From b861b7aa7263b4b99fffe70c45fee9357c678555 Mon Sep 17 00:00:00 2001
From: Gabriel Augendre <gabriel@augendre.info>
Date: Sat, 25 Mar 2023 20:24:12 +0100
Subject: [PATCH] Add github actions

---
 .github/dependabot.yaml                    | 10 +++
 .github/workflows/codeql-analysis.yaml     | 76 ++++++++++++++++++++++
 .github/workflows/publish.yaml             | 53 +++++++++++++++
 .github/workflows/pull_request.yaml        | 33 ++++++++++
 .github/workflows/test.yaml                | 35 ++++++++++
 .github/workflows/update-dependencies.yaml | 44 +++++++++++++
 6 files changed, 251 insertions(+)
 create mode 100644 .github/dependabot.yaml
 create mode 100644 .github/workflows/codeql-analysis.yaml
 create mode 100644 .github/workflows/publish.yaml
 create mode 100644 .github/workflows/pull_request.yaml
 create mode 100644 .github/workflows/test.yaml
 create mode 100644 .github/workflows/update-dependencies.yaml

diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..7629a45
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
new file mode 100644
index 0000000..1af5458
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yaml
@@ -0,0 +1,76 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+    paths:
+      - "**.py"
+      - "**.js"
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+    paths:
+      - "**.py"
+      - "**.js"
+  schedule:
+    - cron: '35 4 * * 3'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 0000000..5a9d65d
--- /dev/null
+++ b/.github/workflows/publish.yaml
@@ -0,0 +1,53 @@
+name: Test, build, publish & deploy
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+
+permissions:
+  contents: read
+
+jobs:
+  tests:
+    uses: ./.github/workflows/test.yaml
+  push_to_registry:
+    name: Push Docker image to Docker Hub
+    runs-on: ubuntu-latest
+    needs: [tests]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: true
+          tags: crocmagnon/checkout:latest
+          cache-from: type=registry,ref=crocmagnon/checkout:latest
+          cache-to: type=inline
+          platforms: linux/amd64
+  deploy:
+    name: Deploy new image
+    runs-on: ubuntu-latest
+    needs: [push_to_registry]
+    steps:
+      - name: Deploy
+        run: |
+          TEMP=$(mktemp)
+          echo "${{ secrets.DEPLOY_KEY }}" > $TEMP
+          ssh -o StrictHostKeyChecking=no -i $TEMP -p ${{ secrets.DEPLOY_PORT }} ${{ secrets.DEPLOY_USERNAME }}@${{ secrets.DEPLOY_HOST }} /mnt/data/checkout/update
+      - name: Check
+        uses: nick-fields/retry@v2
+        with:
+          timeout_seconds: 30
+          max_attempts: 5
+          retry_wait_seconds: 2
+          warning_on_retry: false
+          command: curl -sSL --fail -m 10 https://checkout.augendre.info | grep ${GITHUB_SHA::7} > /dev/null
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
new file mode 100644
index 0000000..6027084
--- /dev/null
+++ b/.github/workflows/pull_request.yaml
@@ -0,0 +1,33 @@
+name: Test & auto merge
+
+on:
+  pull_request:
+    branches: [ "master" ]
+
+permissions:
+  contents: read
+
+jobs:
+  tests:
+    uses: ./.github/workflows/test.yaml
+  auto_merge:
+    name: Auto merge
+    runs-on: ubuntu-latest
+    needs: tests
+    permissions:
+      pull-requests: write
+      contents: write
+    env:
+      GH_TOKEN: ${{ github.token }}
+    if: >-
+      github.event.pull_request
+      && github.event.pull_request.merged == false
+      && (
+        github.event.pull_request.user.login == 'crocmagnon-pr[bot]'
+        || github.event.pull_request.user.login == 'pre-commit-ci[bot]'
+      )
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Auto merge
+        run: gh pr merge ${{github.event.pull_request.number}} --delete-branch --rebase
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 0000000..9a72b32
--- /dev/null
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,35 @@
+name: Test
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  tests:
+    name: Python tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+          cache: pip
+      - name: Install dependencies
+        run: |
+          pip install pip-tools
+          pip-sync requirements.txt requirements-dev.txt
+      - name: Setup pre-commit cache
+        uses: actions/cache@v3
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
+      - name: Check pre-commit
+        run: pre-commit run --show-diff-on-failure --color=always --all-files
+      - name: Test
+        run: pytest --cov=. --cov-branch --cov-report term-missing:skip-covered
+        working-directory: ./src/
diff --git a/.github/workflows/update-dependencies.yaml b/.github/workflows/update-dependencies.yaml
new file mode 100644
index 0000000..7ec9004
--- /dev/null
+++ b/.github/workflows/update-dependencies.yaml
@@ -0,0 +1,44 @@
+name: Update dependencies
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 18 * * MON'
+
+permissions:
+  contents: read
+
+jobs:
+  update:
+    name: Update dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: master
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+          cache: pip
+      - name: Update dependencies
+        run: |
+          pip install pip-tools invoke
+          invoke update-dependencies --no-sync
+      - name: Generate token
+        uses: tibdex/github-app-token@v1
+        id: generate-token
+        with:
+          app_id: ${{ secrets.PR_APP_ID }}
+          private_key: ${{ secrets.PR_APP_PRIVATE_KEY }}
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v4
+        id: create-pull-request
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          commit-message: Update dependencies
+          base: master
+          branch: update-dependencies
+          title: Update dependencies
+          delete-branch: true