,mode=max | |
- | |
name: Start Services | |
run: docker compose up --wait --no-build | |
- | |
name: Update API Platform to latest | |
if: ${{ github.event_name == 'schedule' }} | |
run: docker compose exec php composer require api-platform/core:dev-main | |
- | |
name: Load Fixtures | |
run: docker compose run --rm php bin/console doctrine:fixtures:load --no-interaction | |
- | |
name: Cache Playwright Binaries | |
id: playwright-cache | |
uses: actions/cache@v4 | |
with: | |
path: ~/.cache/ms-playwright | |
key: ${{ runner.os }}-playwright | |
- | |
name: Install PNPM | |
uses: pnpm/action-setup@v4 | |
with: | |
version: latest | |
- | |
name: Cache PNPM | |
uses: actions/cache@v4 | |
with: | |
path: ${{ env.PNPM_HOME }} | |
key: ${{ runner.os }}-pnpm-${{ github.run_id }} | |
restore-keys: | | |
${{ runner.os }}-pnpm- | |
- | |
name: Install Dependencies | |
working-directory: pwa | |
run: pnpm install | |
- | |
name: Install Playwright Browsers with Deps | |
if: steps.playwright-cache.outputs.cache-hit != 'true' | |
working-directory: pwa | |
run: pnpm exec playwright install --with-deps | |
- | |
name: Install Playwright Browsers | |
if: steps.playwright-cache.outputs.cache-hit == 'true' | |
working-directory: pwa | |
run: pnpm exec playwright install | |
- | |
name: Run Playwright | |
working-directory: pwa | |
# use 1 worker to prevent conflict between scenarios (longer but safer) | |
run: pnpm exec playwright test --workers=1 --grep ${{ matrix.annotation }} | |
- | |
name: Debug Services | |
if: failure() | |
run: | | |
docker compose ps | |
docker compose logs | |
- | |
name: Debug Services | |
if: failure() | |
run: | | |
docker compose ps | |
docker compose logs | |
- | |
uses: actions/upload-artifact@v4 | |
if: failure() | |
with: | |
name: playwright-screenshots | |
path: pwa/test-results | |
lint: | |
name: Lint | |
runs-on: ubuntu-latest | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v4 | |
# Lint Dockerfiles | |
- | |
name: Lint Dockerfiles | |
uses: hadolint/[email protected] | |
with: | |
recursive: true | |
# Lint API | |
- | |
name: PHP CS Fixer Cache | |
uses: actions/cache@v4 | |
with: | |
path: api/.php-cs-fixer.cache | |
key: ${{ runner.OS }}-phpcsfixer-${{ github.sha }} | |
restore-keys: | | |
${{ runner.OS }}-phpcsfixer- | |
- | |
name: Get API changed files | |
id: api-changed-files | |
uses: tj-actions/changed-files@v45 | |
with: | |
files: api/**/*.php | |
- | |
name: Get Extra Arguments for PHP-CS-Fixer | |
id: phpcs-intersection | |
run: | | |
CHANGED_FILES=$(echo "${{ steps.api-changed-files.outputs.all_changed_and_modified_files }}" | tr ' ' '\n') | |
if ! echo "${CHANGED_FILES}" | grep -qE "^api\/(\\.php-cs-fixer(\\.dist)?\\.php|composer\\.lock)$"; then EXTRA_ARGS=$(printf -- '--path-mode=intersection\n--\n%s' "${CHANGED_FILES}"); else EXTRA_ARGS=''; fi | |
echo "PHPCS_EXTRA_ARGS<<EOF" >> $GITHUB_ENV | |
echo "$EXTRA_ARGS" >> $GITHUB_ENV | |
echo "EOF" >> $GITHUB_ENV | |
- | |
name: Lint API | |
uses: docker://oskarstark/php-cs-fixer-ga | |
with: | |
args: --config=api/.php-cs-fixer.dist.php -v --dry-run --stop-on-violation --using-cache=no ${{ env.PHPCS_EXTRA_ARGS }}" | |
# Lint PWA | |
- | |
name: Install PNPM | |
uses: pnpm/action-setup@v4 | |
with: | |
version: latest | |
- | |
name: Cache PNPM | |
uses: actions/cache@v4 | |
with: | |
path: ${{ env.PNPM_HOME }} | |
key: ${{ runner.os }}-pnpm-${{ github.run_id }} | |
restore-keys: | | |
${{ runner.os }}-pnpm- | |
- | |
name: Install Dependencies | |
working-directory: pwa | |
run: pnpm install | |
- | |
name: Lint PWA | |
working-directory: pwa | |
run: pnpm lint | |
# Lint HELM | |
- | |
name: Cache Helm Dependencies | |
uses: actions/cache@v4 | |
with: | |
path: helm/api-platform/charts/ | |
key: ${{ runner.os }}-helm-dependencies-${{ github.run_id }} | |
restore-keys: | | |
${{ runner.os }}-helm-dependencies- | |
- | |
name: Build Helm Dependencies | |
run: | | |
helm repo add bitnami https://charts.bitnami.com/bitnami/ | |
helm repo add stable https://charts.helm.sh/stable/ | |
helm dependency build ./helm/api-platform | |
- | |
name: Lint Helm | |
run: helm lint ./helm/api-platform/ | |
# Lint Markdown Docs | |
- | |
name: Lint changelog file | |
uses: docker://avtodev/markdown-lint:v1 | |
with: | |
config: 'docs/.markdown-lint.yaml' | |
args: 'docs/**/*.md' |