Merge pull request #377 from itk-dev/feature/security-update #57
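# Do not edit this file! Make a pull request on changing
# github/workflows/drupal/site.yaml in
# https://github.com/itk-dev/devops_itkdev-docker if need be.

### ### Drupal
###
### Checks that site can be installed and can be updated (from base branch on
### pull request).
###
### #### Assumptions
###
### 1. A docker compose service named `phpfpm` can be run and `composer` can be
###    run inside the `phpfpm` service.
### 2. The docker setup contains a database container and the other dependent
###    services and the default settings match connection credentials for these
###    services.
### 3. The Drupal site can be installed from existing config.

name: Drupal

env:
  COMPOSE_USER: root

on:
  pull_request:
  push:
    branches:
      - main
      - develop

# Least privilege: the jobs below only read the repository. They also run
# `composer install` on pull request code, so the workflow token should not
# carry more than read access.
permissions:
  contents: read

# NOTE(review): actions are referenced by a mutable tag (`@v5`); pinning to a
# full commit SHA is the stricter supply-chain option.

jobs:
  install-site:
    name: Check that site can be installed
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5

      - name: Create docker network
        run: |
          docker network create frontend

      - name: Start docker and install dependencies
        run: |
          docker compose pull
          docker compose up --detach
          # Important: Use --no-interaction to make https://getcomposer.org/doc/06-config.md#discard-changes have effect.
          docker compose exec phpfpm composer install --no-interaction

      - name: Install site
        env:
          # github.head_ref is chosen by the pull request author. Pass it as
          # data through the environment instead of expanding it into the
          # script text, where it would become part of the generated PHP.
          HEAD_REF: ${{ github.head_ref }}
        run: |
          # Add some local settings. The branch name is hashed so that only
          # hex digits are written into the PHP string literal. This also
          # gives a non-empty salt on push events, where github.head_ref is
          # empty.
          hash_salt="$(printf '%s' "$HEAD_REF" | sha256sum | cut -d ' ' -f 1)"
          cat > web/sites/default/settings.local.php <<EOF
          <?php
          \$settings['hash_salt'] = '${hash_salt}';
          EOF
          # Install the site from config
          docker compose exec phpfpm vendor/bin/drush site:install --existing-config --yes

      - name: Show site URL
        run: |
          # Prints a one-time login link into the job log; it points at the
          # site running on this runner only.
          echo $(docker compose exec phpfpm vendor/bin/drush --uri=http://$(docker compose port nginx 8080) user:login)

  update-site:
    # Check updating site only on pull request.
    if: github.event_name == 'pull_request'
    name: Check that site can be updated
    # This job checks that the Drupal site can be upgraded without issues.
    #
    # We do this by
    #
    # 1. Checking out the base branch ("github.base_ref") and installing the
    #    site from scratch (using the exact same steps as the "install-site"
    #    job)
    # 2. Checking out the updated code and updating the site from the previous
    #    installation
    #
    # Notice that step 2 is NOT run with the code in our new branch, but with
    # the updated code merged on top of the target branch
    # (cf. https://github.com/actions/checkout/issues/881). This makes sure that
    # we can actually update the site after merging with the base branch.
    #
    # In some cases we run into a situation where the base site (step 1) cannot
    # be installed, e.g. if this is a new project or we're making changes that
    # require manual steps on the upgrade path, and then this job will fail. In
    # that case we should note this in the pull request description and document
    # the steps needed to complete the upgrade path.
    runs-on: ubuntu-latest
    steps:
      # Install site from our base ref
      - uses: actions/checkout@v5
        with:
          ref: ${{ github.base_ref }}

      - name: Create docker network
        run: |
          docker network create frontend

      - name: Start docker and install dependencies
        run: |
          docker compose pull
          docker compose up --detach
          # Important: Use --no-interaction to make https://getcomposer.org/doc/06-config.md#discard-changes have effect.
          docker compose exec phpfpm composer install --no-interaction

      - name: Install site
        env:
          # github.head_ref is chosen by the pull request author. Pass it as
          # data through the environment instead of expanding it into the
          # script text, where it would become part of the generated PHP.
          HEAD_REF: ${{ github.head_ref }}
        run: |
          # Add some local settings. The branch name is hashed so that only
          # hex digits are written into the PHP string literal.
          hash_salt="$(printf '%s' "$HEAD_REF" | sha256sum | cut -d ' ' -f 1)"
          cat > web/sites/default/settings.local.php <<EOF
          <?php
          \$settings['hash_salt'] = '${hash_salt}';
          EOF
          # Install the site from config
          docker compose exec phpfpm vendor/bin/drush site:install --existing-config --yes

      - name: Show site URL
        run: |
          echo $(docker compose exec phpfpm vendor/bin/drush --uri=http://$(docker compose port nginx 8080) user:login)

      - name: Clean up root stuff
        run: |
          sudo chown -Rv $USER:$USER vendor/ web/ private-files/ || true
          sudo chmod -Rv a+w web/sites/default || true

      # Update site using our updated code.
      - uses: actions/checkout@v5
        with:
          # Keep our local settings (cf.
          # https://github.com/actions/checkout?tab=readme-ov-file#usage)
          clean: false

      - name: Start docker and install dependencies
        run: |
          docker compose pull
          docker compose up --detach
          # Important: Use --no-interaction to make https://getcomposer.org/doc/06-config.md#discard-changes have effect.
          docker compose exec phpfpm composer install --no-interaction

      - name: Update site
        run: |
          docker compose exec phpfpm vendor/bin/drush deploy --yes

      - name: Show site URL
        run: |
          echo $(docker compose exec phpfpm vendor/bin/drush --uri=http://$(docker compose port nginx 8080) user:login)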