ci: Workflow to check, build and publish oci image

Builds the service as a docker image and upload it to ghcr.io. We want to use a rock in the future but using a rocks right now will slow our progress. I've refined the check jobs to include cargo audit and clippy and make their output available in github's ui. In time we can evolve this to trigger another action (like create an issue for a security vulnerability).
ubuntu · Feb 23, 2024 · b69ee20 · b69ee20
1 parent 500a937
commit b69ee20
Show file tree

Hide file tree

Showing 5 changed files with 125 additions and 65 deletions.
diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
@@ -8,30 +8,28 @@ jobs:
     name: Build Ratings
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
 
-      - name: Setup Rust toolchain
-        uses: actions-rs/toolchain@v1
+      - uses: actions-rs/toolchain@v1
         with:
-          toolchain: 1.76.0
+          toolchain: stable
           components: clippy, rustfmt
 
-      - name: Install additional build dependencies
+      - name: Install build dependencies
         run: |
           sudo apt-get update
           sudo apt-get install -y libssl-dev pkg-config protobuf-compiler
-      - name: Check code format
+
+      - name: Check code formating
         uses: actions-rs/cargo@v1
         with:
           command: fmt
           args: --check
 
-      - name: Lint code
-        uses: actions-rs/clippy-check@v1
+      - uses: actions-rs/clippy-check@v1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-          args: --all-features
+          args: --all-features --all-targets -- -Dwarnings
 
       - name: Setup and Run Tests
         run: |

diff --git a/.github/workflows/check-build-publish.yaml b/.github/workflows/check-build-publish.yaml
@@ -0,0 +1,106 @@
+name: Check, build and publish
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  checks:
+    name: Test and lint
+    runs-on: ubuntu-22.04
+    permissions:
+      checks: write
+    steps:
+      - name: Install build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libssl-dev pkg-config protobuf-compiler libprotobuf-dev
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup rust toolchain
+        uses: actions-rs/toolchain@v1
+        with: # seems to ignore rust-toolchain but it should be supported
+          toolchain: "1.76.0"
+          components: rustfmt, clippy
+
+      - name: Check code formatting
+        uses: actions-rs/cargo@v1
+        with:
+          command: fmt
+          args: --check
+
+      - name: Clippy linting
+        uses: giraffate/clippy-action@v1
+        with:
+          reporter: "github-pr-review"
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Dependencies security audit 
+        uses: actions-rust-lang/audit@v1
+        with:
+          ignore: RUSTSEC-2023-0071 # patch not available att
+
+      - name: Run tests
+        run: |
+          cp example.env .env
+          cargo install cargo-make
+          cargo make db-up
+          cargo make full-test
+
+  publish:
+    name: Publish to ghcr.io
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Install build dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libssl-dev pkg-config protobuf-compiler libprotobuf-dev
+
+    - name: Setup rust toolchain
+      uses: actions-rs/toolchain@v1
+      with: # seems to ignore rust-toolchain but it should be supported
+        toolchain: "1.76.0"
+
+    - name: Build release binary
+      uses: actions-rs/cargo@v1
+      with:
+        command: build
+        args: --release
+
+    - name: Log in to gchr.io
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract metadata for image labels and tags
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ghcr.io/${{ github.repository }}
+        tags: |
+          type=semver,pattern={{version}}
+          type=sha,format=short
+
+    - name: Build and push image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        file: ./docker/ratings/Dockerfile
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,9 +1,9 @@
 [package]
 name = "ratings"
-description = "Backend for ratings for the Ubuntu app center."
+description = "Ubuntu App Center ratings service"
 license = "GPL-3.0-only"
 authors = ["Canonical"]
-version = "0.2.0"
+version = "0.0.3"
 edition = "2021"
 
 [dependencies]

diff --git a/docker/ratings/Dockerfile b/docker/ratings/Dockerfile
@@ -0,0 +1,9 @@
+FROM ubuntu:22.04
+
+RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+COPY target/release/ratings /app/ratings
+
+EXPOSE 8080
+ENTRYPOINT ["/app/ratings"]
diff --git a/rockcraft.yaml b/rockcraft.yaml